only basic stuff to gear that i manage myself, to make sure its not exposed to general weaknesses and that brute force protection systems are operational but not all the time - if a client has a need for security testing i generally stick with the approved PCI-DSS compliance scanner companies like trustwave or securitymetrics for PCI compliance testing - its just as thorough and the credit card companies require it for e-commerce sites
its illegal to do it to any server/service you dont have control over, if that wasnt already obvious to you
