Penetration Testing Research Report¶

## Rules of Engagement

- Testing window: [Agreed dates and times]
- Emergency contact: [Phone/email for immediate escalation]
- Allowed actions: Scanning, enumeration, exploitation attempts on staging
- Forbidden actions: DoS attacks, data exfiltration of real PII, lateral movement to production
- Data handling: All findings stored encrypted, destroyed after report delivery
- Notification: Team notified before testing begins
- Rollback plan: Staging can be redeployed from pipeline if disrupted

┌─────────────────────────────────────────────────────────────────────┐
│                    PENETRATION TEST LIFECYCLE                        │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  Phase 1         Phase 2         Phase 3         Phase 4            │
│  ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐        │
│  │ Recon &  │──▶│ DNS &    │──▶│ Web App  │──▶│ API      │        │
│  │ OSINT    │   │ Infra    │   │ Testing  │   │ Testing  │        │
│  └──────────┘   └──────────┘   └──────────┘   └──────────┘        │
│                                                                     │
│  Phase 5         Phase 6         Phase 7         Phase 8            │
│  ┌──────────┐   ┌──────────┐   ┌──────────┐   ┌──────────┐        │
│  │ Server   │──▶│ Database │──▶│ Container│──▶│ Auth &   │        │
│  │ (SSH)    │   │ Security │   │ & Supply │   │ Session  │        │
│  └──────────┘   └──────────┘   │ Chain    │   └──────────┘        │
│                                 └──────────┘                        │
│  Phase 9                                                            │
│  ┌──────────┐   ┌──────────┐                                       │
│  │ Business │──▶│ Report & │                                       │
│  │ Logic    │   │ NIS2 Map │                                       │
│  └──────────┘   └──────────┘                                       │
│                                                                     │
└─────────────────────────────────────────────────────────────────────┘

# Subdomain enumeration
subfinder -d forma3d.be -all -o subdomains.txt
amass enum -passive -d forma3d.be -o amass-subdomains.txt

# Combine and deduplicate
cat subdomains.txt amass-subdomains.txt | sort -u > all-subdomains.txt

# Resolve live subdomains
httpx -l all-subdomains.txt -o live-hosts.txt -status-code -title -tech-detect

# Screenshot all live hosts
gowitness file -f live-hosts.txt -P screenshots/

## DNS Security Assessment

- [ ] Zone transfer blocked (AXFR denied)
- [ ] DNSSEC enabled and valid
- [ ] SPF record present and restrictive (ends with -all)
- [ ] DMARC record present with p=reject or p=quarantine
- [ ] DKIM configured for mail-sending domains
- [ ] CAA record restricts certificate issuance to authorized CAs
- [ ] No dangling CNAME records (subdomain takeover risk)
- [ ] No wildcard DNS records unless intentional
- [ ] NS records point to reputable provider
- [ ] No TXT records leaking sensitive information

# Full TCP scan of the droplet
nmap -sS -sV -sC -p- -oA nmap-full 167.172.45.47

# UDP top ports
nmap -sU --top-ports 100 -oA nmap-udp 167.172.45.47

# Aggressive scan with OS detection
nmap -A -T4 -oA nmap-aggressive 167.172.45.47

# Script scan for vulnerabilities
nmap --script vuln -oA nmap-vuln 167.172.45.47

# Comprehensive TLS test
testssl.sh --html staging-connect-api.forma3d.be

# Alternative: sslyze
sslyze staging-connect-api.forma3d.be staging-connect.forma3d.be staging-connect-db.forma3d.be

# Quick SSL Labs grade (manual)
# Visit: https://www.ssllabs.com/ssltest/analyze.html?d=staging-connect-api.forma3d.be

## TLS Security Assessment

- [ ] TLS 1.2+ only (TLS 1.0/1.1 disabled)
- [ ] Strong cipher suites (no RC4, DES, 3DES, NULL)
- [ ] Perfect Forward Secrecy (PFS) enabled
- [ ] HSTS header present with long max-age
- [ ] HSTS includeSubDomains set
- [ ] HSTS preload set (or planned)
- [ ] Certificate valid and not near expiry
- [ ] Certificate chain complete
- [ ] No certificate transparency issues
- [ ] OCSP stapling enabled
- [ ] HTTP redirects to HTTPS (no mixed content)
- [ ] SSL Labs grade A or A+

# Start ZAP in daemon mode
zap.sh -daemon -port 8080 -config api.key=your-api-key

# Spider the application
zap-cli spider https://staging-connect.forma3d.be

# Active scan
zap-cli active-scan https://staging-connect.forma3d.be

# Generate HTML report
zap-cli report -o zap-report.html -f html

# Run all templates against web targets
nuclei -u https://staging-connect.forma3d.be -o nuclei-web.txt
nuclei -u https://staging-connect-api.forma3d.be -o nuclei-api.txt
nuclei -u https://staging-connect-db.forma3d.be -o nuclei-pgadmin.txt

# Run with specific severity
nuclei -u https://staging-connect.forma3d.be -severity critical,high -o nuclei-critical.txt

# Technology-specific templates
nuclei -u https://staging-connect-api.forma3d.be -tags nodejs,express,nestjs -o nuclei-nestjs.txt

# Scan web and API endpoints
nikto -h https://staging-connect.forma3d.be -o nikto-web.html -Format html
nikto -h https://staging-connect-api.forma3d.be -o nikto-api.html -Format html
nikto -h https://staging-connect-db.forma3d.be -o nikto-pgadmin.html -Format html

# Test CORS
curl -H "Origin: https://evil.com" -I https://staging-connect-api.forma3d.be/health
# Check: Access-Control-Allow-Origin should NOT be * or reflect arbitrary origins

# Test forced browsing
curl https://staging-connect-api.forma3d.be/api/v1/admin/users
# Should return 401/403 without valid session

# XSS scanning with dalfox
dalfox url "https://staging-connect.forma3d.be/search?q=test" -o dalfox-results.txt

# SQL injection testing (should fail — Prisma ORM prevents this)
sqlmap -u "https://staging-connect-api.forma3d.be/api/v1/orders?id=1" --batch --risk=3 --level=5

# Security headers check
curl -sI https://staging-connect-api.forma3d.be/health | grep -iE \
  "strict-transport|content-security|x-frame|x-content-type|referrer-policy|permissions-policy"

# Directory/endpoint fuzzing
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -u https://staging-connect-api.forma3d.be/FUZZ \
  -mc 200,301,302,403 \
  -o ffuf-api-dirs.json

# Check Swagger/API docs accessibility
curl -s https://staging-connect-api.forma3d.be/api/docs | head -20

## pgAdmin Security Checklist

- [ ] Default credentials changed
- [ ] Brute force protection enabled
- [ ] Access restricted to authorized IPs (or behind VPN)
- [ ] HTTPS enforced
- [ ] Session timeout configured
- [ ] pgAdmin version is current (check for known CVEs)
- [ ] Server credentials not exposed in UI
- [ ] No public access to query tool

# Fetch OpenAPI/Swagger spec
curl -s https://staging-connect-api.forma3d.be/api/docs-json | jq > swagger.json

# Parse all endpoints
cat swagger.json | jq -r '.paths | keys[]' > api-endpoints.txt

# Generate Postman collection from Swagger
# Import swagger.json into Postman or use openapi-to-postman

# Test Shopify webhook without HMAC
curl -X POST https://staging-connect-api.forma3d.be/api/v1/webhooks/shopify/orders/create \
  -H "Content-Type: application/json" \
  -d '{"test": true}'
# Expected: 401 or 403

# Test with invalid HMAC
curl -X POST https://staging-connect-api.forma3d.be/api/v1/webhooks/shopify/orders/create \
  -H "Content-Type: application/json" \
  -H "X-Shopify-Hmac-Sha256: invalidhash" \
  -d '{"test": true}'
# Expected: 401 or 403

# Test SimplyPrint webhook without token
curl -X POST https://staging-connect-api.forma3d.be/api/v1/webhooks/simplyprint \
  -H "Content-Type: application/json" \
  -d '{"event": "test"}'
# Expected: 401 or 403

# Test SendCloud webhook without signature
curl -X POST https://staging-connect-api.forma3d.be/api/v1/webhooks/sendcloud \
  -H "Content-Type: application/json" \
  -d '{"action": "test"}'
# Expected: 401 or 403

# Install
pip install schemathesis

# Run stateful API testing against Swagger spec
schemathesis run https://staging-connect-api.forma3d.be/api/docs-json \
  --stateful=links \
  --hypothesis-max-examples=100 \
  --report \
  --output schemathesis-report.html

# With authentication header
schemathesis run https://staging-connect-api.forma3d.be/api/docs-json \
  -H "X-API-Key: <internal-api-key>" \
  --stateful=links \
  --report

# Connect to server
ssh -i /path/to/key root@167.172.45.47

# System identification
uname -a
cat /etc/os-release
hostnamectl

# Automated SSH audit
ssh-audit 167.172.45.47

# Check SSH configuration
sshd -T | grep -iE "permit|password|pubkey|protocol|maxauth|alive"

# Check authorized keys
cat ~/.ssh/authorized_keys
# Verify only expected keys are present

# Check UFW status and rules
ufw status verbose

# Expected rules:
# 22/tcp    ALLOW IN    Anywhere
# 80/tcp    ALLOW IN    Anywhere
# 443/tcp   ALLOW IN    Anywhere

# Check iptables directly
iptables -L -n -v
ip6tables -L -n -v

# Check for unexpected ACCEPT rules

# Docker version and configuration
docker version
docker info

# Check Docker daemon configuration
cat /etc/docker/daemon.json
# Verify: log rotation, no insecure registries, no experimental features

# List all containers (including stopped)
docker ps -a

# Check container resource limits
docker inspect --format='{{.Name}} CPU:{{.HostConfig.NanoCpus}} MEM:{{.HostConfig.Memory}}' $(docker ps -q)

# Check container user (should not be root)
docker inspect --format='{{.Name}} User:{{.Config.User}}' $(docker ps -q)

# Check container capabilities
docker inspect --format='{{.Name}} CapAdd:{{.HostConfig.CapAdd}} CapDrop:{{.HostConfig.CapDrop}}' $(docker ps -q)

# Check mounted volumes (sensitive file exposure)
docker inspect --format='{{.Name}} Mounts:{{json .Mounts}}' $(docker ps -q) | python3 -m json.tool

# Check container networks
docker network ls
docker network inspect forma3d-network

# Check if Docker socket is mounted in any container
docker inspect --format='{{.Name}} {{range .Mounts}}{{.Source}}{{end}}' $(docker ps -q) | grep docker.sock

# Check for privileged containers
docker inspect --format='{{.Name}} Privileged:{{.HostConfig.Privileged}}' $(docker ps -q)

# Check Docker image versions for CVEs
trivy image registry.digitalocean.com/forma-3d/forma3d-connect-api:latest
trivy image registry.digitalocean.com/forma-3d/forma3d-connect-web:latest

# Check .env file permissions
ls -la /opt/forma3d/.env
# Should be 600 (owner read/write only)

# Check for secrets in environment variables of running containers
docker inspect --format='{{.Name}} {{.Config.Env}}' $(docker ps -q)
# WARNING: This exposes secrets — document but handle with care

# Check for .env files in unexpected locations
find / -name ".env" -o -name "*.env" 2>/dev/null

# Check for hardcoded credentials in Docker Compose
grep -i "password\|secret\|key\|token" /opt/forma3d/docker-compose.yml

# Check bash history for leaked secrets
cat ~/.bash_history | grep -iE "password|secret|key|token|curl.*-H"

# Check for sensitive files
find /opt/forma3d -name "*.pem" -o -name "*.key" -o -name "*.crt" 2>/dev/null
ls -la /opt/forma3d/certs/

# Check authentication logs
grep "Failed password\|Invalid user\|Accepted" /var/log/auth.log | tail -50

# Check for brute force attempts
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn | head

# Check Docker logs for security events
docker logs forma3d-api 2>&1 | grep -iE "unauthorized|forbidden|error|fail" | tail -50

# Check Traefik access logs
docker logs forma3d-traefik 2>&1 | grep -E "4[0-9]{2}|5[0-9]{2}" | tail -50

# Check for suspicious network connections
ss -tlnp
netstat -antp 2>/dev/null

# Check system logs
journalctl --since "24 hours ago" | grep -iE "error|fail|denied|unauthorized"

# Install and run Lynis
apt install lynis -y
lynis audit system --quick

# Or use Docker
docker run --rm -v /:/hostroot:ro cisofy/lynis audit system --auditor "Pentest" --quick

# Review results
cat /var/log/lynis-report.dat

# Download and run CIS benchmark scripts (Docker CIS Benchmark)
docker run --rm -it \
  --net host --pid host \
  --userns host --cap-add audit_control \
  -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
  -v /etc:/etc:ro \
  -v /usr/bin/containerd:/usr/bin/containerd:ro \
  -v /usr/bin/runc:/usr/bin/runc:ro \
  -v /usr/lib/systemd:/usr/lib/systemd:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --label docker_bench_security \
  docker/docker-bench-security

## Server Security Assessment Checklist

### OS Hardening

- [ ] OS fully patched and up to date
- [ ] Automatic security updates enabled
- [ ] Unnecessary services disabled
- [ ] Kernel hardening parameters set (sysctl)
- [ ] No unnecessary SUID/SGID binaries
- [ ] File permissions correctly set

### SSH

- [ ] Key-based authentication only (no password auth)
- [ ] Root login restricted
- [ ] Fail2ban or equivalent active
- [ ] SSH idle timeout configured
- [ ] Only authorized keys present
- [ ] SSH protocol 2 only

### Firewall

- [ ] UFW/iptables active
- [ ] Only ports 22, 80, 443 open
- [ ] Default deny policy
- [ ] IPv6 rules configured

### Docker

- [ ] Containers run as non-root user
- [ ] No privileged containers
- [ ] No Docker socket mounted in containers
- [ ] Resource limits configured
- [ ] Log rotation configured
- [ ] Base images scanned for CVEs
- [ ] No unnecessary capabilities

### Secrets

- [ ] .env file permissions 600
- [ ] No secrets in bash history
- [ ] No secrets in Docker Compose files (using env_file)
- [ ] No secrets in container image layers
- [ ] Certificate files properly secured

### Logging

- [ ] Auth logs monitored
- [ ] No brute force patterns detected
- [ ] Docker logs rotated
- [ ] No sensitive data in logs

# Verify database is NOT accessible from public internet
nmap -p 25060 db-postgresql-ams3-forma3d-staging-do-user-1196005-0.m.db.ondigitalocean.com

# Check SSL enforcement
psql "postgresql://doadmin@db-postgresql-ams3-forma3d-staging-do-user-1196005-0.m.db.ondigitalocean.com:25060/defaultdb?sslmode=disable" -c "SELECT 1"
# Should FAIL if SSL is enforced

# Check SSL connection
psql "postgresql://doadmin:<password>@db-postgresql-ams3-forma3d-staging-do-user-1196005-0.m.db.ondigitalocean.com:25060/defaultdb?sslmode=require" -c "SELECT version();"

# Connect via the API container's Prisma
docker exec -it forma3d-api npx prisma db execute --stdin <<< "
  SELECT usename, usesuper, usecreatedb, passwd IS NOT NULL as has_password
  FROM pg_user;
"

# Check database roles and permissions
docker exec -it forma3d-api npx prisma db execute --stdin <<< "
  SELECT grantee, table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants
  WHERE grantee NOT IN ('pg_monitor', 'pg_read_all_settings');
"

# Check for sensitive data in plain text
# (Review schema for columns that should be encrypted)
docker exec -it forma3d-api npx prisma db execute --stdin <<< "
  SELECT column_name, data_type, table_name
  FROM information_schema.columns
  WHERE column_name ILIKE '%password%'
     OR column_name ILIKE '%secret%'
     OR column_name ILIKE '%token%'
     OR column_name ILIKE '%key%';
"

## Database Security Checklist

- [ ] SSL/TLS enforced for all connections
- [ ] Minimum privileges for application user
- [ ] No superuser access from application
- [ ] Sensitive fields encrypted at rest (tokens, OAuth data)
- [ ] Connection pooling configured (prevent connection exhaustion)
- [ ] Trusted sources / IP allowlist configured on managed DB
- [ ] Database backups enabled and tested
- [ ] No raw SQL queries (Prisma ORM only)
- [ ] pgAdmin access restricted (IP, credentials, session timeout)

# Verify cosign signature on images
cosign verify --key cosign.pub registry.digitalocean.com/forma-3d/forma3d-connect-api:latest
cosign verify --key cosign.pub registry.digitalocean.com/forma-3d/forma3d-connect-web:latest

# Scan images for vulnerabilities
trivy image --severity HIGH,CRITICAL registry.digitalocean.com/forma-3d/forma3d-connect-api:latest
trivy image --severity HIGH,CRITICAL registry.digitalocean.com/forma-3d/forma3d-connect-web:latest

# Check SBOM (Software Bill of Materials)
cosign verify-attestation --key cosign.pub \
  --type cyclonedx \
  registry.digitalocean.com/forma-3d/forma3d-connect-api:latest

# Analyze Dockerfile for security issues
hadolint apps/api/Dockerfile
hadolint apps/web/Dockerfile

# Check for secrets in image layers
docker history --no-trunc registry.digitalocean.com/forma-3d/forma3d-connect-api:latest
# Look for ENV/ARG with secrets

# Audit npm dependencies
pnpm audit --audit-level=moderate

# Check for outdated packages
pnpm outdated

# Scan with Snyk (if available)
snyk test --all-projects

# Check for known vulnerabilities in lockfile
npm audit --json | jq '.vulnerabilities | to_entries[] | select(.value.severity == "critical" or .value.severity == "high")'

## Supply Chain Security Checklist

- [ ] Container images signed with cosign
- [ ] SBOM generated and attached as attestation
- [ ] No critical/high CVEs in base images
- [ ] No critical/high CVEs in npm dependencies
- [ ] Lockfile (pnpm-lock.yaml) committed and integrity verified
- [ ] Dockerfile uses specific image tags (not :latest in production)
- [ ] Multi-stage builds used (no build tools in final image)
- [ ] Non-root user in container
- [ ] No secrets in image layers
- [ ] CI/CD pipeline integrity (branch protection, signed commits)

# Run Kali as Docker container for quick testing
docker run -it --rm kalilinux/kali-rolling /bin/bash
apt update && apt install -y kali-tools-web kali-tools-information-gathering

# Or use a Kali VM for full GUI tools
# Download from: https://www.kali.org/get-kali/

## Finding: [VULN-001] [Title]

### Metadata

| Field          | Value                                 |
| -------------- | ------------------------------------- |
| Severity       | Critical / High / Medium / Low / Info |
| CVSS Score     | X.X                                   |
| CVSS Vector    | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H   |
| OWASP Category | A01:2021 Broken Access Control        |
| Status         | Open / Remediated / Accepted Risk     |
| Affected Asset | staging-connect-api.forma3d.be        |
| CWE            | CWE-XXX                               |

### Description

[Clear description of the vulnerability]

### Impact

[Business impact if exploited]

### Steps to Reproduce

1. [Step 1]
2. [Step 2]
3. [Step 3]

### Evidence

[Screenshots, request/response pairs, tool output]

### Remediation

**Recommended Fix:**
[Specific code or configuration change]

**Alternative Mitigations:**
[Temporary workarounds if immediate fix is not possible]

### References

- [Link to CWE]
- [Link to OWASP reference]

# Penetration Test — Executive Summary

**Client:** Forma 3D / DevGem  
**Target:** Forma 3D Connect Staging Environment  
**Date:** [Test Date]  
**Tester:** [Name/Organization]  
**Classification:** Confidential

## Overall Risk Rating: [Critical / High / Medium / Low]

## Scope

- Web application, REST API, DNS, server infrastructure (with SSH access)

## Summary of Findings

| Severity      | Count |
| ------------- | ----- |
| Critical      | X     |
| High          | X     |
| Medium        | X     |
| Low           | X     |
| Informational | X     |
| **Total**     | **X** |

## Top 3 Critical Findings

1. [Finding title and brief impact]
2. [Finding title and brief impact]
3. [Finding title and brief impact]

## Key Recommendations

1. [Top priority action]
2. [Second priority action]
3. [Third priority action]

## NIS2 Compliance Status

[Brief assessment of compliance posture]

## Next Steps

- [ ] Remediate critical and high findings within SLA
- [ ] Schedule retest in [X] weeks
- [ ] Update security documentation

## NIS2 Compliance Evaluation

### Governance and Risk Management

- [ ] Information security policy documented and approved
- [ ] Risk assessment methodology defined
- [ ] Risk register maintained and regularly updated
- [ ] Management accountability for cybersecurity (board-level)
- [ ] Security roles and responsibilities defined

### Incident Handling (Art. 21.2b + Art. 23)

- [ ] Incident response plan documented
- [ ] Incident classification scheme (severity levels)
- [ ] 24-hour early warning to CSIRT for significant incidents
- [ ] 72-hour incident notification with initial assessment
- [ ] 1-month final report for significant incidents
- [ ] Incident response team identified
- [ ] Incident response tested (tabletop or simulation)
- [ ] Contact details for national CSIRT known (Belgium: CCB/CERT.be)

### Business Continuity (Art. 21.2c)

- [ ] Business continuity plan documented
- [ ] Backup strategy implemented and tested
- [ ] Recovery Time Objective (RTO) defined
- [ ] Recovery Point Objective (RPO) defined
- [ ] Disaster recovery procedures documented
- [ ] Business continuity plan tested annually

### Supply Chain Security (Art. 21.2d)

- [ ] Third-party risk assessment for critical suppliers
- [ ] Security requirements in supplier contracts
- [ ] SBOM (Software Bill of Materials) generated
- [ ] Container images signed (cosign)
- [ ] Dependency vulnerability scanning automated
- [ ] Supplier security incidents monitored

### Secure Development (Art. 21.2e)

- [ ] Secure coding guidelines documented (.cursorrules)
- [ ] Code review process in place
- [ ] Automated security testing in CI/CD (SAST)
- [ ] Vulnerability disclosure process defined
- [ ] Patch management process defined
- [ ] Change management process documented

### Security Assessment (Art. 21.2f)

- [ ] Regular penetration testing (at least annually)
- [ ] Vulnerability scanning (at least quarterly)
- [ ] Security metrics tracked (MTTD, MTTR)
- [ ] Audit trail maintained
- [ ] Findings tracked to remediation

### Cyber Hygiene (Art. 21.2g)

- [ ] Security awareness training for all team members
- [ ] Secure password policy enforced
- [ ] Phishing awareness
- [ ] Clean desk / clean screen policy
- [ ] Device management policy

### Cryptography (Art. 21.2h)

- [ ] Encryption policy documented
- [ ] TLS 1.2+ enforced for all communications
- [ ] Sensitive data encrypted at rest
- [ ] Key management procedures documented
- [ ] Certificate lifecycle management
- [ ] Cryptographic key rotation schedule

### Access Control (Art. 21.2i)

- [ ] Role-based access control (RBAC) implemented
- [ ] Least privilege principle enforced
- [ ] User access regularly reviewed
- [ ] Privileged access management
- [ ] Asset inventory maintained
- [ ] Offboarding process revokes all access

### Authentication (Art. 21.2j)

- [ ] Multi-factor authentication for administrative access
- [ ] MFA for remote access (SSH, VPN)
- [ ] Strong password requirements enforced
- [ ] Session management secure (timeout, invalidation)
- [ ] API authentication using secure methods (not basic auth)

                    Incident Detected
                           │
                           ▼
              ┌────────────────────────┐
              │  24 Hours: Early       │
              │  Warning to CSIRT      │──── "Is this a significant incident?"
              │  (Belgium: CCB)        │     Cross-border impact? Large-scale?
              └────────────┬───────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │  72 Hours: Incident    │
              │  Notification          │──── Initial assessment, severity,
              │  + Initial Assessment  │     impact, IoCs
              └────────────┬───────────┘
                           │
                           ▼
              ┌────────────────────────┐
              │  1 Month: Final        │
              │  Report                │──── Root cause, remediation,
              │                        │     cross-border impact
              └────────────────────────┘

#!/bin/bash
# quick-external-scan.sh
# Non-intrusive external scan of staging environment

TARGET_API="staging-connect-api.forma3d.be"
TARGET_WEB="staging-connect.forma3d.be"
TARGET_DB="staging-connect-db.forma3d.be"
TARGET_IP="167.172.45.47"
OUTPUT_DIR="pentest-results-$(date +%Y%m%d)"

mkdir -p $OUTPUT_DIR

echo "=== Phase 1: DNS ==="
dig forma3d.be ANY > $OUTPUT_DIR/dns-any.txt
dig axfr forma3d.be @$(dig NS forma3d.be +short | head -1) > $OUTPUT_DIR/dns-axfr.txt 2>&1
dig _dmarc.forma3d.be TXT > $OUTPUT_DIR/dns-dmarc.txt
dig forma3d.be TXT > $OUTPUT_DIR/dns-txt.txt
dig forma3d.be CAA > $OUTPUT_DIR/dns-caa.txt

echo "=== Phase 2: Port Scan ==="
nmap -sS -sV -sC -p- -oA $OUTPUT_DIR/nmap-full $TARGET_IP

echo "=== Phase 3: TLS ==="
testssl.sh --html $TARGET_API > $OUTPUT_DIR/tls-api.html
testssl.sh --html $TARGET_WEB > $OUTPUT_DIR/tls-web.html

echo "=== Phase 4: Security Headers ==="
curl -sI https://$TARGET_API/health > $OUTPUT_DIR/headers-api.txt
curl -sI https://$TARGET_WEB > $OUTPUT_DIR/headers-web.txt
curl -sI https://$TARGET_DB > $OUTPUT_DIR/headers-pgadmin.txt

echo "=== Phase 5: Nuclei ==="
nuclei -u https://$TARGET_API -o $OUTPUT_DIR/nuclei-api.txt
nuclei -u https://$TARGET_WEB -o $OUTPUT_DIR/nuclei-web.txt
nuclei -u https://$TARGET_DB -o $OUTPUT_DIR/nuclei-pgadmin.txt

echo "=== Phase 6: Directory Discovery ==="
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
  -u https://$TARGET_API/FUZZ -mc 200,301,302,403 \
  -o $OUTPUT_DIR/ffuf-api.json -of json

echo "=== Scan complete. Results in $OUTPUT_DIR ==="

#!/bin/bash
# quick-server-audit.sh
# Run on the droplet after SSH access

OUTPUT_DIR="/tmp/audit-$(date +%Y%m%d)"
mkdir -p $OUTPUT_DIR

echo "=== System Info ==="
uname -a > $OUTPUT_DIR/system-info.txt
cat /etc/os-release >> $OUTPUT_DIR/system-info.txt

echo "=== Open Ports ==="
ss -tlnp > $OUTPUT_DIR/open-ports.txt

echo "=== Running Services ==="
systemctl list-units --type=service --state=running > $OUTPUT_DIR/services.txt

echo "=== Firewall ==="
ufw status verbose > $OUTPUT_DIR/firewall.txt

echo "=== SSH Config ==="
sshd -T 2>/dev/null > $OUTPUT_DIR/ssh-config.txt

echo "=== Docker Containers ==="
docker ps -a > $OUTPUT_DIR/docker-containers.txt
docker images > $OUTPUT_DIR/docker-images.txt

echo "=== Docker Security ==="
for container in $(docker ps -q); do
  name=$(docker inspect --format='{{.Name}}' $container)
  echo "--- $name ---" >> $OUTPUT_DIR/docker-security.txt
  docker inspect --format='User:{{.Config.User}} Privileged:{{.HostConfig.Privileged}} CapAdd:{{.HostConfig.CapAdd}}' $container >> $OUTPUT_DIR/docker-security.txt
done

echo "=== .env Permissions ==="
ls -la /opt/forma3d/.env > $OUTPUT_DIR/env-permissions.txt

echo "=== Updatable Packages ==="
apt list --upgradable 2>/dev/null > $OUTPUT_DIR/updatable-packages.txt

echo "=== SUID Binaries ==="
find / -perm -4000 -type f 2>/dev/null > $OUTPUT_DIR/suid-binaries.txt

echo "=== Failed Auth (Last 50) ==="
grep "Failed password\|Invalid user" /var/log/auth.log 2>/dev/null | tail -50 > $OUTPUT_DIR/failed-auth.txt

echo "=== Audit complete. Results in $OUTPUT_DIR ==="