External Penetration Test - Owl Gateway¶
- Date: 2026-02-12
- Target: owl.scandora.net (46.110.77.34)
- Source: CenturyLink WiFi (external perspective)
- Tester: Joe Scandora (authorized)
- Status: 🔄 IN PROGRESS
Executive Summary¶
This penetration test validates the security posture of owl.scandora.net after fixing a CRITICAL WebGUI WAN exposure vulnerability discovered earlier today (2026-02-12 02:00 CST).
Primary Objective: Confirm WebGUI is blocked on WAN interface after deploying fix
Secondary Objectives:
- Enumerate all publicly exposed services
- Verify SSH hardening (GeoIP, fail2ban, key-only auth)
- Identify any unexpected open ports
- Validate firewall rules from external perspective
Test Scope¶
In Scope¶
- ✅ DNS reconnaissance
- ✅ Full TCP port scan (1-65535)
- ✅ UDP scan of common ports
- ✅ Service version detection
- ✅ SSH security testing
- ✅ WebGUI exposure validation (CRITICAL)
- ✅ Common vulnerability scanning
Out of Scope¶
- ❌ Exploitation attempts
- ❌ DoS/DDoS testing
- ❌ Social engineering
- ❌ Physical security testing
- ❌ Internal network testing (ZeroTier overlay)
Expected Baseline (Security Posture)¶
Based on configuration, we expect to find:
✅ Should Be Accessible¶
| Service | Port | Protocol | Notes |
|---|---|---|---|
| SSH | 22 | TCP | GeoIP filtering (US only), fail2ban, key-only |
| ICMP | - | ICMP | Ping responses enabled |
| ZeroTier | 9993 | UDP | Overlay network mesh |
❌ Should Be BLOCKED¶
| Service | Port | Protocol | Criticality |
|---|---|---|---|
| WebGUI | 443, 8443 | TCP | CRITICAL - Primary validation |
| DNS | 53 | TCP/UDP | HIGH |
| HTTP | 80 | TCP | MEDIUM |
| SMB | 445 | TCP | HIGH |
| MySQL | 3306 | TCP | HIGH |
| PostgreSQL | 5432 | TCP | HIGH |
| RDP | 3389 | TCP | HIGH |
Test Methodology¶
Phase 1: Network Reconnaissance¶
```bash
# Verify you are testing from outside (public IP should NOT be 46.110.77.x)
curl ifconfig.me
# DNS enumeration: forward and reverse records
dig owl.scandora.net +short
dig -x 46.110.77.34 +short
# Dump what the zone hands out. ANY is routinely refused or minimized (RFC 8482),
# so an empty or short answer here is not proof that no other names exist.
dig scandora.net ANY
```
Phase 2: Port Scanning¶
```bash
# Quick scan - common ports (SYN scan needs root)
sudo nmap -Pn -sS -p 21,22,23,25,53,80,110,143,443,445,3306,3389,5432,8080,8443,9993 46.110.77.34
# Full TCP scan (all 65535 ports)
sudo nmap -Pn -sS -p- --open 46.110.77.34
# UDP scan (top 100 ports). Most UDP results come back "open|filtered" (no reply);
# only "open" (a UDP response was received) counts as an exposure. 9993/udp is not
# in nmap's top 100, so the ZeroTier port needs its own -sU -p 9993 run.
sudo nmap -Pn -sU --top-ports 100 46.110.77.34
```
Phase 3: Service Detection¶
```bash
# Version detection and default scripts on the open ports found in Phase 2
sudo nmap -Pn -sV -sC -p <open-ports> 46.110.77.34
# OS fingerprinting (needs root)
sudo nmap -Pn -O 46.110.77.34
```
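The scans above leave the comparison against the expected baseline to the tester. The following is an added example, not part of this report or of the external-pentest.sh script it references: it parses nmap XML output (the scans must also be written with `-oX <file>` or `-oA <basename>`, which is an assumption about how they are run), classifies every reported port against the Should Be Accessible / Should Be BLOCKED tables, and prints the Open Ports and Security Baseline Validation rows with PASS/FAIL. The embedded XML is a constructed sample, not real scan data for owl; it deliberately includes one unexpected open port so the failure path is exercised.

```python
"""Added example, not code from this report or from scripts/security/external-pentest.sh:
check nmap XML output against the report's expected baseline and fill the
"Open Ports" and "Security Baseline Validation" tables with PASS/FAIL.
Assumes the Phase 2/3 scans were also written with -oX <file> (or -oA)."""
import sys
import xml.etree.ElementTree as ET

ALLOWED = {(22, "tcp"), (9993, "udp")}          # may be open from the WAN
MUST_BE_BLOCKED = {                             # named services and their criticality
    (443, "tcp"): ("WebGUI", "CRITICAL"), (8443, "tcp"): ("WebGUI", "CRITICAL"),
    (53, "tcp"): ("DNS", "HIGH"), (53, "udp"): ("DNS", "HIGH"), (80, "tcp"): ("HTTP", "MEDIUM"),
    (445, "tcp"): ("SMB", "HIGH"), (3306, "tcp"): ("MySQL", "HIGH"),
    (5432, "tcp"): ("PostgreSQL", "HIGH"), (3389, "tcp"): ("RDP", "HIGH"),
}
BASELINE = [                                    # rows of the validation table
    ("WebGUI on 443", (443, "tcp"), "BLOCKED"), ("WebGUI on 8443", (8443, "tcp"), "BLOCKED"),
    ("SSH on 22", (22, "tcp"), "OPEN"), ("DNS on 53", (53, "tcp"), "BLOCKED"),
    ("HTTP on 80", (80, "tcp"), "BLOCKED"),
]
# Constructed sample, NOT a real scan of the target. It deliberately contains one
# unexpected open port (53/udp) so the failure path is exercised.
SAMPLE_XML = """<nmaprun scanner="nmap"><host><address addr="46.110.77.34" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="9.9"/></port>
<port protocol="tcp" portid="80"><state state="filtered" reason="no-response"/><service name="http"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/><service name="https"/></port>
<port protocol="tcp" portid="8443"><state state="closed" reason="reset"/><service name="https-alt"/></port>
<port protocol="udp" portid="53"><state state="open" reason="udp-response"/><service name="domain"/></port>
<port protocol="udp" portid="9993"><state state="open|filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""


def parse_ports(xml_text):
    """Every <port> nmap reported, including closed/filtered ones. state/reason
    record HOW a port is blocked: a firewall DROP shows as filtered/no-response,
    a REJECT or no listener as closed/reset."""
    ports = []
    for port in ET.fromstring(xml_text).iter("port"):
        st, svc = port.find("state"), port.find("service")
        product = [svc.get(k) for k in ("product", "version") if svc is not None and svc.get(k)]
        ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                      "state": st.get("state"), "reason": st.get("reason", ""),
                      "service": svc.get("name", "") if svc is not None else "",
                      "version": " ".join(product)})
    return ports


def evaluate(ports):
    """Rows for the Open Ports table plus the list of unexpected exposures.
    UDP open|filtered means no reply at all: ambiguous, not an exposure."""
    rows, unexpected = [], []
    for p in ports:
        key = (p["port"], p["proto"])
        if p["state"] == "open":
            if key in ALLOWED:
                status = "Expected"
            else:
                name, sev = MUST_BE_BLOCKED.get(key, (p["service"] or "unknown", "HIGH"))
                status = "UNEXPECTED (%s)" % sev
                unexpected.append((key, name, sev))
        elif p["state"] == "open|filtered":
            status = "unconfirmed: open|filtered (no response)"
        else:
            status = "blocked: %s (%s)" % (p["state"], p["reason"])
        rows.append((p["port"], p["proto"], p["service"], p["version"], status))
    return rows, unexpected


def baseline_checks(ports):
    """Rows for the Security Baseline Validation table: (check, expected, actual, status)."""
    state = {(p["port"], p["proto"]): p["state"] for p in ports}
    checks = []
    for check, key, expected in BASELINE:
        actual = state.get(key, "not listed (not open)")  # --open omits non-open ports
        is_open = actual == "open"
        ok = is_open if expected == "OPEN" else not is_open
        checks.append((check, expected, actual, "PASS" if ok else "FAIL"))
    others = sorted(k for k, s in state.items() if s == "open" and k not in ALLOWED)
    actual = "none open" if not others else "open: " + ", ".join("%d/%s" % k for k in others)
    checks.append(("All other ports", "BLOCKED", actual, "FAIL" if others else "PASS"))
    return checks


def overall_status(checks):
    return "PASS" if all(c[3] == "PASS" for c in checks) else "FAIL"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    ports = parse_ports(text)
    rows, unexpected = evaluate(ports)
    print("| Port | Protocol | Service | Version | Status |\n|---|---|---|---|---|")
    print("\n".join("| %s | %s | %s | %s | %s |" % r for r in rows))
    checks = baseline_checks(ports)
    print("\n| Check | Expected | Actual | Status |\n|---|---|---|---|")
    print("\n".join("| %s | %s | %s | %s |" % c for c in checks))
    print("\nOverall Status:", overall_status(checks))
```

Run it as `python3 baseline_check.py nmap-full.xml` (the file names are placeholders); with no argument it runs on the constructed sample, where the stray 53/udp produces a FAIL on "All other ports" and therefore an overall FAIL. Ports absent from the XML are treated as not open, which is what `--open` output implies; a UDP `open|filtered` result is reported as unconfirmed rather than blocked, because it only means nothing answered.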
Phase 4: SSH Security¶
```bash
# SSH banner grab (-w 5: give up after 5 s)
nc -v -w 5 46.110.77.34 22
# Enumerate SSH algorithms
nmap --script ssh2-enum-algos -p 22 46.110.77.34
# Test authentication methods
nmap --script ssh-auth-methods -p 22 46.110.77.34
# Verify key-only auth: refuse to use keys and offer only password.
# Expected: "Permission denied (publickey)." with no password prompt.
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password -o ConnectTimeout=10 joe@46.110.77.34
```
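Reading the ssh2-enum-algos and ssh-auth-methods output by eye is easy to get wrong. The following is an added example, not part of this report or of its scripts: it parses the normal (`-oN`) text output of those two nmap scripts, flags algorithms generally considered weak (SHA-1 key exchange, CBC/arcfour/3DES ciphers, MD5/SHA-1/UMAC-64 MACs, ssh-rsa and ssh-dss host keys; that weak list is my own, not the report's), and confirms that publickey is the only authentication method offered. Both sample outputs are constructed, not captured from owl; the first one deliberately offers a few legacy algorithms so the checks fire.

```python
"""Added example, not from this report: audit nmap's ssh2-enum-algos and
ssh-auth-methods output (normal/-oN text) for weak algorithms and for
password authentication being offered. Sample output below is constructed."""
import re
import sys

# Constructed sample of the two script outputs; not a capture from owl.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (5)
|       sntrup761x25519-sha512@openssh.com
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       diffie-hellman-group16-sha512
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (3)
|       ssh-ed25519
|       rsa-sha2-512
|       ssh-rsa
|   encryption_algorithms: (4)
|       chacha20-poly1305@openssh.com
|       aes256-gcm@openssh.com
|       aes256-ctr
|       aes256-cbc
|   mac_algorithms: (3)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
| ssh-auth-methods: 
|_  Supported authentication methods: publickey
"""
# Same script when the server offers several methods (one item per line).
SAMPLE_AUTH_MULTILINE = """\
| ssh-auth-methods: 
|   Supported authentication methods: 
|     publickey
|_    password
"""

# What counts as weak, per section of the ssh2-enum-algos output (my list).
WEAK = {
    "kex_algorithms": lambda a: a.endswith("-sha1"),                       # SHA-1 key exchange
    "server_host_key_algorithms": lambda a: a in ("ssh-rsa", "ssh-dss"),   # SHA-1 signatures / DSA
    "encryption_algorithms": lambda a: a.endswith("-cbc") or a.startswith(("arcfour", "3des")),
    "mac_algorithms": lambda a: re.search(r"md5|sha1|umac-64", a) is not None,
}


def parse_nmap_ssh(text):
    """Script output lines start with '| ' or '|_'. A line containing ':' is a
    header: at indent 1 it names the script, deeper it names a section (the
    '(N)' count and any inline comma-separated items are handled). Other lines
    are items of the current section. Returns {script: {section: [items]}}."""
    result, script, section = {}, None, None
    for raw in text.splitlines():
        m = re.match(r"^\|_?(.*)$", raw)
        if not m:
            continue                                  # not a script-output line
        body = m.group(1)
        indent = len(body) - len(body.lstrip(" "))
        body = body.strip()
        if not body:
            continue
        if ":" in body:
            name, rest = body.split(":", 1)
            rest = re.sub(r"^\s*\(\d+\)", "", rest)   # drop the "(N)" item count
            if indent <= 1:
                script, section = name.strip(), None
                result.setdefault(script, {})
            elif script is not None:
                section = name.strip()
                result[script][section] = [x.strip() for x in rest.split(",") if x.strip()]
        elif script is not None and section is not None:
            result[script][section].append(body)
    return result


def audit(parsed):
    """Weak algorithms offered, auth methods offered, and whether login is key-only."""
    algos = parsed.get("ssh2-enum-algos", {})
    weak = [(sec, a) for sec, is_weak in WEAK.items() for a in algos.get(sec, []) if is_weak(a)]
    methods = parsed.get("ssh-auth-methods", {}).get("Supported authentication methods", [])
    key_only = bool(methods) and all(m == "publickey" for m in methods)
    return {"weak_algorithms": weak, "auth_methods": methods, "key_only": key_only}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    r = audit(parse_nmap_ssh(text))
    for sec, a in r["weak_algorithms"]:
        print("WEAK  %-28s %s" % (sec, a))
    print("auth methods:", ", ".join(r["auth_methods"]) or "(none parsed)")
    print("key-only auth:", "PASS" if r["key_only"] else "FAIL")
```

Feed it the saved `-oN` output of the two nmap script runs above (`python3 ssh_audit.py ssh-scan.txt`; the file names are placeholders). Anything listed as WEAK goes into the SSH Algorithms finding; `keyboard-interactive` is treated the same as `password`, since it can carry a password prompt, so a key-only server passes only when `publickey` is the sole method.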
Phase 5: WebGUI Testing (CRITICAL)¶
```bash
# Test HTTPS port 443 (should be BLOCKED)
# Expected: curl exits 28 (timeout: firewall DROP) or 7 (connection refused: REJECT or nothing listening)
curl -v --connect-timeout 5 -k https://46.110.77.34/
# Test HTTPS port 8443 (should be BLOCKED)
curl -v --connect-timeout 5 -k https://46.110.77.34:8443/
# Only if either port answers: record the TLS configuration as evidence
nmap --script ssl-enum-ciphers -p 443,8443 46.110.77.34
```
Findings¶
1. Open Ports¶
[TO BE FILLED IN AFTER SCAN]
| Port | Protocol | Service | Version | Status |
|---|---|---|---|---|
| 22 | TCP | SSH | OpenSSH x.x | ✅ Expected |
| ... | ... | ... | ... | ... |
2. Unexpected Exposures¶
[TO BE FILLED IN]
- No unexpected open ports found
- List any unexpected services here
3. WebGUI Validation (PRIMARY OBJECTIVE)¶
[TO BE FILLED IN AFTER TEST]
- Port 443: BLOCKED ✅ PASS / REACHABLE ❌ FAIL (record how it is blocked: nmap "filtered" / curl timeout means the firewall drops; "closed" / connection refused means it rejects or nothing is listening)
- Port 8443: BLOCKED ✅ PASS / REACHABLE ❌ FAIL (same)
Result: [PASS/FAIL]
Evidence: [curl exit codes and nmap port states for 443 and 8443]
4. SSH Security¶
[TO BE FILLED IN]
- SSH accessible on port 22
- Password authentication disabled (ssh-auth-methods lists publickey only; a password-only login attempt gets "Permission denied (publickey)")
- Only strong ciphers/KEX algorithms (no SHA-1 KEX, CBC ciphers, or MD5/SHA-1 MACs offered)
- fail2ban operational (test with 3 failed attempts; do this last, since it bans the tester's own source IP)
- GeoIP filtering (US only) cannot be confirmed from this test: the source is a US address, so a non-US vantage point is needed
SSH Algorithms:
5. Other Findings¶
[TO BE FILLED IN]
List any other security observations:
- DNS leaks
- Service version vulnerabilities
- Misconfigured services
- etc.
Risk Assessment¶
| Finding | Severity | CVSS | Impact | Likelihood |
|---|---|---|---|---|
| [Finding 1] | HIGH/MEDIUM/LOW | x.x | [impact] | [likelihood] |
Recommendations¶
Immediate Actions¶
[TO BE FILLED IN]
- [Any critical fixes needed]
- [Any high-priority hardening]
Short-Term Improvements¶
[TO BE FILLED IN]
- [Recommended security enhancements]
- [Configuration improvements]
Long-Term Strategy¶
[TO BE FILLED IN]
- [Automated external scanning]
- [Security monitoring enhancements]
- [Regular pen testing schedule]
Security Baseline Validation¶
| Check | Expected | Actual | Status |
|---|---|---|---|
| WebGUI on 443 | BLOCKED | [RESULT] | [PASS/FAIL] |
| WebGUI on 8443 | BLOCKED | [RESULT] | [PASS/FAIL] |
| SSH on 22 | OPEN | [RESULT] | [PASS/FAIL] |
| DNS on 53 | BLOCKED | [RESULT] | [PASS/FAIL] |
| HTTP on 80 | BLOCKED | [RESULT] | [PASS/FAIL] |
| All other ports | BLOCKED | [RESULT] | [PASS/FAIL] |
Overall Status: [PASS/FAIL]
Conclusion¶
[TO BE FILLED IN AFTER COMPLETING TEST]
Summary of findings:
- Total ports scanned: 65535 TCP + top 100 UDP
- Open ports found: X
- Unexpected exposures: X
- Critical issues: X
- High issues: X
- Medium issues: X
- Low issues: X
WebGUI Fix Validation: [PASS/FAIL]
Recommendation: [Continue monitoring / Address findings / etc.]
Appendices¶
Appendix A: Raw Scan Data¶
See: docs/security/nmap-full-<timestamp>.txt
Appendix B: Test Environment¶
- Source IP: [TO BE FILLED]
- Source ISP: CenturyLink
- Source Location: Blue residence, Colorado
- Test Duration: [START] - [END]
- Tools Used: nmap, curl, dig, nc
Appendix C: Related Incidents¶
- 2026-02-12: WebGUI WAN Exposure (HIGH severity, resolved)
- Root cause: missing `become: true` in the webgui task
- Fix: deployed config-xml-webgui.yml with sudo permissions
- Validation: this pen test
Report Status: 🔄 Template ready - awaiting test execution
Next Steps:
- Run pen test: `./scripts/security/external-pentest.sh`
- Fill in findings sections above
- Commit report: `git add docs/security/ && git commit -m "security: external pen test findings"`