# ONATEL - Office National des Telecommunications
**Sector:** Telecommunications (State Telecom + ISP)
**Date:** 2026-03-03
**Source:** THOT Domain Intel + Manual Recon

## Domains
| Domain | Status |
|--------|--------|
| `onatel.bf` | UP (403 - Red Hat test page) |

## Hosting & Infrastructure
- **IP:** 196.28.243.151 (Burkina Faso)
- **Server:** Apache/2.4.62 (Red Hat Enterprise Linux)
- **OpenSSL:** 3.5.1
- **Module:** mod_fcgid/2.3.9
- **Status:** Returns 403 Forbidden — shows default "Test Page for the HTTP Server on Red Hat Enterprise Linux"
- **WHOIS Registrar:** MOOV AFRICA (dns_contact@fasonet.bf)

## Tech Stack
- Apache 2.4.62 on RHEL
- OpenSSL 3.5.1
- mod_fcgid (FastCGI Process Manager)
- Default email in test page: webmaster@example.com (unchanged default config)

## DNS Records (13 found)
- Full DNS infrastructure with SPF, DMARC
- **DMARC record reveals email:** `e.guigma@onatel.bf` (in rua/ruf reporting fields)
- MX records indicate email infrastructure

## Subdomains (14 found via brute-force)
- `www.onatel.bf` — main website
- `dbadmin.onatel.bf` — **DATABASE ADMIN PANEL EXPOSED**
- `api.onatel.bf` — API endpoint
- `id.onatel.bf` — identity/authentication service
- `service.onatel.bf` — service portal
- `mail.onatel.bf` — mail server
- `email.onatel.bf` — secondary mail
- `efacture.onatel.bf` — electronic billing
- `autodiscover.onatel.bf` — Exchange/M365 autodiscover
- `webmail.onatel.bf` — webmail interface
- Additional subdomains from crt.sh harvest

## Interesting Findings
- **403 Forbidden on main domain** — web server is running but no site deployed, shows RHEL default test page
- **Default webmaster@example.com** — Apache config not customized = sloppy deployment
- **dbadmin subdomain** — database administration panel publicly accessible (phpMyAdmin or similar)
- **DMARC reveals personnel:** e.guigma@onatel.bf receives DMARC reports
- **efacture subdomain** — electronic invoicing system, likely has customer data
- **id.onatel.bf** — authentication/identity service, high-value target
- **api.onatel.bf** — API endpoint for services
- **This is the national telecom AND .bf TLD operator** — compromise here = domain infrastructure compromise

## Security Concerns
- dbadmin publicly resolvable = potential database access if not properly secured
- Default Apache test page suggests incomplete deployment or misconfiguration
- Multiple exposed services (efacture, api, id) increase attack surface
- As TLD operator, ONATEL infrastructure compromise could affect all .bf domains

## Emails Discovered
- `e.guigma@onatel.bf` (from DMARC record)
- `dns_contact@fasonet.bf` (from WHOIS — FasoNet is an ONATEL subsidiary)

## LATERAL FINDINGS (2026-03-04)

### api.onatel.bf — "Ma Consommation" Customer Portal
- **IP:** 196.28.243.158
- **Server:** Nginx
- **Title:** "Ma Consommation" (consumption monitoring app)
- **HSTS:** max-age=31536000 with includeSubDomains
- **Security Headers:** X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, X-XSS-Protection
- Likely a Vue.js or React SPA (serves HTML with logo.jpeg)

### service.onatel.bf — "Nectar+" (CRITICAL CORS FLAW)
- **CNAME:** serviceclient.moov-africa.bf
- **Server:** Apache/2.4.62 (Rocky Linux), PHP/8.1.34, OpenSSL/3.5.1
- **Title:** "Nectar+"
- **CRITICAL CORS MISCONFIGURATION:**
  ```
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
  Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
  Access-Control-Allow-Credentials: true
  ```
- Wildcard origin + credentials = any website can make authenticated requests
- PHPSESSID cookie exposed
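As an added illustration (not part of this recon note), a small audit function that classifies a CORS header set such as the one quoted above; every input is a constructed header dict, the origins are placeholders, and nothing is sent over the network.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CorsVerdict:
    level: str   # "ok" < "weak" < "misconfigured" < "exploitable"
    reason: str


def _header(headers, name):
    """Case-insensitive lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def audit_cors(headers, request_origin=None, trusted_origins=()):
    """Classify the Access-Control-* headers a server returned for one request.

    request_origin is the Origin header that was sent (None if none was sent);
    trusted_origins are the origins the site legitimately serves cross-origin.
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    creds = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    vary_tokens = {t.strip().lower() for t in (_header(headers, "Vary") or "").split(",")}
    if acao is None:
        return CorsVerdict("ok", "no CORS headers: browsers refuse cross-origin reads")
    if acao == "*":
        if creds:
            # Browsers reject '*' paired with credentials, so cookies do not leak
            # through this exact response; the policy is still wrong and usually
            # signals a blanket rule that nobody reviewed.
            return CorsVerdict("misconfigured",
                               "wildcard origin with Allow-Credentials: true; "
                               "browsers reject the pairing, fix the policy anyway")
        return CorsVerdict("weak", "wildcard origin: serve only public, unauthenticated data")
    if creds and request_origin and acao == request_origin and request_origin not in trusted_origins:
        # The server echoed an untrusted Origin and allowed credentials: any site
        # the victim visits could read their authenticated responses.
        return CorsVerdict("exploitable", f"untrusted origin {acao} reflected with credentials")
    if "origin" not in vary_tokens:
        # Per-origin ACAO without Vary: Origin lets a shared cache hand one
        # origin's CORS headers to a different origin.
        return CorsVerdict("weak", f"origin pinned to {acao} but Vary: Origin is missing")
    return CorsVerdict("ok", f"origin pinned to {acao} with Vary: Origin")


# Constructed samples: the weak pairing quoted above, and a corrected policy
# whose origin is a placeholder, not a real host.
WILDCARD_WITH_CREDS = {"Access-Control-Allow-Origin": "*",
                       "Access-Control-Allow-Credentials": "true"}
ALLOWLISTED = {"Access-Control-Allow-Origin": "https://portal.example.invalid",
               "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
```

One caveat worth recording beside the finding: browsers refuse `Access-Control-Allow-Origin: *` when `Allow-Credentials: true` is also present, so that exact pairing does not leak cookies by itself; the exploitable variant is a server that reflects an arbitrary Origin together with credentials, which is what the `exploitable` verdict checks for.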

### efacture.onatel.bf — Electronic Invoicing
- **IP:** 196.28.243.135
- **X-Powered-By:** InzaS (custom platform)
- **Server:** "localhost" (misconfigured)
- **Last-Modified:** Mon, 31 Jul 2017 (7+ years old)
- **Content-Length:** 0 (empty body — possibly redirect or SPA)

### id.onatel.bf — Identity Service
- **IP:** 196.28.243.155
- **Status:** Connection timeout on both protocols
- Possibly firewalled or internal-only

### dbadmin.onatel.bf — Database Admin (EXTERNAL)
- **IP:** 212.52.142.20 (**NOT in BF address space!**)
- **Status:** Connection timeout
- Different network from all other ONATEL IPs (196.28.243.x)
- May be hosted externally or decommissioned

### ONATEL IP Map
| IP | Subdomain | Service |
|----|-----------|---------|
| 196.28.243.151 | onatel.bf | Main (403 test page) |
| 196.28.243.158 | api.onatel.bf | Ma Consommation (Nginx) |
| 196.28.243.155 | id.onatel.bf | Identity (timeout) |
| 196.28.243.135 | efacture.onatel.bf | InzaS e-invoicing |
| 212.52.142.20 | dbadmin.onatel.bf | DB admin (EXTERNAL) |

## TODO
- [ ] Test CORS on service.onatel.bf with actual credential requests
- [ ] Research IP 212.52.142.20 (dbadmin)
- [ ] Shodan/Censys on all ONATEL IPs
- [ ] Check api.onatel.bf for API endpoints
