# Haiti Government cPanel & Email Infrastructure Recon

**Date:** 2026-03-04
**Source:** THOT certificate transparency discoveries, probed from a local machine
**Scope:** 20 cPanel targets, 29 autodiscover targets

---

## EXECUTIVE SUMMARY

- **7 active cPanel admin panels** confirmed (+ 2 bonus: orepacentre, orepaouest)
- **2 additional cPanels discovered** via autodiscover probing (mae.gouv.ht, dzf.gouv.ht)
- **1 CRITICAL Microsoft Exchange 2016 server** fully exposed (douane.gouv.ht - Customs)
- **2 behind openresty reverse proxy** (mtptc, ute) - partially accessible
- **13 cPanel targets NXDOMAIN** (DNS deleted but certs still in CT logs)
- **22 of 29 autodiscover targets NXDOMAIN** - infrastructure decommissioned
- **5 hosting providers identified** serving Haiti .gouv.ht domains
- **0 DMARC enforcement** on most domains (only douane has reject policy)

---

## CRITICAL FINDING: EXCHANGE 2016 SERVER (DOUANE / CUSTOMS)

### Target: `agdmail.douane.gouv.ht` / `autodiscover.douane.gouv.ht`
- **IP:** `190.115.189.36` (Haiti, via web.ht nameservers)
- **Server:** Microsoft IIS/10.0 + Exchange 2016
- **Build:** `15.1.2507.61` (CU23 + approx Oct 2024 Security Update)
- **Frontend Server:** `EX2016`
- **ASP.NET:** 4.0.30319
- **SSL Cert:** CN=agdmail.douane.gouv.ht (Let's Encrypt R13, valid Feb 25 - May 26 2026)
- **SAN:** agdmail.douane.gouv.ht, autodiscover.douane.gouv.ht

### Exposed Endpoints (ALL CONFIRMED LIVE):
| Endpoint | URL | Status |
|----------|-----|--------|
| **OWA (Outlook Web Access)** | `https://agdmail.douane.gouv.ht/owa/` | 440 Login Timeout (login page served) |
| **OWA Logon** | `https://agdmail.douane.gouv.ht/owa/auth/logon.aspx` | 200 OK - Full login page |
| **ECP (Exchange Control Panel)** | `https://agdmail.douane.gouv.ht/ecp/` | 440 Login Timeout |
| **EWS (Exchange Web Services)** | `https://agdmail.douane.gouv.ht/ews/exchange.asmx` | 401 - NTLM/Negotiate auth |
| **MAPI/HTTP** | `https://agdmail.douane.gouv.ht/mapi/` | 401 - NTLM/Negotiate auth |
| **RPC/HTTP** | `https://agdmail.douane.gouv.ht/rpc/rpcproxy.dll` | 401 - **Basic + NTLM + Negotiate** |
| **PowerShell** | `https://agdmail.douane.gouv.ht/powershell/` | 401 - Kerberos auth |
| **ActiveSync** | `https://agdmail.douane.gouv.ht/Microsoft-Server-ActiveSync` | 401 - **Basic realm="agdmail.douane.gouv.ht"** |
| **OAB (Offline Address Book)** | `https://agdmail.douane.gouv.ht/oab/` | 401 - NTLM/Negotiate auth |
| **Autodiscover** | `https://autodiscover.douane.gouv.ht/autodiscover/autodiscover.xml` | POST accepted |

### Authentication Methods Available:
- **Basic Auth** on RPC/HTTP and ActiveSync (credentials travel base64-encoded, i.e. effectively cleartext, protected only by the TLS session)
- **NTLM** on EWS, MAPI, RPC, OAB
- **Negotiate/Kerberos** on PowerShell, EWS, MAPI
- **WS-Security** enabled on EWS
- **OAuth** enabled on EWS
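The scheme list above is what a defender should reproduce from their own server's `WWW-Authenticate` challenges before and after disabling legacy authentication. The script below is an added example, not tooling from this report: it parses challenge header values per virtual directory and flags any endpoint that still offers Basic. The `SAMPLE_CHALLENGES` dict and its `mail.example` realm are constructed for the example, not captured from a live host.

```python
"""Classify the authentication schemes an Exchange front end advertises.

Added example (not tooling from this report): given the WWW-Authenticate
challenge values captured per virtual directory, it parses the scheme
tokens and flags endpoints that still accept legacy Basic authentication.
SAMPLE_CHALLENGES is constructed for this example; the realm value is a
placeholder, not a live capture.
"""
from typing import Dict, List

# Constructed sample: endpoint path -> WWW-Authenticate header values as a
# server may send them (one per header line, or several comma-joined).
SAMPLE_CHALLENGES: Dict[str, List[str]] = {
    "/ews/exchange.asmx": ["Negotiate, NTLM"],
    "/mapi/": ["Negotiate", "NTLM"],
    "/rpc/rpcproxy.dll": ['Basic realm="mail.example"', "NTLM", "Negotiate"],
    "/powershell/": ["Negotiate"],
    "/Microsoft-Server-ActiveSync": ['Basic realm="mail.example"'],
    "/oab/": ["Negotiate", "NTLM"],
}

LEGACY = {"basic"}                 # credentials are only base64-encoded
INTEGRATED = {"ntlm", "negotiate"}  # Windows integrated authentication


def scheme_of(challenge: str) -> str:
    """Return the lower-cased scheme token of one challenge.

    A challenge is 'Scheme [param=value, ...]'; the scheme is the first
    whitespace-delimited token ('Basic realm="x"' -> 'basic').
    """
    return challenge.strip().split()[0].lower()


def schemes_for(header_values: List[str]) -> List[str]:
    """Expand header values into an ordered, de-duplicated scheme list.

    Comma-joined challenges ('Negotiate, NTLM') are split apart. Segments
    that carry only parameters (e.g. the 'nonce=...' half of a Digest
    challenge) are skipped so they are not mistaken for a scheme. Commas
    inside a quoted parameter value are not handled by this simple split.
    """
    seen: List[str] = []
    for value in header_values:
        for segment in value.split(","):
            segment = segment.strip()
            if not segment or "=" in segment.split()[0]:
                continue
            s = scheme_of(segment)
            if s not in seen:
                seen.append(s)
    return seen


def audit(challenges: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """Per-endpoint findings: schemes seen, Basic present, integrated-only."""
    report: Dict[str, Dict[str, object]] = {}
    for endpoint, values in challenges.items():
        schemes = schemes_for(values)
        report[endpoint] = {
            "schemes": schemes,
            "legacy_basic": any(s in LEGACY for s in schemes),
            "integrated_only": bool(schemes) and all(s in INTEGRATED for s in schemes),
        }
    return report


def endpoints_with_basic(challenges: Dict[str, List[str]]) -> List[str]:
    """Endpoints a defender should revisit: Basic is still offered there."""
    return sorted(ep for ep, f in audit(challenges).items() if f["legacy_basic"])


if __name__ == "__main__":
    for ep, f in audit(SAMPLE_CHALLENGES).items():
        flag = "LEGACY BASIC" if f["legacy_basic"] else "ok"
        print(f"{ep:30} {', '.join(f['schemes']):24} {flag}")
```

Feed it the header values from your own server's 401 responses; an empty `endpoints_with_basic` result is the check that legacy authentication is really off on every virtual directory, not just the ones you remembered to change.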

### DMARC Record (Intelligence):
```
v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=5;fo=1;rf=afrf;ri=86400;
rua=mailto:xchgad@douane.gouv.ht,mailto:8f2289ef@mxtoolbox.dmarc-report.com;
ruf=mailto:xchgad@douane.gouv.ht,mailto:8f2289ef@forensics.dmarc-report.com
```
- **Exchange Admin email:** `xchgad@douane.gouv.ht`
- DMARC only at 5% enforcement (`pct=5`)
- Uses MXToolbox DMARC reporting

### SPF Record:
```
v=spf1 ip4:162.210.99.100 ip4:162.210.99.101 +a +mx +ip4:190.115.189.36/32 +ip4:200.113.223.92/32 ~all
```
- **Primary mail:** 190.115.189.36 (agdmail)
- **Secondary mail:** 200.113.223.92 (digimx.douane.gouv.ht)
- **Additional senders:** 162.210.99.100, 162.210.99.101

### Douane Main Website:
- **IP:** 190.115.189.37 (adjacent to mail server)
- **Server:** Apache/2.4.62 (Win64) OpenSSL/3.1.7 PHP/8.3.14
- **CMS:** WordPress
- **OS:** Windows Server (confirmed from Apache build string)
- **Nameservers:** ns1/ns2/ns3.web.ht

### Risk Assessment:
- Exchange 2016 with ALL remote access endpoints exposed to internet
- Basic Auth available on two endpoints (credential spray target)
- NTLM auth exposed (relay/hash capture potential)
- OWA login page fully accessible (phishing landing confirmation)
- ECP exposed (admin panel for Exchange)
- PowerShell remoting exposed (post-auth RCE path)
- Build 15.1.2507.61 needs verification against latest patches
- Windows Server hosting both web and mail on adjacent IPs

---

## ACTIVE CPANEL ADMIN PANELS

### 1. INFP (Institut National de Formation Professionnelle)
- **cPanel URL:** `https://cpanel.infp.gouv.ht:2083/` - **ACTIVE**
- **Webmail:** `https://cpanel.infp.gouv.ht:2096/` - **ACTIVE**
- **WHM:** `https://cpanel.infp.gouv.ht:2087/` - **ACTIVE**
- **Direct Webmail:** `https://webmail.infp.gouv.ht/` - **ACTIVE (200 OK)**
- **IP:** 173.254.104.158
- **Hosting:** **Bluehost** (ns1/ns2.bluehost.com, host-header: shared.bluehost.com)
- **Server:** Apache
- **SSL Cert:** CN=webdisk.infp.gouv.ht (Let's Encrypt R12, Jan 10 - Apr 10 2026)
- **SAN:** autodiscover.infp.gouv.ht, cpanel.infp.gouv.ht, hr.infp.gouv.ht, infp.gouv.ht, **infp.gouv.ht.jlv.egd.mybluehost.me**, mail.infp.gouv.ht, webdisk.infp.gouv.ht, webmail.infp.gouv.ht, www.hr.infp.gouv.ht, www.infp.gouv.ht
- **Main Site:** Laravel app (XSRF-TOKEN, infp_session cookies)
- **MX:** mail.infp.gouv.ht (173.254.104.158 - same server)
- **SPF:** `v=spf1 ip4:173.254.104.158 a mx include:websitewelcome.com ~all`
- **DMARC:** None
- **Bluehost Internal:** `infp.gouv.ht.jlv.egd.mybluehost.me` (staging/internal reference in cert)

### 2. La Poste (Haitian Postal Service)
- **cPanel URL:** `https://cpanel.laposte.gouv.ht:2083/` - **ACTIVE**
- **Webmail:** `https://cpanel.laposte.gouv.ht:2096/` - **ACTIVE**
- **WHM:** `https://cpanel.laposte.gouv.ht:2087/` - **ACTIVE**
- **Direct Webmail:** `https://webmail.laposte.gouv.ht/` - **ACTIVE (200 OK)**
- **IP:** 142.214.186.131
- **Hosting:** **KVCHosting** (ns2004/ns2005.kvchosting.com, ns1000/ns1001.kvchosting.com)
- **Server:** Apache
- **SSL Cert:** CN=laposte.gouv.ht (Let's Encrypt R12, Jan 25 - Apr 25 2026)
- **SAN:** *.laposte.gouv.ht, laposte.gouv.ht (wildcard!)
- **Main Site:** WordPress with The Events Calendar plugin
- **MX:** laposte.gouv.ht (self-referential - mail on same server)
- **SPF:** `v=spf1 ip4:142.214.186.131 ip4:142.214.186.132 +a +mx +ip4:38.57.3.40 +ip4:216.122.171.82 +ip4:38.123.253.90 ~all`
- **DMARC:** None
- **Note:** SPF includes 5 different IPs - mail sent from multiple locations

### 3. OREPA Nord (Office Regional d'Eau Potable et d'Assainissement - North)
- **cPanel URL:** `https://cpanel.orepanord.gouv.ht:2083/` - **ACTIVE**
- **Webmail:** `https://cpanel.orepanord.gouv.ht:2096/` - **ACTIVE**
- **WHM:** `https://cpanel.orepanord.gouv.ht:2087/` - **ACTIVE**
- **IP:** 192.249.121.88 (shared with orepasud, orepacentre, orepaouest)
- **Hosting:** **HostGenial** (ns1/ns2.hostgenial.com)
- **Server:** nginx/1.29.4 (fronting cPanel)
- **SSL Cert:** CN=*.orepanord.gouv.ht (Let's Encrypt R12, Jan 14 - Apr 14 2026)
- **SAN:** *.orepanord.gouv.ht, orepanord.gouv.ht (wildcard)
- **MX:** orepanord.gouv.ht (self-referential)

### 4. OREPA Sud (Office Regional d'Eau Potable - South)
- **cPanel URL:** `https://cpanel.orepasud.gouv.ht:2083/` - **ACTIVE**
- **Webmail:** `https://cpanel.orepasud.gouv.ht:2096/` - **ACTIVE**
- **WHM:** `https://cpanel.orepasud.gouv.ht:2087/` - **ACTIVE**
- **IP:** 192.249.121.88 (same server as orepanord)
- **Hosting:** **HostGenial**
- **Server:** nginx/1.29.4
- **SSL Cert:** CN=*.orepasud.gouv.ht (Let's Encrypt R12, Jan 15 - Apr 15 2026)
- **SAN:** *.orepasud.gouv.ht, orepasud.gouv.ht (wildcard)
- **MX:** orepasud.gouv.ht (self-referential)

### 5. OREPA Centre (Office Regional d'Eau Potable - Centre)
- **cPanel URL:** `https://cpanel.orepacentre.gouv.ht:2083/` - **ACTIVE** (bonus discovery)
- **IP:** 192.249.121.88 (same server)
- **Hosting:** **HostGenial**

### 6. OREPA Ouest (Office Regional d'Eau Potable - West)
- **cPanel URL:** `https://cpanel.orepaouest.gouv.ht:2083/` - **ACTIVE** (bonus discovery)
- **IP:** 192.249.121.88 (same server)
- **Hosting:** **HostGenial**

### 7. Tourisme (Ministry of Tourism)
- **cPanel URL:** `https://cpanel.tourisme.gouv.ht:2083/` - **ACTIVE**
- **Webmail:** `https://cpanel.tourisme.gouv.ht:2096/` - **ACTIVE**
- **WHM:** `https://cpanel.tourisme.gouv.ht:2087/` - **TIMEOUT** (blocked)
- **IP:** 91.234.195.40
- **Hosting:** **DNSHostServices** (ns1-4.dnshostservices.com)
- **SSL Cert:** CN=*.tourisme.gouv.ht (Let's Encrypt R13, Feb 7 - May 8 2026)
- **SAN:** *.tourisme.gouv.ht, **ad-tourisme.mdthaiti.com**, tourisme.gouv.ht, www.ad-tourisme.mdthaiti.com
- **MX:** Google Workspace (ALT1/ALT2/ALT3.ASPMX.L.GOOGLE.COM)
- **SPF:** `v=spf1 ip4:91.234.195.40 ip4:91.234.195.41 include:premiumsmtp.dnshostservices.com +a +mx include:_spf.google.com ~all`
- **DMARC:** `v=DMARC1;p=none` (monitoring only, no enforcement)
- **Linked domain:** `mdthaiti.com` resolves to same IP (91.234.195.40), same nameservers
- **Note:** `ad-tourisme.mdthaiti.com` in cert SAN suggests admin panel hosted on mdthaiti.com

### 8. MAE (Ministry of Foreign Affairs)
- **cPanel URL:** `https://mae.gouv.ht:2083/` - **ACTIVE** (discovered via autodiscover probe)
- **Webmail (2096):** `https://mae.gouv.ht:2096/` - **ACTIVE**
- **Direct Webmail:** `https://webmail.mae.gouv.ht/` - **500 Internal Server Error**
- **IP:** 162.241.217.12
- **Hosting:** **Bluehost** (ns1/ns2.bluehost.com, host-header: shared.bluehost.com)
- **SSL Cert:** CN=cpcalendars.mae.gouv.ht (Let's Encrypt R13, Jan 11 - Apr 11 2026)
- **SAN:** autodiscover.mae.gouv.ht, cpanel.mae.gouv.ht, cpcalendars.mae.gouv.ht, cpcontacts.mae.gouv.ht, mae.gouv.ht, mail.mae.gouv.ht, webdisk.mae.gouv.ht, webmail.mae.gouv.ht, www.mae.gouv.ht
- **Main Site:** WordPress (with wpdiscuz plugin)
- **MX:** mail.mae.gouv.ht (same server)
- **SPF:** `v=spf1 a mx include:websitewelcome.com ~all`
- **DMARC:** None

### 9. DZF (Direction du Zonage Foncier)
- **cPanel URL:** `https://dzf.gouv.ht:2083/` - **ACTIVE** (discovered via autodiscover probe)
- **WHM:** `https://dzf.gouv.ht:2087/` - **ACTIVE**
- **Direct Webmail:** `https://webmail.dzf.gouv.ht/` - **ACTIVE (200 OK)**
- **IP:** 142.214.191.140
- **Hosting:** **KVCHosting** (ns1019/ns1020.kvchosting.com)
- **SSL Cert:** CN=dzf.gouv.ht (Let's Encrypt R12, Jan 26 - Apr 26 2026)
- **SAN:** *.dzf.gouv.ht, dzf.gouv.ht (wildcard)
- **MX:** dzf.gouv.ht (self-referential)
- **SPF:** None configured
- **DMARC:** None
- **Autodiscover:** Returns "autodiscovery must be provided a valid email address" (cPanel autodiscover active)

---

## BEHIND REVERSE PROXY (PARTIALLY ACCESSIBLE)

### 10. MTPTC (Ministry of Public Works)
- **cPanel URL:** `https://cpanel.mtptc.gouv.ht:2083/` - **415 Unsupported Media Type**
- **Webmail:** `https://cpanel.mtptc.gouv.ht:2096/` - **415**
- **WHM:** `https://cpanel.mtptc.gouv.ht:2087/` - **415**
- **IP:** 50.28.87.47 (shared with ute, ciat)
- **Proxy:** openresty/1.27.1.1
- **Hosting:** **HaitiHosting** (ns3/ns4.haitihosting.ht)
- **SSL Cert:** CN=*.mtptc.gouv.ht (Let's Encrypt R12, Jan 24 - Apr 24 2026)
- **MX:** Rackspace (mx1/mx2.emailsrvr.com)
- **SPF:** `v=spf1 ip4:50.28.87.47 include:emailsrvr.com -all` (hard fail - good)
- **DMARC:** None
- **Note:** Infrastructure exists behind openresty WAF/proxy; cPanel access blocked

### 11. UTE (Unite Technique d'Execution)
- **cPanel URL:** `https://cpanel.ute.gouv.ht:2083/` - **415 Unsupported Media Type**
- **Webmail:** `https://cpanel.ute.gouv.ht:2096/` - **415**
- **WHM:** `https://cpanel.ute.gouv.ht:2087/` - **415**
- **IP:** 50.28.87.47 (same server as mtptc)
- **Proxy:** openresty/1.27.1.1
- **Hosting:** **HaitiHosting**
- **SSL Cert:** CN=www.caracol.ute.gouv.ht (Let's Encrypt R12, Jan 17 - Apr 17 2026)
- **SAN:** *.ute.gouv.ht, www.caracol.ute.gouv.ht, www.hueh.ute.gouv.ht
- **MX:** Google Workspace (aspmx.l.google.com)
- **SPF:** `v=spf1 ip4:50.28.87.47 +a +mx +ip4:64.91.231.151 ~all`
- **Sub-sites:** caracol.ute.gouv.ht, hueh.ute.gouv.ht (in cert SAN)

### 12. CIAT (Comite Interministeriel d'Amenagement du Territoire)
- **Autodiscover:** `https://autodiscover.ciat.gouv.ht/` - **415 Unsupported Media Type**
- **Main Site:** `https://ciat.gouv.ht/` - **415 but WordPress headers present**
- **IP:** 50.28.87.47 (same server as mtptc/ute)
- **Hosting:** **HaitiHosting**
- **SSL Cert:** CN=alertehaiti.com (SAN: *.alertehaiti.com, alertehaiti.com)
- **MX:** Google Workspace
- **Note:** SSL cert is for `alertehaiti.com` not ciat.gouv.ht - likely shared IP/SNI misconfiguration. AlerteHaiti appears to be CIAT's alert system.

---

## ACTIVE AUTODISCOVER / EMAIL ENDPOINTS

### autodiscover.douane.gouv.ht (Customs)
- **Status:** FULLY ACTIVE - Microsoft Exchange 2016 (see Critical Finding above)
- **IP:** 190.115.189.36

### autodiscover.dzf.gouv.ht (Land Zoning)
- **Status:** ACTIVE - cPanel autodiscovery
- **Response:** "autodiscovery must be provided a valid email address"
- **IP:** 142.214.191.140 (KVCHosting)

### autodiscover.mae.gouv.ht (Foreign Affairs)
- **Status:** ACTIVE - cPanel autodiscovery (Bluehost)
- **Response:** 400 Bad Request + "autodiscovery must be provided a valid email address"
- **host-header:** `shared.bluehost.com` (base64 encoded)
- **IP:** 162.241.217.12

### autodiscover.md.gouv.ht (Ministry of Digital)
- **Status:** ACTIVE - Hostinger email service
- **CNAME:** autodiscover.mail.hostinger.com (34.120.251.119)
- **SSL Cert:** *.mail.hostinger.com (DigiCert/RapidSSL)
- **MX:** mx1/mx2.hostinger.com
- **Response:** 405 Method Not Allowed (via Google Cloud/nginx)

### autodiscover.incah-haiti.gouv.ht (INCAH)
- **Status:** ACTIVE - Hostinger email service
- **CNAME:** autodiscover.mail.hostinger.com (34.120.251.119)
- **SSL Cert:** *.mail.hostinger.com (DigiCert/RapidSSL)
- **MX:** mx1/mx2.hostinger.fr
- **Response:** 405 Method Not Allowed

### autodiscover.ciat.gouv.ht (CIAT)
- **Status:** ACTIVE (behind openresty proxy) - 415 response
- **IP:** 50.28.87.47 (HaitiHosting)

---

## NXDOMAIN / DECOMMISSIONED CPANEL TARGETS

The following cPanel subdomains were found in certificate transparency logs but their DNS has been removed. The certificates prove these organizations **previously** had cPanel hosting:

| Target | Notes |
|--------|-------|
| cpanel.deliveryunit.gouv.ht | Delivery Unit - decommissioned |
| cpanel.dinepa.gouv.ht | DINEPA (Water Authority) - DNS removed |
| cpanel.douane.gouv.ht | Customs - migrated to Exchange |
| cpanel.haititourisme.gouv.ht | Haiti Tourism (separate from tourisme) - NS: transversal.ht |
| cpanel.mairiecitesoleil.gouv.ht | Cite Soleil City Hall - decommissioned |
| cpanel.mairiededelmas.gouv.ht | Delmas City Hall - decommissioned |
| cpanel.md.gouv.ht | Ministry of Digital - migrated to Hostinger |
| cpanel.ministeredeladefense.gouv.ht | Ministry of Defense - decommissioned |
| cpanel.mpce.gouv.ht | MPCE (Planning Ministry) - decommissioned |
| cpanel.ofatma.gouv.ht | OFATMA (Workers Insurance) - NS: ns.ofatma.gouv.ht only |
| cpanel.ofnac.gouv.ht | OFNAC (Civil Aviation) - NS: domaincontrol.com (GoDaddy) |
| cpanel.postehaiti.gouv.ht | Haiti Post (different from laposte) - decommissioned |
| cpanel.pwoteksyonsivil.gouv.ht | Civil Protection - decommissioned |

---

## NXDOMAIN / DECOMMISSIONED AUTODISCOVER TARGETS

| Target | Notes |
|--------|-------|
| autodiscover.bhda.gouv.ht | BHDA - DNS exists (web.ht NS) but autodiscover NXDOMAIN |
| autodiscover.bmpad.gouv.ht | BMPAD - DNS exists (66.102.135.39) but no HTTPS, redirects to SafeBrowse |
| autodiscover.cgmiami.gouv.ht | Consulate General Miami - NXDOMAIN (MX: smtp.google.com) |
| autodiscover.cscca.gouv.ht | CSCCA (Court of Accounts) - DNS exists (207.58.175.95) but no HTTPS |
| autodiscover.ema.gouv.ht | Military General Staff - COMPLETE NXDOMAIN (no NS records!) |
| autodiscover.forumcivitax.gouv.ht | Forum CiviTax - NXDOMAIN |
| autodiscover.lnbtp.gouv.ht | LNBTP (Construction Lab) - NXDOMAIN |
| autodiscover.mci.gouv.ht | MCI (Commerce Ministry) - NXDOMAIN |
| autodiscover.ministeredeladefense.gouv.ht | Ministry of Defense - NXDOMAIN |
| autodiscover.misprimature.gouv.ht | Prime Minister's Office - NXDOMAIN |
| autodiscover.mspp.gouv.ht | MSPP (Health Ministry) - NS: haitihosting.ht but autodiscover NXDOMAIN |
| autodiscover.mtptc.gouv.ht | MTPTC - DNS exists but autodiscover removed |
| autodiscover.ofatma.gouv.ht | OFATMA - NXDOMAIN |
| autodiscover.ofnac.gouv.ht | OFNAC - NXDOMAIN |
| autodiscover.orepacentre.gouv.ht | OREPA Centre - NXDOMAIN (but cpanel works!) |
| autodiscover.orepanord.gouv.ht | OREPA Nord - NXDOMAIN |
| autodiscover.orepaouest.gouv.ht | OREPA Ouest - NXDOMAIN |
| autodiscover.orepasud.gouv.ht | OREPA Sud - NXDOMAIN |
| autodiscover.secretariat-techniquehd.gouv.ht | Technical Secretariat HD - NXDOMAIN |
| autodiscover.securitepublique.gouv.ht | Public Security - COMPLETE NXDOMAIN (no NS!) |
| autodiscover.ucp.gouv.ht | UCP - NXDOMAIN |
| autodiscover.ucref.gouv.ht | UCREF (Financial Intelligence) - NXDOMAIN |
| autodiscover.ute.gouv.ht | UTE - NXDOMAIN |

---

## HOSTING PROVIDER MAP

### Bluehost (Newfold Digital) - US
- **IPs:** 173.254.104.158, 162.241.217.12
- **Domains:** infp.gouv.ht, mae.gouv.ht
- **Indicator:** host-header `shared.bluehost.com`, SPF includes `websitewelcome.com`
- **cPanel:** Active with WHM access

### KVCHosting
- **IPs:** 142.214.186.131, 142.214.191.140
- **Domains:** laposte.gouv.ht, dzf.gouv.ht
- **cPanel:** Active with WHM access

### HostGenial
- **IP:** 192.249.121.88
- **Domains:** orepanord.gouv.ht, orepasud.gouv.ht, orepacentre.gouv.ht, orepaouest.gouv.ht
- **cPanel:** Active (nginx/1.29.4 fronting cPanel), WHM accessible
- **Note:** All 4 OREPA regional offices on single shared server

### HaitiHosting (haitihosting.ht)
- **IP:** 50.28.87.47
- **Domains:** mtptc.gouv.ht, ute.gouv.ht, ciat.gouv.ht
- **Proxy:** openresty/1.27.1.1 WAF in front
- **cPanel:** Behind proxy, 415 errors

### DNSHostServices
- **IP:** 91.234.195.40
- **Domains:** tourisme.gouv.ht, mdthaiti.com
- **cPanel:** Active, WHM blocked

### Hostinger
- **Autodiscover CNAME:** autodiscover.mail.hostinger.com
- **Domains:** md.gouv.ht (Hostinger.com), incah-haiti.gouv.ht (Hostinger.fr)
- **Email only** - no cPanel found for these

### web.ht (Local Haiti)
- **Domains:** douane.gouv.ht, bhda.gouv.ht
- **IPs:** 190.115.189.36/37 (douane), 200.113.223.92 (douane backup)
- **Note:** Self-hosted Exchange 2016 on Windows Server

---

## EMAIL INFRASTRUCTURE SUMMARY

### Self-Hosted Exchange
| Organization | Mail Server | IP | Version | Risk |
|-------------|------------|-----|---------|------|
| **Douane (Customs)** | agdmail.douane.gouv.ht | 190.115.189.36 | Exchange 2016 CU23 (15.1.2507.61) | **CRITICAL** - all endpoints exposed |

### Self-Hosted cPanel Mail (Roundcube/Horde)
| Organization | Mail Server | IP | Provider |
|-------------|------------|-----|----------|
| INFP | mail.infp.gouv.ht | 173.254.104.158 | Bluehost |
| MAE (Foreign Affairs) | mail.mae.gouv.ht | 162.241.217.12 | Bluehost |
| La Poste | laposte.gouv.ht | 142.214.186.131 | KVCHosting |
| DZF | dzf.gouv.ht | 142.214.191.140 | KVCHosting |
| OREPA Nord | orepanord.gouv.ht | 192.249.121.88 | HostGenial |
| OREPA Sud | orepasud.gouv.ht | 192.249.121.88 | HostGenial |

### Google Workspace
| Organization | Domain | MX |
|-------------|--------|-----|
| Tourisme | tourisme.gouv.ht | ASPMX.L.GOOGLE.COM |
| UTE | ute.gouv.ht | aspmx.l.google.com |
| CIAT | ciat.gouv.ht | aspmx.l.google.com |
| BMPAD | bmpad.gouv.ht | aspmx.l.google.com |
| CG Miami | cgmiami.gouv.ht | smtp.google.com |

### Rackspace Email
| Organization | Domain | MX |
|-------------|--------|-----|
| MTPTC | mtptc.gouv.ht | mx1/mx2.emailsrvr.com |

### Hostinger Email
| Organization | Domain | MX |
|-------------|--------|-----|
| MD (Digital Ministry) | md.gouv.ht | mx1/mx2.hostinger.com |
| INCAH | incah-haiti.gouv.ht | mx1/mx2.hostinger.fr |

---

## EMAIL SECURITY POSTURE

| Domain | SPF | DMARC | Risk |
|--------|-----|-------|------|
| douane.gouv.ht | ~all (softfail) | p=reject (BUT pct=5!) | Medium - only 5% enforced |
| mae.gouv.ht | ~all | **NONE** | **HIGH** - spoofable |
| infp.gouv.ht | ~all | **NONE** | **HIGH** - spoofable |
| laposte.gouv.ht | ~all | **NONE** | **HIGH** - spoofable |
| dzf.gouv.ht | **NONE** | **NONE** | **CRITICAL** - no email auth |
| tourisme.gouv.ht | ~all | p=none | **HIGH** - monitoring only |
| mtptc.gouv.ht | -all (hard fail) | **NONE** | Medium - SPF good, no DMARC |
| ute.gouv.ht | ~all | **NONE** | **HIGH** - spoofable |
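The ratings in this table and the `pct=5` caveat in the Douane DMARC section above follow from a small set of rules on the raw TXT records. The script below is an added example, not tooling from this report: it parses SPF and DMARC strings offline (no DNS queries) and applies the same bands the table uses. The records in `RECORDS` are the ones quoted in this report with the DMARC `rua`/`ruf` addresses omitted; the rating rules themselves are this example's assumptions.

```python
"""Rate SPF/DMARC posture the way the posture table does.

Added example, not the report's own tooling: it parses raw TXT strings
(no DNS queries) and assigns bands: CRITICAL with no SPF and no DMARC,
HIGH when DMARC is missing or p=none, MEDIUM when DMARC rejects but
pct<100 or when only SPF -all is in place, LOW when DMARC is fully
enforced. RECORDS holds records quoted in this report (DMARC rua/ruf
addresses omitted); the rating rules are this example's assumptions.
"""
from typing import Dict, Optional, Tuple

Record = Tuple[Optional[str], Optional[str]]  # (SPF TXT, DMARC TXT); None = absent

RECORDS: Dict[str, Record] = {
    "douane.gouv.ht": (
        "v=spf1 ip4:162.210.99.100 ip4:162.210.99.101 +a +mx "
        "+ip4:190.115.189.36/32 +ip4:200.113.223.92/32 ~all",
        "v=DMARC1;p=reject;sp=reject;adkim=r;aspf=r;pct=5;fo=1;rf=afrf;ri=86400;",
    ),
    "tourisme.gouv.ht": (
        "v=spf1 ip4:91.234.195.40 ip4:91.234.195.41 "
        "include:premiumsmtp.dnshostservices.com +a +mx include:_spf.google.com ~all",
        "v=DMARC1;p=none",
    ),
    "mtptc.gouv.ht": ("v=spf1 ip4:50.28.87.47 include:emailsrvr.com -all", None),
    "mae.gouv.ht": ("v=spf1 a mx include:websitewelcome.com ~all", None),
    "dzf.gouv.ht": (None, None),
}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=5' into a tag dict (keys lower-cased)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism: '+', '-', '~' or '?'.

    None when the record has no 'all' term (the SPF result then defaults
    to neutral, which is as weak as '?all').
    """
    for term in txt.split():
        t = term.lower()
        if t in ("all", "+all", "-all", "~all", "?all"):
            return "+" if t == "all" else t[0]
    return None


def rate(spf: Optional[str], dmarc: Optional[str]) -> Tuple[str, str]:
    """Return (risk, reason) for one domain's SPF and DMARC records."""
    if spf is None and dmarc is None:
        return "CRITICAL", "no SPF and no DMARC - no email authentication"
    if dmarc is None:
        if spf_all_qualifier(spf) == "-":
            return "MEDIUM", "SPF hard fail but no DMARC"
        return "HIGH", "no DMARC - spoofable"
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return "HIGH", "DMARC record malformed - treated as absent"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # a non-numeric pct is ignored by receivers; default is 100
    if policy == "none":
        return "HIGH", "DMARC p=none - monitoring only"
    if pct < 100:
        return "MEDIUM", f"DMARC p={policy} but pct={pct} - only {pct}% enforced"
    return "LOW", f"DMARC p={policy} fully enforced"


def posture(records: Dict[str, Record]) -> Dict[str, Tuple[str, str]]:
    """Rate every domain in the map; this is the table above, computed."""
    return {domain: rate(spf, dmarc) for domain, (spf, dmarc) in records.items()}


if __name__ == "__main__":
    for domain, (risk, reason) in posture(RECORDS).items():
        print(f"{domain:20} {risk:9} {reason}")
```

The `pct` branch is the one that matters for the Douane case: a `p=reject` record reads as fully enforced at a glance, but receivers apply the policy to only the stated percentage of failing messages, so the remaining 95% are treated as `p=none`.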

---

## CROSS-ORGANIZATION INTELLIGENCE

### Shared Infrastructure Clusters
1. **OREPA Cluster:** 4 regional water offices (Nord, Sud, Centre, Ouest) ALL on single HostGenial server (192.249.121.88) - compromise one = compromise all
2. **HaitiHosting Cluster:** MTPTC + UTE + CIAT on same IP (50.28.87.47) behind openresty
3. **Bluehost Cluster:** INFP + MAE on separate IPs but same provider
4. **KVCHosting Cluster:** La Poste + DZF on separate IPs but same provider
5. **Douane Standalone:** Self-hosted Exchange on local Haiti infrastructure (web.ht)

### WHM (Web Host Manager) Access
The following targets have WHM (root-level hosting admin) accessible on port 2087:
- cpanel.infp.gouv.ht:2087
- cpanel.laposte.gouv.ht:2087
- cpanel.orepanord.gouv.ht:2087
- cpanel.orepasud.gouv.ht:2087
- dzf.gouv.ht:2087

### Webmail Login Pages (Direct Access)
- `https://webmail.infp.gouv.ht/` - 200 OK
- `https://webmail.laposte.gouv.ht/` - 200 OK
- `https://webmail.dzf.gouv.ht/` - 200 OK
- `https://cpanel.infp.gouv.ht:2096/` - Webmail login
- `https://cpanel.laposte.gouv.ht:2096/` - Webmail login
- `https://cpanel.orepanord.gouv.ht:2096/` - Webmail login
- `https://cpanel.orepasud.gouv.ht:2096/` - Webmail login
- `https://cpanel.tourisme.gouv.ht:2096/` - Webmail login
- `https://mae.gouv.ht:2096/` - Webmail login
- `https://agdmail.douane.gouv.ht/owa/auth/logon.aspx` - Exchange OWA login

### Notable Linkages
- **tourisme.gouv.ht** cert contains **mdthaiti.com** domain (same IP) - MDT Haiti manages tourism web
- **haititourisme.gouv.ht** uses different NS (transversal.ht) from tourisme.gouv.ht - different organizations?
- **alertehaiti.com** cert served on ciat.gouv.ht IP - CIAT runs Haiti's alert system
- **INFP** Bluehost internal hostname leaked: `infp.gouv.ht.jlv.egd.mybluehost.me`
- **Douane** Exchange admin email: `xchgad@douane.gouv.ht` (from DMARC record)
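Three of the linkages above were visible only because a certificate's SAN list contained names outside the zone it was issued for: a hosting provider's internal hostname, a contractor's domain, and an unrelated site served on a shared IP. The script below is an added example, not tooling from this report: a defender watching CT logs for their own zones can run each certificate's SAN list through it to catch the same patterns. `SAMPLE_CERTS` copies SAN lists from the certificates described in this report; the ownership lists and the three categories are this example's assumptions.

```python
"""Flag certificate SAN entries that fall outside the zones an org owns.

Added example (not the report's tooling). Each SAN is sorted into one of
three buckets: in_scope (under an owned zone), embedded (an owned name
used as a prefix inside someone else's hostname, the provider-internal
pattern seen in infp.gouv.ht.jlv.egd.mybluehost.me) or out_of_scope
(a name the organisation does not control). SAMPLE_CERTS copies SAN
lists from this report; the ownership lists are assumptions.
"""
from typing import Dict, List, Optional


def owning_zone(name: str, owned: List[str]) -> Optional[str]:
    """Return the owned zone that `name` sits under, else None.

    A leading wildcard label ('*.') is dropped first, and the match must be
    on a label boundary so 'notinfp.gouv.ht' does not match 'infp.gouv.ht'.
    """
    n = name.lower()
    if n.startswith("*."):
        n = n[2:]
    for zone in owned:
        z = zone.lower()
        if n == z or n.endswith("." + z):
            return z
    return None


def audit_san(sans: List[str], owned: List[str]) -> Dict[str, List[str]]:
    """Split a SAN list into in_scope, embedded and out_of_scope names."""
    result: Dict[str, List[str]] = {"in_scope": [], "embedded": [], "out_of_scope": []}
    for san in sans:
        if owning_zone(san, owned):
            result["in_scope"].append(san)
        elif any(san.lower().startswith(z.lower() + ".") for z in owned):
            # owned name embedded in a foreign hostname (provider-internal alias)
            result["embedded"].append(san)
        else:
            result["out_of_scope"].append(san)
    return result


# SAN lists copied from the certificates described in this report.
SAMPLE_CERTS: Dict[str, List[str]] = {
    "infp.gouv.ht": [
        "autodiscover.infp.gouv.ht", "cpanel.infp.gouv.ht", "hr.infp.gouv.ht",
        "infp.gouv.ht", "infp.gouv.ht.jlv.egd.mybluehost.me", "mail.infp.gouv.ht",
        "webdisk.infp.gouv.ht", "webmail.infp.gouv.ht", "www.hr.infp.gouv.ht",
        "www.infp.gouv.ht",
    ],
    "tourisme.gouv.ht": [
        "*.tourisme.gouv.ht", "ad-tourisme.mdthaiti.com", "tourisme.gouv.ht",
        "www.ad-tourisme.mdthaiti.com",
    ],
    # served on the CIAT address, but the certificate names a different domain
    "ciat.gouv.ht": ["*.alertehaiti.com", "alertehaiti.com"],
}


def findings(certs: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Audit each certificate against the single zone it was expected to serve."""
    return {zone: audit_san(sans, [zone]) for zone, sans in certs.items()}


if __name__ == "__main__":
    for zone, r in findings(SAMPLE_CERTS).items():
        print(zone, "embedded:", r["embedded"], "out_of_scope:", r["out_of_scope"])
```

A certificate whose `in_scope` bucket is empty (the CIAT case) usually means a shared-IP or SNI default-host problem rather than a certificate issued to the wrong party; a non-empty `embedded` bucket is the signal that a hosting provider has put its own internal alias on your certificate.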

---

## PRIORITY TARGETS FOR FURTHER ASSESSMENT

### Tier 1 (Critical)
1. **agdmail.douane.gouv.ht** - Exchange 2016 with all endpoints exposed, Basic auth on ActiveSync/RPC
2. **All 4 OREPA regional offices** - Single server compromise = 4 government agencies

### Tier 2 (High)
3. **mae.gouv.ht** - Ministry of Foreign Affairs, no DMARC, webmail errors (500)
4. **dzf.gouv.ht** - No SPF, no DMARC, all admin ports open
5. **infp.gouv.ht** - Bluehost shared hosting, all admin ports open
6. **laposte.gouv.ht** - All admin ports open, multiple sending IPs in SPF

### Tier 3 (Medium)
7. **tourisme.gouv.ht** - cPanel active but WHM blocked, linked to mdthaiti.com
8. **mtptc.gouv.ht / ute.gouv.ht** - Behind openresty proxy (harder target)
9. **ciat.gouv.ht** - Behind proxy, cert mismatch reveals alertehaiti.com

---

*Report generated 2026-03-04. All probes were passive HTTP/HTTPS requests only.*
