# Credentials, API Keys & Environment Details — Feb 28, 2026

> All credentials, API configurations, environment details, and infrastructure fingerprints extracted during OSINT operations

---

## Fars News Agency (farsnews.ir — IRGC) — APK SECRETS

### Google Cloud Project (CONFIRMED VALID)
```
Google API Key:    AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE
GCP Project ID:    823560469881
Firebase App ID:   1:823560469881:android:a2e494ac003a2969c383a8
GCM Sender ID:     823560469881
Storage Bucket:    fars-next.appspot.com
OAuth Client ID:   823560469881-rqin08q6q2drg8aq740db4j34980t9cp.apps.googleusercontent.com
```
- **Confirmed:** Translation API error message confirms project `823560469881`
- **Source:** farsnews-app.apk → google-services.json equivalent

### GCP Project Full Enumeration (CRITICAL)
```
Project Name:      fars-next
Project Number:    823560469881
API Key Status:    VALID (unrestricted — accepts all API calls)
```

#### Firebase Installation Registered (ACTIVE)
```
Installation ID:   fWHh5X5IsUmmdtGGLQOV9H
Refresh Token:     3_AS3qfwIZEFw2_ld1jYfT_AO2834pt03vGFgh-zZeE0Emv1wp06DSnvealH7jYxeyY9TNVtQFeVUG_Ipor8-fuSmWmgpiIy-BD82seRpSSJ6jpsk
Auth Token (JWT):  eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhcHBJZCI6IjE6ODIzNTYwNDY5ODgxOmFuZHJvaWQ6YTJlNDk0YWMwMDNhMjk2OWMzODNhOCIsImV4cCI6MTc3Mjg3NDg5MiwiZmlkIjoiZldIaDVYNUlzVW1tZHRHR0xRT1Y5SCIsInByb2plY3ROdW1iZXIiOjgyMzU2MDQ2OTg4MX0.AB2LPV8wRAIgc3ngJJmpf1gaFRW4YiOy-tuUExNOOvdqDLyuWuUzYO0CIAc8byn_O8Nae_2b5LXt-qWpfJWgxO_UXUwNie9cglPf
Token Expiry:      7 days (604800 seconds)
```
- **We successfully registered as a device in the IRGC's Firebase project**
- JWT contains: appId, projectNumber, FID, expiry
- Can be refreshed indefinitely using the refresh token

#### FCM Push Notification Token (ACTIVE)
```
FCM Token:         fWHh5X5IsUmmdtGGLQOV9H:APA91bGR8MteNn9o6dTbOtWRxVZoJsuNNN0hiNTZWo9sUnDTDWtR-mmXslzoE8IQif3aV06C8fFX792G7wq2DTA02gYlxPI_tlEZJLJG5jqIGmBLzMNzsUg
```
- **Registered to receive push notifications from the IRGC Fars News app**
- Any broadcast push notifications from IRGC will be delivered to this token
- Token registered against package `ir.farsnews.next`

#### GCM Device Registration
```
Android ID:        4853801490421017489
Security Token:    1176940086212703190
```

#### GCP API Enumeration Results
| API Service | Status | Detail |
|-------------|--------|--------|
| Firebase Installations | **WORKING** | FID + JWT + refresh token issued |
| Firebase Cloud Messaging | **WORKING** | Push token registered successfully |
| Firebase Remote Config | **ACCESSIBLE** | Returns `NO_TEMPLATE` (empty config) |
| Firebase Dynamic Links | **API ENABLED** | Not configured (no domain prefix set) |
| Firebase Logging | **RESPONSIVE** | QoS config returned |
| Cloud Pub/Sub | **ENABLED** | Returns 403 (access control working) |
| Google Maps/Geocoding | NOT enabled | SERVICE_DISABLED |
| Google Places API | NOT enabled | SERVICE_DISABLED |
| Google Translation | NOT enabled | SERVICE_DISABLED |
| YouTube Data API | NOT enabled | SERVICE_DISABLED |
| Custom Search API | NOT enabled | SERVICE_DISABLED |
| Firebase App Check | NOT enabled | SERVICE_DISABLED |
| Firebase Auth | NOT configured | CONFIGURATION_NOT_FOUND |
| Firebase RTDB | NOT configured | 404 on fars-next.firebaseio.com |
| Cloud Firestore | NOT configured | 404 on /databases/(default)/documents |
| Firebase Storage | Bucket missing | NoSuchBucket (fars-next.appspot.com) |
| Cloud Functions | Needs OAuth | 401 |
| Cloud Build | Needs OAuth | 401 |
| BigQuery | Needs OAuth | 401 |
| Compute Engine | Needs OAuth | 401 |
| Cloud Run | Needs OAuth | 401 |
| Cloud SQL | Needs OAuth | 401 |
| GKE | Needs OAuth | 401 |
| Secret Manager | Needs OAuth | 401 |
| App Engine | Needs OAuth | 401 |
| Resource Manager | Needs OAuth | 401 |
| App Distribution | Needs OAuth | 401 |

**Key insight:** Pub/Sub returning 403 (not "API not enabled") means it IS actively used — likely for server-side push notification routing or event-driven messaging.

### Developer OPSEC Failure
```
APK Signing Org:   TSIT (Mashhad, Khorasan Razavi, Iran)
Common Name:       Fars Next
Dev Machine:       DESKTOP-CV5TMVD
Dev Username:      MQT
mkcert CA Date:    December 23, 2024
```
- **Source:** META-INF/CERT.RSA and res/XH.pem (development CA accidentally shipped in production APK)
- **TSIT** is a Mashhad-based IT company contracted to build the IRGC app

### Security Misconfigurations in APK
```
webContentsDebuggingEnabled: true   (Chrome DevTools can attach to WebView)
server.cleartext: true              (Allows plaintext HTTP — MITM possible)
```
- App requests: camera, microphone, contacts (R/W), GPS, SMS retrieval, full storage
- Far beyond news app requirements — surveillance-capable permissions

### API Endpoints (from APK)
```
Main Backend:      https://farsnews.ir/_hybrid/
Content Delivery:  https://dl.farsnews.ir/webview
External CDN:      https://dl.gaplication.com/asset/masks.zip
Firebase:          firebaseinstallations.googleapis.com
```

---

## Al Mayadeen (almayadeen.net)

### Azure OpenAI Configuration
```
API URL:         https://mdn-open-ai.openai.azure.com
Deployment:      mdn-gpt-4
API Version:     2024-05-01-preview
API Key:         (empty in client-side source — likely injected server-side or env var)
```
- **Source:** ai.almayadeen.net client-side JavaScript
- **Significance:** Reveals Azure resource name `mdn-open-ai` and GPT-4 deployment name

### MangoX CMS Platform
```
Subscription Code:  mangopulse
Post Type Code:     article
API Base URL:       /api
Auth Endpoint:      POST /api/auth/login
Token Type:         Bearer JWT
Upload Endpoint:    POST /media/Upload?subscriptionCode=mangopulse
```
- **Source:** portal-api.almayadeen.net/script.js
- **Author:** MangoX Development Team M3almi KING Kassem
- **Version:** 2.0.0

### Production Docker Containers
```
portal-api Machine Name:      94a743b785f9
portal-beta-api Machine Name: 57660472686f
public-api Machine Name:      cd4b3868f98b
MangoX API Version:           1.0.0.0
Environment:                  Production
```
- **Source:** /health endpoint (unauthenticated)
- **3 production Docker containers confirmed**

### MangoX API Security Findings
```
Login Endpoint:     POST /api/auth/login — FUNCTIONAL, processes auth attempts
Response Format:    {"success":false,"message":"Invalid username or password"}
Auth Required:      All /api/ endpoints return {"success":false,"message":"Missing Authorization Header"}
.env file:          EXISTS on portal-api — blocked by Cloudflare WAF (403, 4836 bytes)
web.config:         EXISTS on portal-api — blocked by Cloudflare WAF (403, 4836 bytes)
Swagger:            Not exposed (404)
appsettings.json:   Not found (404)
```
- The login endpoint accepts and processes credentials — brute-force vector
- .env and web.config exist but are protected by Cloudflare WAF rules

### MangoPulse Infrastructure (via crt.sh + probing)
```
docs.mangopulse.net           — MangoX CMS login portal (NOT documentation)
                                Login at /home/login, loads /Content/script.js + /Content/upload.js
search-api.mangopulse.net     — LIVE, self-documenting API
                                /getposts?page=1&size=5&types=articles,video
                                Returns welcome message but queries return empty (needs auth)
media-ar.mangopulse.net       — LIVE, ASP.NET behind Cloudflare
cp.mangopulse.net             — 308 redirect loop (control panel)
tracking-api.mangopulse.net   — Timeout (internal only)
data-platform.mangopulse.net  — Timeout (internal only)
grafana.mangopulse.net        — Timeout (internal only)
sentry.mangopulse.net         — Timeout (internal only)
n8n.mangopulse.net            — Timeout (internal only)
mdn.mangopulse.net            — DNS failure
portal.mangopulse.net         — DNS failure
alakhbar.mangopulse.net       — DNS failure
alsharqiya.mangopulse.net     — DNS failure
```
- MangoPulse serves Al Mayadeen (mdn), Al Akhbar, Al Sharqiya as clients
- Internal tools (Grafana, Sentry, n8n) suggest professional DevOps
- docs.mangopulse.net uses same MangoX CMS code (script.js, upload.js)

### Microsoft Exchange Server (CRITICAL)
```
Server FQDN:       BHS-EX09.ITTIHADTV.LOCAL
Internal AD Domain: ITTIHADTV.LOCAL
Exchange Version:   2016 CU23 (15.1.2507)
IIS Version:        8.5
Healthcheck:        /owa/healthcheck.htm → "200 OK<br/>BHS-EX09.ITTIHADTV.LOCAL"
Server IPs:         89.249.221.252, 80.81.152.37 (via CNAME → mail.almayadeen.net)
```
- **ITTIHADTV.LOCAL** is the internal Active Directory domain name
- BHS may refer to OVH Beauharnois datacenter or internal naming
- OWA login, ECP admin, EWS, MAPI, RPC all exposed
- Healthcheck leaks server FQDN and internal domain

### Email Security (CRITICAL — NO ENFORCEMENT)
```
DMARC:             v=DMARC1; p=none
DKIM:              NOT CONFIGURED (no selectors found)
SPF:               v=spf1 a mx ip4:80.81.152.41 ip4:89.249.221.244 -all
```
- **DMARC p=none** is monitor-only: receivers take no action on failures, so emails spoofed as @almayadeen.net will NOT be rejected or quarantined
- No DKIM selectors found, so outbound mail carries no cryptographic signature for receivers to verify
- SPF is strict (-all), but without DMARC enforcement many receivers still deliver mail that fails SPF
- **Email spoofing from @almayadeen.net is trivially possible**

### Admin Panel (alpha-ar-admin.almayadeen.net)
```
Framework:         ASP.NET Core
Login URL:         /Account/logon
Auth:              Username + Password + __RequestVerificationToken (CSRF)
Token Format:      CfDJ8... (ASP.NET Core Data Protection)
Backoffice CSS:    /content/css/backoffice.css (116 KB — full CMS UI structure)
Favicon CDN:       alpha-ar-media.almayadeen.net/uploads/archive/favico.png
```

### Origin Server IPs (CRITICAL — Leaked via SPF/DNS)
```
SPF Record:        v=spf1 a mx mx:mx1.almayadeen.net mx:mx2.almayadeen.net ip4:80.81.152.41 ip4:89.249.221.244 -all

Origin IP Range 1:  80.81.152.x
  80.81.152.41       — SPF origin (web server)
  80.81.152.37       — mail.almayadeen.net (secondary)

Origin IP Range 2:  89.249.221.x
  89.249.221.244     — SPF origin + MX3 (web + mail)
  89.249.221.245     — ftp.almayadeen.net
  89.249.221.252     — mail.almayadeen.net (primary)

Origin IP Range 3:  194.126.9.x
  194.126.9.230      — mx1.almayadeen.net (primary mail)
```
- All origin IPs firewalled from direct access (timeout on HTTP/HTTPS)
- Only accessible through Cloudflare CDN reverse proxy
- FTP server suggests legacy file transfer infrastructure
- 3 distinct IP ranges suggest multi-datacenter setup
- **loader.io token:** `e26421201d5e0b60d1522ebe1a7c770f` (load testing verification)
- **Google Site Verification IDs:** 3 separate tokens (SEO management)

### Full Subdomain Architecture
```
alpha-ar-admin.almayadeen.net    — Arabic admin panel (ASP.NET Core login)
alpha-en-admin.almayadeen.net    — English admin panel (same structure)
alpha-ar-media.almayadeen.net    — Arabic media CDN (ASP.NET, LIVE)
alpha-en-media.almayadeen.net    — English media CDN (LIVE)
alpha-fr-media.almayadeen.net    — French media CDN (LIVE!)
portal-api.almayadeen.net        — MangoX CMS API (Docker: 94a743b785f9)
portal-beta-api.almayadeen.net   — MangoX beta API (Docker: 57660472686f)
ai.almayadeen.net                — Azure OpenAI GPT-4 editor (CORS: *)
interactions.almayadeen.net      — Interactions platform (3.9 MB bundle)
media.almayadeen.net             — Public media service (ASP.NET)
admin.almayadeen.net             — Redirects to alpha-ar-admin
```

### Default Test Credentials (from source code)
```javascript
// Test user creation template (default form values in the testing interface)
const testUserTemplate = {
    "username": "testuser",
    "password": "password123",
    "firstName": "Test",
    "lastName": "User",
    "emailAddress": "test@example.com"
};
```
- **Note:** These are default form values in the testing interface, NOT confirmed valid credentials

### AI Editor System Prompt (Arabic)
```
أنت مساعد متخصص في كتابة المقالات الإخبارية باللغة العربية:
- تتبع أسلوب كتابة موقع الميادين الإخباري (almayadeen.net)
- متخصص في تحسين محركات البحث (SEO) للمحتوى العربي
- خبير في تغطية أخبار الشرق الأوسط
- تستخدم لغة عربية فصحى واضحة ومهنية
- تراعي المصطلحات والتعابير المستخدمة في موقع الميادين
- تقدم محتوى يتوافق مع معايير SEO الحديثة مع الحفاظ على جودة المحتوى
```
- **English rendering:** "You are an assistant specializing in writing news articles in Arabic: you follow the writing style of the Al Mayadeen news site (almayadeen.net); you specialize in search engine optimization (SEO) for Arabic content; you are an expert in covering Middle East news; you use clear, professional Modern Standard Arabic; you observe the terminology and expressions used on the Al Mayadeen site; you produce content that meets current SEO standards while preserving content quality."

---

## Fars News Agency (farsnews.ir — IRGC)

### API Authentication Scheme (from CORS headers)
```
X-Token           — Authentication token
APPVERSION        — App version tracking
X-RFID            — Request fingerprinting/tracking
X-VERSION         — Version header
duid              — Device unique ID
platform          — Client platform identifier
os                — Operating system
app-market        — App store variant
app-scope         — Multi-tenant scope
app-scope-tenant  — Tenant identifier
```
- **Source:** dl.farsnews.ir CORS headers via Tor

### Infrastructure
```
Server:           "ninja" (Nginx fork)
Frontend:         Vue.js PWA
API Format:       MsgPack (api.farsnews.ir)
Analytics:        Self-hosted Matomo (trace.farsnews.ir)
                  + Google Analytics + Google Tag Manager
Video:            Aparat (Iranian YouTube clone)
Streaming:        3x streaming servers (stream01-03.farsnews.ir)
CDN:              cdn.farsnews.ir + ccdn.farsnews.ir
Downloads:        dl.farsnews.ir
Open Graph:       og.farsnews.ir
```
- **APK Last Modified:** Nov 8, 2025
- **Profile Sitemaps Last Modified:** Feb 27, 2026 (day before strikes)
- **Matomo Login:** trace.farsnews.ir (publicly exposed login page)

---

## Hezbollah (almanar.com.lb)

### WordPress Debug Log Leaked Paths
```
File: almanar-debug.log (102 KB)
Contains: Server file paths, PHP errors, plugin errors
```
- WordPress with `hide_my_wp` plugin (security through obscurity)
- english.alahednews.news has `.git` directory (403 protected)

### moqawama.org (Islamic Resistance)
```
Hosting:          Amazon S3
CDN:              Amazon CloudFront
CloudFront POP:   ATL59-P18 (Atlanta)
Last Modified:    Fri, 12 May 2023 21:05:42 GMT
Content:          324-byte static HTML stub
```
- **Designated terrorist organization hosted on US infrastructure**

---

## Supreme Leader (khamenei.ir / khamenei.link)

### Hidden API — LIVE
```
Endpoint:          https://formx.khamenei.link/farsi-json/topticker
Status:            LIVE — returning current content (Feb 28, 2026)
Content:           JSON with redirect tracking tokens
Tracking Format:   redirect?id=XXXXX&c=HASH&u=TARGET_URL
```
- Each content item has a unique tracking hash (e.g., `c=1a8e499d51bc52a9fd1c`)
- **Source:** V1 JavaScript analysis, confirmed still active

### Admin Portal
```
URL:               https://admin.english.khamenei.ir
HTTP Status:       445 (CUSTOM — non-standard)
Server:            nginx
```
- Custom HTTP 445 status code suggests custom security middleware
- The admin portal is present but access-controlled

---

## Hezbollah Survey System (survey.almanar.com.lb)

### LimeSurvey Instance — LIVE
```
Platform:          LimeSurvey (open source survey tool)
Framework:         Yii (PHP)
Server:            Apache
Login:             /index.php/admin/authentication/sa/login
Session Cookie:    LS-UYWLGYJFYCLTSXMF
CSRF Token:        YII_CSRF_TOKEN (Yii framework standard)
```
- Admin login page is publicly accessible
- LimeSurvey has known CVEs for older versions

---

## Hezbollah Archive API (archive.almanar.com.lb)

### Custom API — LIVE
```
Root:              https://archive.almanar.com.lb/api
Status Response:   {"status":"ok"}
Method Routing:    Returns "Unknown method 'X'" for invalid methods
Valid Methods:     programs/, live/, programs_list/ (return 301 redirects)
Server:            nginx
HSTS:              max-age=31536000; includeSubDomains; preload
```
- Method-based API that accepts path segments as method names
- Archive was updated at 08:30 UTC Feb 28 (during strikes)

---

## mindex-center.ir (Iranian Defense Marketplace)

### Framework & Infrastructure
```
Framework:        Laravel (PHP)
API Gateway:      Kong 3.8.0
CDN:              ArvanCloud
Session Cookie:   mindex_session (encrypted, httponly, secure, samesite=lax)
CSRF Token:       XSRF-TOKEN (Laravel standard)
Session Timeout:  7200 seconds (2 hours)
```
- **Source:** HTTP response headers

---

## SANA.SY (Syrian Arab News Agency)

### WordPress Configuration
```
WordPress:        6.9
SEO Plugin:       Rank Math PRO
CDN:              cdn.sananews.sy
XML-RPC:          Active (POST only)
REST API:         Disabled
wp-login:         Blocked (403)
Crawl-Delay:      5
```

### Author Names Exposed (from RSS feed)
- Zeina Alsaadi (and others in Arabic)

---

## Iran Space Agency (space.ir)

### WordPress Configuration
```
CMS:              WordPress (version in readme)
Cache Plugin:     LiteSpeed Cache
Server:           LiteSpeed
WP-JSON API:      Fully exposed (read-only)
Users Endpoint:   Blocked (401)
```
- 2.49 MB API schema dumped
- 100 media items with full metadata

---

## ArvanCloud CDN Fingerprints

All surviving .ir sites use ArvanCloud CDN with these identifiers:
```
Server:           ArvanCloud
Headers:          X-Request-ID, X-SID, Server-Timing
SID Values:       5700 (standard), 6100 (blocking)
Catch-all Page:   /cdn-cgi/assets/css/static-pages-2.6.0.css
                  Uses #DOMAIN# placeholder
Content-Length:   5898-6060 (error page), 10828-10853 (403 block)
```

---

## DOJ-Seized Domains

| Domain | Status |
|--------|--------|
| almanar-tv.org | Seizure notice displayed |
| naimkassem.net | Seizure notice displayed |
| alemdad.net | Seizure notice displayed |
| alshahid.org | Seizure notice displayed |
| almanarnews.org | Offline |
| manarnews.org | Offline |

---

## Summary of Actionable Intelligence

| # | Item | Severity | Classification | Source |
|---|------|----------|---------------|--------|
| 1 | **Firebase Installation + FCM Token registered in IRGC project** | **CRITICAL** | Active Credential | Firebase Installations API |
| 2 | **GCP Project `fars-next` (823560469881) fully enumerated** | **CRITICAL** | Infrastructure Map | 28 API endpoints tested |
| 3 | **Pub/Sub ENABLED on IRGC project** | **HIGH** | Server Infrastructure | pubsub.googleapis.com |
| 4 | Azure OpenAI endpoint `mdn-open-ai` + deployment `mdn-gpt-4` | HIGH | API Configuration | ai.almayadeen.net |
| 5 | MangoX login endpoint processes auth attempts | HIGH | Attack Surface | portal-api /api/auth/login |
| 6 | `.env` file exists on portal-api (WAF-blocked) | HIGH | Config Exposure | portal-api.almayadeen.net/.env |
| 7 | `web.config` exists on portal-api (WAF-blocked) | MEDIUM | Config Exposure | portal-api.almayadeen.net/web.config |
| 8 | MangoX CMS subscription code `mangopulse` | MEDIUM | Platform Config | portal-api script.js |
| 9 | 3 Docker container hashes (prod, beta, public) | MEDIUM | Infrastructure | /health endpoints |
| 10 | Firebase refresh token (indefinite renewal) | MEDIUM | Credential | Firebase Installations API |
| 11 | Fars News API auth scheme (9 custom headers) | MEDIUM | API Structure | CORS headers via Tor |
| 12 | Matomo analytics login page | MEDIUM | Attack Surface | trace.farsnews.ir |
| 13 | WordPress debug.log (102 KB) | MEDIUM | Server Paths/Errors | almanar.com.lb |
| 14 | moqawama.org on Amazon S3/CloudFront | MEDIUM | US Infrastructure | HTTP headers |
| 15 | docs.mangopulse.net is CMS login portal | MEDIUM | Attack Surface | /home/login |
| 16 | Kong API Gateway 3.8.0 | LOW | Version Info | mindex-center.ir |
| 17 | SANA.SY XML-RPC active (80+ methods) | LOW | Attack Surface | sana.sy/xmlrpc.php |
| 18 | 73 SANA.SY sitemaps | LOW | Content Enumeration | sitemap_index.xml |

---

*Compiled: Feb 28, 2026 — Updated with GCP enumeration results*
