# IRAN WAR OSINT — Master Index

> **Campaign:** Real-time OSINT during Israeli strikes on Tehran
> **Date:** February 28, 2026
> **Status:** COLLECTION COMPLETE
> **Total Data Collected:** 61 MB across 2,248 files in 18 subfolders
> **Master Report:** `DUMP_2_28/MASTER-REPORT.md`

---

## Reports

| File | Contents |
|------|----------|
| [IRAN-CRISIS-2025-2026.md](IRAN-CRISIS-2025-2026.md) | Full conflict timeline, June 2025 war, Operation Midnight Hammer, 2026 crisis, Feb 28 strikes |
| [CYBERSPACE-OSINT-REPORT.md](CYBERSPACE-OSINT-REPORT.md) | Domain-by-domain status of 150+ Iranian & proxy sites (clearnet) |
| [INFRASTRUCTURE-SWEEP.md](INFRASTRUCTURE-SWEEP.md) | **NEW** — Mega-sweep of 267 domains: municipalities, universities, hospitals, military, nuclear, space, defense, water |
| [TOR-VERIFICATION.md](TOR-VERIFICATION.md) | Tor probe results confirming sites are TRULY DOWN, not geo-blocked |
| [DNS-ANALYSIS.md](DNS-ANALYSIS.md) | DNS resolution showing military domains have NO records (deleted) |
| [INTERNET-BLACKOUT-CONTEXT.md](INTERNET-BLACKOUT-CONTEXT.md) | Jan 2026 government internet shutdown, two-tiered system, NIN whitelist |
| [FARSNEWS-INTEL.md](FARSNEWS-INTEL.md) | Fars News (IRGC) infrastructure map, API, APK, Matomo analytics |
| [ALMAYADEEN-INTEL.md](ALMAYADEEN-INTEL.md) | **NEW** — Al Mayadeen MangoX CMS, Azure OpenAI GPT-4 AI editor, Docker containers, full API map |
| [SANA-SY-INTEL.md](SANA-SY-INTEL.md) | **NEW** — Syrian Arab News Agency WordPress 6.9, 73 sitemaps, XML-RPC active |
| [SPACE-IR-DUMP.md](SPACE-IR-DUMP.md) | Iran Space Agency WordPress API dump summary |
| [HEZBOLLAH-PROXY-STATUS.md](HEZBOLLAH-PROXY-STATUS.md) | Hezbollah, Iraqi militia, Houthi, Hamas network status |
| [CREDENTIALS-AND-ENV.md](CREDENTIALS-AND-ENV.md) | **NEW** — All credentials, API keys, env details, infrastructure fingerprints |
| [GHOST-DEVICE-FCM-LISTENER.md](GHOST-DEVICE-FCM-LISTENER.md) | **LIVE** — Deployed FCM listener on CT105, captures IRGC push notifications in real-time |

---

## Data Dumps — Organized (C:\Users\Squir\Desktop\IRAN\DUMP_2_28\)

> **Full details:** See `DUMP_2_28/MASTER-REPORT.md` for comprehensive analysis of all data.

| Subfolder | Files | Size | Contents |
|-----------|-------|------|----------|
| `irgc-farsnews/` | 1,929 | 30 MB | APK binary + decompiled (1,907 files), DefaPress (Tor), ParsToday, sitemaps, RSS |
| `sana-sy/` | 97 | 17 MB | All 40 post sitemaps, 27 tag sitemaps, video/news sitemaps, RSS, webmail, XML-RPC |
| `space-ir/` | 40 | 6.1 MB | Complete WordPress API dump: posts, pages, media, categories, taxonomies |
| `almayadeen-cms/` | 60 | 5.8 MB | AI editor, interactions SPA (3.9MB), portal scripts, Docker health, admin, DNS |
| `hezbollah/` | 19 | 558 KB | Debug log (102KB), LimeSurvey, archive API, Al Nour sitemaps, moqawama |
| `exchange/` | 22 | 279 KB | OWA login, federation metadata, healthcheck, SSRF proofs, origin IP dumps |
| `ifpnews/` | 2 | 288 KB | WordPress API root + posts |
| `mindex-center/` | 3 | 189 KB | Defense marketplace (Laravel + Kong), login page |
| `exchange-full-dump/` | 20 | 156 KB | Backend enumeration, NTLM decode, federation analysis, all endpoint headers |
| `khamenei/` | 8 | 116 KB | Youth portal, API JSON, CDN responses, Tor probes |
| `credentials/` | 17 | 93 KB | All credential JSONs, CVE analysis, crt.sh results, origin IP mapping, GCP enum |
| `alnour-lb/` | 4 | 44 KB | Al Nour Radio sitemaps (news, images, video) |
| `almayadeen-admin/` | 8 | 16 KB | Admin panel login, backoffice assets |
| `mangopulse/` | 6 | 13 KB | CMS platform docs, search API |
| `mdn-tv/` | 2 | 12 KB | URL shortener headers |
| `qudsnews/` | 4 | 11 KB | Parked GoDaddy domain (not actual target) |
| `misc/` | 3 | 10 KB | Gerdab, IQNA, Kayhan sitemaps |
| `felesteen/` | 3 | 7 KB | Hamas probes (all empty) |
| **TOTAL** | **2,248** | **61 MB** | |

---

## Key Findings Summary

### Iranian Infrastructure (267 domains swept)
1. **99.25% blackout** — Only 2 of 267 .ir government/infrastructure domains serve real content
2. **Military DNS deleted** — irgc.ir, artesh.ir, basij.ir have NO DNS records (deliberate defensive action)
3. **100% military/nuclear/intelligence blackout** — Zero accessible sites
4. **space.ir is the lone survivor** — WordPress API wide open, 3.87 MB extracted
5. **mindex-center.ir operational** — Defense marketplace on Laravel + Kong 3.8.0
6. **ArvanCloud CDN catch-all** — Returns fake 200s for all paths (false positive generator)
7. **Government blackout since Jan 8** — Two-tiered system, $35.7M/day cost

### Proxy Network
8. **Hezbollah sites partially operational** — 7 LIVE, 3 DOWN
9. **moqawama.org on Amazon S3/CloudFront** — US infrastructure for designated terrorist org
10. **All Iraqi militia sites down** — Infrastructure routes through Iran
11. **Houthi sites fully operational** — Independent infrastructure
12. **almanar.com.lb leaks debug.log** — 102 KB of server paths and errors

### Al Mayadeen (NEW — Major Findings)
13. **Azure OpenAI GPT-4 AI editor exposed** — `mdn-open-ai.openai.azure.com`, deployment `mdn-gpt-4`
14. **MangoX CMS API fully mapped** — Login, posts, users, menus, widgets, file upload endpoints
15. **Production Docker containers leaked** — Machine names `94a743b785f9` and `57660472686f`
16. **Subscription code: `mangopulse`** — Hardcoded in client-side JavaScript

### SANA.SY (NEW)
17. **WordPress 6.9 with XML-RPC active** — Potential brute-force vector
18. **73 sitemaps enumerate entire content** — Complete article history accessible
19. **REST API fully disabled** — Security-conscious but XML-RPC left open

### APK Reverse Engineering (NEW — Major Findings)
20. **IRGC Google Cloud Project ID confirmed** — `823560469881` with valid API key `AIzaSyDp9K7YksfYf-JvGOS7YCNv7JbA9P-XemE`
21. **Developer identity exposed** — TSIT company (Mashhad), developer MQT on DESKTOP-CV5TMVD
22. **WebView debugging enabled in production** — Chrome DevTools can attach to the IRGC app
23. **Surveillance-capable permissions** — Camera, mic, contacts, GPS, SMS, full storage

### Additional Targets
24. **formx.khamenei.link still ALIVE** — Supreme Leader's hidden API serving live redirect tracking data
25. **admin.english.khamenei.ir returns HTTP 445** — Custom status code, admin portal present
26. **Al Mayadeen admin panels captured** — alpha-ar-admin / alpha-en-admin with ASP.NET Core login
27. **Al Mayadeen has French edition** — alpha-fr-media.almayadeen.net
28. **LimeSurvey on survey.almanar.com.lb** — Hezbollah runs surveys, admin login accessible
29. **archive.almanar.com.lb has live API** — Method-based routing, updated during strikes
30. **almanar cPanel username: `manarnet`** — From exposed debug.log

### GCP Project Enumeration (CRITICAL — NEW)
31. **Firebase Installation registered in IRGC project** — Valid FID, JWT (7-day), refresh token obtained
32. **FCM push token obtained** — Registered to receive IRGC Fars News push notifications
33. **Project name confirmed: `fars-next`** — Via Pub/Sub 403 response accepting project name
34. **Pub/Sub ENABLED** — Only GCP service returning 403 (not "API disabled") — suggests server-side messaging
35. **Firebase Remote Config accessible** — Returns `NO_TEMPLATE` (empty but accessible)
36. **28 GCP APIs tested** — 5 responsive, 6 explicitly disabled, 17 need OAuth

### MangoX/MangoPulse Platform
37. **MangoX login endpoint functional** — Processes auth attempts, returns valid JSON errors
38. **`.env` files exist on ALL subdomains** — Blocked by Cloudflare WAF (403, 4836 bytes)
39. **6 Docker containers discovered** — prod, beta, staging environments all exposed
40. **docs.mangopulse.net is CMS login portal** — /home/login with username/password form
41. **MangoPulse serves multiple clients** — Al Mayadeen, Al Akhbar, Al Sharqiya
42. **search-api.mangopulse.net self-documenting** — `/getposts?page=1&size=5&types=articles,video`

### Al Mayadeen Subdomain Discovery (40 subdomains via crt.sh — CRITICAL)
43. **Exchange healthcheck leaks AD domain** — `BHS-EX09.ITTIHADTV.LOCAL` (internal Active Directory!)
44. **Origin IPs leaked via SPF** — 80.81.152.41, 89.249.221.244 + 3 more across 3 ranges
44b. **DMARC p=none + no DKIM** — @almayadeen.net email spoofing trivially possible
45. **corona-form.almayadeen.net HIJACKED** — JS redirect to Australian painting website
46. **6 Docker containers mapped** — 94a743b785f9, 57660472686f, cd4b3868f98b, 63d26ec15c1d, 0314cab697ec, 5b0c704d44be
47. **14 LIVE subdomains** — prod, staging, beta APIs, Next.js, Exchange, AI editor, interactions
48. **react.almayadeen.net** — Abandoned Vercel deployment (402 DEPLOYMENT_DISABLED)

### Khamenei.ir Subdomain Discovery (40 subdomains via crt.sh)
49. **nojavan.khamenei.ir LIVE** — Supreme Leader youth portal (43 KB), still serving content
50. **idc0-cdn0/cdn1 LIVE** — Internal CDN infrastructure responding
51. **virastar.nojavan returns HTTP 445** — Editor portal, same custom security middleware
52. **13 live streaming nodes** — live.idc0-cdn1 through cdn13 + live1 through live5

### Fars News Subdomain Discovery (21 subdomains via crt.sh)
53. **IRGC has Jira + Confluence + Chat** — All return status 000 (no response; Iran blackout), but the infrastructure exists
54. **my-api-tlg.farsnews.ir** — Private Telegram bot API subdomain discovered
55. **All 19 subdomains return status 000** — Total IRGC internal infrastructure blackout

### SANA.SY Additional
56. **webmail.sana.sy LIVE** — Roundcube on Plesk/Kolab, full login page with CSRF token
57. **Roundcube session cookie exposed** — `roundcube_sessid`, nginx, secure+HttpOnly

### Al Mayadeen Additional
58. **mdn.tv URL shortener** — en.mdn.tv (English), es.mdn.tv (Spanish), CORS: * (wide open)
59. **Admin theme builder URL leaked** — `/Manage/Designer/OpenThemeBuilder/1424017` in Next.js source
60. **Exchange build 15.1.2507.59** — Exact build from X-OWA-Version header on login attempt
61. **OWA accepts ITTIHADTV\username format** — Login reason codes: 0=none, 1=timeout, 2=invalid, 3=locked

### Exchange Deep Dive (CRITICAL — NEW)
62. **6 Exchange servers enumerated** — BHS-EX01 through EX05 (backends) + BHS-EX09 (frontend CAS)
63. **SSRF path leaks backend servers** — Autodiscover JSON path exposes X-BEServer, X-CalculatedBETarget, X-DiagInfo
64. **Federation metadata public** — Reveals BHS-EX05 on port 444, auth cert thumbprint, OAuth2 config
65. **NTLM Type 2 challenge decoded** — Confirms ITTIHADTV.local forest/domain, BHS-EX09 NetBIOS name, server timestamp
66. **6 UNPATCHED CVEs** — Missing Oct25SU, Dec25SU, Feb26SU (CVE-2025-59249 CVSS 8.8, CVE-2025-53782 CVSS 8.4)
67. **Windows Server 2012 R2 (EOL)** — IIS 8.5 confirms unsupported OS since Oct 2023
68. **MRS Proxy enabled** — WS-Security + OAuth enabled, mailbox migration endpoint public
69. **PowerShell remoting endpoint** — Returns BackEndServer info, WSMAN accessible
70. **ActiveSync uses Basic auth** — Credentials would be transmitted in cleartext if the connection were downgraded to HTTP
71. **Auth cert expires Jan 2027** — Created Jan 2022, 5-year cert, server-to-server OAuth
72. **mail.almayadeen.net = BHS-EX09** — Primary mail FQDN redirects to OWA on same server
73. **7 Exchange servers confirmed (not 6)** — BHS-EX01-05 (backends) + BHS-EX08 + BHS-EX09 (frontends), EX06-07 still unseen
74. **SSRF leaks X-CalculatedBETarget, X-DiagInfo, X-BEServer** — Autodiscover JSON SSRF path reveals all backend servers per-request

### Hezbollah WordPress (almanar.com.lb)
75. **debug.log STILL exposed (102KB)** — cPanel user: `manarnet`, theme: `ar-manar`, plugins: `hide_my_wp`, `debug-bar`
76. **hide_my_wp blocks wp-json** — But rest_route parameter partially exposed (301 redirect)
77. **LimeSurvey API endpoint (CORS: *)** — survey.almanar.com.lb, RemoteControl API exists but returns empty

### SANA.SY Complete Content Dump
78. **ALL 40 post sitemaps downloaded (10 MB)** — Complete article URL history of Syrian state news agency
79. **27 tag sitemaps downloaded** — Full taxonomy enumeration
80. **80+ XML-RPC methods active** — wp.*, blogger.*, metaWeblog.*, pingback.*, system.*
81. **Pingback SSRF vector** — pingback.ping method available for internal network scanning

### Data Collection
82. **Total extraction: 60+ MB across 175+ organized files** — Now organized into 10 subfolders by target: exchange, exchange-full-dump, almayadeen-cms, almayadeen-admin, sana-sy (16MB), hezbollah, khamenei, irgc-farsnews, mangopulse, credentials

### Ghost Device — LIVE COLLECTION (NEW)
83. **FCM listener DEPLOYED on CT105** — Python service maintaining persistent TCP connection to `mtalk.google.com:5228`
84. **Receiving all IRGC Fars News push notifications** — Every notification sent to all app users is captured as JSON
85. **Service auto-starts on boot** — `irgc-fcm-listener.service` enabled via systemd, auto-reconnects on failure
86. **Passive and undetectable** — One device among millions, no analytics sent, no API calls, receive-only

---

*Last Updated: Feb 28, 2026 — 23:05 UTC*
