ODINT

Mail Exchange Recon

Ecuador Government Mail & Exchange Server Reconnaissance


SUMMARY OF FINDINGS

Publicly reachable government mail interfaces were identified across multiple Ecuadorian institutions, exposing outdated platforms and internal hostnames.

Target                      Server Type     Version                           Internal Hostname   Status
webmail.ecu911.gob.ec       Exchange 2013   15.0.1497.48                      ECU911NMAIL02       LIVE -- CRITICALLY OUTDATED (product EOL since Apr 2023)
webmail.eppetroecuador.ec   Exchange 2016   15.1.2507.6                       SPQ-DOMEXCHBRP1     LIVE -- OUTDATED (no security updates since Apr 2022; product EOL since Oct 2025)
mail.arcotel.gob.ec         Zimbra          10.1.13 (build 20251013.124545)   Behind nginx        LIVE -- RECENT
mail.eppetroecuador.ec      N/A             N/A                               N/A                 DNS NXDOMAIN
mail.midena.gob.ec          Unknown         N/A                               N/A                 RESOLVES (179.60.191.26); 443 resets the TLS handshake, 80 times out
mail.fae.mil.ec             N/A             N/A                               N/A                 DNS NXDOMAIN
webmail.fae.mil.ec          N/A             N/A                               N/A                 DNS NXDOMAIN

1. ECU911 -- SERVICIO INTEGRADO DE SEGURIDAD (Emergency Services 911)

Endpoint: webmail.ecu911.gob.ec

  • IP Address: 190.214.21.184
  • Web Server: Microsoft-IIS/8.5
  • Exchange Version: 15.0.1497.48
  • Exchange Product: Exchange Server 2013 CU23 (Cumulative Update 23)
  • ASP.NET Version: 4.0.30319
  • Internal FE Server Hostname: ECU911NMAIL02
  • ALPN: Server did NOT agree on protocol (no HTTP/2)

TLS Certificate

  • Subject: CN=*.ecu911.gob.ec (wildcard)
  • Issuer: Sectigo Public Server Authentication CA DV R36 (GB)
  • Valid: Jan 16, 2026 -- Jan 16, 2027
  • Serial: 4DDC7D35C9A913251BEB34573630C1B6
  • SANs: *.ecu911.gob.ec, ecu911.gob.ec

Exposed Endpoints & Headers

/owa/ (Outlook Web App)

HTTP/1.1 302 Found -> redirects to /owa/auth/logon.aspx
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
X-Powered-By: ASP.NET
Server: Microsoft-IIS/8.5

/owa/auth/logon.aspx (Login Page)

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: Microsoft-IIS/8.5
  • Language: Spanish (domain\username = "Dominio\nombre de usuario")
  • Form Fields: username, password, chkPrvt (private computer), chkBsc (basic auth), showPasswordCheck
  • CSS/Font Version Path: /owa/auth/15.0.1497/themes/resources/
  • Copyright in HTML: Copyright (c) 2003-2006 Microsoft Corporation
  • JS functions exposed: initLogon(), clkLgn(), IsOwaPremiumBrowser()
  • Cookie management: logondata, PrivateComputer cookies
  • JS variables: a_fRC=1, g_fFcs=1, a_fLOff=0, a_fCAC=0, a_fEnbSMm=0

/ecp/ (Exchange Control Panel)

HTTP/1.1 440 Login Timeout
X-AspNet-Version: 4.0.30319
X-FEServer: ECU911NMAIL02
X-Powered-By: ASP.NET
Server: Microsoft-IIS/8.5
  • Page Title: "Centro de administracion de Exchange" (Exchange Administration Center)
  • ECP is publicly accessible (login page renders)

/autodiscover/autodiscover.xml

HTTP/1.1 401 Anonymous Request Disallowed
X-SOAP-Enabled: True
X-WSSecurity-Enabled: True
X-WSSecurity-For: None
X-OAuth-Enabled: True
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Negotiate, NTLM, Basic realm="webmail.ecu911.gob.ec"

/ews/exchange.asmx (Exchange Web Services)

HTTP/1.1 401 Anonymous Request Disallowed
X-WSSecurity-Enabled: True
X-WSSecurity-For: None
X-OAuth-Enabled: True
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Negotiate, NTLM

/rpc/rpcproxy.dll (Outlook Anywhere/RPC over HTTP)

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Negotiate, NTLM, Basic realm="webmail.ecu911.gob.ec"

/oab/ (Offline Address Book)

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Negotiate, NTLM

/Microsoft-Server-ActiveSync

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Basic realm="webmail.ecu911.gob.ec"

/mapi/nspi/ (MAPI over HTTP)

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Negotiate, NTLM

/powershell/ (Remote PowerShell)

HTTP/1.1 401 Access Denied
X-OWA-Version: 15.0.1497.48
X-FEServer: ECU911NMAIL02
WWW-Authenticate: Kerberos

/api/v2.0/ (REST API)

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
  • REST API endpoint not configured (expected for Exchange 2013)

VULNERABILITY ASSESSMENT -- ECU911

Exchange 2013 CU23 is the last cumulative update for Exchange 2013, and build 15.0.1497.48 corresponds to the final security update Microsoft shipped for it (the March 2023 SU, re-released as v2). Exchange 2013 reached END OF LIFE on April 11, 2023, so this server has had no security updates for nearly three years and will never receive another.

What the build number says about known Exchange vulnerabilities:

  • CVE-2021-26855 (ProxyLogon) -- pre-auth SSRF leading to RCE. Fixed in the March 2021 SU (KB5000871, build 15.0.1497.12). Build .48 includes this fix.
  • CVE-2021-34473 (ProxyShell) -- pre-auth RCE chain. Fixed in the April 2021 SU (KB5001779, build 15.0.1497.15). Build .48 includes this fix.
  • CVE-2022-41040 / CVE-2022-41082 (ProxyNotShell) -- authenticated SSRF + RCE. Fixed in the November 2022 SU (build 15.0.1497.42). Build .48 includes this fix.
  • CVE-2023-21529, CVE-2023-21706, CVE-2023-21707 -- authenticated RCE, fixed in the February 2023 SU, which was still released for Exchange 2013 before EOL. Build .48 includes these fixes.
  • Everything disclosed after April 2023 -- Exchange 2013 receives no further security updates, so any Exchange vulnerability published after EOL that affects the 2013 code base is permanently unpatched here. Which post-EOL CVEs actually apply cannot be read from banners: Microsoft's advisories only list supported versions.

Risk Level: CRITICAL -- an EOL product on the public internet handling email for Ecuador's integrated 911 emergency service. Being patched up to EOL only means the well-known 2021-2023 exploit chains should fail; it says nothing about anything found since.

Authentication methods exposed: Negotiate, NTLM, Kerberos and Basic. Basic and NTLM on internet-facing Exchange endpoints are the standard password-spraying surface, and NTLM is relayable unless Extended Protection is enforced, which cannot be determined from these headers (EP support reached Exchange 2013 in the August 2022 SU, so this build is at least capable of it).


2. EP PETROECUADOR (State Oil Company)

Endpoint: webmail.eppetroecuador.ec

  • IP Address: 190.152.15.17
  • Web Server: Microsoft-IIS/10.0
  • Exchange Version: 15.1.2507.6
  • Exchange Product: Exchange Server 2016 CU23 (Cumulative Update 23)
  • ASP.NET Version: 4.0.30319
  • Internal FE Server Hostname: SPQ-DOMEXCHBRP1
  • ALPN: Server accepted HTTP/1.1

NOTE: The original target mail.eppetroecuador.ec returns DNS NXDOMAIN. The correct subdomain is webmail.eppetroecuador.ec.

TLS Certificate

  • Subject: CN=*.eppetroecuador.ec (wildcard)
  • Issuer: Go Daddy Secure Certificate Authority - G2 (US, Arizona, Scottsdale)
  • Valid: Feb 13, 2026 -- Feb 20, 2027
  • Serial: F63561E4B14B3F0D
  • SANs: *.eppetroecuador.ec, eppetroecuador.ec

Internal Hostname Analysis

SPQ-DOMEXCHBRP1 decodes as:

  • SPQ -- likely location code (Sucumbios/Petroecuador Quito?)
  • DOM -- Domain
  • EXCH -- Exchange
  • BRP -- possibly Bridge/Primary
  • 1 -- server number

Exposed Endpoints & Headers

/ (Root)

HTTP/1.1 302 Moved Temporarily -> /owa/
X-FEServer: SPQ-DOMEXCHBRP1
Server: Microsoft-IIS/10.0

/owa/ (Outlook Web App)

HTTP/1.1 302 Found -> /owa/auth/logon.aspx
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
X-Powered-By: ASP.NET
Server: Microsoft-IIS/10.0

/owa/auth/logon.aspx (Login Page)

HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Server: Microsoft-IIS/10.0
  • Page Title: "Outlook"
  • CSS/Font Version Path: /owa/auth/15.1.2507/themes/resources/
  • Copyright in HTML: Copyright (c) 2003-2006 Microsoft Corporation
  • JS variables: a_fRC=1, g_fFcs=1, a_fLOff=0, a_fCAC=0, a_fEnbSMm=0

/autodiscover/autodiscover.xml

HTTP/1.1 401 Unauthorized
X-SOAP-Enabled: True
X-WSSecurity-Enabled: True
X-WSSecurity-For: None
X-OAuth-Enabled: True
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
WWW-Authenticate: NTLM, Basic realm="webmail.eppetroecuador.ec"
  • NOTE: No Negotiate in autodiscover auth -- only NTLM and Basic

/ews/exchange.asmx (Exchange Web Services)

HTTP/1.1 401 Unauthorized
X-WSSecurity-Enabled: True
X-WSSecurity-For: None
X-OAuth-Enabled: False
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
WWW-Authenticate: Negotiate, NTLM, Basic realm="webmail.eppetroecuador.ec"
  • NOTE: X-OAuth-Enabled is False on EWS (different from autodiscover)

/ecp/ (Exchange Control Panel)

HTTP/1.1 440 Login Timeout
X-AspNet-Version: 4.0.30319
X-FEServer: SPQ-DOMEXCHBRP1
X-Powered-By: ASP.NET
Server: Microsoft-IIS/10.0

/Microsoft-Server-ActiveSync

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
WWW-Authenticate: Basic realm="webmail.eppetroecuador.ec"

/oab/ (Offline Address Book)

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
WWW-Authenticate: Negotiate, NTLM

/mapi/nspi/ (MAPI over HTTP)

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
WWW-Authenticate: Negotiate

/rpc/rpcproxy.dll (Outlook Anywhere)

HTTP/1.1 401 Unauthorized
X-OWA-Version: 15.1.2507.6
WWW-Authenticate: NTLM
  • NOTE: No X-FEServer leaked on this endpoint

/powershell/ (Remote PowerShell)

HTTP/1.1 401 Access Denied
X-OWA-Version: 15.1.2507.6
X-FEServer: SPQ-DOMEXCHBRP1
WWW-Authenticate: Kerberos, Basic realm="webmail.eppetroecuador.ec"

VULNERABILITY ASSESSMENT -- PETROECUADOR

Build 15.1.2507.6 is the RTM build of Exchange 2016 CU23, released April 20, 2022. CU23 is the final CU for Exchange 2016, and every later fix shipped as a security update on top of this build (bumping only the last component), so the build number shows that no SU has been installed since April 2022 -- nearly four years of missing patches. Exchange 2016 itself reached end of extended support on October 14, 2025, so the product is now also unsupported.

Known vulnerabilities fixed by SUs this server lacks:

  • CVE-2022-41040 / CVE-2022-41082 (ProxyNotShell) -- authenticated SSRF + RCE. Fixed in the November 2022 SU (build 15.1.2507.16). THIS SERVER IS VULNERABLE.
  • CVE-2023-21529 -- authenticated RCE. Fixed in the February 2023 SU.
  • CVE-2023-36439 -- authenticated RCE. Fixed in the November 2023 SU.
  • CVE-2024-21410 -- NTLM relay / elevation of privilege. Mitigated by Extended Protection, which Exchange 2016 can only enforce with the August 2022 SU or later; this build cannot enable it at all.
  • CVE-2024-26198 -- RCE. Fixed in the March 2024 SU.
  • Every Exchange 2016 SU from August 2022 onward is missing, so all CVEs those SUs address remain open on this build.

Risk Level: CRITICAL -- state oil company Exchange server with roughly four years of missing security updates, including ProxyNotShell and several later RCE fixes. Unlike ECU911, fixes for most of these exist; they were simply never applied, and since October 2025 no new ones will be issued either.


3. ARCOTEL (Telecommunications Regulator)

Endpoint: mail.arcotel.gob.ec

  • IP Address: 186.47.207.196
  • Web Server: nginx (reverse proxy) -> Zimbra backend
  • Mail Server Type: Zimbra Collaboration Suite (Open Source)
  • Zimbra Version: 10.1.13 (build timestamp: 20251013.124545 = October 13, 2025 at 12:45:45)
  • CSS Build Tag: v=260203181337 (Feb 3, 2026 at 18:13:37 -- likely last restart/deploy date)

TLS Certificate

  • Subject: CN=*.arcotel.gob.ec (wildcard)
  • Issuer: GoGetSSL RSA DV SSL CA 2 (Latvia)
  • Valid: Nov 11, 2025 -- Dec 12, 2026
  • Serial: 219A2AF9E1B37AA399A4CB8AEC0F73D2
  • SANs: *.arcotel.gob.ec, arcotel.gob.ec

Version Fingerprinting Details

Zimlet Version Strings (from publicly accessible zimlet XML manifests):

  • com_zimbra_url: version 2.5_10.1.13.20251013.124545
  • com_zimbra_date: version 2.7_10.1.13.20251013.124545
  • com_zimbra_email: version 11.12_10.1.13.20251013.124545
  • com_zimbra_cert_manager: version 6.0.6

The format is <zimlet_ver>_<zimbra_ver>.<build_date>, confirming Zimbra 10.1.13 built Oct 13, 2025.

Exposed Endpoints & Headers

/ (Login Page)

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html;charset=utf-8
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=edge
Set-Cookie: ZM_TEST=true; Secure
Set-Cookie: ZM_LOGIN_CSRF=<token>; Secure; HttpOnly
  • Page Title: "Zimbra Web Client Sign In"
  • Skin/Theme: harmony
  • Copyright: Copyright 2005-2025 Synacor, Inc.
  • Login options: Default, Classic (advanced), Modern (responsive)
  • Language: English
  • Password policy references: zimbraPasswordMinLength, zimbraPasswordMinUpperCaseChars, zimbraPasswordAllowUsername
  • JS functions exposed: clientChange(), forgotPassword(), showPassword(), handleNewPasswordChange(), parseCharsFromPassword()

/zimbraAdmin/ (Admin Console)

HTTP/1.1 500 Internal Server Error
  • Admin console path exists but returns 500 (may be intentionally blocked via nginx)

/service/soap (SOAP API)

HTTP/1.1 400 Bad Request
Server: nginx
Cache-Control: must-revalidate,no-cache,no-store

SOAP GetVersionInfo Request

<soap:Fault>
  <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
  <soap:Reason><soap:Text>permission denied: Version info is not available.</soap:Text></soap:Reason>
  <Error xmlns="urn:zimbra">
    <Code>service.PERM_DENIED</Code>
    <Trace>qtp350068407-293636:1772607912487:27de5a623ce443d9</Trace>
  </Error>
</soap:Fault>
  • Version info blocked via SOAP (good security practice), but version leaked through zimlet manifests (bad)
  • Thread ID leaked: qtp350068407-293636 (Jetty thread pool)
  • Timestamp leaked: 1772607912487 (epoch ms)
  • Request trace ID: 27de5a623ce443d9
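The two fingerprint sources above, the zimlet manifest version format (<zimlet_ver>_<zimbra_ver>.<build_date>) and the <Trace> value in the SOAP fault, can be decoded with a few lines of Python. This is an added example written for this page, not Zimbra code or a tool from the original report; the parsing rules are inferred from the samples on the page, which are the only inputs used.

```python
"""Decode the two Zimbra fingerprint sources seen on mail.arcotel.gob.ec: zimlet manifest
version strings and the <Trace> value in a SOAP fault. Added example for this page, not
Zimbra code or a tool from the original report; the format rules are inferred from the
samples on the page, which are the only inputs used."""
import re
from datetime import datetime, timezone
from typing import Optional

# <zimlet_ver>_<zimbra_ver>.<YYYYMMDD>.<HHMMSS>, e.g. 11.12_10.1.13.20251013.124545
ZIMLET_VERSION = re.compile(
    r"^(?P<zimlet>\d+(?:\.\d+)*)_(?P<zimbra>\d+\.\d+\.\d+)\.(?P<date>\d{8})\.(?P<time>\d{6})$")
# Jetty names QueuedThreadPool threads qtp<pool hash>-<thread>; Zimbra appends a
# millisecond epoch and a per-request id: qtp350068407-293636:1772607912487:27de5a623ce443d9
SOAP_TRACE = re.compile(r"^(?P<thread>qtp\d+-\d+):(?P<epoch_ms>\d{13}):(?P<request_id>[0-9a-f]+)$")

def parse_zimlet_version(version: str) -> dict:
    """Split a zimlet manifest version into zimlet version, server version and build time."""
    m = ZIMLET_VERSION.match(version)
    if not m:  # e.g. "6.0.6": a zimlet shipped without the server build suffix
        return {"zimlet_version": version, "zimbra_version": None, "build_time": None}
    built = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {"zimlet_version": m["zimlet"], "zimbra_version": m["zimbra"],
            "build_time": built.strftime("%Y-%m-%dT%H:%M:%S")}

def consensus_zimbra_version(versions) -> Optional[str]:
    """Server version every suffixed zimlet agrees on; None if they disagree or none carries one."""
    found = {parse_zimlet_version(v)["zimbra_version"] for v in versions} - {None}
    return found.pop() if len(found) == 1 else None

def parse_soap_trace(trace: str) -> dict:
    """Decode a Zimbra SOAP fault <Trace>: Jetty thread, server clock (UTC) and request id."""
    m = SOAP_TRACE.match(trace)
    if not m:
        raise ValueError(f"unexpected trace format: {trace!r}")
    when = datetime.fromtimestamp(int(m["epoch_ms"]) // 1000, tz=timezone.utc)
    return {"thread": m["thread"], "request_id": m["request_id"],
            "server_time_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ")}

# Values copied from the page's zimlet manifests and SOAP fault.
ZIMLET_MANIFEST_VERSIONS = {
    "com_zimbra_url": "2.5_10.1.13.20251013.124545",
    "com_zimbra_date": "2.7_10.1.13.20251013.124545",
    "com_zimbra_email": "11.12_10.1.13.20251013.124545",
    "com_zimbra_cert_manager": "6.0.6",
}
SOAP_FAULT_TRACE = "qtp350068407-293636:1772607912487:27de5a623ce443d9"

if __name__ == "__main__":
    for name, ver in ZIMLET_MANIFEST_VERSIONS.items():
        print(name, parse_zimlet_version(ver))
    print("server version:", consensus_zimbra_version(ZIMLET_MANIFEST_VERSIONS.values()))
    print("soap trace:", parse_soap_trace(SOAP_FAULT_TRACE))
```

The decoded epoch in the trace is the server's own clock at the moment of the request, which dates the scan and also lets you spot clock skew on the target; a zimlet without the build suffix (com_zimbra_cert_manager here) is skipped rather than treated as a disagreement.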

/zimbraAdmin/ on port 7071

ECONNREFUSED -- Admin port is not publicly exposed (good)

/robots.txt

User-agent: *
Allow: /
  • Permissive -- allows full crawling

VULNERABILITY ASSESSMENT -- ARCOTEL

Zimbra 10.1.13 (built October 13, 2025) is a recent release on a currently supported line.

Potential concerns:

  • The build is roughly five months old at the time of the scan. Any Zimbra advisory published after October 2025 should be checked against 10.1.13.
  • The zimlet XML manifests are anonymously readable and leak the exact server version and build timestamp. This undoes the deliberate blocking of GetVersionInfo and should be restricted.
  • The admin console port (7071) is firewalled -- not publicly reachable.
  • SOAP GetVersionInfo is properly restricted.
  • The nginx front end is Zimbra's standard proxy component; it hides mailstore details but is not a WAF and should not be counted as a security control by itself.

Risk Level: LOW-MODERATE -- current software, but the zimlet version leakage should be addressed.


4. MIDENA -- Ministry of National Defense (mail.midena.gob.ec)

Status: PARTIALLY REACHABLE

  • IP Address: 179.60.191.26 (resolves via DNS)
  • HTTPS (443): TLS handshake fails -- Recv failure: Connection was reset during SSL/TLS negotiation
  • HTTP (80): Connection timeout after 10 seconds
  • TLS Certificate: Could not be extracted (connection reset before handshake completion)

Analysis

The host resolves, but a TLS ClientHello on 443 is answered with a reset and port 80 never answers at all. Something in front of the service (a firewall, load balancer or IPS) is dropping or resetting these connections from the scanning network. Possible explanations:

  1. Source-IP access control (geo-blocking or an allow-list), so only Ecuadorian or internal ranges are served
  2. The mail server has been taken offline or migrated and the DNS record is stale
  3. Port 443 is still forwarded but the service behind it is down or misconfigured

Telling these apart requires probing from a different network position.

Risk Level: UNKNOWN -- Cannot assess from this network position.


5. FAE -- Ecuadorian Air Force (mail.fae.mil.ec / webmail.fae.mil.ec)

Status: DNS NXDOMAIN

  • Both mail.fae.mil.ec and webmail.fae.mil.ec return Non-existent domain from DNS
  • These subdomains either never existed, have been decommissioned, or use split-horizon DNS (internal only)

Risk Level: N/A -- Not publicly accessible.


6. EP PETROECUADOR -- Original Target (mail.eppetroecuador.ec)

Status: DNS NXDOMAIN

  • mail.eppetroecuador.ec does not resolve in public DNS
  • The correct mail subdomain is webmail.eppetroecuador.ec (documented in section 2 above)
  • correo.eppetroecuador.ec also returns NXDOMAIN

ATTACK SURFACE SUMMARY

ECU911 (webmail.ecu911.gob.ec) -- 9 exposed endpoints

Endpoint                       Auth Methods              Status
/owa/                          Form-based                302 -> login
/ecp/                          Form-based                440 (login page renders)
/autodiscover/                 Negotiate, NTLM, Basic    401
/ews/                          Negotiate, NTLM           401
/oab/                          Negotiate, NTLM           401
/rpc/rpcproxy.dll              Negotiate, NTLM, Basic    401
/Microsoft-Server-ActiveSync   Basic                     401
/mapi/nspi/                    Negotiate, NTLM           401
/powershell/                   Kerberos                  401

Petroecuador (webmail.eppetroecuador.ec) -- 9 exposed endpoints

Endpoint                       Auth Methods              Status
/owa/                          Form-based                302 -> login
/ecp/                          Form-based                440 (login page renders)
/autodiscover/                 NTLM, Basic               401
/ews/                          Negotiate, NTLM, Basic    401
/oab/                          Negotiate, NTLM           401
/rpc/rpcproxy.dll              NTLM                      401
/Microsoft-Server-ActiveSync   Basic                     401
/mapi/nspi/                    Negotiate                 401
/powershell/                   Kerberos, Basic           401

ARCOTEL (mail.arcotel.gob.ec) -- 4 exposed endpoints

Endpoint         Status
/ (login)        200 (Zimbra login page)
/service/soap    400 (SOAP API)
/zimbraAdmin/    500 (blocked)
/zimlet/*.xml    200 (version leakage)

KEY INTELLIGENCE EXTRACTED

Internal Hostnames

Target         Internal Hostname   Naming Convention (inferred)
ECU911         ECU911NMAIL02       ORG + N(ew?) + MAIL + ##
Petroecuador   SPQ-DOMEXCHBRP1     SITE-DOMEXCH(role)##

Version-to-CVE Mapping

Server         Version          ProxyLogon   ProxyShell   ProxyNotShell   Feb/Mar 2023 SUs      After Apr 2023
ECU911         15.0.1497.48     Patched      Patched      Patched         Patched               UNPATCHED (EOL, no fixes exist)
Petroecuador   15.1.2507.6      Patched      Patched      VULNERABLE      UNPATCHED             UNPATCHED (fixes exist up to Oct 2025, none applied)
ARCOTEL        Zimbra 10.1.13   N/A          N/A          N/A             Check Zimbra CVEs     Check Zimbra CVEs

Authentication Protocol Exposure

  • Both Exchange servers offer NTLM on internet-facing endpoints. That is a password-spraying target and, wherever Extended Protection is not enforced, a relay target. Petroecuador's build predates EP support entirely (added in the August 2022 SU), so EP cannot be enforced there; for ECU911 it cannot be confirmed from headers alone.
  • Both Exchange servers offer Basic authentication on multiple endpoints (Autodiscover, ActiveSync and Outlook Anywhere on both; EWS and PowerShell on Petroecuador as well). Basic sends the credential base64-encoded in every request, protected only by TLS, and is the cheapest scheme to spray against.
  • ECU911 offers only Kerberos on /powershell/, so that endpoint is not directly sprayable from the internet with a password.
  • Petroecuador offers Basic on /powershell/, the remote management endpoint -- a particularly attractive brute-force target.