ODINT
← Back to Cyber Tours

Military Infrastructure

Ecuador Military Domains — Technical Reconnaissance Report

Summary

Scope: 6 military/defense domains Method: Passive web fetching (homepage + exposed service probing)

1. defensa.gob.ec — Ministry of Defense

Status: ONLINE, fully accessible

Tech Stack

  • CMS: WordPress
  • Theme: Sitio-32 (custom government theme)
  • Caching: W3 Total Cache
  • Security Plugin: Wordfence (REST API endpoints exposed)
  • File Manager: file-manager-advanced plugin (REST API exposed)
  • Analytics: Google Site Kit with GA4 tag G-MWC005FF4B
  • Other Plugins: Popup Builder v3.3.1, Download Monitor

REST API Exposure (SIGNIFICANT)

WordPress REST API at /wp-json/ fully accessible:

  • Wordfence endpoints: /wordfence/v1/config (GET/POST/PUT/PATCH), /wordfence/v1/scan/issues (GET), /wordfence/v1/scan (POST/DELETE), /wordfence/v1/authenticate
  • File Manager Advanced: /file-manager-advanced/v1/hide-banner, /file-manager-advanced/v1/minimize-maximize-banner
  • Google Site Kit: Full endpoint map including /core/site/data/reset, /core/user/data/nonces, /core/user/data/get-token
  • WP Core: Posts, pages, media all publicly readable
  • User enumeration: Blocked (401 on /wp/v2/users) — good

Exposed Infrastructure

Subdomain Purpose
mail.midena.gob.ec Zimbra webmail
intranet.midena.gob.ec Internal intranet
servicios.midena.gob.ec/Transparencia/ LOTAIP transparency portal (collects cedula)

Path Probing

Path Result
/robots.txt Standard WP robots, sitemap at /wp-sitemap.xml
/.env 404 (not exposed)
/.git/config 404 (not exposed)
/wp-json/ OPEN — full API map
/xmlrpc.php 403 (blocked — good)
/wp-json/wp/v2/users 401 (protected — good)

Contact Info

  • Calle la Exposicion S4-71 y Benigno Vela, Quito 170403
  • Phone: 593-2 298-3200 / 593-2 295-1951

2. ccffaa.mil.ec — Joint Armed Forces Command (COMACO)

Status: BLOCKED — 403 Forbidden on all requests

  • Both HTTPS and HTTP return 403
  • /robots.txt returns 403
  • Likely geo-blocking or aggressive WAF
  • No technical data extractable

3. ejercitoecuatoriano.mil.ec — Ecuadorian Army

Status: ONLINE but behind aggressive WAF/bot protection

WAF Details

  • JavaScript challenge page: "One moment, please... Please wait while your request is being verified..."
  • Bot detection: WebDriver checking, headless browser detection, plugin/MIME validation
  • Auto-reloads after 5 seconds with XMLHttpRequest form submission
  • Encoded endpoint: /z0f76a1d14fd21a8fb5fd0d03e0fdc3d3cedae52f
  • Appears to be Sucuri, Imperva, or similar commercial WAF
  • All paths return same challenge page

4. armada.mil.ec — Ecuadorian Navy

Status: SSL CERTIFICATE ERROR / CONNECTION REFUSED

  • https://www.armada.mil.ec/ — "unable to verify the first certificate" (broken SSL chain)
  • http://www.armada.mil.ec/ — SSL verification error (forced HTTPS redirect)
  • http://armada.mil.ec/ — ECONNREFUSED
  • Navy website unreachable due to broken certificate chain
  • Significant finding: military domain with improper TLS configuration

5. fae.mil.ec — Ecuadorian Air Force

Status: ONLINE, fully accessible

Tech Stack

  • CMS: WordPress
  • Theme: Astra (commercial WP theme)
  • Page Builder: Elementor + ElementsKit + Premium Addons
  • Security: Really Simple Security (with 2FA endpoints)
  • Performance: Jetpack Boost, Image Optimizer
  • Analytics: Slimstat, Burst Analytics, Google Site Kit
  • E-commerce: WooCommerce detected (but API returns 404)
  • Social: Instagram Feed plugin

REST API Exposure (EXTENSIVE — 70+ namespaces)

Namespace Risk Details
jetpack/v4 HIGH 43 endpoints: sync, connection, licensing, remote provisioning
really-simple-security/v1/two-fa/v2 MEDIUM 2FA configuration endpoints
slimstat/v1 HIGH Analytics API — query by IP, browser, OS, country, referrer
image-optimizer/v1 MEDIUM 17 endpoints: bulk operations, stats, backup restore
wp-site-health/v1 MEDIUM 6 diagnostic endpoints + directory-sizes
google-site-kit/v1 MEDIUM Module management, analytics config

Slimstat Analytics API (NOTABLE)

/slimstat/v1/get accepts:

  • function: count, count-all, recent, recent-all, top, top-all
  • dimension: IP, browser, OS, country, resource, referer, language, resolution
  • token: Required (schema is publicly visible)

Path Probing

Path Result
/robots.txt Standard WP robots
/.env 403 (not 404) — server distinguishes this path, file may exist
/.git/config 404
/wp-json/ OPEN — massive API surface
/xmlrpc.php Empty response (possibly disabled)
/wp-json/wp/v2/users 401 (protected — good)

6. issfa.mil.ec — Military Social Security Institute

Status: ONLINE, fully accessible

Tech Stack

  • CMS: WordPress v6.2.2 (OUTDATED — current is 6.7+, missing 2+ years of security patches)
  • Theme: html5blank-stable
  • Analytics: MonsterInsights v9.9.0 with GA4 G-GDVYZLBKHR
  • Forms: Contact Form 7
  • Search: Ivory Search with AJAX

USER ENUMERATION — FULLY EXPOSED (CRITICAL)

/wp-json/wp/v2/users returns all users without authentication:

ID Username Display Name Role
1 webmasterft webmasterft Primary admin
2 gestion Gestion Publicidad Content/advertising
5 issfa-editor-1-anita Anita Villarruel Editor
6 issfa-editor-2-sebastian Sebastian Cardenas Editor

User sitemap at /wp-sitemap-users-1.xml also indexes all 4 author archive pages.

Internal Applications (ias.issfa.mil.ec)

Path Service SSL Status
/sesionv2/ Virtual Office (login) BROKEN
/certificados/ Certificate issuance BROKEN
/saludv2/ Medication query BROKEN
/QuejasYReclamos/ Complaints portal BROKEN

eDoc System (edoc.issfa.mil.ec)

  • Application: eDoc by Innova Files (Quipux successor)
  • Auth: Username/password with client-side RSA encryption (JSEncrypt, 1024-bit key — weak)
  • Session timeout: 10 minutes
  • Backend: PHP-based
  • Citizen self-registration with electronic signature certificate requirement

Exposed Documents via Media API

  • corregida-resolucion-de-adjudicacion-final-costanera-del-rio.pdf (procurement)
  • Informacion-Estadistica-General-de-2026-a-enero.pdf (statistics)
  • politica-de-seguridad-de-la-informacion.pdf (security policy, authored by "Luis Gualtuna", March 2025)

Path Probing

Path Result
/.env 404
/.git/config 404
/wp-json/ OPEN — full API with user enumeration
/wp-json/wp/v2/users OPEN — returns all 4 users (CRITICAL)

Cross-Domain Summary

CMS Distribution

Domain CMS Status
defensa.gob.ec WordPress Accessible
ccffaa.mil.ec Unknown 403 Blocked
ejercitoecuatoriano.mil.ec Unknown Behind WAF
armada.mil.ec Unknown SSL Broken
fae.mil.ec WordPress Accessible
issfa.mil.ec WordPress 6.2.2 Accessible (OUTDATED)

Findings by Severity

CRITICAL:

  1. ISSFA user enumeration — 4 WP users with full usernames exposed via REST API + sitemap
  2. ISSFA WordPress 6.2.2 — 2+ years out of date, dozens of missing security patches
  3. Navy SSL certificate chain broken — entire website unreachable

HIGH: 4. Defense Ministry Wordfence API exposed — scan results, config, auth endpoints enumerable 5. Defense Ministry File Manager Advanced — file management plugin API on defense site 6. Air Force Slimstat analytics API — can potentially query visitor IPs, browsers, countries 7. Air Force 43 Jetpack endpoints — sync, remote provisioning, connection management 8. ISSFA ias.issfa.mil.ec SSL broken — multiple internal apps have broken SSL chains

MEDIUM: 9. eDoc RSA 1024-bit encryption — weak by modern standards (2048-bit minimum) 10. Air Force .env returns 403 not 404 — server distinguishes path, file may exist 11. Defense Ministry Google Site Kit — full endpoint map including site reset, token retrieval 12. contactweb.issfa.mil.ec — 500 Internal Server Error

SYSTEMIC:

  • Zero security headers across all accessible military sites — no HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy on any domain

© 2026 Observatory for Digital Infrastructure and Network Transparency. Independent nonprofit.

Home | Privacy | Terms