Cracked Open Under Fire

While Pakistan's military and nuclear infrastructure went dark during Operation Ghazab Lil Haq, ODINT extracted 46 MB from 12 live government targets in under 3 hours — entirely through passive reconnaissance over Tor.


PAKISTAN WARTIME OPERATION 46 MB EXTRACTED OSINT Investigation

Operation Statistics

On 01 March 2026, during active Pakistan-Afghanistan hostilities (Operation Ghazab Lil Haq), ODINT conducted a 3-hour passive reconnaissance sweep of Pakistani government and academic digital infrastructure. All data was extracted through Tor using entirely open-source methods — no exploits, no authentication bypass.

57+ Domains Scanned
12 Live Targets Enumerated
46 MB Data Extracted
3 hrs Operation Window
65% Gov Infrastructure Offline
340+ Individuals Identified
1,471 Government Datasets Dumped
18,460+ URLs Discovered

The Wartime Context

Pakistan's digital infrastructure cracked in two on 01 March 2026. Core government — the President's Office, Parliament, the Nuclear Commission (PAEC), the State Bank, the Federal Board of Revenue, national railway, NADRA's public services — went completely silent. Whether through deliberate defensive shutdown or genuine infrastructure collapse under the weight of Operation Ghazab Lil Haq, 35+ major .gov.pk domains returned no response.

What remained standing tells its own story. The institutions Pakistan did not protect — its universities, a provincial government, an open data portal, two federal admin panels — were left fully exposed, with no additional WAF deployment, no IP restriction, and in some cases running web servers seven years out of date.

Pakistan prioritized protecting its nuclear and financial infrastructure. It forgot its universities, its poorest province, and its open data platform entirely.

Infrastructure Collapse: What Went Down

Of 57+ Pakistani domains scanned during active hostilities, 65% were completely unreachable, 17% were behind WAFs blocking Tor, and only 21% remained accessible and functional.

Completely Unreachable (>35 domains)

Domain | Organization | Status
pakistan.gov.pk | Federal Government Portal | DOWN
pmo.gov.pk | Prime Minister's Office | DOWN
senate.gov.pk / na.gov.pk | Parliament (both chambers) | DOWN
paec.gov.pk | Pakistan Atomic Energy Commission | DOWN
nescom.gov.pk | Nuclear & Missile Development | DOWN
sbp.org.pk | State Bank of Pakistan | DOWN
fbr.gov.pk / iris.fbr.gov.pk | Federal Board of Revenue / IRIS 2.0 | DOWN
mail.ntc.net.pk | Federal Government Email (Zimbra) | DOWN
punjab.gov.pk / sindh.gov.pk | Punjab & Sindh Provinces | DOWN
nadra.gov.pk (e-services) | National Identity Database (public) | DOWN

Behind WAF — Tor Blocked (10 domains)

Domain | WAF | Status
ispr.gov.pk | Cloudflare | 403 BLOCKED
paknavy.gov.pk | Cloudflare | 403 BLOCKED
nust.edu.pk | Cloudflare | 403 BLOCKED
comsats.edu.pk | Cloudflare | 403 BLOCKED
gcu.edu.pk | Sucuri/Cloudproxy | 403 BLOCKED

Full wartime infrastructure status with all 57+ domains: Wartime Infrastructure Status

Live Targets: What Stayed Open

Twelve domains remained accessible and were subjected to deep enumeration. The institutions left exposed reveal a pattern of neglect that no wartime defensive posture corrected.

qau.edu.pk
Quaid-i-Azam University — Pakistan's #1 ranked university (QS Rankings)
Server: nginx/1.14.1 (7-year-old build)
CMS: WordPress — REST API fully exposed
Data: 6.6 MB extracted
Extras: Roundcube webmail + phpMyAdmin confirmed

pu.edu.pk
University of the Punjab — Pakistan's largest university (est. 1882)
Server: Apache (custom PHP)
Sitemap: 18,460 URLs extracted
Data: 8.3 MB extracted
Admin: /admin/ — HTTP 200, no authentication

balochistan.gov.pk
Government of Balochistan — the only remaining live provincial .gov.pk portal
CMS: WordPress + Elementor — REST API fully exposed
Users: admin_bal (ID 4) enumerated with gravatar hash
Data: 5.9 MB — 149 pages, 1,297 media items
Content: Divisional commissioners, Gwadar Safe City data, budget 2020–2026

sit.balochistan.gov.pk
Science & IT Department, Balochistan — shares admin with balochistan.gov.pk
CMS: WordPress + Elementor
Users: 2 accounts — admin (ID 1) with identical gravatar hash as balochistan.gov.pk
wp-login.php: Directly accessible
Impact: Single person administers both provincial WordPress installations

opendata.com.pk
Pakistan Open Data Portal — CKAN 2.8.3
Server: nginx/1.12.2 (8-year-old build)
API: /api/3/action/* — fully accessible without authentication
Data: 8.9 MB — 1,471 datasets, 36 user accounts, 22 organizations

lums.edu.pk
Lahore University of Management Sciences
Exposure: phpinfo.php — complete server configuration disclosed
Stack: RHEL 8.10, Apache 2.4.66, PHP 8.1.34, SSH2 + LDAP extensions
Data: 102 KB including kernel version and all PHP config

fsp.gov.pk
Ministry of National Food Security & Research — Federal Portal
Exposure: /AdminLogin — public admin panel, no WAF, no CAPTCHA
Server: Apache
Risk: National food supply chain data and policy decisions

ep.gov.pk
Pakistan Post EMTTS — Express Mail Track & Trace System
Exposure: /hq/locationissue.asp — Admin Login, IIS/10.0 + ASP.NET
Extras: /trace.axd returns 403 (tracing enabled), /hq/ partial admin interface
Risk: HQ-level postal operations management

WordPress REST API: Three Government Installations Fully Exposed

Three Pakistani organizations expose their complete WordPress REST API without authentication: Quaid-i-Azam University, the Government of Balochistan, and Balochistan's Science & IT Department. Combined extraction: 13.4 MB of structured government and academic data.

QAU — 6.6 MB Total Extraction
WORDPRESS
Pages: 200
Posts: 484
Media: 603 items (direct URLs)
Search results: 1,545 (43 keyword probes)
Pakistan's #1 ranked university running nginx/1.14.1 (2018 build) with its full WordPress API, Roundcube webmail login, and phpMyAdmin interface publicly accessible. 65+ named staff with direct phone lines, personal email addresses, and organizational positions extracted without authentication.
curl https://qau.edu.pk/wp-json/wp/v2/users → 403 Forbidden (user enum blocked)
curl https://qau.edu.pk/wp-json/wp/v2/pages?per_page=100 → 200 OK — 200 pages, 2.4 MB
curl https://qau.edu.pk/webmail/ → 200 OK — Roundcube Webmail login
curl https://qau.edu.pk/phpmyadmin/ → 302 Redirect — phpMyAdmin confirmed

Balochistan.gov.pk — Single Admin, Two Sites
CRITICAL
Pages: 149
Media: 1,297 items (with download URLs)
Admin hash: 49d835e800b2f8de...
The only remaining live provincial government portal in Pakistan. One administrator (admin_bal) manages both balochistan.gov.pk and sit.balochistan.gov.pk — confirmed by an identical gravatar hash across both installations. Compromise of that one email account would expose both sites. wp-login.php is directly accessible on the SIT domain.
balochistan.gov.pk → admin_bal (ID 4) → gravatar: 49d835e800b2f8...
sit.balochistan.gov.pk → admin (ID 1) → gravatar: 49d835e800b2f8...
↑ IDENTICAL HASH
Single person = two provincial government WordPress installations
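
Why an identical avatar hash ties two accounts to one mailbox, shown as an added example that is not part of the original report: WordPress places a hash of the account's e-mail address in each user's avatar_urls, so equal hashes mean equal addresses. The sketch audits saved /wp-json/wp/v2/users responses from sites you administer; hostnames, slugs and addresses are constructed placeholders.

```python
import hashlib
import re
from collections import defaultdict

def gravatar_hash(email):
    """Classic Gravatar scheme: MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()

def avatar_url(email, size=96):
    return f"https://secure.gravatar.com/avatar/{gravatar_hash(email)}?s={size}&d=mm&r=g"

# Constructed sample: trimmed /wp-json/wp/v2/users responses saved from two
# sites under your own administration. All names and addresses are placeholders.
SAVED_RESPONSES = {
    "portal.example.org": [
        {"id": 4, "slug": "admin_portal",
         "avatar_urls": {"96": avatar_url("Ops.Admin@example.org ")}},
    ],
    "dept.example.org": [
        {"id": 1, "slug": "admin",
         "avatar_urls": {"96": avatar_url("ops.admin@example.org")}},
        {"id": 2, "slug": "editor",
         "avatar_urls": {"96": avatar_url("editor@example.org")}},
    ],
}

# 32 hex characters (MD5) or 64 (SHA-256, which Gravatar also accepts).
HASH_RE = re.compile(r"/avatar/([0-9a-f]{64}|[0-9a-f]{32})(?=[?/]|$)")

def avatar_hashes(user):
    """Hashes found in one REST user object's avatar_urls."""
    found = set()
    for url in user.get("avatar_urls", {}).values():
        match = HASH_RE.search(url)
        if match:
            found.add(match.group(1))
    return found

def shared_accounts(responses):
    """Map each hash seen on more than one site to its (site, slug) pairs."""
    seen = defaultdict(set)
    for site, users in responses.items():
        for user in users:
            for digest in avatar_hashes(user):
                seen[digest].add((site, user["slug"]))
    return {d: sorted(a) for d, a in seen.items()
            if len({site for site, _ in a}) > 1}

if __name__ == "__main__":
    for digest, accounts in shared_accounts(SAVED_RESPONSES).items():
        print(digest[:8] + "...", accounts)
```

Any hash reported here marks an account whose mailbox is a shared point of failure; separate administrative addresses per installation remove the link.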

Personnel Intelligence: 340+ Named Individuals

Across all targets, 340+ individuals were identified with varying degrees of personal contact information. All data was extracted from publicly accessible sources without authentication.

65+ QAU Staff (phones, emails)
8 Balochistan Divisional Commissioners
298 Gwadar Safe City Candidates
36 CKAN Platform Accounts

Balochistan Divisional Commissioners

Eight senior provincial administrators were identified by name and division from WordPress page content — including the commissioner for Makran Division (Dawood Khan Khilji), which borders Iran and hosts Gwadar Port, the centerpiece of CPEC.

Gwadar Safe City — 298 Shortlisted Candidates
CPEC INTELLIGENCE
Project: PMU Gwadar / ESCB Safe City Initiative
Context: China-Pakistan Economic Corridor (CPEC)
Staffing lists for Gwadar's surveillance and command-and-control infrastructure were published through the Balochistan WordPress API. 298 shortlisted candidates for positions including Software Engineer, Network Engineer, Radio Communication Engineer, and Incharge Command & Control.

QAU Staff Directories — Sample

The following is a partial sample of data extracted from publicly accessible QAU staff pages. Direct phone extensions, institutional and personal email addresses, and organizational positions were recovered for 65+ individuals.

Dr. Shafiqur Rehman | Registrar | (+92) 51-9064-4046 | [email protected] Mr. Humayoun Khan | Additional Registrar | (+92) 51-9064-4063 | [email protected] Mr. Imran Sadiq | Deputy Controller | (+92) 333-5125111 | [email protected] Mr. Adnan Bokhari | Asst. Programmer | (+92) 51-9064-3231 | [email protected] Mr. Saeed Ur Rehman | Asst. Controller | (+92) 51-9064-4055 | [email protected] [+60 additional records in personnel annex]

Open Data Portal: 1,471 Government Datasets

Pakistan's Open Data Portal (opendata.com.pk) runs CKAN 2.8.3 on a server dating from October 2017. Despite declaring /api/ off-limits in robots.txt, the entire API is freely accessible without authentication.

CKAN 2.8.3 — Full Platform Dump (8.9 MB)
OPEN DATA
Datasets: 1,471
User accounts: 36 (including 2 sysadmins)
Organizations: 22
Tags: 2,349
All 1,471 datasets were dumped including 121 election datasets (1970–2024), 30 census datasets, and 661 Pakistan Bureau of Statistics entries. 36 user accounts were enumerated with gravatar hashes, edit counts, and organizational affiliations. Two sysadmin accounts share email hashes indicating credential reuse.
curl https://opendata.com.pk/api/3/action/package_search?rows=1000 → 200 OK — 1,471 datasets
curl https://opendata.com.pk/api/3/action/user_list → 200 OK — 36 accounts including sysadmins
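
The gap between a robots.txt Disallow and real access control, shown as an added example that is not part of the original report: robots.txt is a request to crawlers, and only the server's response to an unauthenticated client shows whether a path is protected. The robots.txt content, paths and status codes below are constructed inputs for a self-audit of your own portal.

```python
from urllib.robotparser import RobotFileParser

# Constructed inputs modelled on the finding above: a robots.txt that lists
# /api/ as off-limits, and the status each path returned to a request sent
# with no API key or session cookie during a self-audit.
ROBOTS_TXT = """\
User-agent: *
Disallow: /api/
Disallow: /revision/
"""
OBSERVED = [
    ("/api/3/action/package_search?rows=1000", 200),
    ("/api/3/action/user_list", 200),
    ("/api/3/action/user_show?id=placeholder", 403),
    ("/revision/list", 404),
    ("/dataset", 200),
]

def audit(robots_txt, observed, agent="*"):
    """Classify each path by what robots.txt asks for and what the server enforces."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    report = {"advisory_only": [], "enforced": [], "public_by_design": []}
    for path, status in observed:
        disallowed = not parser.can_fetch(agent, path)
        if disallowed and 200 <= status < 300:
            # Listed as off-limits, yet served to an anonymous client.
            report["advisory_only"].append(path)
        elif disallowed and status in (401, 403):
            # The server itself refuses the request.
            report["enforced"].append(path)
        elif not disallowed and 200 <= status < 300:
            report["public_by_design"].append(path)
    return report

if __name__ == "__main__":
    for category, paths in audit(ROBOTS_TXT, OBSERVED).items():
        print(category, paths)
```

Paths under advisory_only need an authorization rule on the server or API; the Disallow line does nothing to restrict them and also advertises where they are.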

Exposed Federal Admin Panels

Two federal government websites expose administrative login panels directly to the internet with no WAF, no IP restriction, and no CAPTCHA — during an active military conflict.

fsp.gov.pk/AdminLogin — Food Security Portal
EXPOSED
Ministry of National Food Security & Research administrative login is publicly accessible. Standard POST form, no rate limiting or brute-force protection observed. The ministry oversees national food supply chains, crop forecasting, and import/export regulation.
ep.gov.pk/hq/locationissue.asp — Pakistan Post HQ
EXPOSED
Express Mail Track & Trace System administrative panel on IIS/10.0 + ASP.NET. /trace.axd returns a 403 (not a 404), confirming ASP.NET request tracing is enabled on the server. HQ-level operations management accessible without restriction.

Server Configuration Disclosure: LUMS phpinfo.php

Lahore University of Management Sciences exposes a phpinfo.php page (96 KB) revealing the complete server stack: hostname, kernel, OS version, PHP extensions, database config, and file system paths — a complete fingerprint for targeted exploitation.

lums.edu.pk/phpinfo.php — Complete Server Stack Disclosure
HIGH
Complete server fingerprint extracted including: hostname lumswebsite-websrv1, kernel 5.4.17-2136.350.3.2.el8uek.x86_64 (Oracle UEK), RHEL 8.10, Apache 2.4.66, PHP 8.1.34. PHP SSH2 and LDAP extensions confirm the server connects to other LUMS infrastructure — potential pivot paths.
System: Linux lumswebsite-websrv1 5.4.17-2136.350.3.2.el8uek.x86_64
OS: Red Hat Enterprise Linux 8.10 (Ootpa)
Apache: 2.4.66 (codeit) OpenSSL/3.5.4
PHP: 8.1.34 (FPM/FastCGI) — built Dec 16 2025
Extensions: SSH2, LDAP, mysqlnd, mcrypt, SOAP, cURL, Sodium, GD
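
The unauthenticated requests documented in the sections above (WordPress REST endpoints, phpMyAdmin, CKAN user_list, trace.axd, phpinfo.php) leave a recognisable trail in web server access logs. The following detection sketch is an added example, not part of the original report; the probe names, thresholds and log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths named in this report, grouped by what each one discloses.
PROBES = {
    "wp-users": re.compile(r"^/wp-json/wp/v2/users"),
    "wp-bulk": re.compile(r"^/wp-json/wp/v2/(pages|posts|media)\?.*per_page=100"),
    "db-admin": re.compile(r"^/phpmyadmin/", re.I),
    "phpinfo": re.compile(r"^/phpinfo\.php"),
    "ckan-users": re.compile(r"^/api/3/action/user_list"),
    "aspnet-trace": re.compile(r"^/trace\.axd", re.I),
}
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" \d{3} ')

# Constructed combined-format log lines; client addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2026:07:31:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 403 121 "-" "curl/8.5.0"
192.0.2.10 - - [01/Mar/2026:07:31:40 +0000] "GET /wp-json/wp/v2/pages?per_page=100 HTTP/1.1" 200 2400000 "-" "curl/8.5.0"
192.0.2.10 - - [01/Mar/2026:07:33:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.7 - - [01/Mar/2026:07:32:00 +0000] "GET /wp-json/wp/v2/posts?per_page=10 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:07:00:00 +0000] "GET /phpinfo.php HTTP/1.1" 200 98304 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:08:30:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:09:40:00 +0000] "GET /trace.axd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
""".splitlines()

def enumeration_sweeps(lines, min_kinds=3, window=timedelta(minutes=10)):
    """Return {client: probe kinds} for clients that hit at least `min_kinds`
    distinct probe kinds inside one sliding `window`. Status is ignored on
    purpose: a 403 still shows that someone asked."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, stamp, path = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        hits[ip] += [(when, kind) for kind, rx in PROBES.items() if rx.search(path)]
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            kinds = {k for t, k in events[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                flagged[ip] = sorted(kinds)
                break
    return flagged
```

With the default ten-minute window only the first client is flagged; the third client's three probes are spread over more than two hours and surface only when the window is widened.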

Balochistan: Province in the Crosshairs

Balochistan is Pakistan's largest province by area (44% of Pakistan's territory), its strategic corridor for CPEC, and the host of Gwadar Port — China's Indian Ocean access point. During the Pakistan-Afghanistan war, it became a critical frontline zone. It was also the only remaining live provincial government.

The provincial WordPress API exposed divisional commissioner appointments across all 8 Balochistan divisions, complete budget documents from 2020 to 2026, legislation from 14+ departments, and the staffing list for Gwadar's surveillance infrastructure. The dual-TLD situation (.gov.pk and .gob.pk) creates additional impersonation risk.

Budget Documents 2020–2026 — Exposed via Media API
PROVINCIAL DATA
Direct download URLs for PSDP documents, White Papers, Budget Speeches, Annual Budget Statements (Volumes I–VIII), and revenue breakdowns for all 6 years were extracted from the WordPress media endpoint. Provincial spending priorities, development allocations, and fiscal capacity are fully public.

Government Digital Infrastructure

Pakistan's government digital infrastructure is centralized around a small number of critical systems. During wartime, all were either offline or locked down. The following represents the post-war targeting landscape.

220M+ Citizens in NADRA Database
500+ NITB Digital Initiatives
213 Pakistani ASNs
5.6M IP Addresses (Global #51)

NADRA — National Identity Under Wartime Lockdown

NADRA's Nishan API platform — which powers Verisys (demographic verification), Biosys (biometric fingerprint), Multi-biometric (fingerprint + facial), and Proof-of-Life services for 220+ million Pakistani citizens — went completely dark. All six public-facing NADRA endpoints returned errors ranging from 403 to 500.

NADRA's CNIC number format encodes province, district, tehsil, union council, family lineage, and gender in 13 digits. A compromised CNIC dataset does not just expose an ID number — it maps a person's entire administrative geography.

NTC Zimbra (mail.ntc.net.pk) — Federal Email, Single Point of Failure
POST-WAR PRIORITY
The National Telecommunication Corporation hosts all federal government email on a single Zimbra server. During wartime it was offline. When it returns: inter-agency communications, ministerial correspondence, and internal coordination traffic all flow through one system.

Historical Breach Timeline

Pakistan's current exposure sits on top of a documented history of serious incidents.

Date | Incident | Impact
2019–2023 | NADRA insider data theft by employees | 2.7M citizen records sold (Argentina, Romania)
2024 | NADRA breach public disclosure | Fraudulent IDs issued to Afghan nationals
2025 | Global credential breach | 180M Pakistani internet user credentials
2025 | SIM data leak | Federal ministers' call records exposed
2025 | Afghan Cyber Army campaign | 100 high-profile .gov.pk sites defaced

Data Inventory

Category | Size | Key Contents
qau-full-dump/ | 6.6 MB | 200 pages, 484 posts, 603 media, staff directories
pu-full-dump/ | 8.3 MB | 101 files, 18,460 URLs, 19 departments
ckan-dump/ | 8.9 MB | 1,471 datasets, 36 users, 22 organizations
balochistan-wp-dump/ | 5.9 MB | 149 gov pages, 1,297 media, commissioners, budgets
pak-wp-dumps/ | 6.3 MB | SIT WP, LUMS phpinfo, admin pages
pak-universities/ | 2.5 MB | 7 university probes (LUMS, AIOU, UOS, others)
pak-deep-probe/ | 957 KB | Initial target reconnaissance
pak-priority/ | 216 KB | NADRA, NTC, NITB, FBR probes
pak-admin-panels/ | 32 KB | FSP, EP admin login analysis
TOTAL | 46 MB | 9 target categories

Detailed Technical Annexes

Nine specialized reports cover each area of the operation in full technical depth.

Wartime Infrastructure Status: 57+ domains, status matrix, NADRA lockdown, infrastructure collapse analysis
WordPress REST API Exposure: QAU, Balochistan, SIT — 13.4 MB combined, admin correlation, user enumeration
University Intelligence: QAU, PU, LUMS, AIOU, UOS — full dump analysis, credential attack surface
Personnel Intelligence: 340+ named individuals, QAU staff tables, Gwadar Safe City candidates, PBX mapping
Open Data CKAN: 1,471 datasets, 36 accounts, 22 organizations, election & census data
Exposed Admin Panels: fsp.gov.pk and ep.gov.pk — attack vectors, ASP.NET trace exposure
Server Configuration Disclosure: LUMS phpinfo.php — full stack fingerprint, CVE surface, all server version leaks
Balochistan Province Deep Intelligence: Single-admin vulnerability, commissioners, Gwadar CPEC data, budget docs, legislation
Government Digital Infrastructure Map: NADRA, NTC, NITB, FBR, SBP, PTA, SUPARCO, post-war priority targets

Methodology & Scope

All data documented in this report was obtained through passive open-source intelligence techniques using publicly accessible interfaces. No authentication was bypassed, no vulnerability was exploited, and no unauthorized access was performed. All data was available without credentials at the time of collection.

Reconnaissance was conducted via proxychains4/Tor from anonymized infrastructure (CT105, 10.0.0.99). The operation window was 07:27–09:45 UTC on 01 March 2026.

ODINT publishes this research to support transparency, journalistic accountability, and informed public discourse on government digital security posture. Disclosure of this material is consistent with ODINT's Ethics Policy and Methodology.

Operation date: 01 March 2026 — ODINT Internal Classification: OSINT — CT105 → Tor → targets