Ecuador Energy, Oil & Telecom — Technical Reconnaissance Report

Summary

Scope: 7 critical infrastructure domains (energy, oil, telecom, water, cybersecurity) Method: Passive web fetching (homepage + exposed service probing)

1. celec.gob.ec — CELEC EP (State Power Generation & Transmission)

Status: ONLINE, accessible

Tech Stack

Web Server: nginx/1.14.1
CMS: WordPress
Security Headers: Good — HSTS present
REST API: Open at /wp-json/

Path Probing

Path	Result
`/.git/config`	403 (not 404) — server distinguishes path, .git directory may exist
`/.env`	404
`/wp-json/`	OPEN — REST API accessible
`/wp-json/wp/v2/users`	Protected

Notable

.git directory returns 403 — unlike a 404, this means the server recognizes the path. The .git directory likely exists on disk but is blocked by nginx config. Directory listing or individual file access (.git/HEAD, .git/config) may still be possible with path manipulation.
Best security posture of the energy sector targets

2. cnel.gob.ec — CNEL EP (State Power Distribution)

Status: ONLINE

Tech Stack

Web Server: Apache 2.4.6 (CentOS)
PHP: 5.4.16 (CRITICAL — 11 YEARS END OF LIFE)
OpenSSL: 1.0.2k-fips (CRITICAL — EOL, multiple known vulnerabilities)
CMS: WordPress
XML-RPC: Fully exposed and accepting POST requests

CRITICAL: Catastrophically Outdated Stack

PHP 5.4.16 reached end-of-life in September 2015 — over 11 years of unpatched vulnerabilities
OpenSSL 1.0.2k reached end-of-life in December 2019 — vulnerable to multiple CVEs
Apache 2.4.6 is from 2013 — missing 10+ years of security patches
This is the power distribution company for all of Ecuador — serves millions of customers
The entire stack is so outdated it would fail any compliance audit

Path Probing

Path	Result
`/xmlrpc.php`	OPEN — accepts POST, system.multicall available (brute-force amplification)
`/wp-login.php`	Accessible — login form served
`/.env`	404
`/.git/config`	404

3. eppetroecuador.ec — EP Petroecuador (State Oil Company)

Status: ONLINE, multiple subdomains accessible

Tech Stack (Main Site)

CMS: WordPress
XML-RPC: Fully exposed and accepting POST requests
User Enumeration: 5 users exposed via /wp-json/wp/v2/users including "oraculo" admin

CRITICAL: Exchange Server 2016 Fully Exposed

mail.eppetroecuador.ec — Microsoft Exchange Server with ALL management endpoints accessible:

Endpoint	Status	Risk
`/owa/`	OPEN — Outlook Web Access login	HIGH
`/ews/`	OPEN — Exchange Web Services	CRITICAL
`/autodiscover/`	OPEN — client auto-configuration	HIGH
`/mapi/`	OPEN — MAPI over HTTP	CRITICAL
`/rpc/`	OPEN — RPC over HTTP	CRITICAL
`/powershell/`	OPEN — Remote PowerShell management	CRITICAL
`/ecp/`	OPEN — Exchange Control Panel (admin)	CRITICAL

Internal hostname leaked: SPQ-DOMEXCHBRP1 — reveals naming convention (SPQ = likely "Server Petroecuador Quito")
Exchange 2016 is approaching end of extended support
PowerShell endpoint exposure is the most dangerous — allows remote administration if credentials are obtained
Combined with user enumeration on the main site, this is an extremely high-value target

Subdomain: contratoscin.eppetroecuador.ec

Apache Tomcat 9.0.52 default page exposed — application server deployed but unconfigured or staging
Tomcat default pages expose version information and sometimes manager endpoints

User Enumeration (Main Site)

Username	Notes
`oraculo`	Shared vendor account — same username found on ARCOTEL and CNEL
(4 others)	Additional users exposed via REST API

4. cnt.gob.ec / cnt.com.ec — CNT EP (State Telecom Operator)

Status: ONLINE, modern stack

Tech Stack

Framework: Nuxt.js (Vue.js SSR)
Security Headers: Good — HSTS with preload directive
Overall: Most modern and well-secured critical infrastructure site tested

Notable

TLS certificate mismatch: cert issued for cnt.com.ec is being served on cnt.gob.ec — browsers may warn
Best security posture among all critical infrastructure targets
Modern JavaScript framework instead of legacy WordPress/PHP

5. ecucert.gob.ec — EcuCERT (National CERT)

Status: COMPLETELY OFFLINE

Critical Finding

Ecuador's national Computer Emergency Response Team website is unreachable
No HTTP or HTTPS response
DNS may still resolve but the web server is down
This is the organization responsible for coordinating cybersecurity incident response for the entire country
During an active armed conflict with 22 designated terrorist organizations, the national CERT is offline

Context

EcuCERT operates under ARCOTEL (telecom regulator)
Established 2014, focused primarily on telecom sector
No dedicated government-wide cybersecurity agency exists
The irony: the entity meant to protect Ecuador's digital infrastructure can't keep its own website online

6. arcotel.gob.ec — ARCOTEL (Telecom Regulator)

Status: ONLINE, fully accessible

Tech Stack

CMS: WordPress
Security Headers: ZERO — no HSTS, no CSP, no X-Frame-Options, no X-Content-Type-Options
XML-RPC: Fully exposed and accepting POST requests

USER ENUMERATION — FULLY EXPOSED (CRITICAL)

/wp-json/wp/v2/users returns all users without authentication:

Username	Notes
`oraculo`	Shared vendor account — same as Petroecuador and CNEL
(3 others)	Additional users with full display names exposed

Internal IP Leaked

172.20.1.172 — internal/private IP address leaked via response headers or page content
Reveals internal network addressing scheme (172.20.x.x range)

Email Infrastructure

Zimbra mail server exposed at mail subdomain
Zimbra webmail login accessible

Path Probing

Path	Result
`/xmlrpc.php`	OPEN — system.multicall available
`/wp-json/wp/v2/users`	OPEN — user enumeration (CRITICAL)
`/wp-json/`	OPEN — full API map
`/.env`	404
`/.git/config`	404

Notable

ARCOTEL is the telecom regulator and parent organization of EcuCERT
The organization responsible for telecommunications security has zero security headers on its own website
User enumeration and XML-RPC both open on the regulator's site

7. aguaquito.gob.ec — EPMAPS (Quito Water Utility)

Status: ONLINE, behind WAF

Tech Stack

WAF: Imperva/Incapsula
All requests pass through Imperva's cloud WAF
Limited technical data extractable due to WAF

Notable

Only critical infrastructure target with enterprise-grade WAF protection
Significantly better protected than energy or telecom sector targets

Cross-Domain Summary

CMS & Stack Distribution

Domain	CMS/Framework	Server	PHP	Security
celec.gob.ec	WordPress	nginx/1.14.1	Unknown	Good (HSTS)
cnel.gob.ec	WordPress	Apache 2.4.6	5.4.16 (EOL)	None
eppetroecuador.ec	WordPress + Exchange	Multiple	Unknown	None
cnt.gob.ec	Nuxt.js	Modern	N/A	Good (HSTS+preload)
ecucert.gob.ec	OFFLINE	—	—	—
arcotel.gob.ec	WordPress	Unknown	Unknown	Zero headers
aguaquito.gob.ec	Unknown	Imperva WAF	Unknown	Good (WAF)

"Oraculo" Vendor — Single Point of Failure (CRITICAL)

The username "oraculo" appears as a WordPress admin user on at least 3 critical infrastructure sites:

ARCOTEL (telecom regulator)
EP Petroecuador (national oil company)
CNEL (power distribution)

This indicates a single vendor/contractor managing WordPress deployments across multiple critical infrastructure organizations. If the "oraculo" account is compromised on any one site, credential reuse could grant access to all three. This represents a systemic supply chain risk across Ecuador's most critical digital infrastructure.

Findings by Severity

CRITICAL:

CNEL PHP 5.4.16 — power distribution company running 11-year EOL PHP with OpenSSL 1.0.2k
Petroecuador Exchange Server fully exposed — EWS, MAPI, RPC, PowerShell, ECP all accessible
EcuCERT completely offline — national CERT unreachable during active armed conflict
ARCOTEL user enumeration — telecom regulator exposes all WP users including shared "oraculo" vendor account
"Oraculo" shared vendor account — single contractor across 3 critical infrastructure orgs (supply chain risk)

HIGH: 6. Petroecuador user enumeration — 5 users exposed including "oraculo" 7. ARCOTEL XML-RPC open — brute-force amplification via system.multicall on telecom regulator 8. CNEL XML-RPC open — brute-force amplification on power distribution 9. Petroecuador internal hostname leaked — SPQ-DOMEXCHBRP1 reveals naming convention 10. ARCOTEL internal IP leaked — 172.20.1.172 reveals internal network schema

MEDIUM: 11. CELEC .git returns 403 — directory may exist on disk, potential source code exposure 12. Petroecuador Tomcat default page — contratoscin subdomain exposes unconfigured app server 13. CNT TLS cert mismatch — cnt.com.ec cert served on cnt.gob.ec 14. ARCOTEL Zimbra mail exposed — webmail login accessible

SYSTEMIC:

Zero security headers on ARCOTEL, CNEL, Petroecuador — no HSTS, CSP, X-Frame-Options
WordPress monoculture — 4 of 6 accessible sites run WordPress, all with REST API exposed
XML-RPC enabled on multiple sites — enables credential brute-force amplification attacks
Single vendor risk — "oraculo" account across critical infrastructure = one compromise affects all

Energy, Oil and Telecom

Ecuador Energy, Oil & Telecom — Technical Reconnaissance Report

Summary

1. celec.gob.ec — CELEC EP (State Power Generation & Transmission)

Tech Stack

Path Probing

Notable

2. cnel.gob.ec — CNEL EP (State Power Distribution)

Tech Stack

CRITICAL: Catastrophically Outdated Stack

Path Probing

3. eppetroecuador.ec — EP Petroecuador (State Oil Company)

Tech Stack (Main Site)

CRITICAL: Exchange Server 2016 Fully Exposed

Subdomain: contratoscin.eppetroecuador.ec

User Enumeration (Main Site)

4. cnt.gob.ec / cnt.com.ec — CNT EP (State Telecom Operator)

Tech Stack

Notable

5. ecucert.gob.ec — EcuCERT (National CERT)

Critical Finding

Context

6. arcotel.gob.ec — ARCOTEL (Telecom Regulator)

Tech Stack

USER ENUMERATION — FULLY EXPOSED (CRITICAL)

Internal IP Leaked

Email Infrastructure

Path Probing

Notable

7. aguaquito.gob.ec — EPMAPS (Quito Water Utility)

Tech Stack

Notable

Cross-Domain Summary

CMS & Stack Distribution

"Oraculo" Vendor — Single Point of Failure (CRITICAL)

Findings by Severity