ODINT

Police and Security


TABLE OF CONTENTS

  1. Executive Summary
  2. Cross-Domain Findings (Ranked by Severity)
  3. Domain: ministeriodelinterior.gob.ec
  4. Domain: policia.gob.ec
  5. Domain: bomberos.gob.ec
  6. Domain: atencionintegral.gob.ec (SNAI)
  7. Domain: ant.gob.ec
  8. Domain: ecu911.gob.ec
  9. Infrastructure Patterns
  10. Oraculo Vendor Pattern

EXECUTIVE SUMMARY

Scope: 6 domains covering police, interior ministry, fire service, prison service, transit agency, and emergency services

Method: Passive web probing only (homepage, standard paths, REST API enumeration, header analysis, SSL inspection)

Of the six target domains, four were fully accessible and returned detailed reconnaissance data. Two domains had issues:

Domain | Status | CMS | WAF | Severity
ministeriodelinterior.gob.ec | LIVE (unstable) | WordPress 6.9.1 | None detected | MEDIUM
policia.gob.ec | LIVE | WordPress (Yoast 27.0) | Sucuri/Cloudproxy | HIGH (internal IP leak)
bomberos.gob.ec | LIVE | WordPress 6.9.1 | None (nginx) | CRITICAL (user enum + exposed services)
atencionintegral.gob.ec (SNAI) | LIVE (unstable) | WordPress | None detected | MEDIUM
ant.gob.ec | DOWN (timeout) | Unknown | N/A | N/A
ecu911.gob.ec | LIVE | WordPress 6.8.3 | None (Apache) | CRITICAL (user enum + XML-RPC + OWA + oraculo)

Key findings:

  - 100% WordPress monoculture across all live sites.
  - "oraculo" vendor account confirmed on ecu911.gob.ec.
  - Two domains expose full user enumeration.
  - ECU 911 has XML-RPC with system.multicall enabled (brute-force amplification vector).
  - Exchange Server 2013 OWA exposed on ecu911 webmail.
  - Internal IP leak in policia.gob.ec Feature-Policy header.
  - Bomberos exposes internal Biotime/intranet IPs and Moodle on non-standard port.


CROSS-DOMAIN FINDINGS

CRITICAL

# | Finding | Domain(s) | Detail
C-1 | WP User Enumeration via REST API | ecu911.gob.ec |
C-4 | Exchange Server 2013 OWA Exposed | webmail.ecu911.gob.ec | Outlook Web App login page at /owa/, Exchange build 15.0.1497 (2013-era, likely unpatched), domain\username auth format
C-5 | Exposed Internal IPs and Services | bomberos.gob.ec | Public homepage links to internal services at 181.198.122.46:80 (Biotime attendance) and 181.198.122.46:8069 (Intranet/ERP, likely Odoo)

HIGH

# | Finding | Domain(s) | Detail
H-1 | Internal IP Leak in Feature-Policy Header | policia.gob.ec | HTTP header contains: Feature-Policy: microphone 'self' http://192.168.80.156/ -- leaks origin server IP behind Sucuri WAF
H-2 | "oraculo" Vendor/Admin Account | ecu911.gob.ec | User ID 1 slug oraculo with display name "SIS ECU911" -- appears to be a shared vendor/contractor account (see Oraculo section)
H-3 | wp-login.php Exposed Without Captcha | ecu911.gob.ec, bomberos.gob.ec, ministeriodelinterior.gob.ec, atencionintegral.gob.ec | Standard WordPress login pages with no CAPTCHA, no 2FA indicators, no rate limiting visible
H-4 | Server Version Disclosure | ecu911.gob.ec | Headers expose: Apache/2.4.62 (AlmaLinux) OpenSSL/3.5.1 and PHP/8.4.17
H-5 | Moodle LMS on Non-Standard Port | moodlev5.bomberos.gob.ec:9090 | Moodle 5 instance (YUI 3.18.1, jQuery 3.7.1) for firefighter training, 8-hour session timeout
H-6 | Test/Debug Post Published Publicly | policia.gob.ec | Post ID 23032, title "sssss", published 2025-12-13, author ID 2 -- test content visible to public
H-7 | xmlrpc.php Active (405 Method Not Allowed on GET) | ecu911.gob.ec | Responds 405 on GET but fully functional on POST -- confirms XML-RPC is processing requests

MEDIUM

# | Finding | Domain(s) | Detail
M-1 | Missing Security Headers | bomberos.gob.ec, ecu911.gob.ec | Missing: CSP, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, X-XSS-Protection
M-2 | Ninja Forms Submissions API Exposed | bomberos.gob.ec |
ecu911.gob.ec tecnologiaecu911
bomberos.gob.ec admin_9hkvwa61

DOMAIN NAME DISCREPANCIES

Requested Domain | Actual Domain | DNS Status
ministeriointerior.gob.ec | ministeriodelinterior.gob.ec | NXDOMAIN on requested
policiaecuador.gob.ec | policia.gob.ec | NXDOMAIN on requested
snai.gob.ec | atencionintegral.gob.ec | NXDOMAIN on requested
bomberos.gob.ec | bomberos.gob.ec | OK
ant.gob.ec | ant.gob.ec | Resolves but DOWN
ecu911.gob.ec | ecu911.gob.ec | OK