MEDIUM · ministry

Ministry of Petroleum & Natural Gas

SPF broken (rejects all senders despite live MX); otherwise hardened

mopng.gov.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 72

Availability

read ECONNRESET

TLS

2026-07-21 · 38d

Headers

6 missing · 0 permissive

Email auth

SPF strict · DMARC reject

Security score
68 · Watch

Headline findings

  • 01 · SPF v=spf1 -all with no includes is broken — outbound mail from @mopng.gov.in fails authentication at every receiver
  • 02 · All 6 hardening headers present (HSTS, CSP, X-Frame, X-Content-Type, Referrer, Permissions)
  • 03 · DMARC p=reject — strict
  • 04 · AWS typosquat cluster (50.16.218.27) bulk-registers .org/.net/.co/.com

TLS security

warn

Issuer
eMudhra Technologies Limited
Expires
2026-07-21 (38d)

certificate expires in 38 days

Email authentication

SPF
strict
DKIM
unknown
DMARC
reject

Hardening headers

0 / 0 / 6 (present / permissive / missing)

  • HSTS · missing
  • CSP · missing
  • X-Frame · missing
  • X-Content-Type · missing
  • Referrer-Policy · missing
  • Permissions-Policy · missing

Lookalike domains

  • mopng.gov.com · 50.16.218.27 (AWS — typosquat cluster)
  • mopng.gov.org · 50.16.218.27 (AWS — typosquat cluster)
  • mopng.gov.net · 50.16.218.27 (AWS — typosquat cluster)
  • mopng.gov.co · 50.16.218.27 (AWS — typosquat cluster)

Public topology · CT logs

4 total · 2 sensitive

mopng.gov.in
Portals
  • dashboard.mopng.gov.in
  • pariyojana.mopng.gov.in

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Given the broken SPF and the publicly indexed dashboard subdomain, how is MoPNG currently detecting spoofed emails claiming to be from the ministry, and is Pariyojana project data encrypted at rest?

Active fingerprints · per host

  • mopng.gov.in

    Nginx reverse proxy + Java/Spring backend, eMudhra DV TLS

  • dashboard.mopng.gov.in

    Nginx + custom backend with ST01* session cookies

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: SPF bypass → email spoofing → cross-ministry phishing

effort · hours
detect · low (bad)
Entry
SPF v=spf1 -all rejects all senders; mgovcloud.in MX is live so legitimate mail fails. Attacker spoofs Secretary/CMD identity from external IPs unchallenged.
Pivot
Phishing campaign targeting subordinate ministries; DMARC p=reject blocks recovery for legitimate users; SideCopy-class TTPs documented for HPCL/OISD lures since 2024.
Objective
Credential harvest, malware delivery, lateral movement into dghindia.gov.in or pngrb.gov.in.
#2

Path B: Public dashboard enumeration → sensitive data exposure

effort · hours
detect · medium
Entry
dashboard.mopng.gov.in publicly indexed; pariyojana.mopng.gov.in is project-portal subdomain.
Pivot
Enumerate Pariyojana API endpoints; ST01* session tokens may be deterministic.
Objective
Exfiltrate project status, budget data, stakeholder lists; identify procurement schedules.
#2

Path C: AWS typosquat cluster → domain-takeover staging

effort · hours
detect · low (bad)
Entry
Phase 1 confirmed mopng.gov.org/.net/.co/.com all on 50.16.218.27.
Pivot
Pre-stage lookalike with attacker-issued TLS; phishing links to mopng-secure.com.
Objective
Harvest credentials, bypass mail filters, persistent backdoor via typosquat MTA.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · SPF bypass → email spoofing → cross-ministry phishing
factor ~2.7×
pre-AI
4 hours (SPF audit + recon + domain registration + phishing template)
Mythos
1.5 hours (automated domain generation + header crafting + .gov.in template cache)
Path B · Public dashboard enumeration → sensitive data exposure
factor ~4×
pre-AI
3 hours (dashboard enumeration + API fuzzing + token analysis)
Mythos
45 min (multi-threaded discovery, JWT pattern cracking, schema-aware filtering)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Fix broken SPF (currently -all without authorised senders)

    Host
    mopng.gov.in
    Fix
    Replace 'v=spf1 -all' with 'v=spf1 include:mgovcloud.in -all' covering actual mail infrastructure. Audit all MX records. Test 100+ legitimate-sender deliveries before enforcement.
    Owner
    Network Engineering / Email Security
    Validation
    mxtoolbox SPF check shows no soft-fail; spoofed mail hard-bounces
  • high

    Restrict dashboard.mopng.gov.in to VPN / IP-allowlist

    Host
    dashboard.mopng.gov.in
    Fix
    Move dashboard off public DNS or restrict access to ministry gateway IPs. Add WAF rules for enumeration probes; rate-limit session-token endpoint.
    Owner
    Application Security
    Validation
    external nmap times out or returns 403; ministry IPs succeed

Tier 2 · within 30 days

  • high

    Strengthen CSP — add upgrade-insecure-requests + block-all-mixed-content

    Host
    mopng.gov.in
    Fix
    Add 'upgrade-insecure-requests' and 'block-all-mixed-content'. Migrate inline scripts to nonce-based execution.
    Owner
    Frontend Engineering / Security
    Validation
curl -i https://mopng.gov.in | grep -i content-security-policy shows new directives
  • high

    Audit Pariyojana API authentication and rate limiting

    Host
    pariyojana.mopng.gov.in
    Fix
    OAuth 2.0 / API token auth on all endpoints. 100 req/min rate limit per IP/user. HMAC-signed responses.
    Owner
    Application Development
    Validation
    curl without auth returns 401; 101 reqs/min triggers 429
  • medium

    Implement DNS CAA records to restrict cert issuance

    Host
    mopng.gov.in
    Fix
    Publish: 'CAA 0 issue "emudhra.com"; CAA 0 issuewild "emudhra.com"'. Subscribe to CT monitoring (Censys, certspotter).
    Owner
    Infrastructure / PKI
    Validation
    dig mopng.gov.in CAA shows eMudhra restrictions

Tier 3 · within 90 days

  • medium

    Audit ST01* session-token generation entropy

    Host
    dashboard.mopng.gov.in / pariyojana.mopng.gov.in
    Fix
    Confirm tokens generated via cryptographic RNG (≥128-bit entropy). Implement 15-min idle / 8-hr absolute timeout.
    Owner
    Backend Engineering
    Validation
    1000-token entropy check (Shannon ≥7.9 bits/byte); zero collisions over 7-day run

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.
