MEDIUM · gas

Petronet LNG

0/6 hardening headers at baseline (1/6 at the latest passive check) despite strong email auth; ADFS endpoint exposed in CT logs

petronetlng.com · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 20

Availability

HTTP 405 (host reachable; root rejects the request method)

TLS

2026-09-10 · 89d

Headers

5 missing · 0 permissive

Email auth

SPF strict · DMARC reject

58

Security score

Watch

Headline findings

  • 01 · All 6 hardening headers missing at baseline and active scan; the latest passive check finds only X-Content-Type-Options (root answers HTTP 405)
  • 02 · ADFS endpoint (adfs.petronetlng.com) visible in CT logs
  • 03 · Strong email-auth controls (SPF strict, DMARC p=reject)
  • 04 · Certificate expires September 2026

TLS security

pass

Issuer
GoDaddy.com, Inc.
Expires
2026-09-10 (89d)

Email authentication

SPF
strict
DKIM
present
DMARC
reject
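The SPF / DMARC cell above, and the Path C note further down that strict SPF plus DMARC p=reject blocks direct spoofing, both rest on how the two records are graded. The shell below is an added example, not the Sanket tooling, that grades raw TXT records and reports what a sender forging the header From: would get. The records inside it are constructed to match the report's classification; the live petronetlng.com DNS records are not reproduced here.

```shell
#!/bin/sh
# Added example, not part of the report: classify SPF and DMARC TXT records the
# way the dashboard's "SPF strict · DMARC reject" cell does, then derive what that
# means for direct From-spoofing. Sample records are constructed, not live DNS.
# Live use: classify_spf "$(dig +short TXT petronetlng.com | tr -d '"' | grep '^v=spf1')"
#           dmarc_policy "$(dig +short TXT _dmarc.petronetlng.com | tr -d '"')"

# classify_spf RECORD -> strict | softfail | neutral | passall | redirect | none | missing
classify_spf() {
  rec=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$rec" in
    "") echo missing; return ;;
    v=spf1*) ;;
    *) echo missing; return ;;
  esac
  # The terminal "all" mechanism decides what unlisted senders get.
  case "$rec" in
    *" -all"*) echo strict ;;      # hard fail: unlisted MAIL FROM is rejected
    *" ~all"*) echo softfail ;;    # soft fail: usually only a spam-score hint
    *" ?all"*) echo neutral ;;
    *" +all"*|*" all"*) echo passall ;;   # anyone may send: worse than no SPF
    *redirect=*) echo redirect ;;  # policy lives in another domain's record
    *) echo none ;;                # no terminal mechanism: defaults to neutral
  esac
}

# dmarc_tag RECORD TAG -> value of TAG (p, sp, pct, rua ...), empty if absent
dmarc_tag() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# dmarc_policy RECORD -> reject | quarantine | none | missing
dmarc_policy() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d ' ')" in
    "v=dmarc1;"*) ;;
    *) echo missing; return ;;
  esac
  p=$(dmarc_tag "$1" p)
  case "$p" in
    reject|quarantine|none) echo "$p" ;;
    *) echo missing ;;   # no valid p= tag: record is not enforceable
  esac
}

# spoof_exposure SPF_RECORD DMARC_RECORD -> what a forged header From: achieves
#   blocked       : DMARC p=reject applied to all mail (pct=100)
#   filtered      : DMARC p=quarantine applied to all mail
#   partial       : p=reject/quarantine but pct below 100, so some forgeries pass
#   envelope-only : SPF is strict but DMARC does not enforce; SPF protects only the
#                   envelope MAIL FROM, so the header From: is still forgeable
#   open          : neither control stops it
spoof_exposure() {
  spf=$(classify_spf "$1")
  pol=$(dmarc_policy "$2")
  pct=$(dmarc_tag "$2" pct)
  if [ -z "$pct" ]; then pct=100; fi   # DMARC default when pct= is absent
  case "$pol" in
    reject)     if [ "$pct" -eq 100 ]; then echo blocked;  else echo partial; fi ;;
    quarantine) if [ "$pct" -eq 100 ]; then echo filtered; else echo partial; fi ;;
    *) if [ "$spf" = strict ]; then echo envelope-only; else echo open; fi ;;
  esac
}

# Constructed records matching the report's "SPF strict · DMARC reject" (not live DNS;
# TEST-NET-3 address space and example.* hosts used deliberately).
PETRONET_SPF='v=spf1 ip4:203.0.113.0/24 include:spf.example.net -all'
PETRONET_DMARC='v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
# Constructed weaker variants for contrast.
SOFT_SPF='v=spf1 include:spf.example.net ~all'
MONITOR_DMARC='v=DMARC1; p=none; rua=mailto:dmarc@example.com'
PARTIAL_DMARC='v=DMARC1; p=reject; pct=25'

echo "SPF $(classify_spf "$PETRONET_SPF") · DMARC $(dmarc_policy "$PETRONET_DMARC") · spoofing: $(spoof_exposure "$PETRONET_SPF" "$PETRONET_DMARC")"
echo "with p=none instead: $(spoof_exposure "$PETRONET_SPF" "$MONITOR_DMARC")"
```

The envelope-only case is the one worth remembering when reading these cells: SPF -all on its own does nothing against a forged display From: address, which is what a phishing target actually sees; only DMARC alignment enforcement closes that.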

Hardening headers

1 / 0 / 5 (present / permissive / missing)

  • HSTS · missing
  • CSP · missing
  • X-Frame-Options · missing
  • X-Content-Type-Options · present
  • Referrer-Policy · missing
  • Permissions-Policy · missing
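How the present / permissive / missing tally above is read from a response, and what the Tier 2 header fix should produce once it lands, as an added example that is not the Sanket scanner's code. The thresholds that decide "permissive" are this example's own assumptions, and the three response samples are constructed: the first mirrors the 2026-06-13 passive result (HTTP 405, only X-Content-Type-Options set), the second shows headers that are set but too weak to count, the third the target configuration from the patch list.

```shell
#!/bin/sh
# Added example, not code from the Sanket/Petronet report. Classifies the six
# hardening headers the report tallies as present / permissive / missing from a
# raw HTTP response-header blob. The "permissive" rules (HSTS max-age under six
# months, CSP with unsafe-inline/unsafe-eval or a wildcard default-src,
# X-Frame-Options other than DENY/SAMEORIGIN, Referrer-Policy unsafe-url or
# no-referrer-when-downgrade) are this example's assumptions, not the report's.
# Live use:  audit_headers "$(curl -sI https://petronetlng.com/)"

HARDENING_HEADERS="Strict-Transport-Security Content-Security-Policy X-Frame-Options X-Content-Type-Options Referrer-Policy Permissions-Policy"

# header_value BLOB NAME -> value of the first matching header (case-insensitive), or empty
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'
}

# classify_header NAME BLOB -> present | permissive | missing
classify_header() {
  value=$(header_value "$2" "$1")
  if [ -z "$value" ]; then echo missing; return; fi
  lower=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
  case "$1" in
    Strict-Transport-Security)
      age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
      if [ -n "$age" ] && [ "$age" -ge 15552000 ]; then echo present; else echo permissive; fi ;;
    Content-Security-Policy)
      case "$lower" in
        *unsafe-inline*|*unsafe-eval*|*"default-src *"*) echo permissive ;;
        *) echo present ;;
      esac ;;
    X-Frame-Options)
      case "$lower" in deny|sameorigin) echo present ;; *) echo permissive ;; esac ;;
    X-Content-Type-Options)
      if [ "$lower" = nosniff ]; then echo present; else echo permissive; fi ;;
    Referrer-Policy)
      case "$lower" in
        *unsafe-url*|*no-referrer-when-downgrade*) echo permissive ;;
        *) echo present ;;
      esac ;;
    *) echo present ;;   # Permissions-Policy: any explicit policy counts as present
  esac
}

# audit_headers BLOB -> "P / W / M" in the report's present / permissive / missing order
audit_headers() {
  p=0; w=0; m=0
  for h in $HARDENING_HEADERS; do
    case "$(classify_header "$h" "$1")" in
      present)    p=$((p+1)) ;;
      permissive) w=$((w+1)) ;;
      missing)    m=$((m+1)) ;;
    esac
  done
  echo "$p / $w / $m"
}

# report_headers BLOB -> one "name · state" line per header, like the dashboard list
report_headers() {
  for h in $HARDENING_HEADERS; do
    printf '%s · %s\n' "$h" "$(classify_header "$h" "$1")"
  done
}

# Constructed sample 1: the root response as the 2026-06-13 passive check describes it
# (HTTP 405, only X-Content-Type-Options). The other header values are invented.
PETRONET_ROOT="HTTP/1.1 405 Method Not Allowed
Date: Sat, 13 Jun 2026 06:00:00 GMT
Content-Type: text/html
X-Content-Type-Options: nosniff
Allow: GET"

# Constructed sample 2: all six set, four of them too weak to give protection.
WEAK_HEADERS="HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src * 'unsafe-inline'
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
Referrer-Policy: unsafe-url
Permissions-Policy: camera=(), microphone=()"

# Constructed sample 3: the Tier 2 target configuration from the patch list.
HARDENED="HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()"

report_headers "$PETRONET_ROOT"
echo "tally: $(audit_headers "$PETRONET_ROOT")"
```

Run it against the live host with `curl -sI` and also against a real 200 page, not only the 405 root: header middleware is often attached per route, and a clean root tally says nothing about the login page.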

Lookalike domains

  • petronetlng.net · 15.197.225.128 (AWS, entity-owned alternate)

Public topology · CT logs

6 total · 2 sensitive

petronetlng.com
Authentication
  • adfs.petronetlng.com
Infrastructure
  • smtpdahej.petronetlng.com
  • smtpdelhi.petronetlng.com

Certificate-transparency logs are append-only and public. Sensitive subdomains advertised there cannot be retracted; the mitigation is forward-only. Browsers require CT logging for publicly trusted certificates, so any hostname that is given a public certificate will keep appearing; new internal services should instead get certificates from a private CA that does not submit to public CT, or sit behind a wildcard certificate that does not name them.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Is the ADFS metadata endpoint at adfs.petronetlng.com publicly accessible without authentication, and is MFA enforced on all user accounts?

Active fingerprints · per host

  • petronetlng.com · EOL × 2

    Application server returning HTTP 405 on root; ADFS endpoint adfs.petronetlng.com; SMTP infra (smtpdahej, smtpdelhi)

    • TLS expires 2026-09-12 (136 days)
    • All 6 hardening headers MISSING on root response

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: ADFS metadata exposure → SAML token forgery / NTLM relay

effort days
detect medium
Entry
ADFS endpoint adfs.petronetlng.com is publicly named in CT; federation metadata at /FederationMetadata/2007-06/FederationMetadata.xml is served anonymously by design and is reachable externally whenever the proxy publishes that endpoint.
Pivot
Harvest the token-signing public certificate, endpoint list and relying-party identifiers from the metadata. Forging SAML/OIDC tokens (Golden SAML) needs the private signing key, which the metadata does not expose; the realistic follow-on is credential attacks (phishing, password spraying) against the ADFS sign-in endpoint and NTLM capture/relay where Windows-integrated endpoints are proxied (CVE-2025-33073).
Objective
Unauthorised access to Petronet systems; impersonate employees; SAP / ERP access.
#2

Path B: NTLM relay targeting ADFS-backed Windows infrastructure

effort days
detect medium
Entry
Hybrid Azure AD with NTLM auth typical for corporate; attacker on network or via compromised app.
Pivot
Capture an NTLM exchange; relay it to an internal service that does not require SMB signing, or to an HTTP endpoint (including ADFS Windows-integrated endpoints) that does not enforce Extended Protection for Authentication.
Objective
Privilege escalation; MFA bypass where Windows-integrated NTLM authentication is accepted as the only factor.
#2

Path C: SMTP recon + sector-themed phishing

effort days
detect low (bad)
Entry
smtpdahej / smtpdelhi are named in DNS. SPF strict and DMARC p=reject block direct spoofing of the petronetlng.com domain, but the hostnames reveal site layout (Dahej, Delhi) and mail infrastructure that feed a lookalike-domain campaign.
Pivot
Craft convincing internal-looking emails to Petronet employees with SideCopy-style oil-and-gas regulatory lures.
Objective
Initial compromise via email malware (CurlBack / Spark / Xeno RAT).
#3

Path D: Missing hardening headers → clickjacking + reflected XSS

effort hours
detect medium
Entry
0/6 hardening headers; HTTP 405 on root suggests app server with no header middleware.
Pivot
Without X-Frame-Options or CSP frame-ancestors, login pages can be framed for clickjacking; without CSP, any reflected XSS in a user-controlled parameter runs unrestricted.
Objective
Session hijacking; phishing amplification.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · ADFS metadata exposure → SAML token forgery / NTLM relay
factor ~10–20× (ADFS = crown jewel of Microsoft identity stack; LNG pricing/logistics is strategic IP)
pre-AI
ADFS metadata + NTLM relay → admin token forgery → SAP access
Mythos
Energy-company ADFS becomes attacker's authentication oracle; impersonate CFO; access LNG shipment schedules, pricing, supply agreements; pivot to OT via SAP-connected SCADA
Path C · SMTP recon + sector-themed phishing
factor ~2–4×
pre-AI
SMTP recon + crafted phishing → credential harvest before relay attempted
Mythos
Phishing low-cost; high ROI if employee training weak

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

Restrict external exposure of the ADFS federation-metadata and Windows-integrated endpoints

    Host
    adfs.petronetlng.com
    Fix
ADFS runs on HTTP.sys, not IIS, so IIS URL Rewrite does not apply. On the ADFS farm: Set-AdfsEndpoint -TargetAddressPath '/FederationMetadata/2007-06/FederationMetadata.xml' -Proxy $false stops the Web Application Proxy publishing it externally; do the same for /adfs/services/trust/13/windowstransport and /adfs/services/trust/2005/windowstransport, the NTLM-based endpoints. Caveat: keep the metadata published only if an external relying party (a partner federation) actually fetches it; otherwise exchange metadata out of band.
    Owner
    Petronet Identity / ADFS Admin
    Validation
curl -sI https://adfs.petronetlng.com/FederationMetadata/2007-06/FederationMetadata.xml from an external address returns a non-200 status; the same request from the internal network still returns 200
  • critical

    Enforce MFA on all ADFS-backed accounts; disable legacy NTLM

    Host
    Petronet AD users
    CVE
    CVE-2024-21410, CVE-2025-33073
    Fix
Entra ID (Azure AD) Conditional Access: require MFA for all users. ADFS: register an MFA adapter (Azure MFA or equivalent) as an additional authentication method and require it for extranet access. Group Policy 'Network security: Restrict NTLM: Incoming NTLM traffic': set 'Audit all' first, review the NTLM operational log for legitimate dependents, then move to 'Deny all accounts'.
    Owner
    Petronet IAM
    Validation
Sign-in without MFA is rejected; the Microsoft-Windows-NTLM/Operational log shows blocked incoming NTLM attempts and no unexpected legitimate clients among them
  • critical

Patch Windows DCs and domain members for CVE-2025-33073; enforce SMB signing

    Host
    Internal AD infra
    CVE
    CVE-2025-33073
    Fix
Apply the current Microsoft security update on all DCs and on every domain member (the flaw is in the SMB client, so DCs alone are not enough). Group Policy 'Microsoft network server: Digitally sign communications (always)' and 'Microsoft network client: Digitally sign communications (always)' → Enabled.
    Owner
    Petronet Windows Admin
    Validation
(Get-SmbServerConfiguration).RequireSecuritySignature and (Get-SmbClientConfiguration).RequireSecuritySignature both return True on DCs and member servers

Tier 2 · within 30 days

  • high

Set all 6 hardening headers on petronetlng.com (only X-Content-Type-Options is present at the latest passive check)

    Host
    petronetlng.com
    Fix
Strict-Transport-Security (max-age ≥ 1 year, includeSubDomains), Content-Security-Policy (start with default-src 'self' and roll out via Content-Security-Policy-Report-Only first so the site does not break), X-Frame-Options DENY (or CSP frame-ancestors 'none'), X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy listing the features the site uses. Set them on every response, including the 405 on root and error pages, not only on 200 pages.
    Owner
    Petronet Web Ops
    Validation
curl -sI https://petronetlng.com/ shows all six headers; securityheaders.com grades A or A+
  • high

    Document and harden SMTP infra (smtpdahej, smtpdelhi)

    Host
    smtpdahej.petronetlng.com / smtpdelhi.petronetlng.com
    Fix
Reject relay for non-local recipients from unauthenticated sources; allow AUTH only over TLS and require STARTTLS. If these hosts receive inbound mail, port 25 must stay open, so the check is relay behaviour and AUTH-over-TLS, not a closed port; 465/587 should be filtered or require authentication.
    Owner
    Petronet Mail / IT Ops
    Validation
    External SMTP test rejected; mxtoolbox shows no open relay
  • high

TLS renewal scheduled for July 2026 (ahead of the September 2026 expiry; 2026-09-10 per the latest passive check)

    Host
    petronetlng.com
    Fix
    Calendar alert 2026-07-01. Generate CSR; submit to GoDaddy or alternate CA.
    Owner
    Petronet TLS Admin
    Validation
openssl s_client -connect petronetlng.com:443 -servername petronetlng.com </dev/null 2>/dev/null | openssl x509 -noout -enddate shows a notAfter in 2027

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.