MEDIUM · regulator

Petroleum and Natural Gas Regulatory Board

edev.* dev environment exposed in CT; IIS ETag fingerprint leak

pngrb.gov.in · baseline scan 2026-04-27 · daily passive check 2026-06-13 · Phase 2 active scan 2026-04-28

Daily passive check · 2026-06-13

score 8

Availability

HTTP 200

TLS

2026-12-07 · 177d

Headers

2 missing · 0 permissive

Email auth

SPF soft · DMARC quarantine

Security score · 64 · Watch

Headline findings

  • 01 · edev.pngrb.gov.in subdomain in CT logs — internal/dev environment named publicly
  • 02 · IIS Server header restricted but ETag visible — partial fingerprint leak
  • 03 · Soft-fail SPF (~all) allows downgrade attacks
  • 04 · All 6 hardening headers present

TLS security

pass

Issuer
GlobalSign nv-sa
Expires
2026-12-07 (177d)

Email authentication

SPF
soft
DKIM
unknown
DMARC
quarantine

Hardening headers

4 / 0 / 2 · present / permissive / missing

  • HSTS · present
  • CSP · missing
  • X-Frame · present
  • X-Content-Type · present
  • Referrer-Policy · present
  • Permissions-Policy · missing

Lookalike domains

  • pngrb.gov.com · 50.16.218.27 (AWS — typosquat cluster)

Public topology · CT logs

6 total · 1 sensitive

pngrb.gov.in
Dev / Test / UAT
  • edev.pngrb.gov.in

Certificate-transparency logs are immutable and public. Sensitive subdomains advertised here cannot be retracted; the mitigation is forward-only — new internal services route through a private CA that does not submit to public CT.

Phase 2 · Active scan complete

Authorised ethical-hacking assessment ran on 2026-04-28. Active fingerprinting, CVE matching, Mythos-class adversary simulation, and CISO patch list below.

Single-question version for MD

Why does PNGRB maintain a publicly DNS-indexed development environment (edev.pngrb.gov.in), and what is the incident response if dev configuration data has been harvested?

Active fingerprints · per host

  • pngrb.gov.in · EOL × 1

    Microsoft IIS (Server header restricted) on Windows + likely .NET backend, GlobalSign OV TLS

    • IIS version concealed; if Windows Server 2016, mainstream EOL Jan 2022
  • edev.pngrb.gov.in · EOL × 1

    Same IIS as parent; explicitly named development environment

    • dev subdomain in public CT — should not be externally indexed

Attack-path simulation

Mythos-class adversary analytical chain · paths ranked by exploitability × access value.

#1

Path A: Public edev subdomain → dev-environment configuration leak

effort hours
detect low (bad)
Entry
edev.pngrb.gov.in publicly registered in CT; typical dev exposes /web.config, /debug, test creds, /.env.example.
Pivot
Harvest connection strings, API keys, test admin accounts; pivot from dev to prod via shared credentials.
Objective
Compromise prod via dev path; exfiltrate dev DB which often mirrors prod schema/data.
#2

Path B: IIS ETag fingerprint → version inference → CVE-targeted exploit

effort days
detect medium
Entry
ETag visible in HTTP responses leaks IIS version pattern.
Pivot
Parse ETag → enumerate CVEs (CVE-2023-36434 HTTP/2 Rapid Reset; CVE-2023-21809 HTTP.sys memory corruption).
Objective
RCE; SYSTEM-level access on Windows IIS host.
#2

Path C: Soft-fail SPF + DMARC p=quarantine → email spoofing for regulator impersonation

effort hours
detect low (bad)
Entry
DMARC p=quarantine (not reject); SPF soft-fail.
Pivot
Spoof PNGRB director-level emails to MoPNG/DGH/CMD audiences with urgent regulatory request.
Objective
Credential harvest, policy-decision interference.

Mythos compression

Discovery-time compression: pre-AI adversary vs Mythos-class adversary, per attack path.

Path A · Public edev subdomain → dev-environment configuration leak
factor ~6×
pre-AI
3 hours (edev enumeration + endpoint discovery + config harvest)
Mythos
30 min (subdomain fuzzing, common dev paths, parallel config-file extraction)

The compression factor is reasoned, not measured. Mythos-class capability changes the tempo of attack-path traversal; the topology of the chain is unchanged.

CISO patch list

Tier 1 · within 7 days

  • critical

    Remove edev.pngrb.gov.in from public DNS; migrate to internal-only

    Host
    edev.pngrb.gov.in
    Fix
    Delete or NXDOMAIN the edev DNS record. Provision new dev on edev-internal.pngrb.local accessible only via VPN. Revoke public cert. Audit CT for any unauthorised edev certs issued.
    Owner
    Infrastructure / DevOps
    Validation
    nslookup edev.pngrb.gov.in returns NXDOMAIN externally
  • critical

    Upgrade DMARC from p=quarantine to p=reject

    Host
    pngrb.gov.in (email)
    Fix
    Monitor 30 days of rua reports for legitimate-sender failures; then change DMARC TXT to p=reject.
    Owner
    IT / Email Security
    Validation
    dig +short TXT _dmarc.pngrb.gov.in returns p=reject
  • critical

    Confirm Windows + IIS patch level; apply current monthly cumulative updates

    Host
    pngrb.gov.in
    CVE
    CVE-2023-36434, CVE-2023-21809
    Fix
    Get-ItemProperty HKLM:\Software\Microsoft\InetStp for IIS version. wmic qfe list for KB inventory. Apply current Windows monthly cumulative.
    Owner
    Infrastructure / Windows Administration
    Validation
    wmic qfe list shows current month's KB; Microsoft Update history clean

Tier 2 · within 30 days

  • high

    Suppress IIS ETag header or randomise to prevent fingerprinting

    Host
    pngrb.gov.in
    Fix
    web.config customHeaders: <add name='ETag' value='' /> or use opaque ETag pattern.
    Owner
    Infrastructure / IIS Administration
    Validation
    curl -i pngrb.gov.in | grep -i etag returns empty or opaque
  • high

    Audit .NET deserialization usage; replace BinaryFormatter with JSON

    Host
    pngrb.gov.in
    Fix
    grep -rE 'BinaryFormatter|LosFormatter|NetDataContractSerializer' across the codebase. Migrate to System.Text.Json with strict type binding. Test with ysoserial.net payloads.
    Owner
    Backend Engineering
    Validation
    ysoserial.net payloads rejected

Tier 3 · within 90 days

  • medium

    Implement CT monitoring for all PNGRB subdomains

    Host
    *.pngrb.gov.in
    Fix
    CAA records: 'CAA 0 issue "globalsign.com"'. Censys/SSLMate/certspotter monitoring on *.pngrb.gov.in.
    Owner
    Infrastructure / PKI
    Validation
    dig pngrb.gov.in CAA shows GlobalSign restriction; CT monitor active

Methodology is reproducible by any visitor with curl, dig, and openssl. Phase 1 (passive) findings are unconditional; Phase 2 (active) findings require per-entity ethical-hacking authorisation.

Sibling: Sanjaya — fuel pricing transparency on the same Ministry portfolio. Sanjaya narrates; Sanket warns.