
Find VPN destination IP address over WiFi

Hi gang,

Need some help here from experts because my experience with Wireshark is not that great and I've hit a brick wall.

I want to find the IP addresses of several VPN servers used in a popular VPN app (VPN Super Unlimited Proxy by Mobile Jump Pte Ltd) so that I can block them. Unfortunately the PC app uses different servers, so even though I got their addresses using Wireshark and blocked them on the firewall, the phone app still connects to a few.

I understand that once the VPN connects all traffic is encrypted, but there should be some initial unencrypted request via IP where I can find the destination IP address. Am I mistaken?

If so, is there any way to find the destination IP? The only packet from the phone I see is an mDNS request and I wonder if it has something to do with the VPN. I wanted to upload the capture and mDNS screenshot but it doesn't let me because I'm a newbie to the forum (need 60 points to upload a file) :-(((

Any help will be greatly appreciated!

Here's the link to the files (thanks Chuckc for the suggestion): https://www.dropbox.com/scl/fo/y2jo5a...

I also included a pcap in monitor mode that has all the RF data but I cannot find any IP addresses.

The device initiating the VPN is an Apple iPhone, 90:81:58:55:A2:43 or 192.168.9.31.

Cheers, Andres

asked 2024-03-19 20:16:06 +0000, updated 2024-03-19 21:50:00 +0000

Comments

Place the capture file on a public file share then update the question with a link to it.

Chuckc (2024-03-19 20:54:28 +0000)

Thanks! I've uploaded the files to a public folder on Dropbox and put the link in the original question.

andres@fastweb.com.mx (2024-03-19 21:31:51 +0000)

1 Answer


You can track the hostname in TLS traffic with fields like:

tls.handshake.extensions_server_name
ssl.handshake.extensions_server_name
x509sat.printableString

If you know what name to match in the query, then you can find what is used. However, it seems you are in for a game of "whack a mole".

hugo.vanderkooij
answered 2024-03-20 13:02:29 +0000, updated 2024-03-20 13:03:09 +0000

Comments

"whack a mole" - example of a commercial product (GeoIP2 - Anonymous IP Database) with frequent updates to handle this.

Chuckc (2024-03-20 13:34:12 +0000)
