Ask Your Question
0

Find VPN destination IP address over WiFi

asked 2024-03-19 20:16:06 +0000

andres@fastweb.com.mx gravatar image

updated 2024-03-19 21:50:00 +0000

Hi gang,

Need some help here from experts because my experience with WireShark is not that great and I've hit a brick wall.

I want to find the IP addresses of several VPN servers used in a popular VPN App ( VPN Super Unlimited Proxy by Mobile Jump Pte Ltd) so that I can block them. Unfortunately the PC app uses different servers so even though I got their address using WireShark and blocked them on the firewall, the phone App still connects to a few.

I understand that once the VPN connects all traffic is encrypted but there should be some initial unencrypted request via IP where I can find the destination IP address, Am I mistaken?

If so, is there any way to find the destination IP? The only packet from the phone I see is an MDNS request and I wonder if it has something to do with the VPN. I wanted to upload the capture and MDNS screenshot but it doesn't let me because I'm a newbie to the forum (need 60 points to upload file) :-(((

Any help will be greatly appreciated!

Here's the link to the files (thanks Chuckc for the suggestion): https://www.dropbox.com/scl/fo/y2jo5a...

I also included a pcap in monitor mode that has all the RF data but I cannot find any IP addresses.

The device initiating the VPN is Apple Iphone 90:81:58:55:A2:43 or 192.168.9.31.

Cheers, Andres

edit retag flag offensive close merge delete

Comments

Place the capture file on a public file share then update the question with a link to it.

Chuckc gravatar imageChuckc ( 2024-03-19 20:54:28 +0000 )edit

Thanks! I've uploaded the files to a public folder on Dropbox and put the link in the original question.

andres@fastweb.com.mx gravatar image[email protected] ( 2024-03-19 21:31:51 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-03-20 13:02:29 +0000

hugo.vanderkooij gravatar image

updated 2024-03-20 13:03:09 +0000

You can track hostname in TLS traffic with fields like:

tls.handshake.extensions_server_name
ssl.handshake.extensions_server_name
x509sat.printableString

If you know what name to match in the query then you find what is used. However it seems you are in for a game of "whack a mole".

edit flag offensive delete link more

Comments

"whack a mole" - example of a commercial product (GeoIP2 - Anonymous IP Database) with frequent updates to handle this.

Chuckc gravatar imageChuckc ( 2024-03-20 13:34:12 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2024-03-19 20:16:06 +0000

Seen: 253 times

Last updated: Mar 20

Related questions

Why is the MSS not the same?

Checking if the VPN connection is working

Wireshark shows some vpn servers a UDP and othersAS OPENVPN, UDP would be unencrypted, Correct?

How to detect packets only from devices connected to my wifi

Can I capture WIFI Direct P2p packets?

Detect non-connected devices in range of WiFi (for counting purposes)

View the encryption domain in an IPsec VPN?

Capture TCP traffic from other machines over WiFi

Sniffing (forwarded) wifi packets using promiscuous mode

How do I find my SIP call to my cell phone over VPN? Not listed under Telephony > VoIP calls