Ask Your Question
0

Find VPN destination IP address over WiFi

asked 2024-03-19 20:16:06 +0000

updated 2024-03-19 21:50:00 +0000

Hi gang,

Need some help here from experts because my experience with WireShark is not that great and I've hit a brick wall.

I want to find the IP addresses of several VPN servers used in a popular VPN App ( VPN Super Unlimited Proxy by Mobile Jump Pte Ltd) so that I can block them. Unfortunately the PC app uses different servers so even though I got their address using WireShark and blocked them on the firewall, the phone App still connects to a few.

I understand that once the VPN connects all traffic is encrypted but there should be some initial unencrypted request via IP where I can find the destination IP address, Am I mistaken?

If so, is there any way to find the destination IP? The only packet from the phone I see is an MDNS request and I wonder if it has something to do with the VPN. I wanted to upload the capture and MDNS screenshot but it doesn't let me because I'm a newbie to the forum (need 60 points to upload file) :-(((

Any help will be greatly appreciated!

Here's the link to the files (thanks Chuckc for the suggestion): https://www.dropbox.com/scl/fo/y2jo5a...

I also included a pcap in monitor mode that has all the RF data but I cannot find any IP addresses.

The device initiating the VPN is Apple Iphone 90:81:58:55:A2:43 or 192.168.9.31.

Cheers, Andres

edit retag flag offensive close merge delete

Comments

Place the capture file on a public file share then update the question with a link to it.

Chuckc gravatar imageChuckc ( 2024-03-19 20:54:28 +0000 )edit

Thanks! I've uploaded the files to a public folder on Dropbox and put the link in the original question.

andres@fastweb.com.mx gravatar image[email protected] ( 2024-03-19 21:31:51 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-03-20 13:02:29 +0000

hugo.vanderkooij gravatar image

updated 2024-03-20 13:03:09 +0000

You can track hostname in TLS traffic with fields like:

tls.handshake.extensions_server_name
ssl.handshake.extensions_server_name
x509sat.printableString

If you know what name to match in the query then you find what is used. However it seems you are in for a game of "whack a mole".

edit flag offensive delete link more

Comments

"whack a mole" - example of a commercial product (GeoIP2 - Anonymous IP Database) with frequent updates to handle this.

Chuckc gravatar imageChuckc ( 2024-03-20 13:34:12 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-03-19 20:16:06 +0000

Seen: 290 times

Last updated: Mar 20