Identifying the real IP address behind the VPN

Detecting a VPN is the easy part. What should the approach be if we need to detect and identify the real IP address of the user behind the VPN? This is my BE major project and we don’t really know how to do this.

There are very, very few ways to do it, and only one of them is, strictly speaking, legal.

1.) You can get the VPN to provide the information. (That’s the legal one)

or

2.) You can get the target to download a file that will cause the system to ping back to you with the IP address when the VPN may not be on. (This is not legal outside of controlled and voluntary circumstances, but technically possible)

Honorable mention for #3- “Hope they mess up and forget to turn on the VPN at some point.”

Extraordinarily difficult, but it can be done if you can profile the user while they’re on VPN accessing a specific resource which they also happen to access while not using a VPN.

This presupposes two facts, though: 1) there is a service the user accesses both while on VPN and off, and 2) you have a sufficiently unique way of fingerprinting or differentiating your target user.

This is one of those open-ended questions that makes you do more research than you would anticipate because you are not just rolling out some feature, you are teaching yourself how to research technologies you don’t understand. THIS IS THE TRUE VALUE OF YOUR EDUCATION - not that you know how to circumvent a VPN.

If you’re lucky, they provided you with the framework around VPNs so you could immerse yourself in the technology. Think “Hack the Gibson” visualization where you’re looking at all the different ways into and out of that computer. I’m talking about a baseline of IP and network connectivity.

Then you build scenarios, such as … does the target frequent a known site, or do you think you could get them to go to a web site? Or do you deploy malware to their system, but how would the malware know when to “phone home”? Would the malware need to be that smart, or could it just keep sending data periodically in the hopes that they turn off the VPN at some point?

You could also read about how VPN providers try to close the loopholes around their products, and imagine a product which maybe doesn’t close all the loopholes. Like they’re using a free VPN product that is not amazing.

The beauty of this project is that there are so many different possible answers, and you’re going to learn a lot more by hammering out all the implausible solutions than you would learn by listening to our advice. Everybody wants someone who can think on their feet, using their knowledge, experience, and research skills to cook up potential solutions.
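The cross-session correlation described in the two posts above (a fingerprint seen both from a VPN exit and from a non-VPN address) boils down to a grouping pass over your own service's access logs. The following is an added example, not code from the thread or any poster. The VPN exit prefixes, the log format and the log lines are all constructed for the demo; the "fp=" value stands for whatever client fingerprint the service already computes. It also encodes the "sufficiently unique" caveat: a fingerprint that shows up from many different direct addresses is treated as too weak to name a single user.

```python
"""Correlate sessions seen via VPN exits with sessions seen from direct IPs.

Added example. Assumes you run the service and its access log records, per
request, the client IP and a fingerprint id the service computed client-side.
Everything below (prefixes, format, log lines) is constructed for the demo.
"""
import ipaddress
from collections import defaultdict

# Constructed: prefixes a hypothetical VPN provider publishes as its exits.
VPN_EXIT_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample access log: "<timestamp> <client-ip> fp=<id> <method> <path>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.17 fp=7c1e9a GET /inbox
2024-05-01T10:03:12Z 203.0.113.17 fp=b02d44 GET /inbox
2024-05-01T21:15:40Z 192.0.2.44 fp=7c1e9a GET /inbox
2024-05-02T08:30:05Z 198.51.100.9 fp=7c1e9a GET /inbox
2024-05-02T09:02:33Z 192.0.2.44 fp=7c1e9a GET /inbox
2024-05-02T09:10:00Z 192.0.2.250 fp=b02d44 GET /inbox
2024-05-02T09:11:00Z 192.0.2.251 fp=b02d44 GET /inbox
2024-05-02T09:12:00Z 192.0.2.252 fp=b02d44 GET /inbox
"""


def is_vpn_exit(ip: str) -> bool:
    """True if the address falls inside one of the known VPN exit prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_EXIT_PREFIXES)


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Parse the constructed log format into (timestamp, ip, fingerprint)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, fp_field, *_ = line.split()
        if not fp_field.startswith("fp="):
            raise ValueError(f"unexpected log line: {line!r}")
        records.append((ts, ip, fp_field[len("fp="):]))
    return records


def correlate(records, max_candidates: int = 2) -> dict[str, list[str]]:
    """Map fingerprint -> sorted direct (non-VPN) IPs for every fingerprint
    that was seen both through a VPN exit and from a direct address.

    Fingerprints with more than max_candidates distinct direct IPs are
    dropped: that many unrelated sources means the fingerprint is not unique
    enough to point at one user (the second precondition in the post above).
    """
    via_vpn = defaultdict(set)
    direct = defaultdict(set)
    for _ts, ip, fp in records:
        (via_vpn if is_vpn_exit(ip) else direct)[fp].add(ip)

    hits = {}
    for fp in via_vpn:
        candidates = direct.get(fp, set())
        if 0 < len(candidates) <= max_candidates:
            hits[fp] = sorted(candidates)
    return hits


if __name__ == "__main__":
    for fp, ips in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"fingerprint {fp}: seen via VPN and directly from {', '.join(ips)}")
```

On the sample data, fingerprint 7c1e9a resolves to a single direct address, while b02d44 is rejected because it was seen from three unrelated direct addresses; raising max_candidates shows why that threshold matters, since a weak fingerprint simply produces a list of strangers.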

I’d say probably not, but at the end of the day it really doesn’t matter in terms of preventing communication FROM that IP. That being said, you’d want to limit the geographical locations allowed to log into O365. You can block everyone but the countries you do business in, or you can even JUST allow your IP and make everyone VPN into the company to access their email, and use MDM for mobile and limit access to email to MDM users. I’d honestly disable OWA externally if that is what you use.

In terms of detecting the source, I’d check logs to look for identifying items such as user agent or endpoint details (may be a good way to block bad actors).

I’d also be aware of the nasty stuff you can do on the endpoint after comp without having to comp the actual email creds. You can sit in memory, stay off disk and use the mail client as C2, with the C2 waiting on a specific email subject to initiate. You can even look for key words in emails and blast some stuff out to try compromising the email chain to move to further organizations. These items, not so common but doable.

Reason why I said them is… there are multiple levels of complexity in attacks. Identify some of the easiest wins that make the biggest impact. Certain vendors may have functionality built into their product that assist you with this but may just need to be enabled.

Learn how VPNs work. You’re not asking something feasible.

Isn’t that kind of the point of a VPN?

AFAIK if they haven’t correctly configured their VPN or are using a less secure provider there’s the possibility of DNS leaks which would expose that information
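The DNS-leak check mentioned above works server-side: you hand the client a one-time hostname under a zone you are authoritative for, the client resolves it, and your nameserver's query log shows which resolver asked. If that resolver sits outside the VPN provider's ranges, DNS is escaping the tunnel. The block below is an added example, not code from the thread or any poster; the zone name, the VPN prefix and the query-log lines are constructed, with the log lines in the general shape of a BIND query log. Note what a leak actually exposes: the querying address is usually the ISP's recursive resolver, not the user's own IP, so it narrows down the ISP and rough region rather than the exact address.

```python
"""Server-side DNS leak test: did the probe hostname get resolved via the VPN?

Added example. Assumes you control an authoritative nameserver for the zone
LEAKTEST_ZONE and can read its query log. Zone, VPN prefix and log lines are
constructed for the demo.
"""
import ipaddress
import re
import secrets

LEAKTEST_ZONE = "leaktest.example"  # hypothetical zone you are authoritative for

# Constructed: the hypothetical VPN provider's exit/resolver prefix.
VPN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample in the shape of a BIND query log:
# "<date> client <resolver-ip>#<port> (<qname>): query: <qname> IN A ..."
SAMPLE_QUERY_LOG = """\
01-May-2024 10:00:01.123 client 203.0.113.53#41022 (a1b2c3d4e5f60718.leaktest.example): query: a1b2c3d4e5f60718.leaktest.example IN A +E(0) (203.0.113.10)
01-May-2024 10:00:02.456 client 192.0.2.53#50511 (a1b2c3d4e5f60718.leaktest.example): query: a1b2c3d4e5f60718.leaktest.example IN A +E(0) (203.0.113.10)
01-May-2024 10:00:05.789 client 203.0.113.53#41023 (ffff000011112222.leaktest.example): query: ffff000011112222.leaktest.example IN A +E(0) (203.0.113.10)
"""

# Pulls the resolver IP and the queried name out of one query-log line.
_QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\)"
)


def new_probe() -> tuple[str, str]:
    """Mint a one-time token and the hostname the client is asked to resolve.

    The random label makes each test run distinguishable in the query log.
    """
    token = secrets.token_hex(8)
    return token, f"{token}.{LEAKTEST_ZONE}"


def resolvers_for(token: str, query_log: str) -> set[str]:
    """Every resolver IP that asked the authoritative server for the probe name."""
    wanted = f"{token}.{LEAKTEST_ZONE}".lower()
    seen = set()
    for line in query_log.splitlines():
        m = _QUERY_RE.search(line)
        if m and m.group("qname").lower().rstrip(".") == wanted:
            seen.add(m.group("ip"))
    return seen


def classify(resolvers: set[str]) -> tuple[str, list[str]]:
    """Return ("no-query" | "ok" | "leak", [resolvers outside the VPN ranges]).

    A query from any resolver outside the VPN prefixes means DNS bypassed the
    tunnel, even if other queries for the same name came through the VPN.
    """
    if not resolvers:
        return "no-query", []
    outside = sorted(
        ip for ip in resolvers
        if not any(ipaddress.ip_address(ip) in net for net in VPN_PREFIXES)
    )
    return ("leak" if outside else "ok"), outside


if __name__ == "__main__":
    for tok in ("a1b2c3d4e5f60718", "ffff000011112222"):
        verdict, outside = classify(resolvers_for(tok, SAMPLE_QUERY_LOG))
        print(f"{tok}: {verdict} {outside}")
```

In the sample, the first probe was resolved both through the VPN's resolver and through 192.0.2.53, so it is reported as a leak with that resolver named; the second was only ever seen through the VPN range and passes. The classifier deliberately flags the mixed case, because a system that races its configured resolvers will sometimes answer via the tunnel and sometimes not.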

A well configured VPN won’t leak data. You might be able to find some exploits to give information about nearby WiFi BSSIDs or Bluetooth addresses, and correlate that with an IP, but that would be imperfect not to mention difficult and unsustainable. It’d also require that you’d have to have access to a number of popular services to give you that corroborating data.

You can get the target to download a file that will cause the system to ping back to you with the IP address when the VPN may not be on

Have seen this used on those YT videos where they go after Indian call center scammers.

Don’t get caught/admit to doing #2 lol