User:Blablubbs/VPN Verification

This page lists technical fingerprints of VPN providers and ways to manually query and verify them. The verification methods are provided for reference; use them at your own risk, in non-intrusive ways and in compliance with applicable laws and ISP policies. This applies especially to nmap.[a] Verification instructions are written for users of Linux-based operating systems, but should be largely OS-independent. This page focuses on discovery methods in the IPv4 address space, though some may also be adjusted to work with IPv6.

Verification methods

SSL certificate

  • Using OpenSSL:
    openssl s_client -connect <host>:<port>
    
  • Using shodan
  • Using nmap:[b]
    sudo nmap -sS --script ssl-cert.nse <host or host range> -p<port1,port2,port3...portn OR port1-portn> -Pn -v
    
  • Using cURL:
    curl -k -v "https://<host>:<Port>"
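
The three commands above all do the same job by hand: fetch the leaf certificate and read its subject. The following Python helper, added here and not part of the original page, wraps the `openssl s_client` variant so the check can be repeated over a list of hosts. The `-ext` option of `openssl x509` needs OpenSSL 1.1.1 or newer, and the sample output below is constructed in the format OpenSSL prints, not captured from a real host.

```python
"""Added example: automate the manual `openssl s_client` certificate check
and parse the subject CN plus DNS subject alternative names."""
import re
import subprocess

# Matches "subject=CN = value" (OpenSSL 3), ", CN = value" and "/CN=value"
# (older one-line subject formats).
_CN_RE = re.compile(r"(?:^|[=,/])\s*CN\s*=\s*([^,/\n]+)")
_SAN_RE = re.compile(r"DNS:([^\s,]+)")


def parse_x509_summary(text):
    """Parse the text printed by
    `openssl x509 -noout -subject -ext subjectAltName` into the subject
    CN (or None) and the list of DNS subject alternative names."""
    match = _CN_RE.search(text)
    cn = match.group(1).strip() if match else None
    sans = _SAN_RE.findall(text)
    return {"cn": cn, "sans": sans}


def fetch_cert_summary(host, port, timeout=10):
    """Run `openssl s_client -connect host:port`, then pipe the returned
    leaf certificate through `openssl x509`. Returns None when the peer
    did not hand back a certificate (closed port, plain HTTP, timeout)."""
    target = "%s:%d" % (host, port)
    client = subprocess.run(
        ["openssl", "s_client", "-connect", target],
        input=b"", capture_output=True, timeout=timeout,
    )
    if b"-----BEGIN CERTIFICATE-----" not in client.stdout:
        return None
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=client.stdout, capture_output=True, timeout=timeout,
    )
    return parse_x509_summary(x509.stdout.decode("utf-8", "replace"))


# Constructed sample in the shape OpenSSL prints (not output from a real
# host); the CN is the AirVPN fingerprint listed further down this page.
SAMPLE_OUTPUT = """subject=CN = *.airservers.org
X509v3 Subject Alternative Name: 
    DNS:*.airservers.org, DNS:airservers.org
"""

if __name__ == "__main__":
    print(parse_x509_summary(SAMPLE_OUTPUT))
```

`fetch_cert_summary` is the only part that touches the network; `parse_x509_summary` can be run on saved output, which is also how the example exercises itself.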
    

X-Cache

  • Using shodan
  • Using reqbin: Plug the IP in and check the headers
  • Using cURL:
    curl --head --show-error "http://<host>:<port>"
    
  • Using nmap:[c]
    sudo nmap -A <host or host range> -p<port1,port2,port3...portn OR port1-portn> -Pn
    

IKE Handshake

  • Using ike-scan:[d]
    sudo ike-scan <host>
    

Providers

AirVPN

  • airvpn.org
  • Privacy-focused, tied to the torrenting crowd
  • SSL certificate served on port 89: CN = *.airservers.org

BulletVPN

  • bulletvpn.net
  • Webhost ranges, occasionally mixed ranges, sometimes on obscure providers.
  • DNS: <cc><number>.bulletvpn.com[e]

Cyberghost/Zenmate

  • cyberghostvpn.com and zenmate.com
  • SSL certificate served on port 9002: blade<n>.<city>-rack<n>.nodes.gen4.ninja
  • Flagged as "Cyberghost/Zenmate" by Spur
  • Shares a parent company (kape) with PIA

ExpressVPN

  • expressvpn.com
  • No reliable fingerprint, but often hosted on webhosts with WHOIS outputs like VPN-CONSUMER-NETWORK

FlyGateVPN

  • SSL cert: awsprivate.com, flygateaccount.com

FreeVPN

  • freevpn.com
  • Not free, despite the name
  • Mildly dodgy, starting with the fact that the website doesn't support HTTPS
  • Does not appear to be currently flagged by spur, at least not reliably
  • Probably enumerable[f]
  • Webhost ranges
  • Hostnames: cc.freevpn.com
  • SSL certificate: CN = *.ocservvpn.com

HideMyAss

  • hidemyass.com[g]
  • DNS: *.hma.rocks and *.prcdn.net
  • WHOIS: AVAST Software s.r.o.

HotSpot VPN

  • hotspotvpn.org
  • Dodgy-ish[h] VPN provider
  • Running nginx on port 80[i]
  • VPN (IKE) on UDP port 500, fingerprint:[j]
    Main Mode Handshake returned HDR=(CKY-R=8b8ba44921f420b9) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)
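
Note [j] says the HDR=(CKY-R=...) part of the handshake line changes from run to run, so comparing raw ike-scan output against a stored fingerprint like the one above gives false mismatches. The parser below, an added example that is not part of the original page and not ike-scan's own code, splits the line into its HDR, SA and VID components and compares only the stable parts. It serves both the "IKE Handshake" method section and this fingerprint. The sample line is the fingerprint quoted above with a constructed documentation-range IP in front, the way ike-scan prints a responding host.

```python
"""Added example: parse ike-scan's "Main Mode Handshake returned ..." line
and compare fingerprints while ignoring the per-run responder cookie."""
import re

_MODE_RE = re.compile(r"^(\S+)\s+(?:Main|Aggressive) Mode")
_HDR_RE = re.compile(r"HDR=\(([^)]*)\)")
_SA_RE = re.compile(r"SA=\(([^)]*)\)")
# VID=<hex> optionally followed by ike-scan's annotation in parentheses.
_VID_RE = re.compile(r"VID=([0-9a-fA-F]+)(?:\s+\(([^)]*)\))?")


def _kv(body):
    """Turn 'Enc=3DES Hash=SHA1 Group=2:modp1024' into a dict."""
    out = {}
    for token in body.split():
        key, sep, value = token.partition("=")
        if sep:
            out[key] = value
    return out


def parse_ike_scan_line(line):
    """Split one ike-scan result line into host, HDR fields, SA attributes
    and the ordered list of (vendor id hex, annotation) pairs."""
    line = line.strip()
    host = _MODE_RE.match(line)
    hdr = _HDR_RE.search(line)
    sa = _SA_RE.search(line)
    return {
        "host": host.group(1) if host else None,
        "hdr": _kv(hdr.group(1)) if hdr else {},
        "sa": _kv(sa.group(1)) if sa else {},
        "vids": [(vid.lower(), label) for vid, label in _VID_RE.findall(line)],
    }


def stable_fingerprint(parsed):
    """Hashable fingerprint without the per-run cookie: the SA attributes
    plus the ordered vendor IDs (annotations dropped, they are only
    ike-scan's lookup of the hex value)."""
    return (tuple(sorted(parsed["sa"].items())),
            tuple(vid for vid, _ in parsed["vids"]))


def same_fingerprint(line_a, line_b):
    """True if two result lines agree on everything except CKY-R."""
    return (stable_fingerprint(parse_ike_scan_line(line_a))
            == stable_fingerprint(parse_ike_scan_line(line_b)))


# Constructed sample: the fingerprint quoted above, prefixed with a
# documentation-range IP (192.0.2.10 is not a real node).
SAMPLE_LINE = (
    "192.0.2.10\tMain Mode Handshake returned HDR=(CKY-R=8b8ba44921f420b9) "
    "SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds "
    "LifeDuration=28800) VID=09002689dfd6b712 (XAUTH) "
    "VID=afcad71368a1f1c96b8696fc77570100 (Dead Peer Detection v1.0) "
    "VID=12f5f28c457168a9702d9fe274cc0100 (Cisco Unity)"
)

if __name__ == "__main__":
    print(parse_ike_scan_line(SAMPLE_LINE))
```

Storing `stable_fingerprint(...)` for a provider rather than the raw line is what makes later comparisons reliable; a change in the transform set or the vendor ID list still shows up as a mismatch.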
    

Integrity VPN

  • integrity.st
  • Whitelabel service selling to ISPs
  • Hostnames: <cc>-<o3>-<o4>.integrity.st, where cc is the country code, and o3 and o4 are the third and fourth octet of the exit IP address, respectively[k]

IPVanish

  • ipvanish.com
  • Webhost ranges.
  • SSL certificate served on port 443: CN = *.vpn.ipvanish.com
  • (Sometimes) WHOIS: Mudhook Marketing Inc

Ivacy

  • ivacy.com
  • DNS: <cc><number>-<protocol>-<(tcp|udp)>.dns2use.com[l]

McAfee

  • Offers both a corporate VPN (McAfee Web Gateway Cloud Service) and a personal one (McAfee Safe Connect VPN). The personal VPN appears to be technically indistinguishable from TunnelBear nodes (see there). For the corporate VPN service:
    • SSL certificate served on port 443: CN = *.wps.mcafeesaas.com
    • SSL certificate served on port 8081: CN = *.wgcs.mcafee-cloud.com

Mullvad

  • mullvad.net
  • Large-ish, privacy-focused VPN provider
  • IPv6 and Wireguard support, default connections are OpenVPN (users can choose between TCP and UDP)
  • No good fingerprints, but exclusively on webhost ranges
  • Mostly M247, plus some other hosting providers and some directly owned servers
  • Server list at https://mullvad.net/en/servers/
  • Entry and exit nodes are split

NordVPN

  • nordvpn.com
  • Large provider, often, but not always, on easily identifiable webhost ranges
  • Provides API for queries
  • No reliable fingerprint, but VPN (IKE) on UDP port 500
  • DNS: <cc><number>.nordvpn.com[m]

Phantom Avira VPN

  • avira.com
  • Owned by an antivirus developer; users may not necessarily be attempting to obfuscate their IP
  • SSL certificate served on port 443: CN = *.phantom.avira-vpn.com

Private Internet Access

  • privateinternetaccess.com
  • SSL certificate served on port 443: CN = *.privateinternetaccess.com
  • Large provider, usually on webhost ranges, but there have been unusual occurrences like this one, where the servers are on seemingly non-webhost ranges (in this case, an Israeli public WiFi provider)
  • Shares a parent company (kape) with Cyberghost/Zenmate
  • DNS: <cc>.privacy.network or <cc>-<city>.privacy.network[n]

ProtonVPN

  • protonvpn.com
  • Large-ish provider
  • Provides API for queries
  • No reliable fingerprint, but VPN (IKE) on UDP port 500
  • Entry and exit nodes are split
  • Webhost ranges

PureVPN

  • purevpn.com
  • WHOIS: pointtoserver.com, ptoserver.com, PureVPN-NET, GZ Systems Limited
  • DNS: <cc><(optional) number>-<VPN-protocol>-<optional: (udp|tcp)>.ptoserver.com[o]

RapidVPN

  • rapidvpn.com
  • SSL certificate served on port 443: CN = *.rapidvpn.com

Surfshark

  • surfshark.com
  • SSL certificate served on port 443: CN = *.prod.surfshark.com
  • Large-ish VPN company. Usually on webhosts, but there is a large number of different ones involved and many of them have slightly annoying range assignment patterns
  • Many end nodes with activity on Wikipedia
  • Often blocks of a handful of adjacent IPs, e.g. 127.0.0.1-127.0.0.5
  • Some clearly designated ranges, often /24s with netnames like SURFSH-<o1>-<o2>-<o3>-0, where o1, o2 and o3 are the first through third octet of the base IP[p]
  • ASN209854 (SURFSHARK, VG) is tracked at User:AntiCompositeBot/ASNBlock

Urban VPN

  • urban-vpn.com
  • Squid HTTP proxy on ports 80 and 3128:
    X-Cache: MISS from p-$cc.biscience.com 
    X-Cache-Lookup: NONE from p--$cc.biscience.com:3128
    
  • Dodgy "free" VPN service provided by biscience, a "digital intelligence" company
  • Supposedly P2P, but that does not seem to be the case
  • Webhost ranges
  • Parent company also runs a large residential proxy service

VPN Gate

  • See vpngate.net
  • Uses the SoftEther VPN protocol
  • Port 5555 serves a page over HTTPS with SoftEther VPN text
    curl -v -k https://<ip>:5555
    
  • Some nodes: WHOIS: SoftEther Corporation
  • Some nodes: SSL certificate served on port 443: CN = *.opengw.net

WorldVPN

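The fingerprints in the provider list above (certificate CNs, reverse DNS patterns, WHOIS strings and the Urban VPN X-Cache header) are easy to check by eye for one host but tedious across a range. The classifier below is an added example, not part of the original page: its rule table is transcribed from the list, while the regular expressions that stand in for the `<cc>`, `<number>`, `<city>` and `<o3>-<o4>` placeholders are my own reading of the footnoted examples and may need adjusting when a provider changes its naming. It also covers the X-Cache method section, with a small helper that pulls the header out of `curl --head` output. All sample values in the test and the `__main__` block are constructed from the page's own examples, not from fresh lookups.

```python
"""Added example: map observed fingerprints (TLS CN, rDNS, WHOIS text,
X-Cache header) to the VPN providers described on this page."""
import re

# (provider, observation field, match kind, pattern). Patterns are
# transcribed from the page; "regex" entries generalise its placeholders.
RULES = [
    ("AirVPN", "cert_cn", "exact", "*.airservers.org"),
    ("BulletVPN", "rdns", "regex", r"^[a-z]+\d+\.bulletvpn\.com$"),
    ("Cyberghost/Zenmate", "cert_cn", "regex",
     r"^blade\d+\.[a-z0-9-]+-rack\d+\.nodes\.gen4\.ninja$"),
    ("FlyGateVPN", "cert_cn", "regex", r"(^|\.)(awsprivate\.com|flygateaccount\.com)$"),
    ("FreeVPN", "cert_cn", "exact", "*.ocservvpn.com"),
    ("FreeVPN", "rdns", "regex", r"^[a-z]{2}\.freevpn\.com$"),
    ("HideMyAss", "rdns", "regex", r"\.(hma\.rocks|prcdn\.net)$"),
    ("HideMyAss", "whois", "substr", "AVAST Software"),
    ("Integrity VPN", "rdns", "regex", r"^[a-z]{2}-\d{1,3}-\d{1,3}\.integrity\.st$"),
    ("IPVanish", "cert_cn", "exact", "*.vpn.ipvanish.com"),
    ("IPVanish", "whois", "substr", "Mudhook Marketing"),
    ("Ivacy", "rdns", "regex", r"\.dns2use\.com$"),
    ("McAfee", "cert_cn", "exact", "*.wps.mcafeesaas.com"),
    ("McAfee", "cert_cn", "exact", "*.wgcs.mcafee-cloud.com"),
    ("NordVPN", "rdns", "regex", r"^[a-z]{2}\d+\.nordvpn\.com$"),
    ("Phantom Avira VPN", "cert_cn", "exact", "*.phantom.avira-vpn.com"),
    ("Private Internet Access", "cert_cn", "exact", "*.privateinternetaccess.com"),
    ("Private Internet Access", "rdns", "regex",
     r"^[a-z]{2}(-[a-z0-9-]+)?\.privacy\.network$"),
    ("PureVPN", "rdns", "regex", r"\.(ptoserver|pointtoserver)\.com$"),
    ("PureVPN", "whois", "regex", r"pointtoserver\.com|ptoserver\.com|PureVPN-NET|GZ Systems"),
    ("RapidVPN", "cert_cn", "exact", "*.rapidvpn.com"),
    ("Surfshark", "cert_cn", "exact", "*.prod.surfshark.com"),
    ("Surfshark", "whois", "regex", r"\bSURFSH-\d+-\d+-\d+-0\b"),
    # "p-$cc" and "p--$cc" both appear in the header quoted above.
    ("Urban VPN", "x_cache", "regex", r"\bp-+[a-z]+\.biscience\.com"),
    ("VPN Gate", "cert_cn", "exact", "*.opengw.net"),
    ("VPN Gate", "whois", "substr", "SoftEther Corporation"),
]


def _matches(kind, pattern, value):
    """value is already lower-cased and stripped."""
    if kind == "exact":
        return value == pattern.lower()
    if kind == "substr":
        return pattern.lower() in value
    return re.search(pattern, value, re.IGNORECASE) is not None


def classify(observation):
    """observation: dict with any of the keys cert_cn, rdns, whois,
    x_cache (strings). Returns the (provider, field) pairs that matched,
    so the caller can see which piece of evidence produced the hit."""
    hits = []
    for provider, field, kind, pattern in RULES:
        value = observation.get(field)
        if not value:
            continue
        if _matches(kind, pattern, value.strip().lower()) and (provider, field) not in hits:
            hits.append((provider, field))
    return hits


def providers(observation):
    """Sorted, de-duplicated provider names for an observation."""
    return sorted({provider for provider, _ in classify(observation)})


def extract_x_cache(raw_headers):
    """Pull the X-Cache value out of raw response headers as printed by
    `curl --head`; header names are matched case-insensitively."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-cache":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed observation built from the page's Surfshark examples.
    print(providers({"cert_cn": "*.prod.surfshark.com",
                     "whois": "netname: SURFSH-62-197-148-0"}))  # ['Surfshark']
```

Two hits from independent fields (for example a certificate CN and a matching WHOIS netname) are worth more than one, which is why `classify` returns the field alongside the provider instead of collapsing straight to a name.
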
Notes

  1. ^ See also nmap#Legal issues.
  2. ^ -sS (stealth scan) is the default scanning method for scans executed as root. If more detailed results are required, -sV can be used to determine (or guess) the operating system and service versions of the target host. The -Pn switch makes nmap skip host discovery, meaning that it will execute the specified scanning functions without sending initial pings to determine whether the target machine is online. In most cases, using this switch will be necessary because most modern machines block ping probes. Nmap scans may be sped up by using the -T parameter with numeric values between 0 and 5 (e.g. by appending -T4), with 5 providing the quickest, and 0 providing the slowest scan speeds. Note that faster scans tend to be more intrusive and may not detect open ports when used against slow or unreliable networks. If only the execution of the certificate script is desired and no port scan should be executed, the -sn switch can be used.
  3. ^ Note that nmap -A is a relatively aggressive and easily detectable scan.
  4. ^ Hosts can be specified in multiple ways; either as a single IP (127.0.0.1), a CIDR block (127.0.0.1/24), a start-end range (127.0.0.1-127.10.10.10) or in IPNetwork:NetMask format (127.0.0.1:255.255.255.0). The default for both the source and destination port is 500 UDP; if a different one is desired, this can be specified with the -s (source) and -d (destination) switches, e.g. sudo ike-scan -d450 -s450 127.0.0.1/24.
  5. ^ <cc> stands for "country code". E.g. cai03.bulletvpn.com, ann01.bulletvpn.com
  6. ^ Current data is based on a single datapoint, but if the fingerprints are consistent, they are easy to query.
  7. ^ Blacklisted link.
  8. ^ It appears that clicking "Contact Us" on the website does nothing but append /# to the URL without actually sending you anywhere.
  9. ^ Not certain if this is universal.
  10. ^ The output of the HDR=(CKY-R= [...]) field varies.
  11. ^ E.g. The Swedish exit node 85.24.253.12 has the hostname se-253-12.integrity.st
  12. ^ E.g. hk-ovpn-udp2.dns2use.com, my2-ovpn-udp.dns2use.com. Outliers exist, e.g. vlbr-usvc1.dns2use.com.
  13. ^ E.g. tr46.nordvpn.com.
  14. ^ E.g. us-california.privacy.network.
  15. ^ E.g. lv-ipsec.ptoserver.com, no2-ovpn-udp.pointtoserver.com
  16. ^ E.g. SURFSH-62-197-148-0 for the 62.197.148.0/24 IP block