This article discusses how OSINT techniques like Google Hacking can be used to detect OpenVPN vulnerabilities, specifically leaked OVPN files that allow unauthorized use of paid VPNs.

OVPN Files Required for OpenVPN

An OVPN file is the configuration file an OpenVPN client requires to connect to a VPN. The file contains a VPN server address and encryption key, making it a very important file for starting a VPN connection.

Because of this, exposure of the OVPN file to outsiders is an OpenVPN vulnerability: it allows not only the assigned users but anyone else to use the VPN without authorization.

Detect Paid OpenVPN Vulnerabilities With Google Hacking (OSINT) 

You can find OpenVPN vulnerabilities by using Google Hacking. If you search for the following keywords in the Google search engine, a web page like the one in the image below appears at the top of the results.

Index of /servers/openvpn

Google Hacking Search Results for OpenVPN Vulnerability using "Index of /servers/openvpn" on Google Search Engine

The exposed webserver’s URL, with the same title and description as “Index of /servers/openvpn”, can be narrowed down to a particular VPN company’s webserver.

If you access the website, you will see a folder listing with all OVPN files displayed.

OVPN file leaked webpages detected by Google Hacking

As explained earlier, if the OVPN files are exposed to outsiders, anyone can access the VPN, making it a severe security flaw. Checking the VPN company and its service confirmed that it provides a paid VPN.

License Purchase Page of VPN company with an OpenVPN Vulnerability found by Google Hacking

Users usually have to complete a purchase in order to download OVPN files and use the VPN. However, this paid VPN’s OVPN files can be downloaded without any payment or subscription by finding them through Google Hacking (OSINT).

This problem is presumed to be caused by permissions not being properly set on the server.
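As an added example (not part of the original article and not any vendor's code), this Python script shows how a server operator could audit their own web document root for OVPN profiles and report which ones carry a server address and inline key material. It assumes profiles use OpenVPN's "remote" directive and inline blocks such as <key> and <tls-auth>; the function names and the sample profile are constructed for illustration.

```python
import os
import re

# Inline blocks that carry secret material in an OpenVPN client profile.
SECRET_BLOCKS = ("key", "tls-auth", "tls-crypt", "secret")

def inspect_ovpn(text):
    """Return the server endpoints and inline secret blocks found in one profile."""
    remotes, secrets = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        parts = line.split()
        if parts[0] == "remote" and len(parts) >= 2:
            port = parts[2] if len(parts) >= 3 else "1194"  # OpenVPN default port
            remotes.append(f"{parts[1]}:{port}")
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m and m.group(1) in SECRET_BLOCKS:
            secrets.append(m.group(1))
    return {"remotes": remotes, "secrets": secrets}

def audit_webroot(webroot):
    """Walk a document root and report every .ovpn profile a web server could serve."""
    findings = {}
    for folder, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".ovpn"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings[os.path.relpath(path, webroot)] = inspect_ovpn(fh.read())
    return findings

# Constructed sample profile (documentation address, placeholder key material).
SAMPLE = """client
; constructed example, not a real profile
remote 192.0.2.10 1194 udp
<ca>
PLACEHOLDER
</ca>
<key>
PLACEHOLDER
</key>
<tls-auth>
PLACEHOLDER
</tls-auth>
"""

if __name__ == "__main__":
    print(audit_webroot("."))  # audit the current directory as the web root
```

Any profile this reports under a path the web server publishes should be moved outside the document root or placed behind authentication, and directory listing should be disabled for that path.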

Exposed Paid OpenVPN Server Address Information

We used another OSINT tool, Criminal IP, to search for VPN server address information in exposed OVPN files.

Searching Criminal IP for the IP address ‘46.23.72.15’, which was exposed in a listed OVPN file name, confirmed that the IP address is used for a VPN, as shown in the image below.

 Search Results for Exposed OVPN file’s VPN Server Address Using Criminal IP: Confirmed as a VPN IP

Vulnerabilities in Webserver Exposure, Need Inspection Before Exploitation 

In addition to VPN services, there are many sites that allow users to download files after payment. Services such as P2P file sharing and video streaming also should be regularly inspected to ensure that internal servers are not exposed due to poor management.

The VPN company’s server in question appears to be self-built, but the same problems can occur when using AWS S3 buckets and other cloud servers, so always be careful.

Please refer to our article on how to find exposed security vulnerabilities using OSINT tools like Google Hacking and Criminal IP.


Source: Criminal IP (https://www.criminalip.io), Google (https://www.google.com)
