Loading…

Welcome to Farley Forensics

Start exploring

Forensic Analysis of OpenVPN on iOS

OpenVPN is an average VPN client app that allows a user to connect to other OpenVPN protocol compatible Server.

This is going to be a quick analysis of what I found in the few files that were backed up from OpenVPN.

Analysis Methodology

For this analysis I used an iPhone XS running iOS 13 Beta 1 with OpenVPN version 894. The acquisition was generated by performing an unencrypted iTunes Backup. The iTunes Backup was then restructured into a more human readable filesystem by using my iTunes_Backup_Analyzer tool. The following artifacts were examined:

  • \AppDomainGroup-group.net.openvpn.connect\openvpn-current.ovpnlog
  • \AppDomain-net.openvpn.connect.app\Library\unified\reduxPersist%3Alogs
  • \AppDomain-net.openvpn.connect.app\Library\unified\reduxPersist%3AprivateTunnel
  • \AppDomain-net.openvpn.connect.app\Library\unified\reduxPersist%3Astatus

Analysis

openvpn-current.ovpnlog & reduxPersist%3Alogs

These files are pretty standard log files for the application. We can see details such as:

  • Connection start times
  • Disconnect times
  • Bytes in
  • Bytes out
  • Packets in
  • Packets out
  • IP address connecting to
  • Host name connecting to
  • IP routes
  • CPU Usage
  • Network bytes per CPU second
  • Tunnel bytes per CPU second
  • Peer hardware address in the form of an 128 bit UUID

This is what the logs actually look like:

OpenVPN Log

It’s important to note that in these log files, the usernames and passwords are just “Username” and “Password”. Which is good, but there’s some bad news about how OpenVPN manages passwords, which we will get into later…

The data in these logs can actually be seen inside the application by pressing the the top right icon as seen below:

How to access OpenVPN log file through app

reduxPersist%3AprivateTunnel

There’s not too much relevant information in this log file, but what is in here is the following:

  • Host names, ports, and IP addresses of OpenVPN
  • Blank username and password fields
Example of the reduxPersist%3AprivateTunnel file

reduxPersist%3Astatus

This is where the fun artifacts come into play:

  • Private keys
  • Usernames
  • Profile names
  • PASSWORDS IN PLAINTEXT
reduxPersist%3Astatus file containing usernames and passwords in plaintext

Conclusion

There’s not a ton of artifacts, but the main point to take away is that OpenVPN stores usernames, passwords, and private keys unencrypted which can be easily accessible inside an unencrypted iTunes Backup and restructured using my iTunes_Backup_Analyzer tool (or any other iTunes Backup tool).

 

On a side note, this is definitely worrying to me as my college, Champlain College, uses this service!

Leave a Reply