Skip to content

Scanning Engine v2 - Module - VPN Detect

Overview

This module sends a series of probes to the service in an attempt to fingerprint VPN software in use.

Targeting

This module targets TCP ports by IP address or hostname.

Schemas

The schema for the body object of all results generated with .task.module_name equal to vpn-detect can be found here. The schema for results is available both in standalone and bundled form.

Examples

These are examples of the .body object for results with .task.module_name equal to vpn-detect.

Live Host

This example was generated with a live host on the internet.

{
  "sniffers": [
    "all"
  ],
  "vpn": "anyconnect"
}

Changelog

v1.2.0 (2025-12-12)

  • Refactored module to follow updated architecture patterns
  • Moved Worker class to separate helpers/worker.py file
  • Workers now use daemon threads with task_done() synchronization
  • Added thread startup error handling for PID exhaustion
  • Error results (timeout, SSL errors, DNS lookup failed, no match) no longer produce output
  • Fixed IPv6 support by wrapping addresses in brackets
  • Target now passed as address:port format to what-vpn

v1.1.0 (2025-09-18)

  • Updated to use the new targeting library (pkg/targeting) instead of the old external targeting library

v1.0.0 (2025-07-08)

  • Initial release of versioning for each module. All modules are being tagged with version number 1.0.0. Going forward:
  • Major version should be changed when there are changes that impact consumers or clients of the modules.
  • Minor version should be changed when there are additions which enrich or enhance the module but shouldn't affect consumers or clients.
  • Patch version should be changed when there are bugfixes.