Recently we had a stolen laptop, and though we were able to figure out that it was online via the agent checking in, its IP was only the one of our Firewall since it was outside our LAN perimeter. Obviously, that was useless in tracking it down.
So, I wrote a small script, similar to the one for listing local admins, to query for the public IP and store it in a text file, then shoot that text file over in the next inventory. I thought I’d share the process:
- Create an online Shell Script:
VBS:
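Dim o, objFSO, objFile
' Text file that the Custom Inventory Rule reads back
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("C:\windows\PublicIP.txt",True)
' Synchronous GET; the service replies with the caller's public IP as plain text
Set o = CreateObject("MSXML2.XMLHTTP")
o.open "GET", "http://ifconfig.me/ip", False
o.send
objFile.WriteLine "Public IP: " & o.responseText
objFile.Close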
KIXTART:
BREAK ON
$ = SetConsole("Hide")
$web=createobject("MSXML2.XMLHTTP")
$web.open("GET","http://ifconfig.me/ip",not)
$web.send
$response = $web.responseText
if len($response)
  for each $line in split($response,chr(10))
    if len($line)
      $ = RedirectOutput("C:\Windows\PublicIP.txt",1)
      "Public IP: " + $line
      $ = RedirectOutput("")
    endif
  next
endif
- Set this to run daily at some point, and target machines of interest (in my case, it was laptops only)
- Create a Custom Inventory Rule, i.e: (CIR)Public IP with the following:
ShellCommandTextReturn(type C:\windows\PublicIP.txt)
Alternatively, you can also use the site http://checkip.dyndns.org, which returns a result faster than the above, but will require a couple of string manipulation functions to clean up the output, though not much.
And that’s it. Works like a charm.
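The clean-up mentioned for checkip.dyndns.org, as an added example that is not part of the original post: it extracts the address from the HTML reply, checks that it is a valid IPv4 address, and leaves the previous PublicIP.txt untouched when the lookup fails. The function names and the sample reply are constructed for illustration, and the reply format is an assumption.

```vbscript
Option Explicit
Const OUT_FILE = "C:\windows\PublicIP.txt"   ' same file the inventory rule reads

' Return the first dotted quad in text whose octets are all 0-255, or "" if none.
Function ExtractIPv4(text)
    Dim re, m, i, ok
    ExtractIPv4 = ""
    Set re = New RegExp
    re.Global = True
    re.Pattern = "\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b"
    For Each m In re.Execute(text)
        ok = True
        For i = 0 To 3
            If CInt(m.SubMatches(i)) > 255 Then ok = False
        Next
        If ok Then
            ExtractIPv4 = m.Value
            Exit Function
        End If
    Next
End Function

' Fetch a URL synchronously; return "" on any error or non-200 status.
Function FetchBody(url)
    Dim http
    FetchBody = ""
    On Error Resume Next
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.open "GET", url, False
    http.send
    If Err.Number = 0 Then
        If http.status = 200 Then FetchBody = http.responseText
    End If
    On Error GoTo 0
End Function

Dim sample, ip, fso, f
' Constructed sample of the HTML reply (assumed format), used as an offline self-check.
sample = "<html><head><title>Current IP Check</title></head>" & _
         "<body>Current IP Address: 203.0.113.7</body></html>"
If ExtractIPv4(sample) <> "203.0.113.7" Then WScript.Quit 1

ip = ExtractIPv4(FetchBody("http://checkip.dyndns.org"))
If ip = "" Then WScript.Quit 2               ' keep the last good value on failure
Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.CreateTextFile(OUT_FILE, True)
f.WriteLine "Public IP: " & ip
f.Close
```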
For Linux or Mac this one would do the same:
ShellCommandTextReturn(curl -s checkip.dyndns.org|grep -Eo '[0-9\.]+') or
ShellCommandTextReturn(curl -s ifconfig.me/ip) - Nico_K 11 years ago
http://curl.haxx.se/latest.cgi?curl=win64-nossl
unzip it into c:\windows\system32\ or upgrade the path-variable to get it from anywhere else. - Nico_K 11 years ago
Thanks for the tip. I had thought about getting a port of curl for windows, but I was trying to keep the script self contained without needing any dependencies. But it's definitely an option.
Also thanks for the Linux and Mac command lines.... So much simpler when you have curl huh :) - gkhairallah 11 years ago
But both solutions may have a "little" problem:
If the client is stolen, and is checking in (stupid thief, normally everybody would install it new) we need to bring the info to the client itself.
(in theory because: if even 52330 open, there should be also other connections open) - Nico_K 11 years ago
However, also, in my experience, and assuming that the thief will boot up the machine at least once while connected to the internet, the more complexity there is in the process, the less likely the thief will be able to figure it out from the first boot. (what I'm referring to is, what are the chances that the thief will immediately know:
1- That a KACE agent is there
2- That a script is running upon bootup
3- A file is being written --somewhere to the OS --
4- That inventory is being taken and uploaded back to a source.
Also, it's likely that a thief will power it on somewhere they feel safe (their home, or their aunt's house :) ), both of which will be useful for me to track things down... all you need is an initial lead. - gkhairallah 11 years ago