
Custom Inventory Rule to Populate Public IP

Recently we had a stolen laptop, and though we were able to figure out that it was online via the agent checking in, its IP was only the one of our Firewall since it was outside our LAN perimeter. Obviously, that was useless in tracking it down.

So, I wrote a small script, similar to the one for listing local admins, to query for the public IP and store it in a text file, then shoot that text file over in the next inventory. I thought I’d share the process:

  • Create an online Shell Script:

VBS:  

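' Fetch the public IP and write it to C:\windows\PublicIP.txt
Dim o, objFSO, objFile
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile("C:\windows\PublicIP.txt", True)
Set o = CreateObject("MSXML2.XMLHTTP")
' Third argument False makes the request synchronous
o.open "GET", "http://ifconfig.me/ip", False
o.send
objFile.WriteLine "Public IP: " & o.responseText
objFile.Close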

KIXTART:

BREAK ON
$ = SetConsole("Hide")
; Request the public IP over HTTP (third argument of open is the async flag)
$web=createobject("MSXML2.XMLHTTP")
$web.open("GET","http://ifconfig.me/ip",not)
$web.send
$response = $web.responseText
; Write each non-empty line of the response to C:\Windows\PublicIP.txt
if len($response)
   for each $line in split($response,chr(10))
      if len($line)
         $ = RedirectOutput("C:\Windows\PublicIP.txt",1)
         "Public IP: " + $line
         $ = RedirectOutput("")
      endif
   next
endif
  • Set this to run daily at some point, and target machines of interest (in my case, it was laptops only)
  • Create a Custom Inventory Rule, e.g. (CIR)Public IP, with the following:
    ShellCommandTextReturn(type C:\windows\PublicIP.txt)

Alternatively, you can also use the site http://checkip.dyndns.org, which returns a result faster than the above but will require a couple of string manipulation functions to clean up the output, though not much.

 And that’s it.  Works like a charm.
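
The clean-up step for the checkip.dyndns.org alternative, as an added example that is not part of the original post: it extracts the first well-formed IPv4 address from the response and rejects anything else, so an error page or captive-portal page is not stored in the inventory field. The function name ExtractIPv4 and the sample response are constructed for illustration.

```vbscript
Option Explicit

' Pull the first well-formed IPv4 address out of an HTTP response body.
' Returns "" when nothing valid is found, so an error document or a
' captive-portal page never ends up in the inventory field.
Function ExtractIPv4(body)
    Dim re, matches, m, i, ok
    ExtractIPv4 = ""
    Set re = New RegExp
    re.Global = True
    re.Pattern = "\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b"
    Set matches = re.Execute(body)
    For Each m In matches
        ok = True
        ' Each octet must be in the range 0-255
        For i = 0 To 3
            If CInt(m.SubMatches(i)) > 255 Then ok = False
        Next
        If ok Then
            ExtractIPv4 = m.Value
            Exit Function
        End If
    Next
End Function

' Constructed sample in the shape of the HTML page the service returns;
' in the scheduled script this would be o.responseText from the request.
Dim sample, ip
sample = "<html><head><title>Current IP Check</title></head>" & _
         "<body>Current IP Address: 203.0.113.45</body></html>"

ip = ExtractIPv4(sample)
If ip = "" Then ip = "unavailable"
WScript.Echo "Public IP: " & ip
```

In the scheduled script, pass the XMLHTTP response text to the function and write the resulting line to C:\windows\PublicIP.txt instead of echoing it.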

 

 


Comments

  • nicely done.
    For Linux or Mac this one would do the same:
    ShellCommandTextReturn(curl -s checkip.dyndns.org|grep -Eo '[0-9\.]+') or
    ShellCommandTextReturn(curl -s ifconfig.me/ip) - Nico_K 10 years ago
  • Would work the same under Windows if you download the curl for windows here:
    http://curl.haxx.se/latest.cgi?curl=win64-nossl
    unzip it into c:\windows\system32\ or upgrade the path-variable to get it from anywhere else. - Nico_K 10 years ago
    • Hey Nico,
      Thanks for the tip. I had thought about getting a port of curl for windows, but I was trying to keep the script self contained without needing any dependencies. But it's definitely an option.

      Also thanks for the Linux and Mac command lines.... So much simpler when you have curl huh :) - gkhairallah 10 years ago
      • Correct. It is a pity that Microsoft has been trying for 30 years to "reinvent" a UNIX system but completely fails. Not only curl or an alternative to it is missing. The easiest option to work fast and effectively with Windows from the command line (also PowerShell is not a real option) is to install cygwin or many many many many many many many small tools. (If I look at my usual 50 post install tasks for fitting a windows machine versus only one under my Debian test machines ...) - Nico_K 10 years ago
  • I hear ya... I've actually made it a habit to put into newly deployed images to put UNIX Tools (http://unxutils.sourceforge.net/) , though this doesn't unfortunately have curl, but rather wget, which would work as well.. but again, it's all not built in, so providing the script for the general public, lack of dependencies is more universal. - gkhairallah 10 years ago
    • I fully agree with you. Just wanted to give an alternative.
      But both solutions may have a "little" problem:
      If the client is stolen, and is checking in (stupid thief, normally everybody would install it new) we need to bring the info to the client itself.
      (in theory because: if even 52330 open, there should be also other connections open) - Nico_K 10 years ago
      • For sure... this solution isn't fully reliable, but in my experience, most thieves are really not that smart (fortunately for us) , but obviously, if a thief immediately removes/formats the hard drive, well, there goes our hope :)

        However, also, in my experience, and assuming that the thief will bootup the machine at least once while connected to the internet, the more complexity there is in the process, the less likely the thief will be able to figure it out from the first boot. (what I'm referring to is, what are the chances that the thief will immediately know:
        1- That a KACE agent is there
        2- That a script is running upon bootup
        3- A file is being written --somewhere to the OS --
        4- That inventory is being taken and uploaded back to a source.

        Also, It's likely that a thief will power it on somewhere they feel safe, (their home, or their aunt's house :) ), both of which will be useful for me to track things down... all you need is an initial lead. - gkhairallah 10 years ago