cyanic
 asked on

Obtain IP from username

How can you remotely get the IP of a user based on just that user's username on a Windows network, without that user knowing? This is easy if you use net send then look at your connection table (netstat), but then the user knows. There is no admin access to domain controllers either; you must be a normal user.
Windows Networking

Last Comment
juliancrawford

8/22/2022 - Mon
cyanic

ASKER
I just figured it out

net send <username> ""

This establishes the connection, but does not pop up anything on their screen. If anyone else can find another solution, I will give them the whopping 75 points.
daletian

Try the finger command as well.

Les Moore

That is next to impossible. A user can be logged in almost anywhere on the network. If you know their computer name it is much easier. What exactly is it that you are trying to accomplish? Wanting to be a little sneaky?

cyanic

ASKER
Sneaky, yes. I do IT security on a 13,000+ computer network. Our naming convention should have the user's name as part of the NetBIOS name, but this is not always the case. We also don’t want to ask, or wait for the domain admins to get it for us. We also don't want the user to know we just need their IP so we can thumb through their URL logs when someone tells us the user has been surfing porn.

The net send / netstat hack works great for getting the computer name and then IP.
Les Moore

If you have that large of a network you might want to look at something like Websense to monitor web traffic.

http://www.websense.com

NEOsporin

Or network scanners - GFI Languard: http://www.gfi.com/lannetscan/
That is a little reverse of what you're asking; it obtains the IP 1st, then the username. Another good util, among his many: http://ntsecurity.nu/toolbox/winfo/
Firewall logs, and some grep'ing, can narrow porn finding down.
VincentWong

If the user disabled the Messenger service, is it still possible to get the IP?
Steve Knight

The information is in WINS; all you need is to be able to request it (as NET SEND does).  Sure I've got an example somewhere, will have a look.

I'd do it the other way around normally.... put a line in the login script along the lines of

rem Append user and computer name to one file per user and one per computer
echo %USERNAME% %COMPUTERNAME% >> \\server\share\%USERNAME%.txt
echo %USERNAME% %COMPUTERNAME% >> \\server\share\%COMPUTERNAME%.txt

(actually I use a small Auto-It script which also records the use by date, PC, OS, and User).

But of course you can't do that if not an admin, but as a one-off change it gets you the info you need; maybe you could get it implemented?

Auto-It script below.

regards

Steve


;This script logs the usage of PCs as they log in.  Data is recorded by date, user, PC, and OS.  Works for NT/2K for username; if Win9x as well, need to get it from the registry and/or use PUTINENV.EXE

RegRead,CompName,REG_SZ,HKEY_LOCAL_MACHINE,System\\CurrentControlSet\\control\\ComputerName\\ComputerName,ComputerName

  FileAppend, %A_YEAR%-%A_MON%-%A_MDAY% %A_HOUR%:%A_MIN%:%A_SEC% - %A_OSVERSION% - %COMPNAME% - %USERNAME%\n, \\\\server\\root\\info\\USER\\%username%.txt
  FileAppend, %A_YEAR%-%A_MON%-%A_MDAY% %A_HOUR%:%A_MIN%:%A_SEC% - %A_OSVERSION% - %COMPNAME% - %USERNAME%\n, \\\\server\\root\\info\\PC\\%compname%.txt
  FileAppend, %A_YEAR%-%A_MON%-%A_MDAY% %A_HOUR%:%A_MIN%:%A_SEC% - %A_OSVERSION% - %COMPNAME% - %USERNAME%\n, \\\\server\\root\\info\\DATE\\%A_YEAR%-%A_MON%-%A_MDAY%.txt
  FileAppend, %A_YEAR%-%A_MON%-%A_MDAY% %A_HOUR%:%A_MIN%:%A_SEC% - %A_OSVERSION% - %COMPNAME% - %USERNAME%\n, \\\\server\\root\\info\\OS\\%A_OSVERSION%.txt

This produces three output files, ie:

2002-02-14 14:48:41 - WIN_2000 - MANGALORE - stevek

Auto-It : http://www.hiddensoft.com/autoit/
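
Once a logon script like the one in the post above is in place, the user-to-computer lookup becomes a query over those log files. The following is an added example, not part of the original post: it parses records in the `date time - OS - computer - user` format shown above, lists every computer a user has logged on from (most recent first, which covers the multiple-logon case raised later in the thread), and resolves each name to an IP. The sample lines, function names and the injectable `resolver` parameter are constructed for illustration.

```python
import re
import socket
from datetime import datetime

# Constructed sample records in the format the logon script appends:
# "<date> <time> - <OS> - <computer> - <username>". Names below are illustrative.
SAMPLE_LOG = """\
2002-02-14 14:48:41 - WIN_2000 - MANGALORE - stevek
2002-02-14 15:02:10 - WIN_NT4 - FIN-PC-0231 - joeuser
2002-02-15 08:31:07 - WIN_2000 - LAB-KIOSK-07 - JoeUser
partially written line - WIN_2000
2002-02-15 09:12:55 - WIN_2000 - MANGALORE - stevek
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (\S+) - (\S+) - (\S.*?)\s*$")


def parse_logons(text):
    """Return (records, skipped); malformed lines are counted, not fatal."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += bool(line.strip())
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        # Windows computer and user names are case-insensitive: normalise both.
        records.append((when, m.group(2), m.group(3).upper(), m.group(4).lower()))
    return records, skipped


def machines_for_user(records, username):
    """Every computer the user logged on from, most recent logon first."""
    last_seen = {}
    for when, _os, computer, user in records:
        if user == username.lower() and when > last_seen.get(computer, datetime.min):
            last_seen[computer] = when
    return sorted(last_seen.items(), key=lambda kv: kv[1], reverse=True)


def resolve_all(machines, resolver=socket.gethostbyname):
    """Map each computer name to an IP, or None if the name does not resolve."""
    out = {}
    for computer, _when in machines:
        try:
            out[computer] = resolver(computer)
        except OSError:  # socket.gaierror is a subclass of OSError
            out[computer] = None
    return out
```

A logon record only proves the user was at that computer at that time, so the newest entry is a starting point and not proof of the current session.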
Steve Knight

Here you go...

http://www.clever-consulting.com/docs/finduser.html

This is a batch file script using the WINSCL.EXE tool found in the NT resource kit (downloadable from MS here
http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp )

Supply it a username and it will give out an IP address querying the WINS database (assuming you are using WINS on the network still, this is where NET SEND gets it from).

hth

Steve
Les Moore

Nice one, Steve!
cyanic

ASKER
winscl is not working for me.

qn            - query name
joeuser       - username
1             - yes for 16th char
03            - 16th char for username
0             - no scope

After pressing enter for no scope I get
Status returned is (FAILURE - 5)

I am using 2000 server Resource kit on a 2000 pro with the winrpc.dll copied from a server box. I don't have any special rights to the WINS server.
cyanic

ASKER
VincentWong,

Yes, this will still work if the user turns off the messenger service. You will just get an error instead of a success.

Q: What happens if the user is logged into more than one machine?

A: The message only goes to the first machine the user logged into.
Steve Knight

>>Q: What happens if the user is logged into more than one machine?

That will be the same with a WINS query as well of course since you can only register the name once ...

I don't run WINS on my home network so it is a little difficult to test here (which is why I didn't before I posted).  Did you try the finduser batch file or just the command line tool directly?

Steve
cyanic

ASKER
Yes, I used the command line tool; I looked at the batch file to see what options to use. All the other commands within the tool yielded the same result, "FAILURE - 5". I guess I should research what a failure 5 means; I'm guessing it's access denied.
ASKER CERTIFIED SOLUTION
Steve Knight

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
juliancrawford

No comment has been added lately, so it's time to clean up this TA.            
I will leave a recommendation in the Cleanup topic area that this question is:            

Answered by: dragon-it            

Please leave any comments here within the next seven days.            

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!            

JulianCrawford            
EE Cleanup Volunteer