Solved

Simple need to detect external IP of RDP user

Posted on 2011-09-19
466 Views
Last Modified: 2012-05-12
I have someone who is logging into a terminal server via RDP and I need to find out the IP address of the external computer that is making the connection.  The terminal server properties shows the internal IP, so how can I easily find out the external IP?  I am running a Sonicwall TZ170, so maybe someone knows where to find that info in the router, if not on the terminal server itself.
Question by:murryc
10 Comments
 
LVL 6

Expert Comment

by:JRaster
ID: 36563881
That's interesting that it shows the internal IP.
Are the users creating a VPN connection first?  If so, then it makes sense that it is logged.

My Terminal Server shows the external IP under Source Network Address in the Security log.
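The Security-log approach described in this comment, written out as an added PowerShell example (not code from the original thread). It pulls the RDP logon (4624, LogonType 10) and session-reconnect (4778) events and prints the client address each one recorded. It assumes Windows Server 2008 or later (XML event schema), that success auditing for logon events is enabled, and that it runs from an elevated prompt; the 24-hour window is an arbitrary default.

```powershell
# Added example, not from the original thread.
# Lists RDP logons and reconnects from the Security log with the client address.
# Assumes Server 2008+ and logon auditing enabled; run elevated.
param(
    [int]$Hours = 24    # assumed default look-back window
)

$since = (Get-Date).AddHours(-$Hours)

# 4624 = successful logon (LogonType 10 = RemoteInteractive, i.e. RDP)
# 4778 = session reconnected (a user re-attaching to a disconnected session)
$filter = @{ LogName = 'Security'; Id = 4624, 4778; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $ev  = $_                      # keep the event; $_ is rebound inside switch
    $xml = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($ev.Id) {
        4624 {
            if ($data.LogonType -ne '10') { return }   # skip non-RDP logons
            [pscustomobject]@{
                Time       = $ev.TimeCreated
                Event      = 'Logon'
                User       = "$($data.TargetDomainName)\$($data.TargetUserName)"
                ClientIP   = $data.IpAddress
                ClientName = $data.WorkstationName
            }
        }
        4778 {
            [pscustomobject]@{
                Time       = $ev.TimeCreated
                Event      = 'Reconnect'
                User       = "$($data.AccountDomain)\$($data.AccountName)"
                ClientIP   = $data.ClientAddress
                ClientName = $data.ClientName
            }
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The ClientIP column is the address the terminal server itself saw, so the caveat in this comment applies: if the user came in over a VPN, or the server sits behind a device that rewrites the source, you get the inner address and must look at the VPN or firewall logs for the real origin. With Network Level Authentication the same connection also produces a LogonType 3 event from the same client address just before the LogonType 10 one.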
 
LVL 7

Expert Comment

by:lewisg
ID: 36563972
 

Author Comment

by:murryc
ID: 36564359
I need the client's external IP, not the IP that my router has that is accepting the RDP connection. I need the IP of the computer the user is connecting from.

 
LVL 10

Expert Comment

by:ReneGe
ID: 36564412
I can provide this for you. Currently scripting it as a batch file.
 
LVL 10

Accepted Solution

by:
ReneGe earned 500 total points
ID: 36564639
The following batch file (.bat) will output:
date, time, remote FQDN, remote IP address

Hope this helps,
Rene


@ECHO OFF

SETLOCAL enabledelayedexpansion

SET TerminalServicesPortNumber=3389
SET LogFile=LogFile.csv

REM LISTING ESTABLISHED TERMINAL SERVICES CONNECTIONS
REM -n keeps addresses and ports numeric, so the port filter matches even where
REM NETSTAT would otherwise display 3389 by its service name (ms-wbt-server).
REM Column 3 of the NETSTAT output is the foreign (client) address as IP:port.
REM REM is used instead of :: because :: breaks inside parenthesised blocks.
FOR /F "tokens=3" %%A IN ('NETSTAT -n -p TCP ^| FINDSTR /C:":%TerminalServicesPortNumber% " ^| FINDSTR ESTABLISHED') DO (
	REM ISOLATING THE REMOTE IP ADDRESS (DROPPING THE :PORT SUFFIX)
	FOR /F "tokens=1 delims=:" %%B IN ("%%A") DO (
		REM REVERSE-RESOLVING THE IP TO A FULLY QUALIFIED DOMAIN NAME [FQDN]
		REM NSLOOKUP prints "Name:    host.example.com" when a PTR record exists;
		REM when it does not, the placeholder below is kept.
		SET FQDN=unresolved
		FOR /F "tokens=1,2 delims=: " %%C IN ('NSLOOKUP %%B 2^>NUL') DO (
			IF /I "%%C"=="Name" SET FQDN=%%D
		)
		ECHO !date!,!time!,!FQDN!,%%B
		ECHO !date!,!time!,!FQDN!,%%B>>"%LogFile%"
	)
)

PAUSE


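The same idea as the batch file above in PowerShell, as an added example that is not part of the original answer: enumerate the established TCP 3389 connections, take the remote address of each, reverse-resolve it (the nslookup step the answer uses, and the lookup ReneGe suggests later in the thread), and append the result to a CSV. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; the port, the log path under %TEMP% and the column layout are assumptions.

```powershell
# Added example, not from the original answer.
# Lists established RDP connections with the remote client IP and FQDN.
# Assumes Windows 8 / Server 2012+ (Get-NetTCPConnection); run elevated.
$RdpPort = 3389                                         # assumed RDP port
$LogFile = Join-Path $env:TEMP 'RdpConnections.csv'     # assumed log location

$rows = Get-NetTCPConnection -LocalPort $RdpPort -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ip = $_.RemoteAddress
        # Reverse lookup. PTR records are often missing for home/dynamic
        # addresses, so a failed lookup is reported rather than aborting.
        try   { $fqdn = [System.Net.Dns]::GetHostEntry($ip).HostName }
        catch { $fqdn = 'unresolved' }

        [pscustomobject]@{
            Timestamp  = (Get-Date).ToString('s')
            RemoteFQDN = $fqdn
            RemoteIP   = $ip
            RemotePort = $_.RemotePort
            LocalIP    = $_.LocalAddress
        }
    }

if ($rows) {
    $rows | Format-Table -AutoSize
    $rows | Export-Csv -Path $LogFile -Append -NoTypeInformation
} else {
    Write-Host "No established connections on port $RdpPort."
}

# The socket does not tell you which logon session it belongs to: every RDP
# session is served by the same TermService svchost process. List the sessions
# alongside and match them to client addresses by logon time using the
# Security log (event 4624 with LogonType 10, or 4778 for reconnects).
query session
```

The Get-NetTCPConnection filter is the equivalent of the `netstat -n | findstr :3389` pipeline, without the parsing. On Server 2003/2008 the batch file or a plain `netstat -an` remain the options, since the cmdlet is not available there.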
 

Author Comment

by:murryc
ID: 36564764
Nice Batch!  This seems to report the IP when run on the actual session.  Is this possible to detect the IP of someone else's active session?  Here is my scenario.  I have an unauthorized person that is logging into the terminal server.  I am able to shadow that person's session without them seeing that I am doing that.  I now just need to detect his originating IP so that I can tell whether it is a previous employee, partner, vendor, or just a normal foreign hacker.
 
LVL 10

Expert Comment

by:ReneGe
ID: 36564852
Nice Batch = Thanks :)

"...detect the IP of someone else's active session..." = Yes
It will actually log all currently T.S. logged-in users.

"...so that I can tell whether it is a...": because most home users have a dynamic IP address, it is difficult to tell who has what Internet IP address. You may try to find at least the IP address's city by using the following link, where the "x" has to be replaced by the IP address: http://www.geobytes.com/IpLocator.htm?GetLocation&IpAddress=xxx.xxx.xxx.xxx

If it's a company, they most likely own that IP address, and doing a reverse lookup "nslookup xxx.xxx.xxx.xxx" will help.

You will need to use some strategy.  For example, that remote TS user is logged on using what credentials? Then talk to the person owning these credentials. If it is not him/her, find the ISP owning that IP address, then find a convincing way to trace it to the user (the ISP client) by using the IP address, date and time.

 
LVL 10

Expert Comment

by:ReneGe
ID: 36564856
"nslookup xxx.xxx.xxx.xxx"

Actually, in the CSV log file, you should get the company name owning that IP address.

Cheers,
Rene
 
LVL 10

Expert Comment

by:ddiazp
ID: 36919903
netstat -ant | find /i "3389"

would have been enough
 
LVL 10

Expert Comment

by:ReneGe
ID: 36920453
Glad I could help
