IT CAMPER

Simple need to detect external IP of RDP user

I have someone who is logging into a terminal server via RDP and I need to find out the IP address of the external computer that is making the connection. The terminal server properties show the internal IP, so how can I easily find out the external IP? I am running a SonicWall TZ170, so maybe someone knows where to find that info in the router, if not on the terminal server itself.
JRaster

That's interesting that it shows the internal IP.
Are the users creating a VPN connection first?  If so, then it makes sense that is logged.

My terminal server shows the external IP under Source Network Address in the security log.
IT CAMPER (ASKER)

I am needing the client's external IP, not the IP that my router has that is accepting the RDP connection. I need the IP of the computer the user is connecting from.
I can provide this for you. Currently scripting it as a batch file.
ASKER CERTIFIED SOLUTION
ReneGe

This solution is only available to members.
Nice Batch! This seems to report the IP when run on the actual session. Is it possible to detect the IP of someone else's active session? Here is my scenario. I have an unauthorized person that is logging into the terminal server. I am able to shadow that person's session without them seeing that I am doing that. I now just need to detect his originating IP so that I can tell whether it is a previous employee, partner, vendor, or just a normal foreign hacker.
Nice Batch = Thanks :)

"...detect the IP of someone else's active session..." = Yes
It will actually log all currently logged-in T.S. users.

"...so that I can tell whether it is a...": because most home users have a dynamic IP address, it is difficult to tell who has what Internet IP address. You may try to find at least the IP address's city by using the following link, where the "x" has to be replaced by the IP address: http://www.geobytes.com/IpLocator.htm?GetLocation&IpAddress=xxx.xxx.xxx.xxx

If it's a company, they most likely own that IP address, and doing a reverse lookup "nslookup xxx.xxx.xxx.xxx" will help.

You will need to use some strategy. For example, that remote TS user is logged on using what credentials? Then talk to the person owning these credentials. If it is not him/her, find the ISP owning that IP address, then find a convincing way to trace it to the user (the ISP client) by using the IP address, date and time.

"nslookup xxx.xxx.xxx.xxx"

Actually, in the CSV log file, you should get the company name owning that IP address.

Cheers,
Rene
netstat -ant | find /i "3389"

would have been enough
Glad I could help
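
The netstat approach from the comments above, as an added example that is not part of the original thread or the members-only batch file: it parses `netstat -ant` output, keeps only ESTABLISHED connections whose local port is 3389 (a plain text match on "3389" also picks up listening sockets, outbound RDP and ports such as 33890), and marks each client address as internal or external. The function names, the column layout assumed for netstat, and the sample output are constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389
# Private, loopback, IPv6 ULA and link-local ranges. A client address in one of
# these is not an internet-facing IP (LAN client, VPN, or source NAT upstream).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10")]

# Constructed sample of Windows `netstat -ant` output (documentation addresses).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State

  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       InHost
  TCP    192.168.1.10:3389      203.0.113.45:51234     ESTABLISHED     InHost
  TCP    192.168.1.10:3389      192.168.1.57:50022     ESTABLISHED     InHost
  TCP    192.168.1.10:49712     198.51.100.7:3389      ESTABLISHED     InHost
  TCP    192.168.1.10:33890     198.51.100.9:40000     ESTABLISHED     InHost
  TCP    192.168.1.10:3389      198.51.100.20:61000    TIME_WAIT       InHost
  TCP    [2001:db8::10]:3389    [2001:db8::beef]:52000 ESTABLISHED     InHost
  UDP    0.0.0.0:3389           *:*
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6%zone]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and zone id
    return ipaddress.ip_address(host), int(port)

def rdp_clients(netstat_text, port=RDP_PORT):
    """Return [(remote_ip, remote_port, scope)] for live inbound RDP sessions."""
    clients = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "ESTABLISHED":
            continue  # headers, UDP, LISTENING, TIME_WAIT, blank lines
        _, local_port = split_endpoint(fields[1])
        if local_port != port:
            continue  # outbound RDP from this server, or a look-alike port
        remote_ip, remote_port = split_endpoint(fields[2])
        internal = any(remote_ip in net for net in INTERNAL_NETS)
        clients.append((str(remote_ip), remote_port,
                        "internal" if internal else "external"))
    return clients

if __name__ == "__main__":
    for ip, rport, scope in rdp_clients(SAMPLE):
        print(f"{ip}:{rport}  {scope}")
```

An "internal" result for a remote user means the terminal server is not seeing the client's own address, so the firewall or VPN logs are where the external IP has to come from.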