GetIP – Exfiltrate IP information using PowerShell

GetIP was something I used a bit more for personal reasons, but could easily be modified for engagements with more dynamic IP allocations.

GetIP will grab the IP address (from IPInfo Security Portal) and hostname of a machine, and then put them in a timestamped text file. Additionally, it was a good start for me to get my hands dirty and use PowerShell instead of Python occasionally.

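# Resolve the directory this script lives in so the log file lands next to it.
$invocation = (Get-Variable MyInvocation).Value
$directorypath = Split-Path $invocation.MyCommand.Path

try {
    # Ask ipinfo.io about our public address and keep only the "ip" field.
    $ip = Invoke-RestMethod http://ipinfo.io/json | Select-Object -ExpandProperty ip
    $hostname = $env:COMPUTERNAME.ToLower()
    # Timestamp such as "Jan 05 @ 00:15".
    $date = Get-Date -Format "MMM dd \@ HH\:mm"
    # Append one line per run to IPs.txt.
    Add-Content (Join-Path $directorypath 'IPs.txt') "$date HOST: $hostname - $ip"
}
catch {
    # Print the error record for any terminating error (for example, a failed request).
    Write-Output $_
}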

It hits ipinfo.io's public REST endpoint, and then grabs the ip field from the JSON response. More information could obviously be grabbed, but I just needed the IP address in this case.

GetIP - Code

I have this script running as a scheduled task every day at 12:15am, with the output going to my Dropbox folder.

GetIP - Execution

That said, this script could easily be modified to use a different method of exfiltration (Pastebin, Twitter, e-mail, etc.) if the engagement called for it.

As usual, the code and updates can always be found in my GitHub repository as well.
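
From the defender's side, the pattern in this post (a PowerShell script that queries a public IP lookup service and then writes the result somewhere) can be hunted for in script block logs. The following is an added example, not part of the original post or the GetIP repository; the function name, the host and cmdlet lists, and the sample records are constructed assumptions.

```powershell
# Added example (not from the original post). All sample records are constructed.
# Hosts to watch for: ipinfo.io is the service this post uses; the rest are
# other public IP lookup services, listed here as an assumption.
$LookupHosts = 'ipinfo.io', 'api.ipify.org', 'ifconfig.me', 'icanhazip.com'
# Cmdlets that persist or send data (assumed list; extend for your environment).
$SinkPattern = '\b(Add-Content|Set-Content|Out-File|Send-MailMessage)\b'

function Find-IpLookupScriptBlock {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record   # needs .TimeCreated, .Computer, .ScriptBlockText
    )
    begin {
        $hostPattern = ($LookupHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    }
    process {
        $text = [string]$Record.ScriptBlockText
        $m = [regex]::Match($text, "https?://(?<host>$hostPattern)\b", 'IgnoreCase')
        if (-not $m.Success) { return }   # no lookup call, nothing to report
        [pscustomobject]@{
            TimeCreated = $Record.TimeCreated
            Computer    = $Record.Computer
            LookupHost  = $m.Groups['host'].Value
            # True when the lookup goes over unencrypted HTTP.
            Plaintext   = $m.Value -like 'http://*'
            # True when the same block also writes or sends data.
            HasSink     = $text -match $SinkPattern
        }
    }
}

# Constructed records shaped like script block logging output.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10 00:15:02'; Computer = 'ws-014'
        ScriptBlockText = '$ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip; Add-Content $directorypath\IPs.txt "$date HOST: $hostname - $ip"' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:31:47'; Computer = 'ws-022'
        ScriptBlockText = 'Get-ChildItem C:\Temp | Out-File C:\Temp\listing.txt' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 10:02:13'; Computer = 'ws-031'
        ScriptBlockText = '(Invoke-RestMethod https://api.ipify.org?format=json).ip' }
)

$sample | Find-IpLookupScriptBlock | Format-Table -AutoSize
```

On a live host, records of this kind come from event ID 4104 in the Microsoft-Windows-PowerShell/Operational log when script block logging is enabled. A hit with HasSink set that recurs at the same time each day is worth correlating with the scheduled tasks on that machine.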

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


2 Responses to GetIP – Exfiltrate IP information using PowerShell

  1. Trish Murtaugh

    Great post!! Thanks for the article.

    You can also use from PowerShell: Invoke-RestMethod http://ipinfo.io/json

    The command output will already give us the location.

    Extracted from: https://www.sysadmit.com/2019/01/windows-saber-ip-publica-PowerShell.html
