GetIP – Exfiltrate IP information using PowerShell

GetIP was something I used a bit more for personal reasons, but could easily be modified for engagements with more dynamic IP allocations.

GetIP will grab the IP address (from IPInfo Security Portal) and hostname of a machine, and then put them in a time stamped text file. Additionally, it was a good start for me to get my hands dirty and use PowerShell instead of Python occasionally.

$invocation = (Get-Variable MyInvocation).Value
$directorypath = Split-Path $invocation.MyCommand.Path

try {
    $ip = Invoke-RestMethod http://ipinfo.io/json | Select -exp ip
    $hostname = $env:COMPUTERNAME.ToLower()
    $date = Get-Date -format "MMM dd \@ HH\:mm"
    Add-Content $directorypath\IPs.txt "$date HOST: $hostname - $ip"
}
catch {
    Write-Output $_
}

It hits their public REST endpoint, and then grabs the IP from that. More information could obviously be grabbed, but I just needed the IP address in this case.

I have this script running as a scheduled task every day at 12:15am, with the output going to my Dropbox folder.

That said, this script could easily be modified to use a different method of exfiltration (Pastebin, Twitter, e-mail, etc.) if the engagement called for it.

As usual, the code and updates can always be found in my GitHub repository as well.

Ray Doyle

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.