Obtain Client IP Connecting to the Mailbox

With brute-force attacks so common today, mailboxes are no longer safe with an average password. When you have a hunch that your mailbox may have been compromised, first reset the mailbox password. Second, you may want to obtain the client IP connecting to the mailbox. Here is how to get that information. NOTE: If you are using a load balancer, the real client IP may not be shown because of the NAT policies being applied.

You will need to run the command in Exchange Management Shell.

The Get-LogonStatistics cmdlet provides the following logon-related information:

AdapterSpeed :
ClientIPAddress :
ClientMode :
ClientName :
ClientVersion :
CodePage :
CurrentOpenAttachments :
CurrentOpenFolders :
CurrentOpenMessages :
FolderOperationCount :
FullMailboxDirectoryName :
FullUserDirectoryName :
HostAddress :
LastAccessTime :
Latency :
LocaleID :
LogonTime :
MACAddress :
MessagingOperationCount :
OtherOperationCount :
ProgressOperationCount :
RPCCallsSucceeded :
StreamOperationCount :
TableOperationCount :
TotalOperationCount :
TransferOperationCount :
UserName :
Windows2000Account :
ServerName :
StorageGroupName :
DatabaseName :
Identity :

The two main attributes you are going to need are Identity and ClientIPAddress. You can run the following to get this information for a single user mailbox:

Get-LogonStatistics -Identity user@domain.com | Select Identity,ClientIPAddress

Run the above and it should display the information.

Use the following command when you would like to query a specific mailbox database:

Get-LogonStatistics -Database "MyDatabase" | fl

To get information based on a mailbox server:

Get-LogonStatistics -Server "MyServer"

Here is another variation of the command to get the client IP:

Get-LogonStatistics user@domain.com | Sort-Object ClientIPAddress | Format-Table UserName,ClientIPAddress,LogonTime,ClientVersion

NOTE: If you are using Exchange 2010, the client IP may be blank. You will then have to look through the following logs:

\Program Files\Microsoft\Exchange Server\v14\Logging\RPC Client Access

For these logs, you may want to use Log Parser, which can be downloaded from the Microsoft Center:

Log Parser Download
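
To make the Get-LogonStatistics output above quicker to review, the following added example (not part of the original post) flags sessions whose ClientIPAddress is blank or falls outside the address ranges you expect. The function names, the trusted ranges and the sample records are assumptions constructed for illustration, and the range check is IPv4 only.

```powershell
# Added example, not from the original post. Ranges and records are constructed.
function ConvertTo-IPv4Number {
    param([string]$Text)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $null }
    if ($ip.AddressFamily -ne 'InterNetwork') { return $null }   # IPv4 only
    [double]$n = 0
    foreach ($byte in $ip.GetAddressBytes()) { $n = $n * 256 + $byte }
    return $n
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $a = ConvertTo-IPv4Number $Address
    $b = ConvertTo-IPv4Number $net
    if ($null -eq $a -or $null -eq $b) { return $false }
    $size = [math]::Pow(2, 32 - [int]$bits)     # number of addresses in the block
    return ([math]::Floor($a / $size) -eq [math]::Floor($b / $size))
}

function Get-UnexpectedLogonSource {
    param([Parameter(ValueFromPipeline = $true)] $Logon, [string[]] $TrustedCidr)
    process {
        $ip = "$($Logon.ClientIPAddress)".Trim()
        $reason = $null
        if (-not $ip) {
            # Exchange 2010 can leave this empty; see the RPC Client Access logs
            $reason = 'blank ClientIPAddress'
        } elseif (-not ($TrustedCidr | Where-Object { Test-IPv4InCidr $ip $_ })) {
            $reason = 'outside trusted ranges'
        }
        if ($reason) {
            $Logon | Select-Object UserName, ClientIPAddress, LogonTime, ClientVersion,
                @{ Name = 'Reason'; Expression = { $reason } }
        }
    }
}

$trusted = '10.0.0.0/8', '192.168.10.0/24'      # constructed: internal and VPN ranges
$sample = @'
UserName,ClientIPAddress,LogonTime,ClientVersion
user,10.20.30.40,2024-01-15 08:02:11,constructed
user,203.0.113.57,2024-01-15 03:41:09,constructed
user,,2024-01-15 09:15:30,constructed
user,192.168.10.15,2024-01-15 10:05:44,constructed
'@ | ConvertFrom-Csv
$sample | Get-UnexpectedLogonSource -TrustedCidr $trusted | Format-Table -AutoSize
# Live use: Get-LogonStatistics -Identity user@domain.com | Get-UnexpectedLogonSource -TrustedCidr $trusted
```

With the sample records, the 203.0.113.57 session and the blank session are reported. Behind a load balancer every session may show the NAT address, so the check is only meaningful where the real client IP is recorded.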

While looking for mailbox information, you can use Get-MailboxStatistics User@domain.com and get the following attributes:

AssociatedItemCount :
DeletedItemCount :
DisconnectDate :
DisplayName :
ItemCount :
LastLoggedOnUserAccount :
LastLogoffTime :
LastLogonTime :
LegacyDN :
MailboxGuid :
ObjectClass :
StorageLimitStatus :
TotalDeletedItemSize :
TotalItemSize :
Database :
ServerName :
StorageGroupName :
DatabaseName :
Identity :

The attribute that shows the amount of data in a mailbox is TotalItemSize.

You can then run Get-MailboxStatistics User@domain.com
