TryHackMe: Passive Reconnaissance - Writeup

In this room, we will delve into the first module of Network Security, focusing on Passive Reconnaissance. The module covers several vital areas, but here, we will focus on passive reconnaissance tools and techniques, such as whois, nslookup, dig, and online services like DNSDumpster and Shodan.io.

Task 1: Introduction to Reconnaissance

Reconnaissance is the crucial first step in penetration testing. It involves gathering information about the target. There are two types of reconnaissance: passive and active.

Passive Reconnaissance: Gathering information from publicly available resources without directly engaging with the target.

Examples:

  • Looking up DNS records.

  • Checking job ads related to the target.

  • Reading news articles about the target company.

Active Reconnaissance: Direct engagement with the target to gather information.

Examples:

  • Connecting to company servers (HTTP, FTP, SMTP).

  • Social engineering (e.g., calling the company for information).

  • Physical engagement (e.g., entering company premises).

Task Questions:

  1. You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this?

    Answer: P (Passive)

  2. You ping the IP address of the company web server to check if ICMP traffic is blocked. What kind of reconnaissance activity is this?

    Answer: A (Active)

  3. You meet the IT administrator of the target company at a party and use social engineering to get information about their systems. What kind of reconnaissance activity is this?

    Answer: A (Active)

Task 3: Whois

WHOIS is a query protocol (also reachable through web front-ends such as https://who.is/) that lets us look up registration information about a domain name: the registrar, registrant contact details, the domain's creation and expiration dates, and its name servers.

Task Questions:

  1. When was TryHackMe.com registered?

    Answer: 20180705 (Format: YYYY-MM-DD)

  2. What is the registrar of TryHackMe.com?

    Answer: namecheap.com

  3. Which company is TryHackMe.com using for name servers?

    Answer: Cloudflare (cloudflare.com)
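
The `whois` command-line tool speaks a very small protocol: open TCP port 43 on a WHOIS server, send the domain name followed by CRLF, and read plain text back until the server closes the connection. As an added example (not part of the original writeup), the Python below does exactly that and then pulls out the three fields the task asks about. The sample reply is constructed with placeholder values for example.com, and the default server `whois.verisign-grs.com` (the .com registry's WHOIS server) is an assumption of this example; registrars' own WHOIS servers often return fuller contact data than the registry does.

```python
import re
import socket

# Constructed sample of a registry WHOIS reply (RFC 3912 is plain text, one
# "Key: value" per line). Every value here is a placeholder, not real registration data.
SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE.COM
   Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar: Example Registrar, Inc.
   Creation Date: 2019-03-02T10:20:30Z
   Registry Expiry Date: 2029-03-02T10:20:30Z
   Name Server: NS1.EXAMPLE-DNS.TEST
   Name Server: NS2.EXAMPLE-DNS.TEST
   DNSSEC: unsigned
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""


def whois_raw(domain, server="whois.verisign-grs.com", timeout=5.0):
    """Ask a WHOIS server directly over TCP port 43, the way the whois CLI does."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:                      # server closes the connection when done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_whois(text):
    """Extract registrar, creation/expiry dates and name servers from a WHOIS reply."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:                            # repeated keys (Name Server) are kept as a list
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    name_servers = [ns.lower() for ns in fields.get("name server", [])]
    # Last two labels as the DNS provider's domain (e.g. *.ns.cloudflare.com -> cloudflare.com).
    # Heuristic only: it is wrong for ccTLDs with a second-level suffix such as .co.uk.
    providers = sorted({".".join(ns.split(".")[-2:]) for ns in name_servers})
    created = fields.get("creation date", [""])[0]
    expires = fields.get("registry expiry date", [""])[0]
    return {
        "registrar": fields.get("registrar", [None])[0],
        "created": created[:10] or None,   # YYYY-MM-DD part of the timestamp
        "expires": expires[:10] or None,
        "name_servers": name_servers,
        "ns_providers": providers,
    }


if __name__ == "__main__":
    print(parse_whois(SAMPLE_WHOIS))
    # Live lookup (requires network): print(parse_whois(whois_raw("tryhackme.com")))
```

Running the script offline parses the constructed sample; uncommenting the last line performs the same registry query that `whois tryhackme.com` would.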

Task 4: nslookup and dig

nslookup and dig are command-line tools used to query DNS servers for information about domain names.

nslookup example (A records for tryhackme.com, asking the 1.1.1.1 resolver directly rather than the system's default):

nslookup -type=A tryhackme.com 1.1.1.1

dig example (MX records for tryhackme.com via the same resolver):

dig @1.1.1.1 tryhackme.com MX

Task Questions:

  1. Check the TXT records of thmlabs.com. What is the flag there?

nslookup -type=txt thmlabs.com

Answer: THM{a5b83929888ed36acb0272971e438d78}
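
To show what nslookup and dig actually do for you, here is an added example (not part of the original writeup) that builds the same UDP query `nslookup -type=txt` sends, parses the wire-format answer including name-compression pointers, and decodes TXT, A, MX, NS and CNAME record data. The response bytes are constructed for example.com with a placeholder flag-style TXT value, and the `query_dns` helper with resolver 1.1.1.1 is an assumption of this example, not something the room provides.

```python
import socket
import struct

# Record types this example understands (a subset of the IANA registry).
TYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in TYPES.items()}


def encode_name(name):
    """Encode 'thmlabs.com' as <7>thmlabs<3>com<0>, the DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Wire-format query: header with RD (recursion desired) set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPES[qtype], 1)


def decode_name(msg, offset):
    """Read a name at `offset`, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as it appeared in the record)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            hops += 1
            if hops > 16:                              # guard against pointer loops
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                       # the pointer itself is 2 bytes
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(msg):
    """Return [(name, type, ttl, value), ...] for every record in the answer section."""
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:                                 # RCODE: 3 = NXDOMAIN, 2 = SERVFAIL, ...
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):                           # skip the echoed question(s)
        _, offset = decode_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, rstart = msg[offset:offset + rdlen], offset
        offset += rdlen
        if rtype == TYPES["A"]:
            value = ".".join(str(b) for b in rdata)
        elif rtype == TYPES["TXT"]:                    # one or more <len><chars> strings
            parts, i = [], 0
            while i < len(rdata):
                parts.append(rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace"))
                i += 1 + rdata[i]
            value = "".join(parts)
        elif rtype == TYPES["MX"]:                     # preference, then a (compressible) name
            value = f"{struct.unpack('!H', rdata[:2])[0]} {decode_name(msg, rstart + 2)[0]}"
        elif rtype in (TYPES["NS"], TYPES["CNAME"]):
            value = decode_name(msg, rstart)[0]
        else:
            value = rdata.hex()
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return records


def query_dns(name, qtype, resolver="1.1.1.1", timeout=3.0):
    """Network version: UDP to port 53 of the resolver, as nslookup/dig do."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:                              # answer must echo our transaction id
        raise ValueError("transaction id mismatch")
    # A set TC bit (flags & 0x0200) means the answer was truncated; retry over TCP then.
    return parse_response(data)


# Constructed sample response (not captured from a real server): two TXT records
# for example.com, the second carrying a placeholder flag-style value.
SAMPLE_TXT_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # id, flags, 1 question, 2 answers
    b"\x07example\x03com\x00\x00\x10\x00\x01"           # question: example.com TXT IN
    b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x0e\x10\x00\x0c"  # answer 1: name ptr, TXT, IN, TTL 3600, rdlen 12
    b"\x0bv=spf1 -all"
    b"\xc0\x0c\x00\x10\x00\x01\x00\x00\x0e\x10\x00\x1d"  # answer 2: same header, rdlen 29
    b"\x1cTHM{constructed-sample-flag}"
)

if __name__ == "__main__":
    for record in parse_response(SAMPLE_TXT_RESPONSE):
        print(record)
    # Live equivalent of `nslookup -type=txt thmlabs.com 1.1.1.1` (requires network):
    # print(query_dns("thmlabs.com", "TXT"))
```

The second TXT record in the sample is where a flag-style string would show up; running the live line instead gives the same tuples for the real thmlabs.com records that the nslookup command above prints.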

Task 5: DNSDumpster

DNSDumpster (https://dnsdumpster.com/) is an online tool that helps discover subdomains and gather DNS information about a target.

  1. Visit [DNSDumpster](https://dnsdumpster.com).

  2. Enter the domain (e.g., tryhackme.com) to search for DNS information.

Task Question:

  1. Look up tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

    Answer: remote

Thank you for reading my article. Please leave any questions or comments.