
TryHackMe – Passive Reconnaissance Solution

Passive reconnaissance is the practice of gathering information about target computers and networks without interacting with those systems directly; everything comes from publicly available sources such as registration records, DNS and third-party scan data. In this article we solve the Passive Reconnaissance room on TryHackMe's website.

Steps to solve the Passive Reconnaissance lab

In this part of the recon process we only look at information that is already public, without sending any traffic to the target. The following tools help with passive recon.



Step 1: Whois

WHOIS is a simple query/response protocol (RFC 3912) used to look up the registration record of a domain name or IP range. It gives us the registrar, the registration, update and expiration dates, the name servers and the registrant contact details, among other things. Note that the contact details are often redacted or replaced by a privacy service, so they may be useless or misleading.

If we run whois for the tryhackme.com domain, we get the following result:



whois tryhackme.com

Using whois we were able to answer the following questions from the challenge:

Question 1: When was TryHackMe.com registered?

Answer: 20180705

Question 2: What is the registrar of TryHackMe.com? 

Answer: Namecheap.com

Question 3: Which company is TryHackMe.com using for name servers?

Answer: Cloudflare.com 
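To show how the three WHOIS answers above can be pulled out of raw whois output with standard shell tools, here is an added example; it is not part of the original article or of TryHackMe's material. The whois record it parses is constructed to mimic the field layout of a .com registry record, and the function names (whois_field, whois_created, whois_registrar, whois_ns_domains, whois_summary) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original article or of TryHackMe's material.
# Pulls the three facts the room asks about (registration date, registrar,
# name-server company) out of raw `whois` output, so the answers can be
# extracted the same way for any domain:  whois example.com | whois_summary
#
# SAMPLE_WHOIS is CONSTRUCTED to mirror the field names a Verisign .com
# record uses; the values are illustrative, not a captured whois reply.
SAMPLE_WHOIS='   Domain Name: TRYHACKME.COM
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2021-05-01T09:12:33Z
   Creation Date: 2018-07-05T19:46:15Z
   Registry Expiry Date: 2027-07-05T19:46:15Z
   Registrar: NameCheap, Inc.
   Name Server: KIP.NS.CLOUDFLARE.COM
   Name Server: UMA.NS.CLOUDFLARE.COM
   DNSSEC: unsigned'

# Value of the first line whose key (text before the first colon) equals $1,
# compared case-insensitively with surrounding whitespace ignored. Matching the
# whole key matters: "Registrar" must not match "Registrar URL" or
# "Registrar WHOIS Server". Only the first colon is treated as the separator,
# so values containing colons (URLs, timestamps) survive. Reads stdin.
whois_field() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            line = $0; sub(/\r$/, "", line)
            key = line; sub(/:.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = line; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# Registration date reduced to the YYYYMMDD form the room expects
# (2018-07-05T19:46:15Z -> 20180705).
whois_created() {
    whois_field "Creation Date" | cut -c1-10 | tr -d '-'
}

# Registrar name, lower-cased so the comparison does not depend on the
# registry's capitalisation.
whois_registrar() {
    whois_field "Registrar" | tr '[:upper:]' '[:lower:]'
}

# Company operating the name servers: each "Name Server:" host reduced to its
# last two labels (kip.ns.cloudflare.com -> cloudflare.com), de-duplicated.
# Two labels is a heuristic; hosts under e.g. co.uk would need a public-suffix
# list to be reduced correctly.
whois_ns_domains() {
    awk '
        tolower($1) == "name" && tolower($2) == "server:" {
            host = tolower($3); sub(/\.$/, "", host)
            n = split(host, p, ".")
            if (n >= 2) seen[p[n-1] "." p[n]] = 1
        }
        END { for (d in seen) print d }' | sort
}

# Three-line summary; the input is read once and fed to each extractor.
whois_summary() {
    data=$(cat)
    printf 'registered:  %s\n' "$(printf '%s\n' "$data" | whois_created)"
    printf 'registrar:   %s\n' "$(printf '%s\n' "$data" | whois_registrar)"
    printf 'nameservers: %s\n' "$(printf '%s\n' "$data" | whois_ns_domains | paste -s -d ' ' -)"
}

printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
```

Real whois output for a .com usually contains two records (the registry's, then the registrar's); whois_field stops at the first match, which is the registry copy. If the registrant fields come back as "REDACTED FOR PRIVACY" or a privacy-service address, that is the redaction mentioned above, not a parsing problem.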

Step 2: nslookup and dig

nslookup (Name Server Lookup) queries Domain Name System (DNS) servers to map a domain name to its IP addresses and other DNS records. It can be used non-interactively by passing arguments on the command line; the -type flag selects the record type to query.

nslookup -type=A tryhackme.com 1.1.1.1

The last argument is the DNS server to ask (here Cloudflare's public resolver at 1.1.1.1); without it nslookup uses the system resolver. This returns the IPv4 addresses used by tryhackme.com. nslookup can reveal more, such as the domain's mail servers: "nslookup -type=MX tryhackme.com" shows that tryhackme.com currently routes its email through Google.

Google will obviously not expose vulnerable server versions, but for other targets the MX records may point at self-hosted mail servers that are unpatched or misconfigured.

Question 1: Check the TXT records of thmlabs.com. What is the flag there?

Answer: THM{a5b83929888ed36acb0272971e438d78}

We solved this question by repeating the same kind of query for the domain thmlabs.com with -type=txt, which returned the flag:

nslookup -type=txt thmlabs.com

If we want more advanced DNS queries and additional functionality, we can use dig (Domain Information Groper). dig returns more detail by default, such as the TTL (Time To Live) of each record, and its output is easier to process in scripts.
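As an added example (not from the original article or from TryHackMe), the shell functions below parse the quoted TXT strings that dig and nslookup print, which is how the flag question above is answered, and read the SPF record for the same "who handles this domain's mail" hint that the MX lookup gave earlier. The TXT output and the flag in it are constructed; txt_strings, txt_flags and spf_includes are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original article or of TryHackMe's material.
# Parses the TXT records printed by `dig TXT thmlabs.com` (or `dig +short`,
# or nslookup's `text = "..."` lines, all of which quote the strings) to pull
# out a flag and the mail senders the SPF record authorises.
#
# SAMPLE_TXT is CONSTRUCTED dig-style output; the flag is made up and is
# deliberately split across two quoted strings, as DNS does with any TXT
# value longer than 255 bytes, so that a plain grep for THM{...} on the raw
# output would miss it.
SAMPLE_TXT='thmlabs.com.    300  IN  TXT  "v=spf1 include:_spf.google.com ~all"
thmlabs.com.    300  IN  TXT  "THM{constructed_" "example_flag}"
thmlabs.com.    300  IN  TXT  "google-site-verification=abc123"'

# One TXT record per output line with its quoted strings concatenated,
# which is how a resolver is meant to interpret multi-string TXT RDATA.
# Lines without a double quote (section headers, comments) are ignored.
# Caveat: an escaped \" inside a string is not handled.
txt_strings() {
    awk '
        /"/ {
            out = ""; line = $0
            while (match(line, /"[^"]*"/)) {
                out = out substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            print out
        }'
}

# Every THM{...} flag present in the TXT records on stdin.
txt_flags() {
    txt_strings | grep -o 'THM{[^}]*}'
}

# Domains the SPF record delegates to via include:, one per line.
# MX records say who receives the domain's mail; SPF says who may send it,
# so this is a second, independent hint about the mail provider.
spf_includes() {
    txt_strings | grep '^v=spf1' | tr ' ' '\n' | sed -n 's/^include://p'
}

printf 'flags:\n';        printf '%s\n' "$SAMPLE_TXT" | txt_flags
printf 'spf includes:\n'; printf '%s\n' "$SAMPLE_TXT" | spf_includes
```

Against a live domain the same functions are used as `dig TXT thmlabs.com | txt_flags`; because they only need the quoted strings, the verbose and +short forms of dig and the nslookup output all work.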
 

 

Step 3: DNSDumpster

A lot of useful information can be gathered with the tools above, but they are not designed for enumerating subdomains. Subdomains often host additional services (remote access, staging or admin interfaces) that may be less protected than the main site.
DNSDumpster.com can be used to discover subdomains and their IP addresses and to attempt to geolocate the hosts; the lookups are performed by DNSDumpster rather than from our own machine, so this step stays passive.

From the graphical view DNSDumpster produced, we found a subdomain called remote.tryhackme.com, which answers the following question:

Question 1: Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that we would discover in addition to www and blog?

Answer: remote

Step 4: Shodan

Shodan.io is used to learn more about the target's network. Shodan is a search engine for Internet-connected devices: it continuously scans the Internet and indexes the service banners it collects, so we can read what it already knows about a host or a technology without connecting to the devices ourselves, which keeps this step passive.
If we search for tryhackme.com on Shodan we get the following result.

Question 1: According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Answer: Germany

 

Question 2: Based on Shodan.io, what is the 3rd most common port used for Apache?

Answer: 8080

 

Question 3: Based on Shodan.io, what is the 3rd most common port used for Nginx?

Answer: 8888
