Tryhackme - Passive Reconnaissance

In this walkthrough, we will be going through the Passive Reconnaissance room from Tryhackme. After completing this room, you will be able to perform passive footprinting on targets using numerous techniques. So, let’s get started.

Task 1 – Introduction

Task 2 – Passive Versus Active Recon

Question 1 – You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this? (A for active, P for passive)

P

Question 2 – You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this? (A for active, P for passive)

A

Question 3 – You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this? (A for active, P for passive)

A

Task 3 – Whois

Question 1 – When was TryHackMe.com registered?

20180705

Question 2 – What is the registrar of TryHackMe.com?

namecheap.com

Question 3 – Which company is TryHackMe.com using for name servers?

cloudflare.com

Task 4 – nslookup and dig

Question 1 – Check the TXT records of thmlabs.com. What is the flag there?

THM{a5b83929888ed36acb0272971e438d78}

Task 5 – DNSDumpster

Question 1 – Look up tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

remote

Task 6 – Shodan.io

Question 1 – According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Germany

Question 2 – Based on Shodan.io, what is the 3rd most common port used for Apache?

8080

Question 3 – Based on Shodan.io, what is the 3rd most common port used for nginx?

8888

Task 7 – Summary

So that was “Passive Reconnaissance” for you. Now, you are ready to perform passive reconnaissance against targets using Whois information, nslookup, dig, DNSDumpster, Shodan and much more. I’ll be covering more rooms related to reconnaissance, enumeration and vulnerability analysis later. So stay tuned and till then, “Hack the planet”.
