Passive Reconnaissance

Collecting information without engaging with the target system directly.

Introduction.

Passive reconnaissance is the process of gathering information about a target without directly interacting with its systems. It is carried out discreetly to avoid detection and relies on publicly available sources: registry databases, DNS, and services that have already scanned or indexed the target. The primary goal is to collect as much information as possible without alerting the target to the activity. That information is then used to plan the next steps of an engagement or to assess the target's security posture.

Task 2. Passive Versus Active Recon.

This room expects the user to have a working knowledge of computer networks. The distinction the task draws is simple: passive reconnaissance never sends traffic to the target's own systems, because it asks third parties (WHOIS databases, public DNS resolvers, search engines, scan archives) instead, so the target has nothing to log. Active reconnaissance (port scanning, connecting to services, browsing the target's site) touches the target directly and can be detected.

Task 3. Whois.

After starting the attack machine, run whois tryhackme.com; the answers for this task are read from the WHOIS record it returns (registrar, registration dates, name servers). The query goes to the registry or registrar WHOIS server, not to TryHackMe's own infrastructure, which is what keeps it passive.
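Reading a WHOIS record by eye works for one domain, but the fields worth noting are always the same. The parser below is an added example written for this write-up (it is not part of the room); it runs against a constructed WHOIS record for a fictitious domain, accumulates repeated keys such as Name Server, and reports the registrar, dates, name servers and whether the registrant contact is redacted. Real output varies by registrar and TLD, so the key names are assumptions based on the common ICANN-style layout.

```python
from collections import defaultdict

# Constructed WHOIS record for illustration only (not real registry data).
# Field names follow the common ICANN-style "Key: Value" layout.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2023-05-10T09:12:33Z
Creation Date: 2018-07-05T11:01:56Z
Registry Expiry Date: 2026-07-05T11:01:56Z
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.CLOUD-DNS.EXAMPLE
Name Server: NS2.CLOUD-DNS.EXAMPLE
DNSSEC: unsigned
>>> Last update of whois database: 2024-01-02T00:00:00Z <<<
"""

# Phrases registrars use when contact details are hidden (assumed list).
REDACTED_MARKERS = ("redacted", "privacy", "rdds service")


def parse_whois(text):
    """Return {lowercased key: [values]} for every 'Key: Value' line.

    Repeated keys (Name Server) accumulate in order; the '>>>' trailer
    and comment lines are skipped. Only the first colon splits the line,
    so URL and timestamp values keep their own colons.
    """
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((">>>", "%", "#")):
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def summarize(fields):
    """Pull out the items a passive-recon analyst notes first."""
    def first(key):
        return fields.get(key, [None])[0]

    registrant = [v for k, vs in fields.items()
                  if k.startswith("registrant") for v in vs]
    redacted = None
    if registrant:
        redacted = all(any(m in v.lower() for m in REDACTED_MARKERS)
                       for v in registrant)
    return {
        "domain": (first("domain name") or "").lower(),
        "registrar": first("registrar"),
        "created": first("creation date"),
        "expires": first("registry expiry date"),
        "name_servers": sorted(ns.lower() for ns in fields.get("name server", [])),
        "dnssec": first("dnssec"),
        "registrant_redacted": redacted,
    }


if __name__ == "__main__":
    for k, v in summarize(parse_whois(SAMPLE_WHOIS)).items():
        print(f"{k:>20}: {v}")
```

The name servers are usually the most actionable line: they tell you which DNS provider (and sometimes which hosting platform) the target uses before you have sent it a single packet.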

Answers:

Task 4. nslookup & dig

nslookup and dig both query DNS name servers for a domain's records (A, MX, TXT and so on); dig gives more detailed, script-friendly output. Both accept an explicit server, so you can direct the lookup at a public resolver such as 1.1.1.1 rather than at the target's own authoritative servers, keeping the query out of the target's logs.

Answers: THM{a5b83929888ed36acb0272971e438d78}

Task 5. DNSDumpster

DNSDumpster is an online service that returns a target's subdomains and related DNS records (including MX and TXT) from data it has already collected, so enumerating a DNS footprint takes far less time and effort than guessing subdomains one by one, and none of the lookups reach the target.

Answers: remote/help

Task 6. Shodan.io

When you are tasked to run a penetration test against specific targets, as part of the passive reconnaissance phase, a service like Shodan.io can be helpful to learn various pieces of information about the client's network (exposed ports, service banners, geolocation) without actively connecting to it. Shodan's results come from its own periodic scans, so they may be out of date; treat them as leads to confirm in the active phase rather than as ground truth.

Answers:

  1. Germany

  2. 8080

  3. 5001

Task 7. Summary

In this room, we focused on passive reconnaissance. In particular, we covered the command-line tools whois, nslookup, and dig. We also discussed two publicly available services, DNSDumpster and Shodan.io. The power of such tools is that you can collect information about your targets without directly connecting to them. Moreover, the trove of information you may find using such tools can be massive once you master the search options and get used to reading the results.

Purpose                                 Command-line example
Lookup WHOIS record                     whois tryhackme.com
Lookup DNS A records                    nslookup -type=A tryhackme.com
Lookup DNS MX records at DNS server     nslookup -type=MX tryhackme.com 1.1.1.1
Lookup DNS TXT records                  nslookup -type=TXT tryhackme.com
Lookup DNS A records                    dig tryhackme.com A
Lookup DNS MX records at DNS server     dig @1.1.1.1 tryhackme.com MX
Lookup DNS TXT records                  dig tryhackme.com TXT
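The commands in the table return raw records; the passive-recon value is in what those records imply. The script below is an added example for this write-up (not code from the room) that parses constructed dig +noall +answer output for a fictitious domain and turns it into findings: the A records, the mail provider behind the MX hosts, the third parties authorised by SPF include: terms, and the published DMARC policy. The sample records and their values are made up for illustration; the SPF and DMARC syntax is standard.

```python
from collections import defaultdict

# Constructed `dig +noall +answer` style output (not real records),
# one resource record per line:  NAME  TTL  CLASS  TYPE  RDATA
SAMPLE_DIG = """\
example-target.com.        300  IN  A     203.0.113.10
example-target.com.        300  IN  A     203.0.113.11
example-target.com.        3600 IN  MX    10 aspmx.l.mailhost.example.
example-target.com.        3600 IN  MX    20 alt1.aspmx.l.mailhost.example.
example-target.com.        3600 IN  TXT   "v=spf1 include:_spf.mailhost.example include:spf.crm-vendor.example -all"
example-target.com.        3600 IN  TXT   "some-verification=abc123"
_dmarc.example-target.com. 3600 IN  TXT   "v=DMARC1; p=none; rua=mailto:dmarc@example-target.com"
"""


def parse_answers(text):
    """Parse answer-section lines into dicts; RDATA keeps its spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        name, ttl, klass, rtype, rdata = line.split(None, 4)
        records.append({
            "name": name.rstrip(".").lower(),
            "ttl": int(ttl),
            "class": klass,
            "type": rtype,
            "rdata": rdata.strip(),
        })
    return records


def txt_value(rdata):
    """dig quotes TXT strings and may split long ones; join the chunks."""
    return "".join(part.strip('"') for part in rdata.split('" "'))


def passive_findings(records):
    """Derive what the records reveal about the target without touching it."""
    by_type = defaultdict(list)
    for r in records:
        by_type[r["type"]].append(r)

    # MX RDATA is "<preference> <host>"; the host names the mail provider.
    mx_hosts = sorted(r["rdata"].split()[1].rstrip(".").lower()
                      for r in by_type["MX"])

    spf = None
    spf_includes = []
    dmarc_policy = None
    for r in by_type["TXT"]:
        value = txt_value(r["rdata"])
        if value.lower().startswith("v=spf1"):
            spf = value
            # include: terms name third parties allowed to send as the domain.
            spf_includes = [t.split(":", 1)[1] for t in value.split()
                            if t.lower().startswith("include:")]
        elif r["name"].startswith("_dmarc.") and value.lower().startswith("v=dmarc1"):
            tags = dict(kv.strip().split("=", 1)
                        for kv in value.split(";") if "=" in kv)
            dmarc_policy = tags.get("p")

    return {
        "ipv4": sorted(r["rdata"] for r in by_type["A"]),
        "mx_hosts": mx_hosts,
        "spf_includes": spf_includes,
        "spf_hard_fail": spf is not None and spf.split()[-1] == "-all",
        "dmarc_policy": dmarc_policy,
    }


if __name__ == "__main__":
    for k, v in passive_findings(parse_answers(SAMPLE_DIG)).items():
        print(f"{k:>15}: {v}")
```

In practice you would pipe the real command output into the parser (dig tryhackme.com TXT +noall +answer, for instance). A DMARC policy of p=none combined with a list of SPF includes tells you which vendors send mail as the domain and that spoofing is monitored but not blocked, all learned from a public resolver rather than from the target.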