Hello world and welcome to HaXeZ, in this post I’m going to be discussing the Red Team Reconnaissance room on TryHackMe. This room focuses on the reconnaissance techniques used by Red Teamers to gather information about their target. To elaborate, the room covers the following topics:
- The types of reconnaissance activities.
- WHOIS and DNS-based reconnaissance.
- Advanced searching.
- Searching by image.
- Google hacking.
- Specialized search engines.
Taxonomy of Reconnaissance
This task discusses the two different types of reconnaissance that Red Team members use to profile their target.
Firstly, it explains that passive reconnaissance is carried out without interacting with the target. Furthermore, it explains that this shouldn’t require sending a single packet to the target. This type of reconnaissance is known as Open Source Intelligence (OSINT). For example, querying domain and IP address information, and finding email addresses and employee names through social media sites like LinkedIn.
Active reconnaissance is the opposite of passive reconnaissance and the process of gathering information by interacting with the target. For example, using Nmap and other tools to scan their infrastructure to identify active services and weaknesses is considered active reconnaissance.
External recon is anything that takes place outside the target’s network. It primarily focuses on externally facing infrastructure that is publicly accessible from the internet. This could be anything from web servers to mail servers.
Internal reconnaissance takes place within the target network. For example, this could be facilitated by the Red Teamer physically turning up to their building and accessing the network via a port. Although, it could be done remotely via a VPN solution into the network. This type of reconnaissance would utilize tools like Nessus, OpenVAS, and other vulnerability scanning tools to identify weaknesses within their network.
Built-In Reconnaissance Tools
This task focuses on learning to use built-in tools that most operating systems come with. These tools include whois, nslookup, dig, host, and traceroute.
The first tool that is discussed in the room is whois. Whois is a tool for querying information about a domain name. This tool will return information about the WHOIS server, the registrar URL, the domain registration date, the expiration date, and the registrant contact information. However, sometimes this information is protected via domain privacy, so it can be hit and miss as to how much information you can get from it.
The next tool discussed in this room is nslookup. Nslookup is a tool used to query DNS records from the nameserver. I’ve covered DNS and nslookup in detail in one of my other posts https://haxez.org/2022/05/domain-name-system-simplified/. This tool can be useful to find hidden records.
Digg.com, how I miss your former self, what happened to you? Alas, dig has nothing to do with Digg.com but always makes me think about it whenever I use it. Dig, short for Domain Internet Groper is another tool used to query name servers for DNS records.
Host is a tool used to resolve domain names to IP addresses. It does more than that but let’s keep it simple for now. It can query DNS servers for DNS records and show you what IP address those records resolve to.
If you’ve ever worked in technical support then it is likely that you know what a traceroute is. Essentially, it will trace your route to the specified target. Furthermore, it will show you the hops it takes to the target. This can be good for identifying connectivity issues.
There are a number of questions to answer. I would strongly recommend you go and find the answers to yourself but here we go. You can use the whois and host tools to get these answers so go do it instead of copying and pasting.
When was thmredteam.com created (registered)? 2021-09-24
To how many IPv4 addresses does clinic.thmredteam.com resolve? 2
To how many IPv6 addresses does clinic.thmredteam.com resolve? 2
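As an added example (not part of the room or this post), the script below answers the three questions above from tool output rather than by reading it manually. It assumes only that whois and dig are installed; the sample data is constructed and does not reflect the real records of clinic.thmredteam.com.

```shell
#!/bin/sh
# Added helper, not from the TryHackMe room or the original post.

# Pull the registration date out of `whois` output read on stdin.
# Registrars label the field "Creation Date:"; keep only YYYY-MM-DD.
creation_date() {
  grep -i 'Creation Date:' | grep -Eo '[0-9]{4}-[0-9]{2}-[0-9]{2}' | head -n 1
}

# Count IPv4 addresses in `dig +short` output. dig +short also prints
# CNAME targets, so a plain `wc -l` overcounts; count dotted-quad lines only.
count_ipv4() {
  grep -Ec '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || true
}

# Same for IPv6: a line made of hex digits with at least one colon.
count_ipv6() {
  grep -Eic '^[0-9a-f:]*:[0-9a-f:]*$' || true
}

# Live lookups (only useful where whois and dig are installed).
registered_on() { whois "$1" | creation_date; }
ipv4_count()    { dig +short A "$1" | count_ipv4; }
ipv6_count()    { dig +short AAAA "$1" | count_ipv6; }

# Constructed samples in the shape the tools print; values are illustrative.
SAMPLE_WHOIS='Domain Name: EXAMPLE.COM
   Creation Date: 2021-09-24T12:00:00Z
   Registry Expiry Date: 2023-09-24T12:00:00Z'
SAMPLE_A='cdn.example.net.
203.0.113.10
203.0.113.11'
SAMPLE_AAAA='cdn.example.net.
2001:db8::10
2001:db8::11'

printf 'registered: %s\n' "$(printf '%s\n' "$SAMPLE_WHOIS" | creation_date)"
printf 'IPv4: %s  IPv6: %s\n' \
  "$(printf '%s\n' "$SAMPLE_A" | count_ipv4)" \
  "$(printf '%s\n' "$SAMPLE_AAAA" | count_ipv6)"
```

Note that the CNAME line in each sample is why the counting functions filter by address shape: `dig +short` prints three lines but only two of them are addresses.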
This section of the room discusses advanced searching techniques. It explains how to use certain keywords to find specific search results. This can be used to find certain file types on specific websites. Furthermore, it can be used to find pages containing specific texts on specific websites. This technique is primarily known as Google Dorking but other search engines support this functionality. There isn’t much more to say about this section of the room, I have covered Google Dorking and other OSINT techniques here Hack To Learn: OSINT and Passive Reconnaissance
How would you search using Google for xls indexed for http://clinic.thmredteam.com? filetype:xls site:clinic.thmredteam.com
How would you search using Google for files with the word passwords for http://clinic.thmredteam.com? passwords site:clinic.thmredteam.com
Specialized Reconnaissance Search Engines
There are a number of specialized search engines that have been built specifically for gathering information about targets. These range from DNS lookup services and certificate and host data from Censys to a search engine for all internet-connected devices that lets the user search by service and even by vulnerability.
ViewDNS.info is a website that has many different utilities for performing passive reconnaissance against the target. It reminds me of MX Toolbox due to the many different tools available. This is a good web application to have bookmarked for your reconnaissance phases.
This room also discusses the threatintelligenceplatform.com and https://search.censys.io/ web applications which I would highly recommend you check out. I won’t be going into much more detail in this write-up as the information is available on TryHackMe.
Finally, the room talks about Shodan. Shodan is an amazing tool that gives the user Mr. Robot-like powers. It allows you to perform searches for internet-connected devices but has a number of powerful search operators. Additionally, these operators allow the user to filter results based on variables like geographical location, operating system, services available, and many others.
What is the shodan command to get your Internet-facing IP address? shodan myip
Recon-ng can be compared to Metasploit in that it is a framework. However, it is a framework for Open Source Intelligence rather than exploitation. It offers a number of features including the ability to create workspaces for your target. Furthermore, it can also be linked to a database to save information about the target. It also has a marketplace that you can use to search for and install modules. Please see the video at the end of the post for a demonstration of this tool.
This room has a number of questions that you should try to answer yourself. However, I have provided the answers below as it’s always good to have a reference.
How do you start recon-ng with the workspace clinicredteam? recon-ng -w clinicredteam
How many modules have the name virustotal? 2
There is a single module under hosts-domains. What is its name? migrate_hosts
censys_email_address is a module that “retrieves email addresses from the TLS certificates for a company.” Who is the author? Censys Team
Maltego is a fantastic tool that allows you to rapidly perform Open Source Intelligence gathering against your target. For example, you can input a domain name and then use one of the many transforms available. These transforms use open-source platforms such as search engines to gather information about the target. They can return entities like server IP addresses, mailboxes, and many others. The community edition limits you to a set number of transform results but it is still very powerful and a fun tool to check out. Please check out my OSINT video for a demonstration https://www.youtube.com/watch?v=csZaWzFhmCs.
This was a fun room that taught me a few things I didn’t know about reconnaissance. I realize that this post is poorly regurgitating the information available on TryHackMe. These posts are mainly for my benefit as it helps me to reinforce my learning by using multiple methods of consuming the information. If I create a video and a write-up about it then there is no way I will forget it right? Anyway, let me know what you thought about the room, and please check out the video below.