Home Red Team Recon
Post
Cancel

Red Team Recon

Learn how to use DNS, advanced searching, Recon-ng, and Maltego to collect information about your target.

THM Room https://tryhackme.com/room/redteamrecon

TASK 1 : Introduction

We suggest you start the AttackBox and experiment with every command and tool we demonstrate.

No Answer

TASK 2 : Taxonomy of Reconnaissance

Ensure you have a clear understanding of the different types of recon activities before proceeding.

No Answer

TASK 3 : Built-in Tools

When was thmredteam.com created (registered)? (YYYY-MM-DD)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
root@ip-10-10-52-65:~# whois thmredteam.com
   Domain Name: THMREDTEAM.COM
   Registry Domain ID: 2643258257_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2021-10-13T20:54:46Z
   Creation Date: 2021-09-24T14:04:16Z
   Registry Expiry Date: 2022-09-24T14:04:16Z
   Registrar: NameCheap, Inc.
   Registrar IANA ID: 1068
   Registrar Abuse Contact Email: abuse@namecheap.com
   Registrar Abuse Contact Phone: +1.6613102107
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: KIP.NS.CLOUDFLARE.COM
   Name Server: UMA.NS.CLOUDFLARE.COM
   DNSSEC: unsigned

Answer : 2021-09-24

To how many IPv4 addresses does clinic.thmredteam.com resolve?

1
2
3
4
5
6
7
8
9
10
C:\Users\Administrateur>nslookup clinic.thmredteam.com
Serveur :   one.one.one.one
Address:  1.1.1.1

Réponse ne faisant pas autorité :
Nom :    clinic.thmredteam.com
Addresses:  2606:4700:3034::ac43:d4f9
          2606:4700:3034::6815:5da9
          104.21.93.169
          172.67.212.249

Answer : 2

To how many IPv6 addresses does clinic.thmredteam.com resolve?

Answer : 2

TASK 4 : Advanced Searching

How would you search using Google for xls indexed for http://clinic.thmredteam.com?

Answer : filetype:xls site:clinic.thmredteam.com-

How would you search using Google for files with the word passwords for http://clinic.thmredteam.com?

Answer : passwords site:clinic.thmredteam.com

TASK 5 : Specialized Search Engines

What is the shodan command to get your Internet-facing IP address?

Answer : shodan myip

TASK 6 : Recon-ng

How do you start recon-ng with the workspace clinicredteam?

Answer : recon-ng -w clinicredteam

How many modules with the name virustotal exist?

1
2
3
4
5
6
7
8
9
10
11
12
[recon-ng][thmredteam] > marketplace search virustotal
[*] Searching module index for 'virustotal'...

  +---------------------------------------------------------------------------------+
  |               Path               | Version |     Status    |  Updated   | D | K |
  +---------------------------------------------------------------------------------+
  | recon/hosts-hosts/virustotal     | 1.0     | not installed | 2019-06-24 |   | * |
  | recon/netblocks-hosts/virustotal | 1.0     | not installed | 2019-06-24 |   | * |
  +---------------------------------------------------------------------------------+

  D = Has dependencies. See info for details.
  K = Requires keys. See info for details.

Answer : 2

There is a single module under hosts-domains. What is its name?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[recon-ng][thmredteam] > marketplace info hosts-domains

  +--------------------------------------------------------------------------------------+
  | path          | recon/hosts-domains/migrate_hosts                                    |
  | name          | Hosts to Domains Data Migrator                                       |
  | author        | Tim Tomes (@lanmaster53)                                             |
  | version       | 1.1                                                                  |
  | last_updated  | 2020-05-17                                                           |
  | description   | Adds a new domain for all the hostnames stored in the 'hosts' table. |
  | required_keys | []                                                                   |
  | dependencies  | []                                                                   |
  | files         | ['suffixes.txt']                                                     |
  | status        | not installed                                                        |
  +--------------------------------------------------------------------------------------+

Answer : migrate_hosts

censys_email_address is a module that “retrieves email addresses from the TLS certificates for a company.” Who is the author?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[recon-ng][thmredteam] > marketplace info censys_email_address

  +-----------------------------------------------------------------------------------------------------------------------------------+
  | path          | recon/companies-contacts/censys_email_address                                                                     |
  | name          | Censys emails by company                                                                                          |
  | author        | Censys Team                                                                                                       |
  | version       | 2.0                                                                                                               |
  | last_updated  | 2021-05-11                                                                                                        |
  | description   | Retrieves email addresses from the TLS certificates for a company. Updates the 'contacts' table with the results. |
  | required_keys | ['censysio_id', 'censysio_secret']                                                                                |
  | dependencies  | ['censys>=2.0.0']                                                                                                 |
  | files         | []                                                                                                                |
  | status        | not installed                                                                                                     |
  +-----------------------------------------------------------------------------------------------------------------------------------+

Answer : Censys Team

TASK 7 : Maltego

What is the name of the transform that queries NIST’s National Vulnerability Database?

NIST NIST

Answer : NIST NVD

What is the name of the project that offers a transform based on ATT&CK?

MISP Project 1 MISP Project 1

MISP Project 2 MISP Project 2

Answer : MISP Project

TASK 8 : Summary

The different tools and websites presented in this room provide the basics necessary to tackle further reconnaissance work.

No Answer

This post is licensed under CC BY 4.0 by the author.