IP and Domain Threat Intel Writeup

Date: 05-09-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

This room covers enriching IP and domain indicators with open-source threat intelligence tools: DNS and domain analysis, IP reconnaissance through RDAP and WHOIS, and OSINT gathering with Shodan, Censys and crt.sh.

Task 1: Domain Analysis

1.1 From the downloadable report, what are the IP addresses for the A Record associated with our flagged domain, advanced-ip-sccanner[.]com? Answer: IP-1, IP-2.

Answer: 172.67.189.143, 104.21.9.202

1.2 What nameserver addresses are associated with the IP address? Defang the addresses.

Answer: jaziel[.]ns[.]cloudflare[.]com, summer[.]ns[.]cloudflare[.]com
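Every task in this room hands you defanged indicators (dots wrapped as [.]) that have to be refanged before a lookup and defanged again for the report. The helper below is an added example written for this writeup, not code from the room; the sample indicators are constructed in the formats used above (including the half-defanged form that appears later in Task 4) and are only test input.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample indicators in the formats used in this writeup; they are
# test input for the functions below, not data pulled from the room.
SAMPLE_INDICATORS = [
    "advanced-ip-sccanner[.]com",
    "jaziel[.]ns[.]cloudflare[.]com",
    "64[.]31[.]63[.]194",
    "hxxps://Example[.]test/login",
    "166[.]1.160[.]118",          # half-defanged, as often seen in copied text
]


def refang(indicator: str) -> str:
    """Undo common defanging so the value can be fed to a lookup tool."""
    s = indicator.strip()
    for wrapped in ("[.]", "(.)", "{.}", "[dot]", "(dot)"):
        s = s.replace(wrapped, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Render an indicator unclickable for a report. Refangs first, so
    half-defanged or already-defanged input comes out consistently."""
    s = refang(indicator)
    s = re.sub(r"^http(s?)://", r"hxxp\1://", s, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


def classify(indicator: str) -> str:
    """Label a (possibly defanged) indicator as ipv4, ipv6, url or domain."""
    s = refang(indicator)
    if "://" in s:
        return "url"
    try:
        return "ipv%d" % ipaddress.ip_address(s).version
    except ValueError:
        return "domain"


def normalise(indicators) -> list:
    """Refang, lowercase hostnames (never URL paths), drop duplicates.
    Returns (refanged value, kind) pairs in first-seen order."""
    out = []
    for raw in indicators:
        value = refang(raw)
        kind = classify(value)
        if kind == "domain":
            value = value.lower()
        elif kind == "url":
            p = urlsplit(value)
            value = urlunsplit((p.scheme.lower(), p.netloc.lower(),
                                p.path, p.query, p.fragment))
        if (value, kind) not in out:
            out.append((value, kind))
    return out


if __name__ == "__main__":
    for value, kind in normalise(SAMPLE_INDICATORS):
        print(f"{kind:6}  lookup: {value:32}  report: {defang(value)}")
```

Defanging on the way out rather than on the way in means the same function handles clean, defanged and half-defanged input; only the scheme and the hostname are case-folded, because URL paths can be case-sensitive and changing them would alter the indicator.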

Task 2: IP Analysis

2.1 Open client.rdap.org and identify when the 64[.]31[.]63[.]194 IP was logged for registration. (Answer in UTC: MM/DD/YY, H:MM:SS AM/PM)

Answer: 12/27/2010, 3:51:03 PM

2.2 What roles are assigned to the entity NOC2791-ARIN associated with the IP address 64[.]31[.]63[.]194?

Answer: administrative, technical

2.3 What is the country's name for the IP 64[.]31[.]63[.]194?

Answer: France

2.4 Can you identify the Autonomous System linked with the IP 64[.]31[.]63[.]194?

Answer: AS136258
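Everything Task 2 asks for (registration event, entity roles, country) sits in the RDAP JSON that client.rdap.org renders, and the same JSON is available for scripting from the RIRs or via the rdap.org redirector. The parser below is an added example for this writeup, not code from the room or from any RIR. The response is constructed for a documentation range (TEST-NET-1) in the RFC 9083 layout; the handles, dates and country are invented, and the rdap.org URL in fetch_rdap is the only network-dependent piece (an assumption, not exercised here). The registration timestamp is deliberately given in a -05:00 offset so the conversion to UTC crosses midnight, which is the trap in a question that asks for the time in UTC.

```python
import ipaddress
import json
import urllib.request
from datetime import datetime, timezone

# Constructed RDAP response for 192.0.2.0/24 in the RFC 9083 structure that
# ARIN and the other RIRs return. Every value is made up for this example;
# it is not the record of any IP mentioned in the room.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "ip network",
  "handle": "NET-192-0-2-0-1",
  "startAddress": "192.0.2.0",
  "endAddress": "192.0.2.255",
  "ipVersion": "v4",
  "name": "EXAMPLE-NET",
  "country": "US",
  "events": [
    {"eventAction": "registration", "eventDate": "2019-03-05T20:15:07-05:00"},
    {"eventAction": "last changed", "eventDate": "2021-07-01T09:00:00-04:00"}
  ],
  "entities": [
    {"objectClassName": "entity", "handle": "EXAMPLE-ORG-ARIN",
     "roles": ["registrant"],
     "entities": [
       {"objectClassName": "entity", "handle": "NOC-EXAMPLE-ARIN",
        "roles": ["administrative", "technical"]},
       {"objectClassName": "entity", "handle": "ABUSE-EXAMPLE-ARIN",
        "roles": ["abuse"]}
     ]}
  ]
}
""")


def fetch_rdap(ip: str) -> dict:
    """Live lookup through the rdap.org redirector (assumed URL scheme);
    not used by the offline example below."""
    req = urllib.request.Request(f"https://rdap.org/ip/{ip}",
                                 headers={"Accept": "application/rdap+json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def event_time_utc(rdap: dict, action: str = "registration") -> datetime:
    """UTC time of an RDAP event. RIRs report eventDate with their own
    offset, so convert instead of copying the clock value verbatim."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            stamp = ev["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).astimezone(timezone.utc)
    raise KeyError(f"no {action!r} event in RDAP object")


def room_format(dt: datetime) -> str:
    """Render as the room asks: MM/DD/YYYY, H:MM:SS AM/PM (no leading zero on
    the hour, AM/PM computed directly so locale settings cannot change it)."""
    hour12 = dt.hour % 12 or 12
    meridian = "AM" if dt.hour < 12 else "PM"
    return f"{dt:%m/%d/%Y}, {hour12}:{dt:%M:%S} {meridian}"


def iter_entities(obj: dict):
    """Walk the entity tree; RDAP nests contact entities under the registrant."""
    for ent in obj.get("entities", []):
        yield ent
        yield from iter_entities(ent)


def entity_roles(rdap: dict, handle: str) -> list:
    for ent in iter_entities(rdap):
        if ent.get("handle") == handle:
            return sorted(ent.get("roles", []))
    return []


def network_cidrs(rdap: dict) -> list:
    """Collapse startAddress/endAddress into CIDR blocks for further pivoting."""
    start = ipaddress.ip_address(rdap["startAddress"])
    end = ipaddress.ip_address(rdap["endAddress"])
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


def summarise(rdap: dict) -> dict:
    return {
        "handle": rdap.get("handle"),
        "cidrs": network_cidrs(rdap),
        "country": rdap.get("country"),
        "registered_utc": room_format(event_time_utc(rdap)),
        "contacts": {e["handle"]: sorted(e.get("roles", []))
                     for e in iter_entities(rdap)},
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_RDAP), indent=2))
```

The ASN (Task 2.4) is not part of an IP network object; it comes from a separate autnum lookup or from the BGP-derived sources the room's other tools use, so it is not extracted here. Note also that not every RIR populates "country" on IP network objects, so treat a missing key as unknown rather than an error.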

Task 3: Open-source Intelligence Gathering

3.1 Using shodan.io, find which service is primarily associated with the IP address 85[.]188[.]1[.]133.

Answer: ftp

3.2 How many ports have been identified as open on the server?

Answer: 6

3.3 Using search.censys.io, identify the TLS certificate fingerprint for the IP address.

Answer: 48d6057099841bd18809fd61aa990b17779176de7799f301dac24879da553456

3.4 According to crt.sh, are there Certificate Transparency log entries captured associated with the TLS certificate identified above? (Answer: Yay or Nay)

Answer: Yay
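Tasks 3.3 and 3.4 pivot on the certificate's SHA-256 fingerprint, and the same fingerprint shows up in three spellings: Censys prints bare lowercase hex, `openssl x509 -noout -fingerprint -sha256` prints colon-separated uppercase with a "SHA256 Fingerprint=" prefix, and crt.sh accepts either SHA-1 or SHA-256 fingerprints in its search field. The helper below is an added example for this writeup, not code from the room, Censys or crt.sh. It normalises the fingerprint, computes one from a PEM blob the way the tools do (SHA-256 over the DER encoding of the whole certificate), and builds the lookup URLs; the crt.sh and Censys URL patterns are assumptions, and the "PEM" sample is constructed from the bytes "abc", not a real certificate.

```python
import base64
import hashlib
import re

# Constructed stand-in for a PEM file: the base64 body encodes the bytes
# b"abc", so the expected fingerprint is the well-known SHA-256 of "abc".
# It is not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

_HEX64 = re.compile(r"[0-9a-f]{64}")


def normalise_sha256_fingerprint(value: str) -> str:
    """Accept 'SHA256 Fingerprint=AB:CD:...' (openssl), 'AB:CD:...' or bare
    hex in either case, and return 64 lowercase hex characters."""
    s = value.strip()
    s = re.sub(r"^sha-?256\s+fingerprint\s*=\s*", "", s, flags=re.IGNORECASE)
    s = s.replace(":", "").lower()
    if not _HEX64.fullmatch(s):
        raise ValueError(f"not a SHA-256 fingerprint: {value!r}")
    return s


def pem_to_der(pem: str) -> bytes:
    """Strip the armour lines and base64-decode the first certificate block."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                     pem, flags=re.DOTALL)
    if body is None:
        raise ValueError("no CERTIFICATE block in input")
    return base64.b64decode("".join(body.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """The fingerprint Censys and crt.sh index: SHA-256 over the DER bytes of
    the whole certificate (not over the public key)."""
    return hashlib.sha256(der).hexdigest()


def lookup_urls(fingerprint: str) -> dict:
    """Assumed URL patterns for pivoting on a fingerprint."""
    fp = normalise_sha256_fingerprint(fingerprint)
    return {
        "crtsh": f"https://crt.sh/?q={fp}",
        "censys": f"https://search.censys.io/certificates/{fp}",
    }


def same_certificate(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of how each tool printed them."""
    return normalise_sha256_fingerprint(a) == normalise_sha256_fingerprint(b)


if __name__ == "__main__":
    fp = sha256_fingerprint(pem_to_der(SAMPLE_PEM))
    print(fp)
    print(lookup_urls(fp))
```

A "Nay" from crt.sh for a fingerprint that Censys found does not prove the certificate is absent from CT: Censys observes certificates on live hosts while crt.sh only knows what was submitted to the logs it mirrors, so a self-signed or otherwise unlogged certificate shows up in one and not the other.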

Task 4: Windows Artifact Analysis

4.1 What file has been linked to the IP 166[.]1[.]160[.]118?

Answer: ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef.exe

4.2 What organisation is identified on historical WHOIS lookups?

Answer: Ace Data Centers, Inc

Task 5: DNS and Domain Intelligence

5.1 What is the RIR associated with 170[.]130[.]202[.]134?

Answer: ARIN

5.2 What ASN is the IP connected with?

Answer: AS62904

5.3 Identify the number of NS records for the domain santagift[.]shop.

Answer: 4

5.4 Which NS is identified as the Start of Authority (SOA) for the domain?

Answer: ns-298.awsdns-37.com

5.5 When was the domain registered? (Answer: DD/MM/YYYY)

Answer: 30/10/2022
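Questions 5.3 and 5.4 are answered from the NS and SOA records of the domain, and the useful check when pivoting on a suspicious domain is whether the SOA's primary (MNAME) is one of the delegated nameservers, who the zone contact (RNAME) is, and what the serial says about when the zone was last touched. The parser below is an added example for this writeup, not code from the room; it reads answer-section lines in the presentation format that `dig` prints. The zone, nameserver names and SOA values are constructed for a made-up domain and are not the records of santagift[.]shop or any real zone.

```python
from datetime import date

# Constructed `dig` answer-section output for a made-up domain. All names and
# values are invented for this example.
SAMPLE_DIG = """\
; <<>> constructed answer section for example.test <<>>
example.test.   172800  IN  NS   ns-1.example-dns.net.
example.test.   172800  IN  NS   ns-2.example-dns.org.
example.test.   172800  IN  NS   ns-3.example-dns.co.uk.
example.test.   172800  IN  NS   ns-4.example-dns.com.
example.test.   900     IN  SOA  ns-1.example-dns.net. hostmaster.example.test. 2024061501 7200 900 1209600 86400
"""


def parse_records(text: str) -> list:
    """Parse presentation-format RRs, one per line, as `dig` prints them.
    Comment lines (starting with ';') and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, ttl, rclass, rtype, *rdata = line.split()
        records.append({"owner": owner.lower(), "ttl": int(ttl),
                        "class": rclass, "type": rtype.upper(), "rdata": rdata})
    return records


def ns_names(records: list) -> list:
    return sorted(r["rdata"][0].lower() for r in records if r["type"] == "NS")


def soa(records: list) -> dict:
    for r in records:
        if r["type"] == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = r["rdata"]
            return {"mname": mname.lower(), "rname": rname, "serial": int(serial),
                    "refresh": int(refresh), "retry": int(retry),
                    "expire": int(expire), "minimum": int(minimum)}
    raise LookupError("no SOA record in input")


def rname_to_email(rname: str) -> str:
    """SOA RNAME encodes the zone contact: the first unescaped dot is the '@',
    and a backslash-escaped dot is a literal dot in the local part."""
    name = rname.rstrip(".")
    i = 0
    while i < len(name):
        if name[i] == "\\":
            i += 2
            continue
        if name[i] == ".":
            break
        i += 1
    local = name[:i].replace("\\.", ".")
    return f"{local}@{name[i + 1:]}"


def serial_date(serial: int):
    """Many operators use YYYYMMDDnn serials; decode when the value fits,
    otherwise return None (unix-time and plain counters are also common)."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])).isoformat()
    except ValueError:
        return None


def check_delegation(records: list) -> dict:
    """Summarise the delegation and flag an SOA primary that is not a listed NS.
    That is not proof of anything by itself (hidden primaries are a normal
    setup), but it is worth a note when the domain is already suspicious."""
    names = ns_names(records)
    primary = soa(records)
    return {
        "ns_count": len(names),
        "ns": names,
        "soa_primary": primary["mname"],
        "primary_is_listed_ns": primary["mname"] in names,
        "zone_contact": rname_to_email(primary["rname"]),
        "serial": primary["serial"],
        "serial_date": serial_date(primary["serial"]),
    }


if __name__ == "__main__":
    for key, value in check_delegation(parse_records(SAMPLE_DIG)).items():
        print(f"{key:22} {value}")
```

To run it against a live domain, capture `dig +noall +answer NS example.test` and `dig +noall +answer SOA example.test` into one file and pass its contents to parse_records.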

Lessons Learned