https://tryhackme.com/room/ipanddomainthreatintel
Created by: tryhackme, SecurityNomad

This whole room is a great network refresher, which is why I have taken a lot of snippets to come back to if need be. Task 2, IP Building Blocks, covers DNS and why it matters in the SOC. Per THM, “Domain Name System (DNS) is the protocol responsible for resolving hostnames, such as tryhackme.com, to their respective IP addresses.”
THM also has us download a task file that shows the DNS records for a site, as exported from nslookup.io.

“From the downloadable report, what are the IP addresses for the A Record associated with our flagged domain, advanced-ip-sccanner[.]com? Answer: IP-1, IP-2.”

“What nameserver addresses are associated with the IP address? Defang the addresses.”
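Defanging comes up in almost every question in this room, so here is a small helper for it. This is an added example for this writeup, not code from the TryHackMe room; the conventions it implements (“[.]” for dots, “hxxp” for http) are the ones the room uses, and the regexes, function names and the sample text are my own. The sample is constructed from the Task 7 scenario with one bogus address added to show the validation step.

```python
"""Defang / refang indicators and pull them out of free text.

Added example for this writeup; not part of the TryHackMe room.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A hostname is one or more labels followed by an alphabetic TLD, so a
# version number like "1.5" is not mistaken for a domain.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,63}\b", re.IGNORECASE)
SCHEME_RE = re.compile(r"\bhttp(s?)://", re.IGNORECASE)


def _bracket_dots(match: "re.Match") -> str:
    return match.group(0).replace(".", "[.]")


def defang(text: str) -> str:
    """Make indicators non-clickable: http -> hxxp and '.' -> '[.]' in IPs/hosts."""
    text = SCHEME_RE.sub(r"hxxp\1://", text)
    text = IPV4_RE.sub(_bracket_dots, text)
    return DOMAIN_RE.sub(_bracket_dots, text)


def refang(text: str) -> str:
    """Undo the common defanging conventions so a value can be fed to a tool."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[:]", ":")


def extract_indicators(text: str) -> dict:
    """Return {'ips': [...], 'domains': [...]} from text that may be defanged.

    IPv4 candidates are validated with ipaddress, so '999.1.1.1' is dropped
    instead of being sent to Shodan or VirusTotal as a real indicator.
    """
    clean = refang(text)
    ips = []
    for cand in IPV4_RE.findall(clean):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        if cand not in ips:
            ips.append(cand)
    domains = []
    for cand in DOMAIN_RE.findall(clean):
        if cand.lower() not in domains:
            domains.append(cand.lower())
    return {"ips": ips, "domains": domains}


# Constructed sample: the Task 7 scenario plus one invalid address.
SAMPLE_REPORT = (
    "one clicked sample was redirected to santagift[.]shop. "
    "EDR shows workstations beaconing to 170[.]130[.]202[.]134 and "
    "also to 999[.]1[.]1[.]1 (bogus). Report: hxxps://santagift[.]shop/verify"
)

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_REPORT))
    print(defang("Beacon to 170.130.202.134 via https://santagift.shop/verify"))
```

The domain regex is deliberately loose: it will also bracket harmless names such as nslookup.io in a sentence, which is the behaviour you want when pasting a whole report into a ticket, but it means you should refang before handing values to a tool rather than editing them by hand.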

Task 3, IP Enrichment: Geolocation and ASN.

“Open client.rdap.org and identify when the 64[.]31[.]63[.]194 IP was logged for registration.
Answer in UTC: MM/DD/YYYY, H:MM:SS AM/PM”

“What roles are assigned to the entity Entity NOC2791-ARIN associated with the IP address?
Note: Answer via comma, in alphabetical order.”

“What is the country’s name for the same IP address (64[.]31[.]63[.]194)?”
Using iplocation.net, we obtain our answer.

“Can you identify the Autonomous System linked with the same IP address?”
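client.rdap.org is just a browser front end for RDAP, the JSON replacement for WHOIS, so the Task 3 answers (registration event, entity roles, country) and the Task 7 “which RIR” question can all be read straight out of the response. The following is an added example for this writeup, not code from the room or from client.rdap.org. The JSON in it is constructed in the shape of an RDAP “ip network” object (RFC 9083); the handles, dates and addresses are placeholders, not the real data for 64[.]31[.]63[.]194, and the RIR mapping from the `port43` field and handle suffix is my own heuristic.

```python
"""Read the enrichment answers out of an RDAP 'ip network' response.

Added example for this writeup; the sample document is CONSTRUCTED.
"""
from datetime import datetime, timezone
from typing import Iterator, Optional


def rdap_ip_url(ip: str) -> str:
    # rdap.org bootstraps to the RIR that holds the range; the per-RIR
    # endpoint (e.g. https://rdap.arin.net/registry/ip/<ip>) works as well.
    return f"https://rdap.org/ip/{ip}"


# Heuristic mappings: whois server named in the port43 member, and the
# suffix RIRs put on their contact handles (e.g. "NOC1234-ARIN").
PORT43_TO_RIR = {
    "whois.arin.net": "ARIN", "whois.ripe.net": "RIPE NCC", "whois.apnic.net": "APNIC",
    "whois.lacnic.net": "LACNIC", "whois.afrinic.net": "AFRINIC",
}
HANDLE_SUFFIX_TO_RIR = {"ARIN": "ARIN", "RIPE": "RIPE NCC", "APNIC": "APNIC",
                        "LACNIC": "LACNIC", "AFRINIC": "AFRINIC"}


def parse_event_date(value: str) -> datetime:
    """eventDate is RFC 3339 with an offset; normalise it to aware UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def thm_timestamp(dt: datetime) -> str:
    """Room answer format: MM/DD/YYYY, H:MM:SS AM/PM in UTC, no leading zero on the hour."""
    hour12 = dt.hour % 12 or 12
    return f"{dt:%m/%d/%Y}, {hour12}:{dt:%M}:{dt:%S} {dt:%p}"


def iter_entities(doc: dict) -> Iterator[dict]:
    """Entities nest: an org entity often carries its NOC/abuse contacts inside it."""
    for ent in doc.get("entities", []):
        yield ent
        yield from iter_entities(ent)


def registration_time(doc: dict) -> Optional[str]:
    for ev in doc.get("events", []):
        if ev.get("eventAction") == "registration":
            return thm_timestamp(parse_event_date(ev["eventDate"]))
    return None


def entity_roles(doc: dict, handle: str) -> Optional[str]:
    for ent in iter_entities(doc):
        if ent.get("handle") == handle:
            return ", ".join(sorted(ent.get("roles", [])))  # alphabetical, comma separated
    return None


def rir_of(doc: dict) -> Optional[str]:
    rir = PORT43_TO_RIR.get(doc.get("port43", ""))
    if rir:
        return rir
    for ent in iter_entities(doc):  # fall back on the handle suffix
        suffix = ent.get("handle", "").rsplit("-", 1)[-1]
        if suffix in HANDLE_SUFFIX_TO_RIR:
            return HANDLE_SUFFIX_TO_RIR[suffix]
    return None


def enrich(doc: dict, handle: str) -> dict:
    return {
        "rir": rir_of(doc),
        "registered_utc": registration_time(doc),
        "roles": entity_roles(doc, handle),
        "country": doc.get("country"),  # registrant country; optional in RDAP
        "range": f"{doc.get('startAddress')} - {doc.get('endAddress')}",
    }


# CONSTRUCTED sample in RFC 9083 shape; placeholders, not real registry data.
SAMPLE_RDAP = {
    "objectClassName": "ip network", "handle": "NET-192-0-2-0-1",
    "startAddress": "192.0.2.0", "endAddress": "192.0.2.255", "name": "EXAMPLE-NET",
    "country": "US", "port43": "whois.arin.net",
    "events": [
        {"eventAction": "registration", "eventDate": "2011-03-15T18:30:00-05:00"},
        {"eventAction": "last changed", "eventDate": "2020-07-01T09:00:00-04:00"},
    ],
    "entities": [{
        "objectClassName": "entity", "handle": "EXAMPLE-ARIN", "roles": ["registrant"],
        "entities": [{"objectClassName": "entity", "handle": "EXNOC-ARIN",
                      "roles": ["technical", "abuse", "administrative"]}],
    }],
}

if __name__ == "__main__":
    print(enrich(SAMPLE_RDAP, "EXNOC-ARIN"))
```

Two caveats worth keeping in mind when you answer from RDAP: the registration date is usually given with the RIR's local offset, so convert before formatting, and the `country` member is the registrant's country from the registry record, which is not the same thing as where the server sits. For the geolocation and the Autonomous System you still need a separate source such as iplocation.net or BGP data, which is why the room sends you there for the last two questions.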

Task 4 covers services and certificates and links to three tools: Shodan (https://www.shodan.io/), a reconnaissance search engine for IP address analysis (if you have done red team tasks, you know about this site!); Censys (https://search.censys.io/), similar to Shodan but more blue-team oriented (pretty cool!); and lastly crt.sh (https://crt.sh/), a Certificate Transparency log search for certificate information.

“Using shodan.io, what is the first exposed service name of the 85[.]188[.]1[.]133 IP?
Note: If the information in Shodan has been changed, please check out the hint.”

“How many ports have been identified as open on the server from Question 1?
Note: If the information in Shodan has been changed, please check out the hint.”

“Using search.censys.io, what is the TLS certificate fingerprint for the IP address?
Note: If the information in Censys has been changed, please check out the hint.”

“According to crt.sh, what is the Subject’s commonName of the identified TLS certificate?
Note: Search for the TLS fingerprint you identified in Question 3.”

On to Task 5, Reputation Checks and Passive DNS.

“What file has been linked to the IP 166[.]1[.]160[.]118?” I used VirusTotal for this question and the next.

“What organization is identified on historical WHOIS lookups?”

Task 6, Operational Integration, covers how these lookups fit into a SOC analyst’s workflow: geofencing, legal considerations, and integrating the tools safely.
On to our task 7 challenge!
“It’s 09:10 on a Monday. Over the weekend, Finance reported a burst of “account verification” emails that looked unusually polished. Your secure email gateway caught a subset; one clicked sample was redirected to santagift[.]shop.
At the same time, your EDR shows workstations briefly beaconing to 170[.]130[.]202[.]134.
Use the skills and tools covered in the room to enrich the three indicators and answer the questions below.”
“What is the RIR associated with 170[.]130[.]202[.]134?”

“What ASN is the IP connected with?”

“Identify the number of NS records for the domain santagift[.]shop.”

“Which NS is identified as the Start of Authority (SOA) for the domain?”

“When was the domain registered? (Answer: DD/MM/YYYY)”
I reported to THM that these questions need to be updated. Every website I went to pointed to aurora.ns.cloudflare.com, which is not what THM wanted, as well as the number of NS records and the registration date.
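Since the answers for these three questions drift as the domain’s records change, it helps to take them from raw `dig` output and a WHOIS record rather than a third-party page, and to check that the SOA’s primary name server actually appears in the NS set. The script below is an added example for this writeup, not code from the room. Both inputs are constructed: the answer section is in the format `dig +noall +answer` prints, the WHOIS snippet follows the common `Creation Date:` layout, and the names are placeholders, not the real records for santagift[.]shop.

```python
"""Count NS records, find the SOA primary, and format the registration date.

Added example for this writeup; both inputs are CONSTRUCTED.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed: what `dig +noall +answer example-victim.shop NS SOA A` might print.
DIG_ANSWER = """\
example-victim.shop.  3600  IN  NS   ns1.example-dns.net.
example-victim.shop.  3600  IN  NS   ns2.example-dns.net.
example-victim.shop.  3600  IN  SOA  ns1.example-dns.net. hostmaster.example-dns.net. 2024090301 10000 2400 604800 3600
example-victim.shop.  300   IN  A    203.0.113.45
"""

# Constructed WHOIS excerpt in the registrar-style layout.
WHOIS_TEXT = """\
Domain Name: EXAMPLE-VICTIM.SHOP
Registrar: Example Registrar, Inc.
Creation Date: 2024-09-03T10:12:33Z
Updated Date: 2024-09-03T10:12:33Z
"""


def parse_dig_answer(text: str) -> List[Dict[str, object]]:
    """Split `dig +noall +answer` lines into name / ttl / class / type / rdata."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        name, ttl, rclass, rtype, rdata = line.split(None, 4)
        records.append({"name": name, "ttl": int(ttl), "class": rclass,
                        "type": rtype, "rdata": rdata})
    return records


def ns_summary(records: List[Dict[str, object]]) -> dict:
    """NS count, the NS set, the SOA MNAME, and whether MNAME is one of the NS."""
    ns = sorted(str(r["rdata"]).rstrip(".").lower() for r in records if r["type"] == "NS")
    soa = next((r for r in records if r["type"] == "SOA"), None)
    mname = str(soa["rdata"]).split()[0].rstrip(".").lower() if soa else None
    return {"ns_count": len(ns), "ns": ns, "soa_mname": mname, "soa_in_ns": mname in ns}


def registration_date(whois_text: str) -> Optional[str]:
    """Pull the creation date and format it DD/MM/YYYY as the room's answer asks.

    Handles the registrar 'Creation Date:' layout and the RIPE-style 'created:' layout.
    """
    m = re.search(r"^(?:Creation Date|Registered On|created):\s*(\S+)",
                  whois_text, re.MULTILINE | re.IGNORECASE)
    if not m:
        return None
    value = m.group(1)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).strftime("%d/%m/%Y")


if __name__ == "__main__":
    print(ns_summary(parse_dig_answer(DIG_ANSWER)))
    print(registration_date(WHOIS_TEXT))
```

`soa_in_ns` being false is not an error in itself (a hidden primary is common), but when you are comparing several lookup sites against the room’s expected answer it is a quick way to tell whether they are showing you the same zone data or a cached, older delegation.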
