Tryhackme-Active Reconnaissance Walkthrough

Hacer Dalkiran
5 min readFeb 28, 2023

--

In this room, we will discover basic active reconnaissance methods. Before we starting, lets look at what is active and passive reconnaissance.

I want to explain them with my words:)

Active reconnaissance is like to identify personality of a people, nudge her/him. I mean, he or she react as a result of your action. Like this example, your target react you and most of time realize you. For example, port scanning is an example of active reconnaissance. Your firewalls, IPS or SIEMs will recognize your scan.

Passive reconnaissance means blind search. I mean, target does not recognize your recon. For example, OSINT search is passive recon.

Lets dive into our room:

1. Introduction

Not all of active reconnaissance activities are seen as suspicious activities. For example web browsing can be seen as innocent. However, trying sql injection payloads will be detected most of time.

Here we will see innocent and suspicious techniques such as ping and telnet.

2. Web Browser

If we are using a technique, some network info such as protocol, protocol versions and ports, would good for us every time. Web ports are 80-HTTP and 443-HTTPS commonly.

For a website, Chrome DevTools and Firefox Developer tools are important since web can examine network traffic, request-responses, some JS files and cookies etc. We can reach developer tools by using Ctrl+Shift+I

Task 2

Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions.

Browse the following website and look for Chrome developer tools and find script.js in Application>Frames>Scripts>Script.js

Answer:

- 8

3. Ping

Lots of us knows what is ping. We are using ICMP request as boring name convention, for troubleshooting most of time. Most of time firewalls block ping probes. Like many other protocols, ICMP works as request-response style. One side send a request and the other side send response. Therefore, we understand that the target is alive or online.

  • -c : number of ping requests in linux
  • -n: number of ping requests in MS systems.

If you dont know the details, you can look at manuel of ping by using the command ‘man ping’

Question

- Which option would you use to set the size of the data carried by the ICMP echo request?

Answer

- -s

Question

- What is the size of the ICMP header in bytes?

Answer

- 8

There are 32 bits and 8 bytes in total by default.

Question

- Does MS Windows Firewall block ping by default? (Y/N)

Answer

- Y

Question

- Deploy the VM for this task and using the AttackBox terminal, issue the command ping -c 10 10.10.125.46. How many ping replies did you get back?

Answer

- 10

4. Traceroute

Number of routers that our package touch. Note that because of dynamic routing protocols, the outputs may not reflect exact results.

The command for Linux and MacOS is traceroute MACHINE_IP and

the command for MS Windows is tracert MACHINE_IP

The other thing that we need to know is TTL is not about time, it is about maximum number of routers/hops that a packet can pass before being dropped. Thus, when TTL is equal to 0, the packet will be dropped. After passing a router, the value of TTL decrements by 1.

For linux, details are something different.

Traceroute start with sending UDP datagrams and the value of TTL is 1. Thus, the first router’s TTL value is 0. Therefore TTL of 1 represents the IP of first router. Since the packet drops, it sends another packet with TTL value is 2 and this event goes on.

Question:

-In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com?

Answer

-172.67.69.208

Question:

-In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com?

Answer:

-104.26.11.229

Question:

-In Traceroute B, how many routers are between the two systems?

Answer

-26

5. Telnet

The first purpose of this protocol is communicate with remote system with a CLI. Since the communication is not encrypted, it is not secure anymore and should not be used.

However, we do not use telnet not just communication, we are using also for troubleshooting. If telnet client is available, by using the command below, we can check whether a port is open or closed.

telnet MACHINE_IP PORT

Question

-Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?

Answer

-Apache

Question

-What is the version of the running server (on port 80 of the VM)?

Answer

-2.4.10

6. Netcat

To listen ports, we can use Netcat. Netcat supports both UDP and TCP. The command like as follows:

nc IP_ADDRESS PORT

and this is similar to telnet IP_ADDRESS PORT.

Instead of host:telnet, we will write host:netcat.

If you want to open and listen a specific port like a server, you can use netcat also. For convenience, we are using 1234 or 4444 as port numbers what we will listen.

  • -l : listen mode
  • -p : specify port number
  • -n : numeric value only
  • -v : verbose
  • -vv : very verbose
  • -k : keep listening after client disconnects

we are using those options commonly as a combination of l,v,n,p as follows:

nc -lvnp 1234

In this task we behave like a client and listen the server:

nc IP_ADDRESS PORT

question

-Start the VM and open the AttackBox. Once the AttackBox loads, use Netcat to connect to the VM port 21. What is the version of the running server?

answer

-0.17

after write the command above. (nc IP_ADDRESS 21)

--

--

Hacer Dalkiran
Hacer Dalkiran

Written by Hacer Dalkiran

Mathematician and Cybersecurity girl

No responses yet