Steps to solve Passive Reconnaissance Solution Lab

In this stage of passive recon, we look at information that is publicly available without interacting directly with the target. Here are some of the tools that help with passive recon.

Step 1: Whois

Whois uses a query and response protocol (RFC 3912) to look up an object in a registration database. It helps us gather information such as contact details (which are often “incorrect” or masked when a privacy service is used), the registrar, the registration, update and expiration dates, and contact emails, among others.

If we run whois for the tryhackme website, we get the following result:

Using whois we were able to answer the following questions asked in the challenge:

Question 1: When was registered?

Answer: 20180705

Question 2: What is the registrar of 


Question 3: Which company is using for name servers?


Step 2: nslookup and dig

nslookup (Name Server LookUp) is used to query Domain Name System (DNS) servers to map a domain name to an IP address and to retrieve other DNS records. We can run it non-interactively and pass arguments on the command line.
We can use the -type flag to specify the query type.

nslookup -type=A



This gives us all the IPv4 addresses used by the domain. We can gather much more information with nslookup, such as the mail servers and their configuration for a particular domain. Using “nslookup -type=MX” we can see that the domain’s current email configuration uses Google.


Google will obviously not expose vulnerable server versions, but in other cases we might find mail servers that are not secured or patched.

Question 1: Check the TXT records of What is the flag there?

Answer: THM{a5b83929888ed36acb0272971e438d78}

We solved this question simply by repeating the query shown above for the domain name “” with -type=txt, which returned the flag.

nslookup -type=txt  


If we want more advanced DNS queries and additional functionality, we can use dig (“Domain Information Groper”). dig returns more information by default, such as the TTL (Time To Live) of each record.
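As an added example (not part of the original walkthrough), the following script parses saved whois and dig output into the facts the Step 1 and Step 2 questions ask for: the creation date in the answer format used above (YYYYMMDD), the registrar, the name servers, the records grouped by type, and any THM{...} flag hidden in a TXT record. Both sample outputs are constructed placeholders, not real records.

```python
import re
from collections import defaultdict
# Constructed whois output (placeholder values, not a real registration record).
WHOIS_SAMPLE = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2018-07-05T12:34:56Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

# Constructed dig ANSWER SECTION lines for A, MX and TXT queries (not real data).
DIG_SAMPLE = """\
;; ANSWER SECTION:
example.com.    300   IN  A    203.0.113.10
example.com.    300   IN  A    203.0.113.11
example.com.    3600  IN  MX   10 aspmx.l.google.com.
example.com.    3600  IN  TXT  "v=spf1 include:_spf.google.com ~all"
example.com.    3600  IN  TXT  "THM{constructed-example-flag}"
"""

def parse_whois(text):
    # Pull registrar, creation date (as YYYYMMDD) and name servers out of whois output.
    info = {"registrar": None, "created": None, "name_servers": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            info["registrar"] = value
        elif key == "creation date":
            info["created"] = value[:10].replace("-", "")  # 2018-07-05T... -> 20180705
        elif key == "name server":
            info["name_servers"].append(value.lower())
    return info

# name  TTL  IN  TYPE  data  (dig's answer-line layout; ';;' comment lines do not match)
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_dig(text):
    # Group answer records by type: {"A": [...], "MX": [...], "TXT": [...]}.
    records = defaultdict(list)
    for line in text.splitlines():
        m = DIG_LINE.match(line)
        if m:
            records[m.group(3)].append(m.group(4).strip().strip('"'))
    return dict(records)

def find_flags(records):
    # The lab hides its flag in a TXT record; return every THM{...} token found there.
    return [f for r in records.get("TXT", []) for f in re.findall(r"THM\{[^}]*\}", r)]
```

Feed it real output with `whois <domain>` and `dig <domain> TXT` redirected to files, and the same functions summarise the live records.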


Step 3: DNSDumpster

A lot of useful information can be gathered with the tools above, but they are not designed for enumerating subdomains. Subdomains can hold useful information and servers that may be vulnerable. DNSDumpster can be used to discover subdomains and their IP addresses, and to attempt to geolocate them.



From the above graphical view we found a subdomain that helps us answer the following question:

Question 1: Lookup on DNSDumpster. What is one interesting subdomain that we would discover in addition to www and blog?

Answer: remote

Step 4: Shodan

Shodan is used to learn more about our target network. Shodan is like a search engine for devices online, and because we are not connecting to the devices ourselves, it gives us a lot of information during passive research.
If we search for on Shodan, we get the following result.


Question 1: According to, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Answer: Germany


Question 2: Based on, what is the 3rd most common port used for Apache?

Answer: 8080


Question 3: Based on, what is the 3rd most common port used for Nginx?

Answer: 8888

TryHackMe – Passive Reconnaissance Solution

Passive reconnaissance is a way of gaining information about targeted computers and networks without actively engaging with those systems. We mainly gather information from publicly available sources. In this article, we are going to solve the Passive Reconnaissance CTF on TryHackMe’s website.
