IP and Domain Threat Intel | Tryhackme Walkthrough

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.

Security Operations runbooks still revolve around the verify → enrich → decide loop, but when the alert is a lone IP address or domain, the enrichment phase looks different. Instead of hashes, we pivot on geolocation, ASN ownership, open-service footprints, and passive DNS to learn whether a connection is routine SaaS traffic or a beacon to an adversary foothold.

Scenario

It is Wednesday morning. The SOC has flagged a suspicious domain in phishing emails and several IP addresses in outbound proxy logs. You are tasked with triaging the five artefacts below, enriching them with context, and recommending actions with an expiry.

  • advanced-ip-sccanner[.]com

  • 166[.]1[.]160[.]118

  • 64[.]31[.]63[.]194

  • 69[.]197[.]185[.]26

  • 85[.]188[.]1[.]133

Task 2: IP Building Blocks

  1. From the downloadable report, what are the IP addresses for the A Record associated with our flagged domain, advanced-ip-sccanner[.]com? Answer: IP-1, IP-2.

Ans: 172.67.189.143,104.21.9.202

  2. What nameserver addresses are associated with the IP address? Defang the addresses.

Ans: jaziel[.]ns[.]cloudflare[.]com, summer[.]ns[.]cloudflare[.]com
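Defanging is asked for throughout the room, and it is easy to get inconsistent by hand (the blog itself later writes 166[.]1.160[.]118 with one dot left live). The helper below is an added example, not code from the TryHackMe room or this blog: it refangs any of the common conventions back to a plain indicator for tooling, and defangs consistently for tickets and reports. The input list at the bottom is constructed from the room's indicators.

```python
from __future__ import annotations

import re

# Added example (not from the TryHackMe room or this blog): normalise
# indicators copied from reports. Analysts defang IOCs so they cannot be
# clicked or auto-resolved; tooling needs them refanged again. Accepts
# partially defanged input such as "166[.]1.160[.]118".

_DOT_FORMS = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
_SCHEME_FORMS = re.compile(r"^hxxp(s?)(?:\[://\]|\[:\]//|://)", re.IGNORECASE)


def refang(ioc: str) -> str:
    """Return the plain form of a defanged IP, domain or URL."""
    s = ioc.strip()
    s = _SCHEME_FORMS.sub(r"http\1://", s)
    s = _DOT_FORMS.sub(".", s)
    return s


def defang(ioc: str) -> str:
    """Return the defanged form: '.' -> '[.]', 'http' -> 'hxxp', '://' -> '[://]'."""
    s = refang(ioc)  # refang first so already-defanged pieces are not wrapped twice
    s = re.sub(r"^http(s?)://", r"hxxp\1[://]", s, flags=re.IGNORECASE)
    return s.replace(".", "[.]")


def normalise(iocs: list[str]) -> list[tuple[str, str]]:
    """Pair each distinct indicator with its (refanged, defanged) forms."""
    seen: dict[str, str] = {}
    for ioc in iocs:
        plain = refang(ioc)
        seen.setdefault(plain, defang(plain))
    return sorted(seen.items())


if __name__ == "__main__":
    # Constructed input: the room's indicators, with the inconsistent defanging seen in the wild.
    for plain, safe in normalise(["advanced-ip-sccanner[.]com", "166[.]1.160[.]118", "166.1.160.118"]):
        print(f"{plain:<32} {safe}")
```

Refanging before defanging is the important detail: a naive `replace(".", "[.]")` on already-defanged text produces `[[.]]`, which is what breaks the copy-paste into VirusTotal or dig.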

Task 3: IP Enrichment: Geolocation and ASN

  1. Open client.rdap.org and identify when the 64[.]31[.]63[.]194 IP was logged for registration.
    Answer in UTC: MM/DD/YYYY, H:MM:SS AM/PM

Ans: 12/27/2010, 9:21:03 PM

An RIR (Regional Internet Registry) is the organisation that allocates IP address ranges and ASNs for one region of the world; its RDAP/WHOIS service holds the registration data (allocation date, contacts and their roles) for those ranges, which is what client.rdap.org is showing you.

There are 5 RIRs globally:

| RIR | Region covered | Website |
| --- | --- | --- |
| ARIN | North America | https://www.arin.net |
| RIPE NCC | Europe, Middle East, Central Asia | https://www.ripe.net |
| APNIC | Asia Pacific | https://www.apnic.net |
| LACNIC | Latin America, Caribbean | https://www.lacnic.net |
| AFRINIC | Africa | https://www.afrinic.net |

  2. What roles are assigned to the entity NOC2791-ARIN associated with the IP address?
    Note: Answer via comma, in alphabetical order.

Ans: administrative,technical
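Behind the client.rdap.org page are two steps worth seeing in code: picking the right RIR's RDAP server for an address, and reading the answer. The block below is an added example, not the room's or the blog's code. The bootstrap document follows the shape of IANA's https://data.iana.org/rdap/ipv4.json but is a constructed, abbreviated subset; the RDAP response is a constructed "ip network" object in the RFC 9083 shape, where the handle NET-EXAMPLE, the ORG-EXAMPLE entity and the "last changed" event are made up and only the registration time and the NOC2791-ARIN roles match the room's answers.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime, timezone

# Added example (not the room's or the blog's code). Step 1: choose the RIR's
# RDAP server from the IANA bootstrap file. Step 2: read the registration event
# and the entity roles from the RDAP "ip network" object. Both documents are
# constructed, abbreviated samples in the real JSON shapes.

BOOTSTRAP_SAMPLE = {
    "services": [
        [["64.0.0.0/8", "170.0.0.0/8"], ["https://rdap.arin.net/registry/"]],
        [["85.0.0.0/8"], ["https://rdap.db.ripe.net/"]],
    ]
}

RDAP_RESPONSE_SAMPLE = {
    "objectClassName": "ip network",
    "handle": "NET-EXAMPLE",            # hypothetical handle
    "startAddress": "64.31.0.0",
    "endAddress": "64.31.63.255",
    "ipVersion": "v4",
    "events": [
        # registries return local offsets; the room wants UTC
        {"eventAction": "registration", "eventDate": "2010-12-27T16:21:03-05:00"},
        {"eventAction": "last changed", "eventDate": "2012-03-02T12:00:00-05:00"},
    ],
    "entities": [
        {"objectClassName": "entity", "handle": "NOC2791-ARIN", "roles": ["technical", "administrative"]},
        {"objectClassName": "entity", "handle": "ORG-EXAMPLE", "roles": ["registrant"]},
    ],
}


def rdap_query_url(ip: str, bootstrap: dict) -> str | None:
    """Longest-prefix match over the bootstrap services list, then the /ip/<addr> path."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, urls[0])
    return None if best is None else f"{best[1].rstrip('/')}/ip/{ip}"


def registration_utc(rdap: dict) -> str | None:
    """Registration event converted to UTC in the room's format: MM/DD/YYYY, H:MM:SS AM/PM."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            raw = event["eventDate"].replace("Z", "+00:00")  # fromisoformat lacks 'Z' before 3.11
            dt = datetime.fromisoformat(raw)
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)  # assume UTC when no offset is given
            dt = dt.astimezone(timezone.utc)
            return f"{dt:%m/%d/%Y}, {dt.hour % 12 or 12}:{dt:%M:%S %p}"
    return None


def entity_roles(rdap: dict, handle: str) -> list[str]:
    """Roles of one entity, alphabetical (the order the room asks for)."""
    for entity in rdap.get("entities", []):
        if entity.get("handle") == handle:
            return sorted(entity.get("roles", []))
    return []


if __name__ == "__main__":
    print(rdap_query_url("64.31.63.194", BOOTSTRAP_SAMPLE))
    print(registration_utc(RDAP_RESPONSE_SAMPLE))
    print(",".join(entity_roles(RDAP_RESPONSE_SAMPLE, "NOC2791-ARIN")))
```

The timezone conversion is the part people get wrong when answering "in UTC": RDAP servers commonly return timestamps with a local offset, and the same event reads as a different date once it crosses midnight UTC.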

  3. What is the country's name for the same IP address (64[.]31[.]63[.]194)?

Ans: France

Reference: https://iplocation.net/. Note that geolocation databases estimate where an address is used, which can differ from the country of the organisation that registered the block in the RIR; record which source an answer came from.

  4. Can you identify the Autonomous System linked with the same IP address?

Ans: AS136258

Reference: https://ipinfo.io/ to find ASN

An Autonomous System (AS) is a group of IP prefixes routed under one organization's control and routing policy, such as an Internet Service Provider (ISP), a company like Google, or a cloud provider like AWS.

Each AS is identified by a unique number called an ASN (Autonomous System Number).

BGP uses ASNs to route traffic between networks. For an analyst they answer "who announces this address on the internet right now", which can differ from the registered owner in WHOIS and is often the more useful attribution.

Example:

  • AS32934 → Meta (Facebook)

  • AS16509 → Amazon AWS

  • AS12488 → Vodafone
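For a single address, ipinfo.io is enough; for a list of proxy-log IPs, Team Cymru's IP-to-ASN DNS service (https://www.team-cymru.com/ip-asn-mapping) answers bulk TXT queries. The block below is an added example, not the room's or the blog's code: it builds the query names and parses the pipe-separated TXT answers. The two answers are constructed samples in that service's field layout; only AS62904 and the ARIN registry come from the room's challenge answers, and the prefix, dates and AS name are made up.

```python
from __future__ import annotations

import ipaddress

# Added example (not the room's or the blog's code). Builds Team Cymru
# origin/ASN DNS query names and parses their TXT answers. Sample answers are
# constructed; only AS62904 and "arin" match the room's answers.

ORIGIN_SUFFIX = "origin.asn.cymru.com"
ASN_SUFFIX = "asn.cymru.com"

SAMPLE_ORIGIN_TXT = '"62904 | 170.130.202.0/24 | US | arin | 2016-05-18"'
SAMPLE_ASN_TXT = '"62904 | US | arin | 2016-05-18 | EXAMPLE-NET-NAME, US"'


def origin_query_name(ip: str) -> str:
    """IPv4 octets reversed plus the origin suffix; a TXT query for it returns the announcing ASN."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + ORIGIN_SUFFIX


def asn_query_name(asn: str | int) -> str:
    """AS<n>.asn.cymru.com; a TXT query for it returns the AS description."""
    number = str(asn).upper()
    number = number[2:] if number.startswith("AS") else number
    return f"AS{int(number)}.{ASN_SUFFIX}"


def _fields(txt: str) -> list[str]:
    return [f.strip() for f in txt.strip().strip('"').split("|")]


def parse_origin_txt(txt: str) -> dict:
    """ASN(s) | prefix | country | registry | allocation date.
    A prefix announced by several ASNs (MOAS) lists them space-separated in the first field."""
    asns, prefix, country, registry, allocated = _fields(txt)
    return {
        "asns": [f"AS{a}" for a in asns.split()],
        "prefix": prefix,
        "country": country,
        "rir": registry.upper(),
        "allocated": allocated,
    }


def parse_asn_txt(txt: str) -> dict:
    """ASN | country | registry | allocation date | AS name (the name itself may contain commas)."""
    asn, country, registry, allocated, name = _fields(txt)
    return {"asn": f"AS{asn}", "country": country, "rir": registry.upper(),
            "allocated": allocated, "name": name}


def enrich(ip: str, origin_txt: str, asn_txt: str) -> dict:
    """Combine both answers into one enrichment record for the triage sheet."""
    origin = parse_origin_txt(origin_txt)
    desc = parse_asn_txt(asn_txt)
    return {"ip": ip, **origin, "as_name": desc["name"]}


if __name__ == "__main__":
    # With network access: dig +short <origin_query_name(ip)> TXT, then feed the answer in.
    print(origin_query_name("170.130.202.134"))
    print(enrich("170.130.202.134", SAMPLE_ORIGIN_TXT, SAMPLE_ASN_TXT))
```

Keep the MOAS case in mind when pivoting: a prefix announced by two ASNs is not necessarily a hijack, but the triage note should carry both numbers rather than whichever one the web UI happened to show.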

Task 4: Service Exposure

  1. Using shodan.io, what is the first exposed service name of the 85[.]188[.]1[.]133 IP?
    Note: If the information in Shodan has been changed, please check out the hint.

Ans: FTP

  2. How many ports have been identified as open on the server from Question 1?
    Note: If the information in Shodan has been changed, please check out the hint.

Ans: 6

Ports: 21, 22, 80, 111, 443, 873 (FTP, SSH, HTTP, rpcbind, HTTPS, rsync)

  3. Using search.censys.io, what is the TLS certificate fingerprint for the IP address?
    Note: If the information in Censys has been changed, please check out the hint.

Ans: 5ea8e6046bdabaa8e23a1a012c01d1be5ccd42c66ef2577a59f3b3f0f056d12e

The certificate fingerprint has since changed; view the hint to get the expected answer.

  4. According to crt.sh, what is the Subject's commonName of the identified TLS certificate?
    Note: Search for the TLS fingerprint you identified in Question 3.

Ans: archive.scene.org
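The same four answers can be pulled out of a Shodan host record programmatically, which is what you want when the web page has changed under you. The block below is an added example, not the room's or the blog's code. The record is a constructed, trimmed sample in the shape of the Shodan host JSON as I understand it (top-level "ports", per-banner "data" entries with "_shodan.module", and "ssl.cert" on TLS banners); the ports, the commonName and the SHA-256 fingerprint are the room's answers, while the module names, banner text and the exact key layout are assumptions.

```python
from __future__ import annotations

# Added example (not the room's or the blog's code): read the Task 4 answers
# out of a Shodan host record. The record is a constructed sample; the key
# layout ("_shodan.module", "ssl.cert.subject.CN", "ssl.cert.fingerprint.sha256")
# is assumed.

SHODAN_HOST_SAMPLE = {
    "ip_str": "85.188.1.133",
    "ports": [80, 21, 443, 22, 873, 111],
    "data": [
        {"port": 443, "transport": "tcp", "_shodan": {"module": "https"},
         "ssl": {"cert": {"subject": {"CN": "archive.scene.org"},
                          "fingerprint": {"sha256": "5ea8e6046bdabaa8e23a1a012c01d1be5ccd42c66ef2577a59f3b3f0f056d12e"}}}},
        {"port": 21, "transport": "tcp", "_shodan": {"module": "ftp"}, "data": "220 FTP server ready"},
        {"port": 873, "transport": "tcp", "_shodan": {"module": "rsync"}},
        {"port": 22, "transport": "tcp", "_shodan": {"module": "ssh"}},
        {"port": 111, "transport": "tcp", "_shodan": {"module": "portmap"}},
        {"port": 80, "transport": "tcp", "_shodan": {"module": "http"}},
    ],
}

# Services an analyst flags first on an internet-facing host: plaintext, legacy or no-auth protocols.
NOISY_OR_LEGACY = {"ftp", "telnet", "rsync", "portmap", "smb", "rdp", "vnc"}


def open_ports(host: dict) -> list[int]:
    return sorted(set(host.get("ports", [])))


def services(host: dict) -> list[tuple[int, str]]:
    """(port, module) pairs in ascending port order, the order the host page lists them."""
    return sorted((b["port"], b["_shodan"]["module"]) for b in host.get("data", []))


def first_service(host: dict) -> str | None:
    svc = services(host)
    return svc[0][1].upper() if svc else None


def flagged_services(host: dict) -> list[tuple[int, str]]:
    return [(p, m) for p, m in services(host) if m in NOISY_OR_LEGACY]


def tls_certificates(host: dict) -> list[dict]:
    """One entry per TLS banner: port, subject CN and SHA-256 fingerprint (the value crt.sh searches on)."""
    out = []
    for banner in host.get("data", []):
        cert = banner.get("ssl", {}).get("cert")
        if cert:
            out.append({"port": banner["port"],
                        "cn": cert.get("subject", {}).get("CN"),
                        "sha256": cert.get("fingerprint", {}).get("sha256")})
    return out


if __name__ == "__main__":
    h = SHODAN_HOST_SAMPLE
    print(h["ip_str"], len(open_ports(h)), "open:", open_ports(h))
    print("first service:", first_service(h), "| flagged:", flagged_services(h))
    print("certs:", tls_certificates(h))
```

Note that the fingerprint is an attribute of the certificate, not the host: a server can present a different certificate tomorrow, and the hostname in the CN is the pivot that survives (here it points at a public file mirror, which together with FTP and rsync being open reads as routine rather than hostile infrastructure).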

Task 5: Reputation Checks and Passive DNS

  1. What file has been linked to the IP 166[.]1[.]160[.]118?

Ans: ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef.exe

  2. What organisation is identified on historical WHOIS lookups?

Ans: Ace Data Centers, Inc

Extra: the same IP can also be checked for reputation on Cisco Talos Intelligence.

Task 7: Challenge

It’s 09:10 on a Monday. Over the weekend, Finance reported a burst of “account verification” emails that looked unusually polished. Your secure email gateway caught a subset; one clicked sample was redirected to santagift[.]shop.
At the same time, your EDR shows workstations briefly beaconing to 170[.]130[.]202[.]134.

Use the skills and tools covered in the room to enrich the indicators above and answer the questions below.


  1. What is the RIR associated with 170[.]130[.]202[.]134?

Ans: ARIN

Either https://client.rdap.org/ or VirusTotal shows the RIR.

  2. What ASN is the IP connected with?

Ans: AS62904

Either https://ipinfo.io/ or VirusTotal shows the ASN.


  3. When was the domain registered? (Answer: DD/MM/YYYY)

Ans: 30/10/2022

When a domain expires and the owner does not renew it, the registrar eventually removes the NS delegation at the TLD (or points it at its own parking servers), so the domain's own records stop being served.
The name may still appear in WHOIS with an expiry or pending-delete status, but it no longer resolves publicly.
As a result, live DNS queries for its A, MX, TXT and NS records return nothing useful, and only historical DNS sources can answer questions about how it was set up.

For the next two questions, I referred to older walkthroughs for guidance. Additionally, this website allows us to view historical DNS (previous DNS records): https://dnshistory.org/

  4. Identify the number of NS records for the domain santagift[.]shop.

Ans: 4

  5. Which NS is identified as the Start of Authority (SOA) for the domain?

Ans: ns-298.awsdns-37.com
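Once you have a snapshot of the domain's records, from dnshistory.org or from `dig +noall +answer` while it still resolved, the last two questions and the "is it expired" check are a few lines of parsing. The block below is an added example, not the room's or the blog's code. The zone lines are a constructed sample: ns-298.awsdns-37.com is the room's SOA answer, while the other three nameservers, the SOA RNAME and the serial use reserved example names and made-up values.

```python
from __future__ import annotations

# Added example (not the room's or the blog's code): evaluate DNS records kept
# for a domain in "name ttl class type rdata" form (dig +noall +answer style).
# The sample below is constructed; only ns-298.awsdns-37.com is from the room.

SAMPLE_ANSWERS = """\
santagift.shop.  3600  IN  NS   ns-298.awsdns-37.com.
santagift.shop.  3600  IN  NS   ns1.example.net.
santagift.shop.  3600  IN  NS   ns2.example.org.
santagift.shop.  3600  IN  NS   ns3.example.com.
santagift.shop.  900   IN  SOA  ns-298.awsdns-37.com. hostmaster.example.net. 1 7200 900 1209600 86400
"""

# Record types that mean the name is actually hosting something.
HOSTING_TYPES = ("A", "AAAA", "MX", "TXT", "CNAME")


def parse_records(text: str) -> list[dict]:
    """Parse 'name ttl class type rdata...' lines; ';' comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        name, ttl, rclass, rtype, *rdata = line.split()
        records.append({"name": name.rstrip("."), "ttl": int(ttl), "class": rclass,
                        "type": rtype.upper(), "rdata": rdata})
    return records


def of_type(records: list[dict], rtype: str) -> list[dict]:
    return [r for r in records if r["type"] == rtype.upper()]


def nameservers(records: list[dict]) -> list[str]:
    return sorted(r["rdata"][0].rstrip(".") for r in of_type(records, "NS"))


def soa_primary(records: list[dict]) -> str | None:
    """MNAME field of the SOA: the primary nameserver the zone is authored on."""
    soa = of_type(records, "SOA")
    return soa[0]["rdata"][0].rstrip(".") if soa else None


def primary_is_delegated(records: list[dict]) -> bool:
    """Normally the SOA MNAME is one of the delegated NS; a mismatch means a hidden
    primary or a stale delegation and is worth noting in the triage record."""
    primary = soa_primary(records)
    return primary is not None and primary in nameservers(records)


def hosts_anything(records: list[dict]) -> bool:
    """False when only NS/SOA remain, i.e. the name is parked, suspended or expired."""
    return any(of_type(records, t) for t in HOSTING_TYPES)


def summarise(records: list[dict]) -> dict:
    return {"ns_count": len(nameservers(records)), "soa_primary": soa_primary(records),
            "primary_delegated": primary_is_delegated(records), "hosts_anything": hosts_anything(records)}


if __name__ == "__main__":
    print(summarise(parse_records(SAMPLE_ANSWERS)))
```

The `hosts_anything` flag is the one that feeds the "recommend actions with expiry" step: a phishing domain that now carries only a delegation is a candidate for a short-lived block, not a permanent one.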


Thank you for reading this walkthrough—I hope you enjoyed it.
Keep hunting!