Passive Reconnaissance TryHackMe

Overview

Passive reconnaissance is the process of collecting intelligence about a target without directly interacting with it. This room introduces the passive vs active recon distinction, then focuses on practical data sources such as WHOIS, DNS lookups, DNSDumpster, and Shodan.

Core idea: passive recon should not alert the target because you are using public records and third-party data sources instead of touching the target systems directly.

1) Passive vs Active Recon

Reconnaissance is the information-gathering phase before exploitation. It can be divided into two categories:

Passive reconnaissance: use public information such as DNS records, job ads, search results, news, and internet-wide scanners.
Active reconnaissance: interact directly with the target through connections, probes, social engineering, or physical approaches.

Examples: querying public DNS is passive; connecting to a target’s HTTP, FTP, or SMTP service is active and may trigger logs or legal issues without authorization.

2) WHOIS

WHOIS is a TCP/43 protocol used to retrieve domain registration details from registrar-maintained records.

Registrar: where the domain is registered.
Registrant/admin/tech details: often partially redacted by privacy services.
Creation/update/expiry dates: helpful for target profiling.
Name servers: useful for further DNS investigation.

whois tryhackme.com

Why it matters: WHOIS can reveal domain ownership patterns, contact info, registrar relationships, and infrastructure clues that point to new attack surface.

3) DNS Lookups with nslookup

nslookup is a simple way to query public DNS data without alerting the target.

Common record types:

A: IPv4 addresses
AAAA: IPv6 addresses
CNAME: canonical names
MX: mail servers
SOA: start of authority
TXT: text records

nslookup -type=A tryhackme.com 1.1.1.1
nslookup -type=MX tryhackme.com
nslookup -type=TXT tryhackme.com

Practical value: A/AAAA records reveal target IPs, MX records reveal mail providers, and TXT records may expose SPF, verification tokens, or other useful metadata.

4) DNS Lookups with dig

dig provides more detailed DNS output than nslookup, including useful fields such as TTL by default.

dig tryhackme.com A
dig tryhackme.com MX
dig @1.1.1.1 tryhackme.com MX
dig tryhackme.com TXT

Difference from nslookup: both are useful, but dig is usually preferred when you want richer DNS detail and cleaner scripting-friendly output.

5) DNSDumpster

DNS lookups by themselves will not enumerate subdomains. DNSDumpster helps by aggregating DNS information into a broader picture of the target’s infrastructure.

Finds known subdomains
Shows DNS and MX records together
Resolves names to IPs
Provides simple graphs and geolocation context

Why this matters: forgotten subdomains like blog, wiki, mail, or webmail often expose weaker systems than the main domain and can become the most interesting target during later testing.

6) Shodan

Shodan indexes internet-connected devices and services. Instead of searching web pages, it searches exposed hosts and banners.

IP address
Hosting provider
Geographic location
Service banners
Server type and version

Best use case: search for the domain or IPs you discovered via DNS and see what Shodan already knows about exposed infrastructure without directly touching the target yourself.

7) Recon Workflow

A practical passive recon flow from this room looks like this:

Start with the company or domain name.
Run whois to learn registrar, dates, and name servers.
Use nslookup or dig to query A, MX, and TXT records.
Use DNSDumpster to expand the subdomain picture.
Search the resulting domains and IPs in Shodan for exposed services and banners.

Goal: build a target map before any active probing. This keeps the first active steps narrow, intentional, and less noisy.

Passive Recon Cheat Sheet

whois tryhackme.com
nslookup -type=A tryhackme.com
nslookup -type=MX tryhackme.com 1.1.1.1
nslookup -type=TXT tryhackme.com
dig tryhackme.com A
dig @1.1.1.1 tryhackme.com MX
dig tryhackme.com TXT

Exam Notes (PT1)

Passive recon uses public data sources and should not directly touch the target infrastructure.
WHOIS is useful for registrar data, dates, ownership clues, and name servers.
A, MX, TXT, and CNAME lookups often reveal IPs, mail providers, and operational metadata.
DNSDumpster is useful for subdomain discovery and infrastructure visualization.
Shodan helps profile exposed systems and banners before active scanning begins.