
TryHackMe: IP and Domain Threat Intelligence — Walkthrough (Lab 3)

  • Writer: DFIRHive
  • Oct 21
TryHackMe ‘Domain & IP Threat Intelligence’ room — focused on enriching domains, IPs, and infrastructure indicators to uncover attacker activity.


This is the third lab in the Threat Intelligence series, following Intro to CTI and File & Hash Threat Intel.


Here, the focus shifts to infrastructure indicators — domains, IPs, certificates, and network relationships. The lab builds on what we’ve learned so far: this time, we’re enriching IOCs using platforms like RDAP, Shodan, Censys, and crt.sh to understand who owns what, what’s hosted where, and how those details connect to threat activity.


Here’s the walkthrough — each question, the answer, and a short explanation of how the finding fits into the investigation workflow.





Question 1 — From the downloadable report, what are the IP addresses for the A Record associated with our flagged domain, advanced-ip-sccanner[.]com? (Answer format: IP-1, IP-2)


Answer: 172.67.189.143, 104.21.9.202


Reference: DNS A record lookup report (download the report from the room and check the A records).


Explanation: The A record maps a domain name to an IPv4 address. Multiple A records, as seen here, usually indicate load balancing or CDN-based hosting. This is typical of services fronted by Cloudflare, whose proxy addresses are returned instead of the true origin server’s IP.


[Screenshot: DNS A record lookup showing advanced-ip-sccanner.com resolving to two Cloudflare-hosted IPs, 172.67.189.143 and 104.21.9.202.]


Question 2 — What nameserver addresses are associated with the IP address? Defang the addresses.


Answer: jaziel[.]ns[.]cloudflare[.]com, summer[.]ns[.]cloudflare[.]com


Reference: DNS NS record lookup.


Explanation: Name server (NS) records identify the DNS servers that are authoritative for a domain. Seeing Cloudflare name servers confirms the domain uses Cloudflare’s DNS infrastructure, which, together with its proxy, often masks the origin server details for privacy or protection.


[Screenshot: NS lookup output showing the Cloudflare name servers summer.ns.cloudflare.com and jaziel.ns.cloudflare.com for advanced-ip-sccanner.com.]



Question 3 — Open client.rdap.org and identify when the 64[.]31[.]63[.]194 IP was logged for registration. (Answer in UTC: MM/DD/YYYY, H:MM:SS AM/PM)


Answer: 12/27/2010, 3:51:03 PM


Reference: RDAP IP record.


Explanation: RDAP (Registration Data Access Protocol) is the structured, JSON-based successor to WHOIS and returns IP and domain registration data. The registration event date shows when the IP block was first recorded, which is useful for separating newly created from long-standing infrastructure.


[Screenshot: RDAP registration record for IP 64.31.63.194 showing a registration date of 27 December 2010.]



Question 4 — What roles are assigned to the entity NOC2791-ARIN associated with the IP address 64[.]31[.]63[.]194?


Answer: Administrative, Technical


Reference: RDAP entity role field.


Explanation: In RDAP, roles define the purpose of a listed contact — here, “administrative” and “technical.” This tells analysts whom to contact for incident response or abuse reporting related to that IP.


[Screenshot: RDAP entity details for IP 64.31.63.194 showing entity NOC2791-ARIN with the roles administrative and technical.]



Question 5 — What is the country's name for the IP 64[.]31[.]63[.]194?


Answer: France


Reference: Multiple geolocation lookup sources (RDAP, IPinfo, MaxMind).


Explanation: Cross-verifying IP geolocation ensures accuracy — attackers often route traffic through servers located in other countries. Confirming the country helps analysts understand possible hosting regions and cross-jurisdiction considerations.


[Screenshot: IPinfo geolocation data placing IP 64.31.63.194 in Paris, France.]
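As an added example (not part of this walkthrough or of TryHackMe’s material), this Python script parses a constructed RDAP IP-network object and pulls out the fields Questions 3 to 5 ask for, in the exact timestamp format the room expects, and defangs the indicator for the report as Question 2 requires. The sample JSON, the NET-PLACEHOLDER handle and the abuse contact are assumptions; a real lookup fetches the same object from client.rdap.org or the RIR’s RDAP endpoint.

```python
import json
from datetime import datetime, timezone
# Constructed sample shaped like an RDAP "ip network" response. The date,
# handle, roles and country mirror the lab's Q3-Q5 answers; the network
# handle and the abuse contact are placeholders.
SAMPLE_RDAP = json.dumps({
    "handle": "NET-PLACEHOLDER",
    "country": "FR",
    "events": [{"eventAction": "registration",
                "eventDate": "2010-12-27T15:51:03Z"}],
    "entities": [
        {"handle": "NOC2791-ARIN", "roles": ["administrative", "technical"]},
        {"handle": "ABUSE-PLACEHOLDER", "roles": ["abuse"]},
    ],
})

def defang(indicator):
    """Render an IP or domain in the report-safe form the room uses: . -> [.]"""
    return indicator.replace(".", "[.]")

def event_date_utc(doc, action="registration"):
    """Return the first event matching `action` as an aware UTC datetime, or None."""
    for ev in doc.get("events", []):
        if ev.get("eventAction") == action:
            # RDAP dates are RFC 3339; Python < 3.11 rejects a trailing 'Z'.
            raw = ev["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(raw).astimezone(timezone.utc)
    return None

def lab_timestamp(dt):
    """Format as the room expects: MM/DD/YYYY, H:MM:SS AM/PM (hour not zero-padded)."""
    hour12 = dt.hour % 12 or 12
    ampm = "AM" if dt.hour < 12 else "PM"
    return (f"{dt.month:02d}/{dt.day:02d}/{dt.year}, "
            f"{hour12}:{dt.minute:02d}:{dt.second:02d} {ampm}")

def enrich(rdap_json, ip):
    """Fields an analyst records: defanged IP, registration, country, contact roles."""
    doc = json.loads(rdap_json)
    reg = event_date_utc(doc)
    return {
        "indicator": defang(ip),
        "registered_utc": lab_timestamp(reg) if reg else None,
        "country": doc.get("country"),
        # Top-level entities only; real ARIN responses also nest entities.
        "contacts": {e["handle"]: sorted(e.get("roles", []))
                     for e in doc.get("entities", [])},
    }

if __name__ == "__main__":
    print(json.dumps(enrich(SAMPLE_RDAP, "64.31.63.194"), indent=2))
```

Run it directly to print the enrichment for the sample; pass the JSON body of a live RDAP response to `enrich` for a real IP.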



Question 6 — Can you identify the Autonomous System linked with the IP 64[.]31[.]63[.]194?


Answer: AS136258


Reference: RDAP and BGP routing lookup.


Explanation: An Autonomous System (AS) is a set of IP prefixes routed under a single organization’s control and identified by its AS number (ASN). The ASN lets analysts group multiple IPs under the same operator — often tying different campaigns to the same provider.


[Screenshot: IPinfo ASN data showing AS136258 (BrainStorm Network, Inc) for IP 64.31.63.194.]



Question 7 — Using shodan.io, find which service is primarily associated with the IP address 85[.]188[.]1[.]133.


Answer: FTP


Reference: Shodan


Explanation: Shodan reveals that the IP exposes FTP (File Transfer Protocol). FTP servers are often targeted for credential theft or data exfiltration, since plain FTP carries credentials and data in cleartext and many servers lack authentication hardening.



Question 8 — How many ports have been identified as open on the server?


Answer: 6


Reference: Shodan open ports listing.


Explanation: An IP with multiple open ports has a larger attack surface. Reviewing the services behind these ports helps analysts spot possible weak points or identify services that shouldn’t be publicly exposed.



Question 9 — Using search.censys.io, identify the TLS certificate fingerprint for the IP address.


Answer: 48d6057099841bd18809fd61aa990b17779176de7799f301dac24879da553456


Reference: Censys TLS certificate details.


Explanation: A TLS certificate fingerprint is the SHA-256 hash of the certificate’s DER encoding and uniquely identifies that certificate. Pivoting on it reveals the same certificate reused across multiple servers — a common trait of attacker-controlled infrastructure.



Question 10 — According to crt.sh, are there Certificate Transparency log entries captured associated with the TLS certificate identified above? (Answer: Yay or Nay)


Answer: Yay


Reference: crt.sh Certificate Transparency log search.


Explanation: Certificate Transparency (CT) logs are public, append-only records of TLS certificate issuance. A “Yay” indicates that the certificate has been logged, so it is publicly recorded and traceable through crt.sh.



Question 11 — What file has been linked to the IP 166[.]1[.]160[.]118?


Answer: (File name as per virustotal result)


Reference: VirusTotal -> Relations


[Screenshot: VirusTotal Relations tab connecting IP 166.1.160.118 to a malicious Windows executable.]



Question 12 — What organization is identified on historical WHOIS lookups?


Answer: Ace Data Centers, Inc.


Reference: WHOIS dataset.


Explanation: Historical WHOIS lookups show previous domain or IP ownership. This is useful when attackers change registrars or hosting providers to avoid detection, since older records often expose the original infrastructure links.


[Screenshot: ARIN WHOIS data for IP 166.1.160.118 showing historical ownership under Ace Data Centers, Inc.]


Question 13 — What is the RIR associated with 170[.]130[.]202[.]134?


Answer: ARIN


Reference: Regional Internet Registry (RIR) data.


Explanation: RIRs (like ARIN, RIPE, APNIC) manage IP allocations by region. Knowing which RIR controls an IP range helps determine the responsible registry and applicable reporting channels.


[Screenshot: VirusTotal Details tab for IP 170.130.202.134 showing the Regional Internet Registry as ARIN.]



Question 14 — What ASN is the IP connected with?


Answer: AS62904


Reference: IPinfo -> ASN


Explanation: ASN 62904 corresponds to the network operator responsible for that IP range. Correlating ASN data helps group related infrastructure or trace repeated use of specific hosting services in threat campaigns.


[Screenshot: IPinfo ASN data showing AS62904 (Eonix Corporation) for IP 170.130.202.134.]


Question 15 — Identify the number of NS records for the domain santagift[.]shop.


Answer: 4


Reference: DNS lookup result.


Explanation: Multiple NS (name server) records provide redundancy and spread query load across servers. Checking the number and ownership of NS entries can also highlight misconfigurations or attacker-controlled DNS infrastructure.


[Screenshot: DNS lookup results showing four Amazon Technologies NS records for santagift.shop.]



Question 16 — Which NS is identified as the Start of Authority (SOA) for the domain?


Answer: ns-298.awsdns-37.com


Reference: nslookup.io


Explanation: The Start of Authority (SOA) record names the primary authoritative name server for the zone. Knowing this helps identify the true source of the domain’s configuration and its hosting provider.


[Screenshot: SOA record lookup showing ns-298.awsdns-37.com as the Start of Authority for santagift.shop.]



Question 17 — When was the domain registered? (Answer: DD/MM/YYYY)


Answer: 30/10/2022


Reference: WHOIS creation date.


Explanation: Recently registered domains are often indicators of short-lived malicious campaigns. Checking registration dates helps analysts prioritize new domains for scrutiny.


[Screenshot: WHOIS lookup showing the santagift.shop creation date as 2022-10-30, an indicator of a recently registered domain.]


Appreciate you taking the time to read through!

If this helped you understand the TryHackMe CTI room a little better, feel free to share it with others or tag DFIRHive.


