Cyber Threat Intelligence: How to Investigate IPs and Domains | TryHackMe Walkthrough
Introduction
In my exploration of cyber threat intelligence, I delved into the intricacies of analyzing IP addresses and domains to uncover malicious infrastructure. I began with a foundational understanding of the Domain Name System (DNS), recognizing its critical role in translating human-readable hostnames into machine-readable IP addresses and its vulnerability to exploitation by malicious actors.

Data Extraction and Analysis
I focused on various data extraction techniques to build a comprehensive intelligence picture. I started by examining WHOIS information and DNS records, including A, AAAA, NS, MX, and TXT records. This allowed me to gain insights into domain ownership, associated IP addresses, and email delivery mechanisms. I learned to identify red flags such as frequent changes in IP addresses and the absence of SPF/DKIM records.

I also explored the use of Geolocation (GeoIP) data to approximate the country and city of an IP address. I understood that while useful, GeoIP data should be treated as a hint rather than a certainty, and I made it a practice to use at least two sources to verify information.
Next, I investigated the Autonomous System Number (ASN), a unique identifier for a network. Analyzing the ASN helped me determine how an IP is being used, for instance, for hosting, residential, or cloud services.
I then turned my attention to TLS certificates, using Certificate Transparency (CT) logs to enrich my passive intelligence gathering. By examining fields like the issuer, validity period, and subject alternative names, I could uncover domain ownership overlaps and identify shared infrastructure.
Finally, I utilized service banners from search engines like Shodan and Censys to identify open ports, service versions, and potential misconfigurations on internet-facing assets.
Practical Tools and Platforms
Throughout my investigation, I utilized a variety of practical tools and platforms to aid in data extraction and analysis. Some of the key tools I employed include:
- VirusTotal, ThreatFox, and OSINT Tricks for threat intelligence and historical data.
- NSLookup.io for DNS record lookups.
- RDAP.org for retrieving registration data.
- IPinfo.io and IPLocation.net for GeoIP information.
- BGPView.io for ASN context.
- Shodan and Censys.io for service banner and TLS certificate information.
- CRT.sh for certificate transparency logs.
- Cisco Talos Intelligence for web and email reputation scores.
- IP2Proxy for identifying known VPNs/proxies.
Terminal Commands
I also made use of several terminal commands to gather information directly:
- I used the openssl s_client command to connect to an IP address and port to retrieve TLS certificate information:
  openssl s_client -connect 69.197.185.26:443 -showcerts
- The dig command was essential for querying various DNS records:
  dig @1.0.0.1 advanced-ip-sccanner.com. A
  dig @1.0.0.1 advanced-ip-sccanner.com. AAAA
  dig @1.0.0.1 advanced-ip-sccanner.com. CNAME
  dig @1.0.0.1 advanced-ip-sccanner.com. TXT
  dig @1.0.0.1 advanced-ip-sccanner.com. NS
  dig @1.0.0.1 advanced-ip-sccanner.com. MX
- I utilized the host command to retrieve reverse DNS information:
  host 86.144.23.10
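As an added example, not part of this walkthrough or the TryHackMe room: a small Python triage routine that takes dig-style answers for a domain and flags the red flags described in the data extraction section, namely missing SPF/DKIM/DMARC TXT records and frequent A-record changes across passive-DNS observations. The record-key layout, the documentation-range IPs, and the DKIM selector list are my assumptions, and the sample data is constructed rather than the result of real lookups.

```python
import re
from typing import Dict, List, Sequence, Set

# Constructed sample input (not real lookup results): answers as "dig +short"
# would print them, keyed by record type, or by "<name>.<type>" for lookups
# under a subdomain such as _dmarc or a DKIM selector.
SAMPLE_RECORDS: Dict[str, List[str]] = {
    "A": ["203.0.113.10"],
    "AAAA": [],
    "NS": ["ns1.hosting.invalid.", "ns2.hosting.invalid."],
    "MX": ["10 mail.hosting.invalid."],
    "TXT": ['"site-verification=constructed-value"'],
    "_dmarc.TXT": [],
    "default._domainkey.TXT": [],
}

# Constructed passive-DNS style history: one A-record set per observation.
SAMPLE_A_HISTORY: Sequence[Set[str]] = [
    {"203.0.113.10"}, {"203.0.113.10"}, {"198.51.100.7"},
    {"198.51.100.8"}, {"198.51.100.9"},
]

SPF_RE = re.compile(r'^"?v=spf1\b', re.IGNORECASE)
DMARC_RE = re.compile(r'^"?v=DMARC1\s*;', re.IGNORECASE)
DKIM_RE = re.compile(r'^"?v=DKIM1\s*;', re.IGNORECASE)


def has_record(values: List[str], pattern: "re.Pattern[str]") -> bool:
    """True if any answer string starts with the given tag (quotes tolerated)."""
    return any(pattern.match(v.strip()) for v in values)


def count_ip_changes(history: Sequence[Set[str]]) -> int:
    """Number of observations whose A-record set differs from the previous one."""
    return sum(1 for prev, cur in zip(history, history[1:]) if prev != cur)


def triage(records: Dict[str, List[str]], history: Sequence[Set[str]] = (),
           dkim_selectors: Sequence[str] = ("default",), churn_threshold: int = 2) -> List[str]:
    """Return human-readable findings for the red flags the walkthrough lists."""
    findings: List[str] = []
    if not has_record(records.get("TXT", []), SPF_RE):
        findings.append("no SPF (v=spf1) TXT record")
    if not has_record(records.get("_dmarc.TXT", []), DMARC_RE):
        findings.append("no DMARC policy published at _dmarc")
    if not any(has_record(records.get(f"{s}._domainkey.TXT", []), DKIM_RE) for s in dkim_selectors):
        findings.append("no DKIM key for selectors: " + ", ".join(dkim_selectors))
    if records.get("MX") and findings and findings[0].startswith("no SPF"):
        findings.append("MX present but no SPF: mail from this domain cannot be authenticated")
    changes = count_ip_changes(history)
    if changes >= churn_threshold:  # frequent IP changes are a churn/fast-flux hint
        findings.append(f"A record changed {changes} times across {len(history)} observations")
    return findings
```

A clean domain (SPF, DMARC and a DKIM key present, no IP churn) yields an empty findings list, so the function doubles as a quick baseline check.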
My investigation concluded with the understanding that continuous learning and the operational integration of these skills are paramount for any security professional looking to enhance their threat intelligence capabilities and effectively respond to the ever-evolving landscape of cyber threats.
TryHackMe IP and Domain Threat Intel Room Answers
Room answers can be found here