Listen to this Post

Introduction:
Threat intelligence is the cornerstone of modern cybersecurity defense, providing the critical context needed to identify, understand, and proactively counter cyber threats. This article deconstructs a practical training module to equip you with the essential skills for effective OSINT (Open-Source Intelligence) and digital reconnaissance, transforming raw data into actionable security insights.
Learning Objectives:
- Understand the core principles and workflow of practical threat intelligence gathering.
- Master the application of key OSINT tools like VirusTotal, Shodan, and crt.sh for investigations.
- Develop the ability to synthesize data from multiple sources to build a comprehensive threat profile.
You Should Know:
- The Foundation: Passive DNS Reconnaissance with `nslookup` and `dig`
Before diving into advanced tools, fundamental DNS queries provide the first clues. These commands verify domain ownership, identify associated IP addresses, and find related subdomains.Basic domain to IP resolution nslookup example.com Using dig for more detailed DNS information (Linux/macOS) dig example.com ANY dig +short example.com For a concise output
Step-by-step guide: `nslookup` and `dig` are primary tools for querying DNS servers. Start by resolving a domain to its IP address. The `ANY` query in `dig` requests all available DNS records, which can reveal mail servers (MX), name servers (NS), and text records (TXT) that might contain security policies or even misconfigurations. This initial step maps the digital footprint of your target.
2. Certificate Transparency: Uncovering Hidden Assets with `crt.sh`
Certificate Transparency (CT) logs are a goldmine for discoveringsubdomains and affiliated domains that other methods might miss.
Using curl to query crt.sh database for certificates curl -s "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
Step-by-step guide: Every SSL/TLS certificate issued for a domain is recorded in public CT logs. The `crt.sh` database allows you to search these logs. The command uses `curl` to fetch data in JSON format for all certificates related to `example.com` (%.example.com is a wildcard search). The `jq` utility parses the JSON to extract the `name_value` fields (the domains), and `sort -u` presents a unique, sorted list. This often reveals development, staging, and forgotten subdomains, expanding the attack surface for assessment.
3. Threat Analysis: Leveraging VirusTotal’s API with `curl`
VirusTotal aggregates scans from dozens of antivirus engines and provides rich relational data. Automating queries via its API is a key skill.
Query VirusTotal API v3 for a domain's report (replace $API_KEY) curl -s --request GET --url "https://www.virustotal.com/api/v3/domains/example.com" --header "x-apikey: $YOUR_API_KEY" | jq .
Step-by-step guide: VirusTotal provides a powerful API for automated intelligence gathering. This `curl` command constructs an authenticated GET request to the API endpoint for a specific domain. You must replace `$YOUR_API_KEY` with your valid API key. The response, piped into `jq` for readable formatting, contains a wealth of data: detection stats, historical IP resolutions, associated files, and communicating samples. This helps determine if a domain is malicious or compromised.
4. Internet-Wide Scanning: Probing Services with Shodan
Shodan is a search engine for internet-connected devices, providing deep insight into services, banners, and vulnerabilities.
Basic Shodan host search using the CLI (requires Shodan CLI installed and initialized) shodan host 93.184.216.34 Searching for specific services and vulnerabilities shodan search "http.phpmyadmin country:fr"
Step-by-step guide: Unlike search engines that index web content, Shodan indexes metadata from services running on open ports. The `shodan host` command provides a comprehensive overview of a specific IP address: open ports, running services, banners, and even known vulnerabilities. The `search` command lets you perform powerful filters, like finding all PHPMyAdmin instances in France. This is critical for understanding an asset’s exposure and identifying misconfigured or vulnerable systems.
5. Data Decoding: The Power of CyberChef Operations
CyberChef is a web-based “cyber swiss army knife” for encoding, decoding, and data analysis. Its operations can be chained for complex tasks.
While CyberChef is GUI-based, its operations reflect common command-line tasks. Example: Decoding a base64-encoded string found in a log or config file. echo "aHR0cHM6Ly9leGFtcGxlLmNvbQo=" | base64 -d Example: Extracting all URLs from a blob of text using grep grep -oP '(https?://[^\s]+)' logfile.txt
Step-by-step guide: Analysts often encounter obfuscated data, such as base64-encoded strings in phishing URLs or logs. The `base64 -d` command in Linux is the CLI equivalent of CyberChef’s “From Base64” operation, instantly revealing the hidden plaintext. Similarly, `grep` with a regular expression can be used to scrape all URLs from a file. Mastering these decoding and extraction techniques is essential for peeling back layers of obfuscation used by attackers.
6. Cloud Asset Discovery: Querying Censys Search
Censys is another powerful internet-scale scanning platform, often providing complementary data to Shodan for a complete picture.
Querying the Censys API for hosts serving a specific certificate (using curl/jq)
curl -s -u "${API_ID}:${API_SECRET}" "https://search.censys.io/api/v2/hosts/search?q=services.tls.certificates.leaf_data.subject.common_name:example.com" | jq .
Step-by-step guide: Censys offers detailed data on hosts, websites, and certificates. This API query, authenticated with your API ID and Secret, searches for all hosts that have a TLS certificate where the Common Name is example.com. This is another effective method for discovering all infrastructure, including cloud assets (AWS, Azure, GCP), associated with a target organization, which might be missed by traditional subdomain enumeration.
7. Synthesizing Intelligence: Building a Threat Profile
The final step involves correlating data from all previous tools to form a conclusive assessment.
A simple script to automate data collection for a domain !/bin/bash DOMAIN=$1 echo "[+] Running reconnaissance on $DOMAIN" echo "[+] DNS Information:" dig +short $DOMAIN echo "[+] Checking crt.sh for subdomains:" curl -s "https://crt.sh/?q=%.$DOMAIN&output=json" | jq -r '.[].name_value' | sort -u ... integrate other tool calls here ...
Step-by-step guide: True threat intelligence is not about running a single tool but about synthesizing information. This conceptual bash script outlines an automated process. It takes a domain as input, performs a DNS lookup, and queries `crt.sh` for subdomains. A mature version would include calls to the VirusTotal and Shodan APIs, parsing the outputs into a consolidated report. This holistic view allows an analyst to confidently assess the risk level of a domain or IP address.
What Undercode Say:
- The democratization of powerful OSINT tools has fundamentally leveled the playing field, enabling blue teams to adopt an attacker’s mindset for proactive defense.
- The true value lies not in the individual data points each tool provides, but in the correlated narrative they create when combined.
The TryHackMe room exemplifies the critical shift from theoretical security to practical, hands-on skill application. The tools highlighted—VirusTotal, Shodan, CyberChef—are not novel, but their instructed application within a structured investigative workflow is what delivers genuine competency. This approach moves beyond checklist-based security and fosters the analytical thinking required to detect subtle anomalies and emerging threats that automated systems might miss. The room’s “Blue Team” label is slightly misleading; this is core reconnaissance work, essential for both offensive and defensive practitioners.
Prediction:
The standardization of these threat intelligence techniques will become deeply integrated into all layers of organizational security within five years, not just within dedicated SOC teams. We will see a rise in automated threat intelligence platforms that use AI to perform this correlation at scale, but human expertise will remain paramount for interpreting context and managing false positives. Furthermore, as defenses improve, threat actors will increasingly resort to more sophisticated obfuscation and move towards less monitored protocols like DNS over HTTPS (DoH) and decentralized infrastructure, making the skills of unraveling these connections even more valuable.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Laurent Minne – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


