# WHOIS
## Overview

WHOIS is a query and response protocol (plain TCP, port 43) used to retrieve registration records for domain names, IP addresses, and autonomous systems from the public databases maintained by domain registries and registrars and by the regional internet registries (RIRs).
## Category

#reconnaissance #osint #passive-recon
## Phase

Reconnaissance
## Purpose

- Look up domain ownership (registrant name, organization, email)
- Find registration and expiration dates
- Identify name servers and the sponsoring registrar
- Discover associated IP ranges and ASNs
- Map organizational infrastructure
## Basic Usage

```bash
# Domain lookup
whois example.com

# IP address lookup
whois 93.184.216.34

# Pipe to grep for quick hits (-E for portable alternation)
whois example.com | grep -iE "registrant|email|name server"
```
## Key Fields to Note

| Field | What It Reveals |
|---|---|
| Registrant Name/Org | Who owns the domain |
| Registrant Email | Contact point, useful for phishing recon |
| Name Servers | DNS infrastructure |
| Creation Date | Domain age (older = more trusted) |
| Expiry Date | Potential domain squatting opportunity |
| Registrar | Which registrar manages it |
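The following script is an added example, not part of the original note: it speaks the raw WHOIS protocol (one query line over TCP/43, read until the server closes), then pulls the fields from the table above out of the response. It also flags two things the Limitations below touch on, namely redacted contact data and an upcoming expiry date, which is the same check a defender runs on their own domains to catch lapses. The field labels, the redaction phrases, and the sample record are assumptions and constructed data; real labels vary by registry and registrar.

```python
"""Minimal WHOIS client plus key-field extractor (added example).
Label spellings, redaction phrases and SAMPLE_RECORD are assumptions."""
import re
import socket
import sys
from datetime import datetime, timezone

WHOIS_PORT = 43  # RFC 3912: plain TCP, one query line terminated by CRLF

# Labels as they commonly appear in registrar output (exact, case-insensitive
# match on the text before the first colon). Extend per TLD/registrar.
KEY_FIELDS = {
    "registrant_name": ("registrant name",),
    "registrant_org": ("registrant organization",),
    "registrant_email": ("registrant email",),
    "name_servers": ("name server",),
    "creation_date": ("creation date", "created"),
    "expiry_date": ("registry expiry date", "expiration date"),
    "registrar": ("registrar",),
}
# Placeholder text registries put in contact fields when data is withheld
# (GDPR / ICANN Temporary Specification). Assumed patterns, extend as needed.
REDACTION = re.compile(r"redacted|please query the rdds", re.IGNORECASE)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d")

# Constructed sample in the usual .com registry layout (not a real record).
SAMPLE_RECORD = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar URL: http://www.example-registrar.test
   Updated Date: 2024-08-14T07:01:34Z
   Creation Date: 1995-08-14T04:00:00Z
   Registry Expiry Date: 2025-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Registrar Abuse Contact Email: abuse@example-registrar.test
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
   DNSSEC: signedDelegation
"""


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one WHOIS query and return the raw response text (RFC 3912)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:  # the server closes the connection when it is done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(record: str) -> dict:
    """Extract the key fields; name_servers is a list, others keep first hit."""
    label_to_key = {lbl: key for key, labels in KEY_FIELDS.items() for lbl in labels}
    fields = {"name_servers": []}
    for line in record.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        key = label_to_key.get(label.strip().lower())
        if key is None:
            continue
        if key == "name_servers":
            fields["name_servers"].append(value.strip().lower())
        else:
            fields.setdefault(key, value.strip())
    return fields


def parse_date(value: str):
    """Parse the spellings in DATE_FORMATS as UTC; None if unrecognised."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def summarize(record: str, now, warn_days: int = 30) -> dict:
    """Parsed fields plus: are contacts redacted, does it expire within warn_days?
    `now` may be a tz-aware datetime or a date string in DATE_FORMATS."""
    if isinstance(now, str):
        now = parse_date(now)
    fields = parse_whois(record)
    contact_keys = ("registrant_name", "registrant_org", "registrant_email")
    contact = " ".join(fields.get(k, "") for k in contact_keys)
    expiry = parse_date(fields.get("expiry_date", ""))
    days_left = (expiry - now).days if expiry else None
    return {
        **fields,
        "redacted": bool(REDACTION.search(contact)),
        "days_until_expiry": days_left,
        "expiry_warning": days_left is not None and days_left <= warn_days,
    }


if __name__ == "__main__":
    # usage: whois_fields.py <domain> <whois-server>; no args parses the sample
    raw = whois_query(sys.argv[2], sys.argv[1]) if len(sys.argv) == 3 else SAMPLE_RECORD
    for k, v in summarize(raw, datetime.now(timezone.utc)).items():
        print(f"{k:>18}: {v}")
```

Run it without arguments to see the sample parsed; with a domain and the registry's WHOIS server it queries live. The first hit wins for single-value fields because registries print "Registry Expiry Date" before any registrar-side expiry line, and an exact label match avoids "Registrar URL" or "Registrar Abuse Contact Email" being mistaken for the registrar name.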
## Online Tools

- who.is
- ARIN — for IP/ASN (North America)
- RIPE NCC — for Europe/Middle East/Central Asia
- ICANN Lookup
## Limitations

- GDPR has caused many registrars to redact personal info (WHOIS Privacy)
- Results may be outdated or masked by proxy services
## OPSEC Notes

WHOIS queries may be logged by the registry. Use a VPN or Tor for sensitive lookups. Prefer online tools over direct CLI for passive recon.
## Related Tools

- Maltego — visualizes WHOIS data in graphs
- Google Dorking — passive recon companion
- Nmap — active follow-up after domain/IP recon
## Tags

#ethical-hacking #reconnaissance #osint #passive