Questions about this topic? Sign up to ask in the talk tab.

Whois

From NetSec
Revision as of 19:07, 22 May 2012 by LashawnSeccombe (Talk | contribs) (Getting the information that you want)

Jump to: navigation, search

Whois is a unix command that allows you to determine the ownership of a domain name.

Lesson

Intro to Whois

It is possible to perform a whois by typing:

Terminal

localhost:~ $ whois google.com

It will return a ton of data, sometimes personal information too.

  • Whois is a bit more powerful than most people realize, most whois servers actually support fuzzy completion i.e: *.

Picking a Server

In order to get this fuzzy completion to work, you're going to want to tell your whois client to talk directly to a whois server. So let's use ARIN's whois server, whois.arin.net. To tell your whois client to use it, use: whois -h whois.arin.net Anything after that, will be the query for whois.arin.net to process. I recommend using quotes around whatever you're searching for, otherwise you might not get the results you expected.

So for your most basic query, do something like: whois -h whois.arin.net "4.2.2.1"

[Querying whois.arin.net]
[whois.arin.net]
#
# Query terms are ambiguous.  The query is assumed to be:
#     "n 4.2.2.1"
#
# Use "?" to get help.
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=4.2.2.1?showDetails=true&showARIN=true
#

NetRange:       4.0.0.0 - 4.255.255.255
CIDR:           4.0.0.0/8
OriginAS:       
NetName:        LVLT-ORG-4-8
NetHandle:      NET-4-0-0-0-1
Parent:         
NetType:        Direct Allocation
RegDate:        1992-12-01
Updated:        2009-06-19
Ref:            http://whois.arin.net/rest/net/NET-4-0-0-0-1

OrgName:        Level 3 Communications, Inc.
OrgId:          LVLT
Address:        1025 Eldorado Blvd.
City:           Broomfield
StateProv:      CO
PostalCode:     80021
Country:        US
RegDate:        1998-05-22
Updated:        2011-08-03
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
Ref:            http://whois.arin.net/rest/org/LVLT

OrgTechHandle: TPL1-ARIN
OrgTechName:   Tech POC LVLT
OrgTechPhone:  +1-877-453-8353 
OrgTechEmail:  [email protected]
OrgTechRef:    http://whois.arin.net/rest/poc/TPL1-ARIN

OrgAbuseHandle: APL8-ARIN
OrgAbuseName:   Abuse POC LVLT
OrgAbusePhone:  +1-877-453-8353 
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    http://whois.arin.net/rest/poc/APL8-ARIN

OrgTechHandle: ARINC4-ARIN
OrgTechName:   ARIN Contact
OrgTechPhone:  +1-800-436-8489 
OrgTechEmail:  [email protected]
OrgTechRef:    http://whois.arin.net/rest/poc/ARINC4-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

As you can see above, it gives you some useful info like the size of the network that IP is in (useful for scans), also ARIN and all other registries keep unique identification on who owns blocks so you can use their TechHandle (above, ARINC4-ARIN) or AbuseHandle (above, APL8-ARIN) to look up their other IP blocks.

Getting desired information

If you haven't noticed, you can send pretty much anything to the whois server. Go ahead and try: whois -h whois.arin.net "?". As you can see, it gives you some help messages that describe how to perform more advanced queries.

Here is an example of part of the output:

Query-by-record-type:
To limit your query to a specific record type, include one of the following flags:
n	Network address space
r	CIDRized network space
d	Delegations
a	Autonomous systems
p	Points-of-contact
o	Organizations
c	End-user customers
e	Points-of-contact, organizations, end-user customers
z	All of the above

As you can see, you can limit (or "unlimit") the type of record you are searching for. When building an advanced query, this is the first thing you'll put, I usually use 'z', for "all of the above."

So far we have: whois -h whois.arin.net "z", not too exciting. Next thing we can filter by is record attribute:

Query-by-attribute:
To limit your query to a specific record attribute, include one of the following flags: 
@<domain name>	Searches for matches by domain-portion of an email address
!<handle> 		Searches for matches by handle or id
/<name>			Searches for matches by name
.<name>			Searches for matches by name (Same as above, but some whois clients have problems with.)

This allows you to filter whois results by attribute type. So for example, if you want to search for POC's by email domain only, you can use 'p @ <domain>'

So lets say you want to look up every point of contact that had google.com in the email address attrbgute: whois -h whois.arin.net "p @ google.com"

[Querying whois.arin.net]
[whois.arin.net]
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/pocs;domain=google.com?showDetails=true
#

ABUSE2410-ARIN (ABUSE2410-ARIN) [email protected] +1-650-318-0200
ABUSE2410-ARIN (NETWO80-ARIN) [email protected] +1-650-318-0200
AdMob Network Operations (ANO60-ARIN) [email protected] +1-650-253-0000
AXELROD, Michael  (MAX1-ARIN) [email protected] +1-650-253-0000
Barkan, Ari  (ABA104-ARIN) [email protected] +1-310-468-1622
Barkan, Ari  (ABA105-ARIN) [email protected] +1-310-460-4012
Chittimaneni, Kiran Kumar (KKC9-ARIN) [email protected] +1-650-253-3000
Fong, Zhen Elizabeth (ZEF-ARIN) [email protected] +1-626-243-3341
GC Abuse (GCABU-ARIN) [email protected] +1-650-253-0000
Google Apps (GOOGL-ARIN) [email protected] +1-650-253-0000
Google Inc (ZG39-ARIN) [email protected] +1-650-253-0000
Google Numbers Administration (GNA34-ARIN) [email protected] +1-650-253-0000
Higgin, Shawn Sr. NetEng  (SHI68-ARIN) [email protected] +1-408-728-6140
Katenin, Gleb  (KATEN-ARIN) [email protected] +353 (1) 543-2163
kwon, david  (DKW2-ARIN) [email protected] +1-650-253-1322
LAPERRIERE, SYLVIE  (SLA183-ARIN) [email protected] +1-514-670-8739
NETWORK ADMIN (NETWO4063-ARIN) [email protected] +1-320-629-8001
Network Administration (NETWO2832-ARIN) [email protected] +1-650-486-8100
Network Administration (NETWO81-ARIN) [email protected] +1-650-318-0200
Network Engineering (NETWO2831-ARIN) [email protected] +1-650-486-8100
Network Engineering Corp (NEC10-ARIN) [email protected] +1-650-214-6513
Ng, Tony  (TNG31-ARIN) [email protected] +1-650-253-2576
Simmon, Matt  (MSI136-ARIN) [email protected] +1-734-332-6874
Socolow, Paul  (PSO26-ARIN) [email protected] +1-310-468-1622
Weaver, Tracy  (TWE97-ARIN) [email protected] +1-734-276-4794


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Domain Whois Example

Example whois of a domain:

$ whois blackhatacademy.org

  NOTICE: Access to .ORG WHOIS information is provided to assist persons in 
  determining the contents of a domain name registration record in the Public Interest Registry
  registry database. The data in this record is provided by Public Interest Registry
  for informational purposes only, and Public Interest Registry does not guarantee its 
  accuracy.  This service is intended only for query-based access.  You agree 
  that you will use this data only for lawful purposes and that, under no 
  circumstances will you use this data to: (a) allow, enable, or otherwise 
  support the transmission by e-mail, telephone, or facsimile of mass 
  unsolicited, commercial advertising or solicitations to entities other than 
  the data recipient's own existing customers; or (b) enable high volume, 
  automated, electronic processes that send queries or data to the systems of 
  Registry Operator or any ICANN-Accredited Registrar, except as reasonably 
  necessary to register domain names or modify existing registrations.  All 
  rights reserved. Public Interest Registry reserves the right to modify these terms at any 
  time. By submitting this query, you agree to abide by this policy. 

  Domain ID:D162985960-LROR
  Domain Name:BLACKHATACADEMY.ORG
  Created On:08-Aug-2011 05:45:24 UTC
  Last Updated On:30-Aug-2011 07:44:03 UTC
  Expiration Date:08-Aug-2012 05:45:24 UTC
  Sponsoring Registrar:Active Registrar, Inc. (R1709-LROR)
  Status:TRANSFER PROHIBITED

  Registrant ID:ACTR1108301286
  Registrant Name:Whois Manager
  Registrant Organization:Whois Proof LLP
  Registrant Street1:PO Box 4120
  Registrant Street2:
  Registrant Street3:
  Registrant City:Portland
  Registrant State/Province:OR
  Registrant Postal Code:97208-4120
  Registrant Country:US
  Registrant Phone:+1.2024700599
  Registrant Phone Ext.:
  Registrant FAX:+1.8663666681
  Registrant FAX Ext.:
  Registrant Email:[email protected]

  Admin ID:ACTR1108306123
  Admin Name:Whois Manager
  Admin Organization:Whois Proof LLP
  Admin Street1:PO Box 4120
  Admin Street2:
  Admin Street3:
  Admin City:Portland
  Admin State/Province:OR
  Admin Postal Code:97208-4120
  Admin Country:US
  Admin Phone:+1.2024700599
  Admin Phone Ext.:
  Admin FAX:+1.8663666681
  Admin FAX Ext.:
  Admin Email:[email protected]

  Tech ID:ACTR1108307067
  Tech Name:Whois Manager
  Tech Organization:Whois Proof LLP
  Tech Street1:PO Box 4120
  Tech Street2:
  Tech Street3:
  Tech City:Portland
  Tech State/Province:OR
  Tech Postal Code:97208-4120
  Tech Country:US
  Tech Phone:+1.2024700599
  Tech Phone Ext.:
  Tech FAX:+1.8663666681
  Tech FAX Ext.:
  Tech Email:[email protected]

  Name Server:VERA.NS.CLOUDFLARE.COM
  Name Server:ED.NS.CLOUDFLARE.COM

  DNSSEC:Unsigned