Difference between revisions of "Whois"
(→1.0 - Picking a Server)
Revision as of 12:48, 4 September 2011
Whois is a unix command that allows you to determine the ownership of a domain name.
0.0 - Intro to Whois
Whois has been around for ages, it's like RFC3 or something. We're going to be using a good old fashioned whois client. Now, everyone knows you can just do: whois google.com
It will return a ton of data, sometimes personal information too. Whois is a bit more powerful then most people realize, most whois servers actually support fuzzy completion i.e: *.
1.0 - Picking a Server
In order to get this fuzzy completion to work, you're going to want to tell your whois client to talk directly to a whois server. So let's use ARIN's whois server, whois.arin.net. To tell your whois client to use it, use: whois -h whois.arin.net Anything after that, will be the query for whois.arin.net to process. I recommend using quotes around whatever you're searching for, otherwise you might not get the results you expected.
So for your most basic query, do something like: whois -h whois.arin.net "126.96.36.199"
As you can see above, it gives you some useful info like the size of the network that IP is in (useful for scans), also ARIN and all other registries keep unique identification on who owns blocks so you can use their TechHandle (above, ARINC4-ARIN) or AbuseHandle (above, APL8-ARIN) to look up their other IP blocks.
2.0 - Getting the information that you want
If you havn't noticed, you can send pretty much anything to the whois server. Go ahead and try: whois -h whois.arin.net "?". As you can see, it gives you some help messages that describe how to perform more advanced queries.
Here is an example of part of the output:
Query-by-record-type: To limit your query to a specific record type, include one of the following flags: n Network address space r CIDRized network space d Delegations a Autonomous systems p Points-of-contact o Organizations c End-user customers e Points-of-contact, organizations, end-user customers z All of the above
As you can see, you can limit (or "unlimit") the type of record you are searching for. When building an advanced query, this is the first thing you'll put, I usually use 'z', for "all of the above."
So far we have: whois -h whois.arin.net "z", not too exciting. Next thing we can filter by is record attribute:
Query-by-attribute: To limt your query to a specific record attribute, include one of the following flags: @<domain name> Searches for matches by domain-portion of an email address !<handle> Searches for matches by handle or id /<name> Searches for matches by name .<name> Searches for matches by name (Same as above, but some whois clients have problems with.)
This allows you to filter whois results by attribute type. So for example, if you want to search for POC's by email domain only, you can use 'p @ <domain>'
So lets say you want to look up every point of contact that had google.com in the email address attrbgute: whois -h whois.arin.net "p @ google.com"
3.0 - Domain Whois Example
Example whois of a domain:
$ whois blackhatacademy.org NOTICE: Access to .ORG WHOIS information is provided to assist persons in determining the contents of a domain name registration record in the Public Interest Registry registry database. The data in this record is provided by Public Interest Registry for informational purposes only, and Public Interest Registry does not guarantee its accuracy. This service is intended only for query-based access. You agree that you will use this data only for lawful purposes and that, under no circumstances will you use this data to: (a) allow, enable, or otherwise support the transmission by e-mail, telephone, or facsimile of mass unsolicited, commercial advertising or solicitations to entities other than the data recipient's own existing customers; or (b) enable high volume, automated, electronic processes that send queries or data to the systems of Registry Operator or any ICANN-Accredited Registrar, except as reasonably necessary to register domain names or modify existing registrations. All rights reserved. Public Interest Registry reserves the right to modify these terms at any time. By submitting this query, you agree to abide by this policy. Domain ID:D162985960-LROR Domain Name:BLACKHATACADEMY.ORG Created On:08-Aug-2011 05:45:24 UTC Last Updated On:30-Aug-2011 07:44:03 UTC Expiration Date:08-Aug-2012 05:45:24 UTC Sponsoring Registrar:Active Registrar, Inc. (R1709-LROR) Status:TRANSFER PROHIBITED Registrant ID:ACTR1108301286 Registrant Name:Whois Manager Registrant Organization:Whois Proof LLP Registrant Street1:PO Box 4120 Registrant Street2: Registrant Street3: Registrant City:Portland Registrant State/Province:OR Registrant Postal Code:97208-4120 Registrant Country:US Registrant Phone:+1.2024700599 Registrant Phone Ext.: Registrant FAX:+1.8663666681 Registrant FAX Ext.: Registrant Email:[email protected] Admin ID:ACTR1108306123 Admin Name:Whois Manager Admin Organization:Whois Proof LLP Admin Street1:PO Box 4120 Admin Street2: Admin Street3: Admin City:Portland Admin State/Province:OR Admin Postal Code:97208-4120 Admin Country:US Admin Phone:+1.2024700599 Admin Phone Ext.: Admin FAX:+1.8663666681 Admin FAX Ext.: Admin Email:[email protected] Tech ID:ACTR1108307067 Tech Name:Whois Manager Tech Organization:Whois Proof LLP Tech Street1:PO Box 4120 Tech Street2: Tech Street3: Tech City:Portland Tech State/Province:OR Tech Postal Code:97208-4120 Tech Country:US Tech Phone:+1.2024700599 Tech Phone Ext.: Tech FAX:+1.8663666681 Tech FAX Ext.: Tech Email:[email protected] Name Server:VERA.NS.CLOUDFLARE.COM Name Server:ED.NS.CLOUDFLARE.COM DNSSEC:Unsigned