Whois Reconnaisance

Overview

The Whois protocol goes back the early days of the Internet. A Whois query is a database search, to a Whois server on TCP port 43, and it is used to resolve contact information about domain names, ip address blocks, and Autonomous System numbers. Information about registered domain name owners and their contact information is stored within a Whois database. Each domain name registrar is required to keep a Whois database with the contact information of the domains they host. There are also centralized Whois database servers maintained through the InterNIC.

Whois searches are typically done from a command line program (Linux/Unix) or a Web browser through publicly available websites that offer the service (Windows). The types of information that can be gathered from a Whois search is:

  • Registrar – The company who registered the domain name
  • Whois server – The URL
  • Nameservers – for the domain name in question
  • Expiration date
  • Registrant name – Who registered the domain
  • Email address
  • Address – Registrant address
  • IP address
  • Technical Contact
  • Telephone Number
  • Fax Number

 

Although domain names are not private many registrars will offer “Whois protection” for an extra annual fee. This protection amounts to having the registrar’s contact information resolve within Whois searches, instead of the registrant’s. Aside from providing a modest level of privacy, hackers can still use a Whois search as a reconnaissance tool to learn more about an organization, its contacts, dns servers and registered ip addresses.

A Whois search can be done from the command line or from a website interface by providing a domain name or an ip address:

        #whois examplebusiness.com

or,
#whois <ip address>

ICANN itself has identified the Whois service as a target of spammers harvesting email addresses (see: http://www.icann.org/en/committees/security/sac023.pdf) and has implemented captcha systems to stop automated Whois information harvesting. Regardless, Whois is a tool that can still reveal information valuable to somebody engaging in organizational reconnaissance.

For more information on Whois: http://en.wikipedia.org/wiki/Whois

Author: Dan

Dan teaches computer networking and security classes at Central Oregon Community College.

Leave a Reply

Your email address will not be published. Required fields are marked *