WHOIS Lookup


WHOIS lookup is one of the first practical steps in reconnaissance. It extracts ownership, registration, and infrastructure details about a domain or IP address from public records. This information helps map the target’s external footprint and reveals clues that guide later phases such as DNS enumeration, subdomain discovery, and infrastructure mapping.

WHOIS is passive from the target's point of view: the query goes to the registry or registrar WHOIS server for the TLD (or to a regional Internet registry such as ARIN or RIPE for an IP address), never to the target's own systems, so the target cannot detect it. The WHOIS server you query does see it, and most registries log and rate-limit queries, so bulk lookups should be throttled. For gTLDs ICANN has designated RDAP (the same data returned as JSON over HTTPS) as the successor to port-43 WHOIS; the fields discussed below are the same in either form.

What WHOIS Reveals

A WHOIS record typically contains:

  • Domain owner or organization

  • Administrative and technical contacts

  • Registrar

  • Name servers

  • Creation, update, and expiry dates

  • Domain status codes

  • DNS provider information

  • Hosting details for IP lookups

Each part helps you understand how the domain is structured and what systems support it.

Practical WHOIS Lookup Using Linux

WHOIS comes preinstalled on many Linux distributions, including Kali. If it is missing, install it using:

sudo apt install whois

Once installed, queries work in a simple format:

whois example.com

The client picks the registry server for the domain's TLD and prints the answer. For thin registries such as .com the registry only holds the registrar and name servers, so the client follows the referral and also prints the registrar's record, which carries the registrant fields; expect two records in the output. If the referral is not followed, or a particular server should be queried directly, name it with the -h option (whois -h followed by the server and the domain).

Understanding the Output

A typical WHOIS result includes several sections. The key parts are outlined below.

Domain Information Section

Domain Name: example.com
Registry Domain ID: XXXXXXXXXXXX
Registrar: XYZ Registrar
Creation Date: 2000-08-14T00:00:00Z
Updated Date: 2023-02-10T00:00:00Z
Registry Expiry Date: 2030-08-14T00:00:00Z

This section shows:

  • Domain age

  • Maintenance frequency

  • Expiry timeline

  • Registrar identity

Older domains are usually established, long-term assets, while a recently registered domain deserves a second look: phishing and short-lived campaign infrastructure is typically registered days or weeks before use. Treat age as a weak signal on its own, since attackers also buy aged domains to look established.

Registrant Section

Registrant Organization: Example Corp
Registrant Country: US
Registrant Email: admin@example.com

Since 2018 most registrars redact registrant contact data in response to GDPR (values read REDACTED FOR PRIVACY, or show a privacy-proxy address). Even a redacted record usually keeps the Registrant Organization, state and country, and it names the registrar and the privacy provider; historical WHOIS archives often hold the pre-redaction contacts for older domains.

Name Server Section

Name Server: ns1.example.net
Name Server: ns2.example.net

Name servers identify who manages the DNS infrastructure. This helps map hosting providers, cloud networks, and third-party platforms.

Domain Status Codes

Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited

These codes indicate:

  • Which EPP locks are set (client* codes are set by the registrar, server* codes by the registry, the latter usually meaning a paid registry-lock service)

  • Whether the domain can be transferred, updated or deleted without first being unlocked

  • Whether the domain is live or on hold (clientHold and serverHold remove it from the zone)

  • Whether the registration has expired or is being dropped

A corporate domain that lacks clientTransferProhibited is poorly protected against hijacking through a fraudulent transfer, which is a finding in itself. Statuses such as redemptionPeriod or pendingDelete mean the registration has lapsed: DNS records, mail and certificates that still point at the domain become takeover candidates once it drops.
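As an added example (not code from the original page), the following Python script parses a saved WHOIS record into fields and turns the sections above into the indicators a tester writes down: domain age, time to expiry, the lock and hold status codes, and the domains behind the name servers. The two records it runs on are constructed for the demo, not real registry data, and the registrable-domain logic assumes a two-label suffix, which is a simplification.

```python
import re
from datetime import datetime, timezone

# Constructed sample records (not real WHOIS output); the field names match what
# gTLD registry/registrar WHOIS servers return, so the parser also works on a
# saved `whois example.com > whois.txt` file.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registry Domain ID: 000000000_DOMAIN_COM-VRSN
Registrar: XYZ Registrar, Inc.
Creation Date: 2009-03-21T00:00:00Z
Updated Date: 2024-06-01T09:15:00Z
Registry Expiry Date: 2025-03-21T00:00:00Z
Registrant Organization: Example Corp
Registrant Country: US
Registrant Email: it.admin@corp-example.com
Name Server: NS1.MYCOMPANYDNS.COM
Name Server: NS2.MYCOMPANYDNS.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
DNSSEC: unsigned
>>> Last update of whois database: 2024-07-01T00:00:00Z <<<
"""

# Second constructed record: lapsed registration, contacts redacted.
EXPIRED_WHOIS = """\
Domain Name: OLD-PORTAL.NET
Registrar: XYZ Registrar, Inc.
Creation Date: 2015-10-02T00:00:00Z
Registry Expiry Date: 2024-06-10T00:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.OLD-PORTAL.NET
Domain Status: redemptionPeriod https://icann.org/epp#redemptionPeriod
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?):\s*(\S.*?)\s*$")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d")
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
REGISTRY_LOCKS = {"servertransferprohibited", "serverupdateprohibited", "serverdeleteprohibited"}
UNSTABLE = {"redemptionperiod", "pendingdelete", "clienthold", "serverhold"}


def parse_whois(text):
    """Map 'Key: value' lines to {key: [values]}; repeated keys such as
    Name Server and Domain Status accumulate in order. Comment and footer lines
    (>>> ... <<<, %, #) are skipped."""
    record = {}
    for line in text.splitlines():
        if line.lstrip().startswith((">>>", "%", "#")):
            continue
        m = FIELD_RE.match(line)
        if m:
            record.setdefault(m.group(1).strip(), []).append(m.group(2))
    return record


def parse_date(value):
    """Accept the common registry date spellings; return an aware UTC datetime or None."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def first_date(record, key):
    values = record.get(key)
    return parse_date(values[0]) if values else None


def assess(record, today=None):
    """Turn raw fields into the indicators a pentester notes down.
    `today` may be a 'YYYY-MM-DD' string so results are reproducible."""
    if today is None:
        today = datetime.now(timezone.utc)
    elif isinstance(today, str):
        today = parse_date(today)
    codes = {v.split()[0].lower() for v in record.get("Domain Status", [])}
    created = first_date(record, "Creation Date")
    expires = first_date(record, "Registry Expiry Date")
    name_servers = [ns.lower().rstrip(".") for ns in record.get("Name Server", [])]
    return {
        "domain": record.get("Domain Name", ["?"])[0].lower(),
        "registrar": record.get("Registrar", [None])[0],
        "age_days": (today - created).days if created else None,
        "days_to_expiry": (expires - today).days if expires else None,
        "status_codes": sorted(codes),
        "transfer_locked": bool(codes & TRANSFER_LOCKS),
        "registry_locked": bool(codes & REGISTRY_LOCKS),
        "unstable": sorted(codes & UNSTABLE),
        "name_servers": name_servers,
        # Assumption: the registrable domain is the last two labels. This is
        # wrong for suffixes such as co.uk, where a public-suffix list is needed.
        "ns_domains": sorted({".".join(ns.split(".")[-2:]) for ns in name_servers}),
        "redacted": any("REDACTED" in v.upper() for vals in record.values() for v in vals),
    }


if __name__ == "__main__":
    for text in (SAMPLE_WHOIS, EXPIRED_WHOIS):
        for key, value in assess(parse_whois(text), "2024-07-01").items():
            print(f"{key:>16}: {value}")
        print()
```

Run it against a real capture by replacing SAMPLE_WHOIS with the contents of whois.txt. A negative days_to_expiry together with redemptionPeriod is the lapsed-registration case described above, and transfer_locked being False on a production domain is worth reporting on its own.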

Practical WHOIS Lookup for IP Addresses

WHOIS also works with IP addresses. The query goes to the regional Internet registry (ARIN, RIPE NCC, APNIC, LACNIC or AFRINIC) that allocated the block, and the answer describes the organization or data center that holds the address range.

Example:

whois 142.250.183.206

Output typically includes:

  • Organization name

  • Abuse contact email

  • Network ranges

  • Country

  • Autonomous System Number (ASN)

IP WHOIS helps identify whether the target uses cloud hosting (AWS, Azure, GCP), shared hosting, or on-premise infrastructure. Check that the returned range actually contains the IP you asked about: if the client did not follow a referral you may be reading a parent allocation rather than the customer's block. Also remember that an IP belonging to a CDN or reverse-proxy provider such as Cloudflare or Akamai tells you only who fronts the site, not where the origin server lives.
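The following Python script is an added example, not code from the page. It reads an IP WHOIS answer in either ARIN or RIPE field spelling, normalises the fields that matter for recon (range, organization, net name, origin AS, abuse contact, country) and verifies that the returned block really contains the queried address. Both answers are constructed using documentation address ranges and reserved AS numbers, not real allocations.

```python
import ipaddress

# Constructed RIR answers (not real records) using documentation ranges:
# an ARIN-style block and a RIPE-style block, which use different field names.
ARIN_STYLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-CLOUD-NET
NetHandle:      NET-203-0-113-0-1
OriginAS:       AS64496
Organization:   Example Cloud LLC (EXC-1)
OrgName:        Example Cloud LLC
Country:        US
OrgAbuseEmail:  abuse@example-cloud.net
"""

RIPE_STYLE = """\
% Information related to '198.51.100.0 - 198.51.100.255'
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-HOSTING
descr:          Example Hosting GmbH
country:        DE
abuse-mailbox:  abuse@example-hosting.de
route:          198.51.100.0/24
origin:         AS64497
"""

# Map the per-RIR spellings onto one vocabulary.
FIELD_MAP = {
    "netrange": "range", "inetnum": "range",
    "cidr": "cidr", "route": "cidr",
    "netname": "netname",
    "orgname": "org", "org-name": "org", "descr": "org",
    "originas": "asn", "origin": "asn",
    "orgabuseemail": "abuse", "abuse-mailbox": "abuse",
    "country": "country",
}


def parse_rir(text):
    """Return a dict keyed by the normalised names in FIELD_MAP (first value wins).
    Empty values (ARIN prints 'OriginAS:' with nothing after it) are ignored."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in FIELD_MAP and value and FIELD_MAP[key] not in out:
            out[FIELD_MAP[key]] = value
    return out


def networks_of(fields):
    """Build ip_network objects from the CIDR field, falling back to the range
    (ARIN may list several comma-separated CIDRs for one allocation)."""
    if "cidr" in fields:
        return [ipaddress.ip_network(c.strip(), strict=False) for c in fields["cidr"].split(",")]
    if "range" in fields:
        lo, _, hi = fields["range"].partition("-")
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip())))
    return []


def summarize_ip_whois(ip, text):
    """The questions a recon run asks of an IP WHOIS answer: who holds the block,
    which AS announces it, where abuse reports go, and whether the answer actually
    covers the IP we asked about (a mismatch means a referral was not followed)."""
    fields = parse_rir(text)
    nets = networks_of(fields)
    addr = ipaddress.ip_address(ip)
    return {
        "ip": ip,
        "in_range": any(addr in n for n in nets),
        "networks": [str(n) for n in nets],
        "org": fields.get("org"),
        "netname": fields.get("netname"),
        "asn": fields.get("asn"),
        "abuse": fields.get("abuse"),
        "country": fields.get("country"),
    }


if __name__ == "__main__":
    for ip, text in (("203.0.113.77", ARIN_STYLE), ("198.51.100.9", RIPE_STYLE)):
        print(summarize_ip_whois(ip, text))
```

Feed it the saved output of whois followed by an address to get the same summary for a real block. When in_range comes back False, re-run the query against the RIR that the first answer refers to (whois -h with that RIR's server) before recording the owner.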

Using Online WHOIS Tools

When you cannot use terminal tools, online services provide equivalent data without active interaction:

  • whois.domaintools.com

  • who.is

  • lookup.icann.org (ICANN's RDAP-based lookup)

  • viewdns.info

From the target's perspective these are still passive: the service queries the registry on your behalf or serves a cached copy, and nothing reaches the target. The trade-off is that the third party sees what you are looking up, and cached results can be stale.

Practical Metadata Extraction From WHOIS

Once you obtain WHOIS output, extract actionable details. The following examples demonstrate how WHOIS data turns into intelligence.

Example 1: Identifying Subdomains From Name Servers

If the WHOIS record shows:

Name Server: ns1.mycompanydns.com

The domain mycompanydns.com is worth investigating in its own right, provided it belongs to the target or a vendor working for it rather than to a mass-market DNS host shared by thousands of unrelated customers. It can be checked for:

  • Additional subdomains

  • Shared infrastructure

  • Linked assets

Each confirmed link expands the attack surface.

Example 2: Finding Related Domains

If a WHOIS record contains:

Registrant Email: it.admin@corp-example.com

Search for other domains registered with the same email. A reverse WHOIS service (for example the reverse WHOIS feature on viewdns.info) is the direct route; a plain quoted search-engine query also catches pages and leaked records that mention the address:

"it.admin@corp-example.com"

This often uncovers:

  • Backup domains

  • Internal portals

  • Old or abandoned services

  • Testing environments

Example 3: Mapping Hosting Providers

If IP WHOIS reveals:

OrgName: Google LLC

That tells you the address is in Google's address space, not necessarily that the application runs on Google Cloud: read the NetName to tell customer ranges (net names containing GOOGLE-CLOUD) apart from Google's own service ranges, which is where the 142.250.183.206 query above lands. When it is a Cloud customer range, this leads to:

  • Cloud-based recon

  • Provider-specific service enumeration

  • Identifying misconfigured cloud resources

Example 4: Determining Domain Legitimacy

New domains with creation dates like:

Creation Date: 2024-11-10

may indicate:

  • Phishing sites

  • Fake login portals

  • Recently deployed malicious infrastructure

Older domains suggest established systems, but age alone proves nothing: expired domains with history are bought precisely because they look trustworthy, so combine the creation date with the registrar, name servers and certificate history before drawing a conclusion.

Practical Workflow for Pentesters

A structured WHOIS workflow improves accuracy and avoids missed information.

Step 1: Query WHOIS

whois targetdomain.com > whois.txt

Save output for analysis.

Step 2: Extract Key Indicators

Look for:

  • Registrant email

  • Organization

  • Name servers

  • Registrar

  • Domain age

  • Status codes

Step 3: Pivot on Discovered Data

Using extracted values:

  • Investigate registrant email

  • Enumerate name server domain

  • Search for other domains with the same registrant organization or name servers (reverse WHOIS); the registrar alone is not a useful pivot, since it serves millions of unrelated domains

  • Combine with DNS enumeration later

Step 4: Integrate With Other Recon Phases

WHOIS feeds into:

  • Subdomain discovery

  • Passive DNS

  • Technology identification

  • Employee mapping

It forms one of the first intelligence blocks in the full recon chain.
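The pivots in Examples 1 and 2 above and Steps 1 to 3 of this workflow amount to a local reverse WHOIS: index every saved record by its registrant email, registrant organization and name-server domain, then ask which other domains share an indicator with the seed. The Python script below is an added example, not part of the page. The four records in CORPUS are constructed, the SHARED_DNS list is a partial assumption about mass-market DNS hosts, and save_whois() shells out to the real whois client only when you call it.

```python
import subprocess

# Constructed mini-corpus of WHOIS answers (not real records), keyed by the
# domain that was queried; in practice each value is a saved `whois <domain>`.
CORPUS = {
    "corp-example.com": """\
Registrant Organization: Example Corp
Registrant Email: it.admin@corp-example.com
Name Server: NS1.MYCOMPANYDNS.COM
Name Server: NS2.MYCOMPANYDNS.COM
""",
    "corp-example-backup.net": """\
Registrant Organization: Example Corp
Registrant Email: it.admin@corp-example.com
Name Server: NS1.DOMAINCONTROL.COM
Name Server: NS2.DOMAINCONTROL.COM
""",
    "partner-portal.org": """\
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS3.MYCOMPANYDNS.COM
""",
    "unrelated-shop.com": """\
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.DOMAINCONTROL.COM
""",
}

# Assumption: a partial list of DNS hosts shared by huge numbers of unrelated
# customers; a match on these name servers says nothing about ownership.
SHARED_DNS = {"domaincontrol.com", "cloudflare.com", "registrar-servers.com"}
REDACTION_MARKERS = ("redacted", "privacy", "withheld", "rdds")


def parse_fields(text):
    """Minimal 'Key: value' parser; repeated keys accumulate."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            rec.setdefault(key.strip(), []).append(value.strip())
    return rec


def apex(host):
    # Assumption: last two labels; use a public-suffix list for co.uk-style suffixes.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def redacted(value):
    return any(marker in value.lower() for marker in REDACTION_MARKERS)


def indicators(record):
    """Pivotable facts from one record: registrant email and organization
    (unless redacted) and the apex of each name server (unless it is a
    mass-market DNS host). Registrar is deliberately excluded; it links
    millions of unrelated domains."""
    found = set()
    for email in record.get("Registrant Email", []):
        if not redacted(email):
            found.add(("email", email.lower()))
    for org in record.get("Registrant Organization", []):
        if not redacted(org):
            found.add(("org", org.lower()))
    for ns in record.get("Name Server", []):
        if apex(ns) not in SHARED_DNS:
            found.add(("ns", apex(ns)))
    return found


def build_index(corpus):
    """indicator -> set(domains) over every saved record: a local reverse WHOIS."""
    index = {}
    for domain, text in corpus.items():
        for ind in indicators(parse_fields(text)):
            index.setdefault(ind, set()).add(domain)
    return index


def pivot(index, seed):
    """Domains sharing at least one indicator with `seed`, with the linking facts."""
    related = {}
    for ind, domains in index.items():
        if seed in domains:
            for other in domains - {seed}:
                related.setdefault(other, set()).add(ind)
    return related


def save_whois(domain, path):
    """Step 1 of the workflow: run the real client and keep the raw output.
    Not used by the offline demo; needs network access and the whois package."""
    text = subprocess.run(["whois", domain], capture_output=True, text=True, timeout=60).stdout
    with open(path, "w") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    index = build_index(CORPUS)
    for domain, links in sorted(pivot(index, "corp-example.com").items()):
        print(domain, "<-", ", ".join(f"{k}={v}" for k, v in sorted(links)))
```

In the constructed corpus the backup domain is linked by email and organization, the partner portal only by the shared name-server domain, and the unrelated shop not at all, because everything it exposes is either redacted or a shared DNS host. The same filtering is what keeps a real reverse-WHOIS pivot from drowning in false positives.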

Common WHOIS Limitations and Workarounds

WHOIS sometimes hides data or provides incomplete information: registrant contacts are redacted for most domains, some ccTLD registries publish very little, and registries rate-limit or temporarily block heavy querying. Workarounds include:

  • Using historical WHOIS archives

  • Pivoting on name server information

  • Looking for registrant patterns

  • Using certificate transparency logs to fill gaps

  • Combining WHOIS with archive.org data

Even masked WHOIS records still expose enough to guide deeper investigation.

Intel Dump

  • WHOIS reveals domain ownership, age, registrar, and DNS infrastructure.

  • Practical WHOIS commands include whois domain.com and whois IP.

  • Output includes registrant data, creation dates, name servers, and status codes.

  • Name servers and registrant emails help discover related assets.

  • IP WHOIS identifies hosting providers and data center operators.

  • Online WHOIS tools act as passive alternatives to terminal commands.

  • Extracted details support subdomain discovery, DNS mapping, and cloud analysis.

  • WHOIS limitations are handled using historical datasets and cross-source pivots.
