WHOIS

WHOIS is an essential companion protocol to the Domain Name System (DNS), used to retrieve registration information about domains and IP addresses.

The WHOIS protocol is a request and response protocol that follows the RFC 3912 specification, used to retrieve information about the registration of domain names and IP addresses. WHOIS provides key administrative data such as the domain owner's contact information, the registrar, registration dates, and other relevant details.

Purpose: WHOIS allows users to look up the ownership details of a domain or IP address. This can include contact information, the registrar managing the domain, and the registration status.

Operation: A WHOIS query is initiated by sending a request to a WHOIS server, which listens on TCP port 43. The server responds with detailed information about the domain or IP address requested.

Structure: WHOIS queries are generally formatted in simple text, and the server's response is also text-based, listing information in a readable format.

Data Returned: A typical WHOIS query reveals:

  • Registrar Information: Identifies the company or entity responsible for registering and managing the domain.

  • Registrant Information: Displays the name, organization, address, phone number, and other contact details of the domain owner (unless hidden via a privacy service).

  • Registration Dates: Includes the creation, last update, and expiration dates of the domain.

  • Name Server: Lists the authoritative name servers to contact to resolve the domain name.

Privacy Considerations

  • To protect privacy, some registrars offer WHOIS privacy services that mask personal details of the domain owner.

  • Many WHOIS services take steps to protect email addresses from being harvested by automated tools, often redacting them to prevent abuse.

  • Many domain registrants subscribe to privacy services to hide their personal information, including email addresses, to avoid spam and protect their privacy.

Implementation: WHOIS operates alongside the Domain Name System (DNS) as a separate service and can be accessed through various WHOIS lookup tools and services online.

While many online services provide WHOIS information, it is generally faster and more efficient to use a local WHOIS client to perform queries directly through port 43.

Usability: The information gathered from WHOIS queries can help uncover new attack vectors, including social engineering or technical attacks. Example: the email server of the administrative contact or the listed DNS servers could become targets, provided they fall within the penetration test's scope and are owned by the client.
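As an added example (not code from the original page), a minimal Python client that builds the RFC 3912 request described above, parses a key/value reply into the fields listed under Data Returned, and flags registrant fields masked by a privacy service. The sample reply, the domain and the server names are constructed placeholders.

```python
import socket
# Constructed sample reply (not a real lookup), in the "Key: value" layout
# that registry and registrar WHOIS servers return over TCP port 43.
SAMPLE_REPLY = """\
Domain Name: EXAMPLE-PLACEHOLDER.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2019-03-04T10:00:00Z
Registry Expiry Date: 2025-03-04T10:00:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.EXAMPLE-PLACEHOLDER.TEST
Name Server: NS2.EXAMPLE-PLACEHOLDER.TEST
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""
# Phrases registrars commonly use when a privacy service hides registrant data.
REDACTION_MARKERS = ("redacted", "privacy", "rdds", "not disclosed")

def build_query(name: str) -> bytes:
    """RFC 3912 request: the queried name followed by CRLF, nothing else."""
    return name.strip().encode("ascii") + b"\r\n"

def parse_reply(text: str) -> dict:
    """Map 'Key: value' lines to a dict; repeated keys (name servers) become lists."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith((">>>", "%", "#")):
            continue  # comment, legal notice or trailer line, not a data field
        key, value = (part.strip() for part in line.split(":", 1))
        if key in fields:  # second occurrence of a key: promote it to a list
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields

def redacted_fields(fields: dict) -> list:
    """Registrant fields masked by a privacy service (see Privacy Considerations)."""
    return sorted(key for key, val in fields.items()
                  if key.startswith("Registrant") and isinstance(val, str)
                  and any(marker in val.lower() for marker in REDACTION_MARKERS))

def whois_query(name: str, server: str, port: int = 43) -> str:
    """Live RFC 3912 exchange: connect, send the query, read until the server closes."""
    with socket.create_connection((server, port), timeout=10) as sock:
        sock.sendall(build_query(name))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")
```

Feeding `parse_reply(whois_query("example.test", "whois.example"))` into a scheduled job that compares Registry Expiry Date and Name Server against expected values is a simple defensive use of the same data, catching a lapsing registration or an unexpected name server change.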

Usage

Command Line

whois [WEBSITE]

Websites

There are various websites that provide WHOIS information and leverage this protocol. Simply search 'WHOIS' on Google. Here are two examples:

  • Whois.com - Domain Names & Identity for Everyone
  • WHOIS Search, Domain Name, Website, and IP Tools - Who.is

Reference

  • RFC 3912: https://www.ietf.org/rfc/rfc3912.txt