- Mastering Kali Linux for Advanced Penetration Testing (Second Edition)
- Vijay Kumar Velu
- 2021-07-02 21:04:20
The whois command
The first step in researching the IP address space is to identify the addresses that are assigned to the target site. This is usually accomplished by using the whois command, which allows people to query databases that store information on the registered users of an internet resource, such as a domain name or IP address. Depending on the database that is queried, the response to a whois request will provide names, physical addresses, phone numbers, and email addresses (useful in facilitating social engineering attacks), as well as IP addresses and DNS server names.
An attacker can use information from a whois query to:
- Support a social engineering attack against the location or persons identified in the query
- Identify a location for a physical attack
- Identify phone numbers that can be used for a war dialing attack, or to conduct a social engineering attack
- Conduct recursive searches to locate other domains hosted on the same server as the target or operated by the same user; if they are insecure, an attacker could exploit them to gain administrative access to the server, and then compromise the target server. In cases where the domain is due to expire, an attacker could attempt to seize the domain, and create a look-alike website to compromise visitors who think they are on the original website.
- Use the authoritative DNS servers, which hold the records for lookups of that domain, to facilitate DNS reconnaissance
Note that there has been an increase in the use of third parties to shield this data, and some domains, such as .gov and .mil, may not be accessible to the public.
Requests to these domains are usually logged. There are several online lists available that describe domains and IP addresses assigned for government use; most tools accept options for "no contact" addresses, and government domains should be entered into these fields to avoid the wrong type of attention!
The easiest way to issue a whois query is from the command line. The following screenshot shows the whois command run against the domain of cyberhia.com:

The returned whois record contains geographical information, names, and contact information – all of which can be used to facilitate a social engineering attack.
There are several websites that automate whois lookup enquiries, and attackers can use those sites to insert a step between the target and themselves; however, the site doing the lookup may log the requester's IP address.
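A defender can review the same data for their own domains. The following Python sketch is an added example, not code from the book: it parses a constructed whois record and reports which contact fields are unshielded, how many days remain before expiry, and which name servers are published. The field names follow the common gTLD record layout and example.test is a placeholder; real registries vary in format.

```python
import re
from datetime import datetime, timezone

# Constructed sample record (placeholder domain, not real whois output).
SAMPLE = """\
Domain Name: EXAMPLE.TEST
Registry Expiry Date: 2030-01-20T12:00:00Z
Registrant Name: Jane Doe
Registrant Street: 1 Example Road
Registrant Phone: +1.5555550100
Registrant Email: jane.doe@example.test
Admin Name: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
"""

# Contact fields of the kind the text lists: names, addresses, phones, emails.
CONTACT = re.compile(r"^(Registrant|Admin|Tech|Billing) (Name|Street|Phone|Email)$")
# Values that indicate a third-party privacy or proxy service (assumed wording).
SHIELDED = re.compile(r"redacted|privacy|proxy|withheld", re.I)

def parse(record):
    """Split 'Key: value' lines into (key, value) pairs; keys may repeat."""
    pairs = []
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(record, now, warn_days=60):
    """Return exposed contact fields, days to expiry, and name servers."""
    exposed, servers, days_left = [], [], None
    for key, value in parse(record):
        if CONTACT.match(key) and not SHIELDED.search(value):
            exposed.append(key)
        elif key == "Name Server":
            servers.append(value.lower())
        elif key == "Registry Expiry Date":
            expiry = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            days_left = (expiry.replace(tzinfo=timezone.utc) - now).days
    return {"exposed": exposed, "days_left": days_left,
            "expiring_soon": days_left is not None and days_left <= warn_days,
            "name_servers": servers}

if __name__ == "__main__":
    print(audit(SAMPLE, datetime.now(timezone.utc)))
```

Fields reported under `exposed` are candidates for a registrar privacy service or a role-based contact, and `expiring_soon` flags a domain that should be renewed before it lapses.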