
Utilizing whois for information gathering

When a domain gets registered, some specific contact information must be entered. You can elect to have this information publicly shown or pay a fee to have it hidden so that others can't see this personal information. This includes items such as the registrant's name, physical address, email address, and telephone number. Besides the contact information, there is other relevant information there, such as domain registration dates and assigned nameservers. All of this information can be useful.

Using whois against the company's domain allows us to see some of the pertinent information such as who maintains the DNS records and their contact information. Using the registration dates lets you know when the domain may expire, and you could use this information to potentially register it yourself when it expires, if the company forgets. This has happened to many high-profile sites in the past.

Here is a screenshot from whois for google.com related to the domain information:

Here is the contact information you can see from the whois screen as well:

Now, you can see here that whois provides some great information. What happens if you don't have a domain name but just an IP address? No problem! whois can be queried using an IP address. In fact, this is my favorite way to use whois because it gives you a couple of key items about the company. For example, it shows you the assigned network block that the particular IP falls within as well as the company's AS number. Next, I will show you how to use this AS number.

Here is a screenshot of whois with the IP address, so you can see it's quite different from looking up the domain name. I ran the following command to get the output:

whois -H 216.58.218.238

Let's go back to the AS number we found earlier. We can now take this number and find all the IP networks that are assigned to that company (both IPv4 and IPv6). This can also be done with whois and a few arguments, using a Unix pipe and grep to filter the output. Utilizing this tool is a great way to verify what the stakeholders told you they owned in terms of IP addresses, and to gain some additional attack surface. I have seen many circumstances where stakeholders forgot or were unaware of a network block they owned:
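The AS-number-to-netblock step described above, as an added example that is not from the book: it runs against constructed whois output so it works offline, and the live whois invocations it stands in for (the RADb route query via -h whois.radb.net in particular) are assumptions about tool syntax rather than something the chapter shows.

```shell
#!/bin/sh
# Added example, not the book's code: the chapter's "AS number -> netblocks"
# step run against constructed whois output so it works offline. The live
# queries it stands in for (assumed syntax, not from the book) are:
#   whois -H 216.58.218.238                         # ARIN record, has OriginAS:
#   whois -h whois.radb.net -- '-i origin AS64500'  # route objects for the ASN
# AS64500/AS64501 and the 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 and
# 2001:db8::/32 values are reserved documentation ranges used as placeholders.

# Constructed ARIN-style record for the IP lookup (only the fields we use).
sample_arin_output() {
  printf 'NetRange:       192.0.2.0 - 192.0.2.255\nCIDR:           192.0.2.0/24\nOriginAS:       AS64500\n'
}

# Constructed RADb-style route objects; the last one belongs to another
# origin and must be filtered out.
sample_radb_output() {
  cat <<'EOF'
route:          192.0.2.0/24
origin:         AS64500

route:          198.51.100.0/24
origin:         AS64500

route6:         2001:db8::/32
origin:         AS64500

route:          203.0.113.0/24
origin:         AS64501
EOF
}

# Extract the AS number from an ARIN netblock record on stdin.
origin_asn() { awk '/^OriginAS:/ { print $2; exit }'; }

# Print each route/route6 prefix whose origin is the given ASN, one per line.
# Objects are blank-line separated, so awk reads them in paragraph mode.
prefixes_for_asn() {
  awk -v asn="$1" 'BEGIN { RS = ""; FS = "\n" }
    { pfx = ""; org = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^route6?:/)      { sub(/^route6?:[ \t]*/, "", $i); pfx = $i }
        else if ($i ~ /^origin:/)  { sub(/^origin:[ \t]*/, "", $i); org = $i }
      }
      if (pfx != "" && org == asn) print pfx }'
}

# Chain the two steps, as the chapter does with a pipe and grep.
asn=$(sample_arin_output | origin_asn)
sample_radb_output | prefixes_for_asn "$asn"
```

Comparing the printed prefixes against the list the stakeholders gave you surfaces the forgotten network blocks the chapter mentions.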
