
Gathering and validating domain and IP information

When a person or corporate entity registers a domain name, a lot of information is gathered about the registrant. Depending on the registration privacy settings, you can collect this information and use it to verify your IP space, to find other sites owned by the same individual or corporation, or even to obtain phone numbers and addresses of key employees. This type of reconnaissance is considered passive because it does not directly contact client-owned assets to pull information.

We will need to locate the registrar that the domain has been registered with to obtain useful information. Here is a listing of the top registrars.

Gathering information with whois

Domain and IP space registration information can be found by using whois.

Note

Be aware of the specific restrictions and rules that you need to abide by when using whois. For example, you are not allowed to automate your queries or to use the results for commercial or personal gain. Read the legal text headers that appear when you run a simple whois example.com query from the command line. Heed the warnings and follow the rules.

The most basic usage of whois is as follows:

# whois example.com 

This will perform a quick lookup of the example.com domain and provide you with the following information:

  • Whois usage agreements and legal headers
  • Domain name
  • Registrar the domain name is registered with
  • Whois server that was used
  • The primary DNS nameservers associated with the domain
  • Domain creation and expiration dates
  • Registrant information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address
  • Assigned domain administrator information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address
  • Domain billing contact information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address
  • Domain technical contact information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address

Specifying which registrar to use

There may be times when you will need to specify which registrar (whois server) you would like to query. whois makes this simple with the -h (connect to host) option:

# whois -h whois.apnic.net 192.0.43.10 

Where in the world is this IP?

You can use whois to find the originating country an IP address is assigned to:

# whois -h whois.arin.net 192.0.43.10 | grep Country: 

Here we used the -h option to query whois.arin.net for the record associated with 192.0.43.10, because we specifically wanted the country information for this IP, and piped the result through grep to pull out the Country: row. The resulting output indicates that this IP address is located in the United States of America:

Country: US

Tip

You will find the output format will vary from one registrar to the next. Take some time and get familiar with the different outputs so that you know what to grep for in the future. This could potentially save you a lot of time in the long run.

Defensive measures

When you or your clients register domains, you should opt in to the privacy options. These restrict the information that is available to the public: the registrant, administrative, billing, and technical contact data is replaced with the details of your privacy proxy. If a situation arises in which someone needs to get in contact with you, they contact your proxy, who in turn lets you know that there is an issue that needs to be addressed.
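The following is an added example, not code from the book, that ties together the earlier sections: it parses whois output offline into the fields listed under the basic whois usage (registrar, whois server, name servers, creation and expiry dates, contacts, country), normalises the key names so that the registrar-to-registrar format differences mentioned in the Tip do not matter, and, for the defensive measure above, checks whether a domain's registrant fields actually show the privacy proxy's details rather than real contact data. All records below are constructed samples modelled on the two common layouts (the "Key: Value" style of domain registrars and the lowercase "key:  value" style of the RIRs); the hostnames, organisation names, and the PROXY_MARKERS list are assumptions, not values from any real registrar.

```python
"""Offline parser for whois records: extracts the fields the text lists and
flags whether registrant details are hidden behind a privacy proxy.
Added example; the sample records are constructed, not real whois output."""
import re
from typing import Dict, List, Optional

# Constructed sample: a domain record whose registrant uses a privacy proxy.
DOMAIN_RECORD_PROXIED = """\
% Terms of Use: this data is provided for lawful purposes only and
% may not be used to support automated queries or bulk collection.
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Registrar WHOIS Server: whois.example-registrar.test
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2030-08-13T04:00:00Z
Name Server: NS1.EXAMPLE-REGISTRAR.TEST
Name Server: NS2.EXAMPLE-REGISTRAR.TEST
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Proxy Services Inc.
Registrant Email: contact@privacy-proxy.test
Registrant Country: US
Admin Name: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
"""

# Constructed sample: same layout, but the registrant did not opt in to privacy.
DOMAIN_RECORD_EXPOSED = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, LLC
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Phone: +1.5555550100
Registrant Country: CA
"""

# Constructed sample: RIR-style IP record (192.0.2.0/24 is the TEST-NET-1 range).
IP_RECORD = """\
% [whois.apnic.net]
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Constructed sample allocation
country:        AU
admin-c:        XX1-AP
"""

# Assumption: substrings a privacy proxy typically puts in registrant fields.
# Exact wording varies by proxy service, so extend this list for your own checks.
PROXY_MARKERS = ("redacted", "privacy", "proxy", "withheld")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn whois output into {normalised key: [values]}.
    Legal/comment lines (starting with % or #) and lines without a colon are
    skipped; keys are lower-cased with whitespace collapsed so 'Registrant Country'
    and 'country' are matched the same way; repeated keys (Name Server) accumulate."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue
        key, _, value = line.partition(":")  # split on the first colon only
        key = re.sub(r"\s+", " ", key.strip().lower())
        if value.strip():
            record.setdefault(key, []).append(value.strip())
    return record


def first(record: Dict[str, List[str]], *keys: str) -> Optional[str]:
    """Return the first value found under any of the candidate key spellings."""
    for k in keys:
        if k in record:
            return record[k][0]
    return None


def country_of(record: Dict[str, List[str]]) -> Optional[str]:
    """Return the country code whether the registrar labelled it 'country' or
    'Registrant Country' (the manual equivalent of the grep Country: step)."""
    for key in record:
        if key == "country" or key.endswith(" country"):
            return record[key][0].upper()
    return None


def registrant_is_redacted(record: Dict[str, List[str]]) -> bool:
    """True when the registrant fields carry proxy/redaction markers, i.e. the
    privacy option took effect and no real contact data is exposed."""
    for key, values in record.items():
        if key.startswith("registrant"):
            if any(m in v.lower() for v in values for m in PROXY_MARKERS):
                return True
    return False


def summarize(text: str) -> dict:
    """Collect the fields the text lists into one dictionary."""
    rec = parse_whois(text)
    return {
        "domain": first(rec, "domain name"),
        "registrar": first(rec, "registrar"),
        "whois_server": first(rec, "registrar whois server", "whois server"),
        "created": first(rec, "creation date", "created"),
        "expires": first(rec, "registry expiry date", "expiration date", "expiry date"),
        "name_servers": [ns.lower() for ns in rec.get("name server", [])],
        "country": country_of(rec),
        "registrant_redacted": registrant_is_redacted(rec),
    }


if __name__ == "__main__":
    for label, text in (("proxied", DOMAIN_RECORD_PROXIED),
                        ("exposed", DOMAIN_RECORD_EXPOSED),
                        ("ip", IP_RECORD)):
        print(label, summarize(text))
```

In practice you would feed `summarize()` the saved output of a single manual `whois` run rather than querying in a loop, which keeps you inside the automation restrictions in the legal headers. The `registrant_redacted` flag is the check to run against your own domains after enabling the registrar's privacy option: if it comes back False, the real contact data is still public.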
