whois
The whois tool provides automated domain name and IP address lookups, facilitating essential reconnaissance within security workflows. It enables users to gather crucial information about domain ownership and network details, streamlining the information-gathering phase in cybersecurity assessments.
Ideal Use Cases & Fit
The whois tool excels in scenarios requiring detailed domain or IP information, such as:
- Conducting initial reconnaissance during penetration testing.
- Validating domain ownership and gathering registration details prior to domain-related assessments.
- Enriching threat intelligence by correlating domains and IPs with known malicious activities.
It performs best when fed with lists of domain names or IP addresses. Output format and available fields vary by registry, and many registries redact contact details, so downstream parsing should tolerate missing fields. The tool is less suitable for live monitoring or real-time data collection, where more dynamic approaches are needed.
Value in Workflows
Incorporating the whois tool into security workflows enhances the reconnaissance phase by automating the collection of domain and IP information. It provides valuable insights that can inform attack vectors, strengthen security postures, and guide further investigation steps. By automating data collection, teams can focus on analysis rather than manual lookups, improving efficiency and accuracy.
Input Data
The whois tool expects a newline-separated list of domains or IP addresses as input. This data is essential for targeting specific entities during the lookup process.
Example:
example.com
8.8.8.8
example.org
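As an added example (not part of this page or the tool itself), a Python sketch of both ends of this workflow: parsing the newline-separated input list above, and parsing a constructed whois reply into the fields a threat-intelligence enrichment step typically keys on (registrar, name servers, domain age). The sample reply, the field names and the 30-day "newly registered" threshold are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of a registrar whois reply (not real registration data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2024-11-02T10:15:00Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
>>> Last update of whois database: 2024-11-20T00:00:00Z <<<
"""

def parse_targets(text):
    """Split the newline-separated input into (kind, value) pairs; skip blanks and '#' comments."""
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ipaddress.ip_address(line)          # valid IPv4/IPv6 literal
            targets.append(("ip", line))
        except ValueError:
            targets.append(("domain", line.lower()))
    return targets

def parse_whois(raw):
    """Collect 'Key: value' lines into a dict of lists (keys repeat, e.g. Name Server)."""
    fields = {}
    for line in raw.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), []).append(m.group(2))
    return fields

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def enrich(fields, now_iso=None, young_days=30):
    """Derive enrichment indicators; every field is optional because registries redact or omit data."""
    created = fields.get("creation date")
    now = _ts(now_iso) if now_iso else datetime.now(timezone.utc)
    age = (now - _ts(created[0])).days if created else None
    return {"registrar": fields.get("registrar", [None])[0],
            "name_servers": [ns.lower() for ns in fields.get("name server", [])],
            "age_days": age, "newly_registered": age is not None and age < young_days}
```

Date formats differ between registries (many do not use the ISO form assumed in `_ts`), so a production parser needs per-registry handling.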
Configuration
- server: Specifies a custom server host for the lookup.
- port: Sets a custom port number for the connection.
- iana-referral: Queries IANA first and follows its referral to the authoritative whois server for the name or address.
- no-recursion: Disables recursion from registry to registrar servers.
- exact-match: Ensures exact matches for searches against RIPE-like servers.
- show-emails: Turns off object filtering to display email addresses.
- no-grouping: Disables grouping of associated objects for clarity.
- dns-reverse: Includes DNS reverse delegation objects in the output.
- inverse-lookup: Performs an inverse lookup, returning the objects whose specified attribute matches the query (RIPE-like servers).
- object-type: Filters results to specific object types.
- primary-keys-only: Restricts results to primary keys from RIPE-like servers.
- no-recursive-contacts: Prevents recursive look-ups for contact information.
- search-all-mirrors: Searches through all mirrored databases for comprehensive data.
- source-db: Chooses a specific source for mirrored database searches.
- timeout: Configures the maximum wait time for responses.
- json: Outputs results exclusively in JSON format for structured data handling.