1.7 Whois Footprinting

My resume of module 02 footprinting form CEH material

Whois Footprinting Gathering network-related organization is important information when planning such as a hack. “Whois” information In this section, we about will the target discuss Whois footprinting. Whois footprinting focuses on how to perform a Whois lookup, analyzing the Whois lookup results, and the tools used to gather Whois information.

Whois Lookup

Whois is a query and response protocol used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system. This protocol listens to requests on port 43 (TCP). Regional Internet Registries (RIRS) maintain Whois databases and it contains the personal information of domain owners. For each resource, Whois database provides text records with information about the resource itself, and relevant information of assignees, registrants, and administrative information (creation and expiration dates).

Two types of data models exist to store and look up Whois information:

• Thick Whois - Stores the complete Whois information from all the registrars for the particular set of data.
• Thin Whois - Stores only the name of the Whois server of the registrar of a domain, which in turn holds complete details on the data being looked up.

Whois query returns following information:

• Domain name details
• Contact details of domain owner
• Domain name servers
• Expiry records
• NetRange
• Records last updated
• When a domain has been created

An attacker queries a Whois database server to obtain information about the target domain name, contact details of its owner, expiry date, creation date and so on., and the Whois sever responds to the query with the requested information. Using this information an attacker can create a map of the organization’s network, mislead domain owners with social engineering, and then obtain internal details of the network.

Regional Internet Registries (RIRs)

The RIRs include:

• ARIN (American Registry for Internet Numbers) Source: https://www.arin.net ARIN provides services related to the technical coordination and management of Internet number resources. ARIN offers its services in form of three areas:

  • Registration - pertains to the technical coordination and management
  • Organization - pertains to the interaction between ARIN members and stakeholders and ARIN
  • Policy Development - facilitates the development of policy for the technical coordination and management of Internet number resources in the ARIN region

  ARIN also develops technical services to support the evolving needs of the Internet community.

• AFRINIC (African Network Information Center)

  Source: https://www.afrinic.net

  The acronym, AFRINIC, is the RIR for Africa, responsible for the distribution and management of Internet number resources such as IP addresses and ASN (Autonomous System Numbers) for the African region.

• APNIC (Asia Pacific Network Information Center)

  Source: https://www.apnic.net

  APNIC is one of five RIRs charged with ensuring the fair distribution and responsible management of IP addresses and related resources required for the stable and reliable operation of the global Internet.

• RIPE (Réseaux IP Européens Network Coordination Centre)

  Source: https://www.ripe.net

  RIPE NCC provides Internet resource allocations, registration services, and coordination activities that support the operation of the Internet globally.

• LACNIC (Latin American and Caribbean Network Information Center)

  Source: http://www.lacnic.net

  LACNIC is an international non-government organization responsible for assigning and administrating Internet numbering resources (IPv4, IPv6), autonomous system numbers, reverse resolution, and other resources for the Latin America and Caribbean region.

Whois Lookup Result Analysis

Whois services such as http://whois.domaintools.com or http://www.tamos.com can help to perform Whois lookups. The following figure shows a result analysis of a Whois lookup obtained with the two mentioned Whois services. The services perform Whois lookup by entering the target’s domain or IP address. The domaintools.com service provides Whois information such as registrant information, email, administrative contact information, created and expiry date, and a list of domain servers. The SmartWhois available at http://www.tamos.com gives information about an IP address, hostname, or domain, including country, state or province, city, phone number, fax number, name of the network provider, administrator, and technical support contact information. It also assists in finding the owner of the domain, the owner’s contact information, the owner of the IP address block, registered date of the domain and so on. It supports Internationalized Domain Names (IDNs), which means one can query domain names that use non-English characters. It also supports IPv6 addresses.

Whois Lookup Tools

Whois Lookup tools extract information such as IP address, hostname or domain name, registrant information, DNS records including country, city, state, phone and fax numbers, network service providers, administrators and technical support information for any IP address or domain name. There are numerous tools available to retrieve Whois information, including:

• some tools on github

Finding IP Geolocation Information

IP geolocation help you to identify information such as country, region/state, city, latitude and longitude of city, ZIP/postal code, time zone, connection speed, ISP (hosting company), domain name, IDD country code, area code, weather station code and name, mobile carrier, elevation and so on. Using the information obtained from IP geolocation, an attacker may attempt to gather more information about a target with the help of social engineering, surveillance and non-technical attacks such as dumpster diving, hoaxing, or acting as a technical expert. With the help of information obtained, attacker can also set up a compromised web server nearby victim’s location and if there is detection of the exact location of the victim it can send malicious stuff and infect the victim with a malware designed for that specific area or the attacker can gain an unauthorized access to the target device or may attempt to launch an attack using target device IP geolocation lookup tools such as IP2Location helps to collect IP geolocation information about the target which help attackers to launch social engineering attacks such as spamming and phishing. IP Geolocation Lookup Tools:

• on github