Methodology Checklist
- Query registrar info: whois [DOMAIN]
  - Note: registrant org, email, phone, name servers
- Reverse WHOIS search on registrant email/org for related domains
- ASN lookup: whois -h whois.radb.net [IP]
- IP owner: whois [IP] → identifies hosting provider or own IP space
- Check historical WHOIS (DomainTools) for ownership changes
- Privacy-masked registrations: note for social engineering context
Operational Context
Use when: First step of any engagement → run WHOIS before any other tool. Reveals registrar, nameservers, org, registrant contact, and historical ownership pivots. Think Dumber First: WHOIS takes 3 seconds and gives you the DNS provider (for zone transfer attempts), registrant email (for LinkedIn/OSINT pivot), and registration date (how long they've been running). Run it first, always. Skip when: Target uses domain privacy (WhoisGuard/PrivacyProtect) → the contact fields come back redacted, so pivot to crt.sh CT log OSINT for names and hosts instead. Registrar, nameservers and dates are still returned even behind privacy, so record those regardless.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| whois [DOMAIN] | Query WHOIS database for domain registration info |
| sudo apt update && sudo apt install whois -y | Install the whois client |
Deep Dive & Workflow
Overview
WHOIS (RFC 3912) is a plain-text query/response protocol on TCP port 43 for accessing databases of registered internet resources: domain names, IP blocks, and autonomous systems. The client sends a single query line, the server returns a free-form text record and closes the connection, so field names and layout vary between registries and registrars and anything that parses the output must tolerate that.
Key Record Fields
| Field | Description | Pentest Value |
|---|---|---|
| Domain Name | Target domain | (none) |
| Registrar | Where domain was registered (GoDaddy, Amazon) | Cloud registrar = likely cloud-hosted |
| Registrant Contact | Organization or person who owns the domain | Phishing targets, org names |
| Administrative Contact | Person responsible for domain management | Social engineering targets |
| Technical Contact | Person handling infrastructure | Technical staff identification |
| Name Servers | DNS servers for the domain | Next targets for DNS enumeration |
| Dates | Creation, Update, Expiration | Old domains = more legit; new = suspicious |
Why It Matters
1. Social Engineering & Phishing: unprotected records leak names, emails, phone numbers of admin/technical staff → targeted phishing pretexts.
2. Infrastructure Mapping: name servers + IP addresses → first view of network infrastructure → potential entry points.
3. Historical Analysis: services like WhoisFreaks show historical records → track ownership changes and infrastructure a previous owner left behind (stale delegations, old hosting).
Red Flags (Malicious Domain Detection)
- Recent registration (days/weeks old)
- Privacy proxy hiding registrant info
- Free email services for registrant contacts
- Registrant addresses in high-cybercrime regions
- Multiple domains sharing same nameservers → common threat actor infrastructure
- Registration clusters shortly before major attacks
Key Data to Extract (CPTS)
- IANA ID → registrar identifier
- Abuse Contacts → usually the registrar's abuse desk, not the target's staff; use it to confirm the registrar, not as a social engineering target
- Admin Email → domain management contact
- DNSSEC status → unsigned = no DNSSEC protection
- Name Servers → use for next step: DNS zone transfer attempts
Always combine WHOIS with DNS enumeration, CT logs, and Shodan for a complete picture.
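The parsing and triage the Key Record Fields table, the Red Flags list and the Key Data to Extract list describe, as an added example that is not part of the original page. Both WHOIS records below are constructed (domains under the reserved .example TLD, placeholder registrar and IANA ID); the reference date is fixed so the age check is reproducible. The field names follow the common registry/registrar layout, but as noted above, real records vary, so `parse_whois` keeps every key it sees rather than a fixed schema.

```python
"""Parse a WHOIS domain record into pivot fields and score the page's red flags.
Added example; the two records and the registrar in them are constructed."""
import re
from collections import defaultdict
from datetime import date, datetime

# Constructed sample: an established corporate domain (not a real record).
LEGIT = """\
   Domain Name: TARGET.EXAMPLE
   Registrar WHOIS Server: whois.registrar.example
   Updated Date: 2024-02-10T08:15:00Z
   Creation Date: 2009-06-01T12:00:00Z
   Registry Expiry Date: 2026-06-01T12:00:00Z
   Registrar: Example Registrar, Inc.
   Registrar IANA ID: 0000
   Registrar Abuse Contact Email: abuse@registrar.example
   Registrant Organization: Target Corp
   Registrant Email: hostmaster@target.example
   Admin Email: jdoe@target.example
   Tech Email: noc@target.example
   Name Server: NS1.DNSPROVIDER.EXAMPLE
   Name Server: NS2.DNSPROVIDER.EXAMPLE
   DNSSEC: signedDelegation
"""

# Constructed sample: a lookalike registered two weeks before the reference date.
SUSPICIOUS = """\
   Domain Name: TARGET-LOGIN.EXAMPLE
   Creation Date: 2025-03-01T00:00:00Z
   Registrar: Example Registrar, Inc.
   Registrar IANA ID: 0000
   Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
   Registrant Email: redacted@privacyprotect.example
   Admin Email: someone@gmail.com
   Name Server: NS1.FREEDNS.EXAMPLE
   DNSSEC: unsigned
"""

REFERENCE_DAY = date(2025, 3, 15)  # fixed "today" for the age check (constructed)
LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.+?)\s*$")
PRIVACY_WORDS = ("privacy", "proxy", "whoisguard", "redacted", "withheld", "data protected")
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com", "proton.me"}


def parse_whois(text):
    """Return {lowercased field: [values...]}; repeated keys such as Name Server keep every value."""
    rec = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec[m.group(1).strip().lower()].append(m.group(2))
    return dict(rec)


def first(rec, key):
    return rec.get(key, [None])[0]


def summarize(rec):
    """The pivot data the checklist asks for, flattened into one dict.
    The registrar abuse contact is deliberately left out of `contacts`: it belongs to the registrar."""
    contact_keys = ("registrant email", "admin email", "tech email")
    return {
        "domain": (first(rec, "domain name") or "").lower(),
        "registrar": first(rec, "registrar"),
        "iana_id": first(rec, "registrar iana id"),
        "registrant_org": first(rec, "registrant organization"),
        "contacts": sorted({v.lower() for k in contact_keys for v in rec.get(k, [])}),
        "name_servers": sorted(ns.lower() for ns in rec.get("name server", [])),
        "created": first(rec, "creation date"),
        "dnssec": (first(rec, "dnssec") or "").lower(),
    }


def red_flags(rec, today=REFERENCE_DAY, young_days=30):
    """Apply the page's red-flag list. `today` is injected so results do not drift with the clock."""
    s = summarize(rec)
    flags = []
    if s["created"]:
        created = datetime.fromisoformat(s["created"].replace("Z", "+00:00")).date()
        if (today - created).days < young_days:
            flags.append("recent-registration")
    org = (s["registrant_org"] or "").lower()
    if any(word in org for word in PRIVACY_WORDS):
        flags.append("privacy-proxy")
    if any(c.split("@")[-1] in FREEMAIL for c in s["contacts"]):
        flags.append("freemail-contact")
    if s["dnssec"] in ("", "unsigned"):
        flags.append("dnssec-unsigned")
    return flags


if __name__ == "__main__":
    for record in (LEGIT, SUSPICIOUS):
        rec = parse_whois(record)
        print(summarize(rec)["domain"], red_flags(rec))
```

Feed real output with `parse_whois(subprocess.check_output(["whois", domain], text=True))`; the flag list is a triage hint, not a verdict, since privacy services and free-mail contacts are common on legitimate small-business domains too.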
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| WHOIS returns privacy-protected data | GDPR/domain privacy service active | Try historical WHOIS via viewdns.info or SecurityTrails; check pre-GDPR records |
| whois command returns nothing | Wrong TLD handler | Use whois -h whois.iana.org [DOMAIN] to find correct server; or use web-based whois |
| Registrant data shows reseller not target | Domain registered through registrar reseller | Check Registrant Organization vs Admin Organization fields β often differ |
| WHOIS nameservers don't match DNS resolvers | Split-brain DNS or CDN | Attempt a zone transfer against the WHOIS nameservers, not just the live resolvers |
| Historical WHOIS shows different owner | Domain transferred/sold | Check if old owner infrastructure still referenced β could be subdomain takeover risk |
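What the `whois -h whois.iana.org` fix in the table above actually does, and what the Overview describes as the protocol, shown as a minimal client in an added example that is not part of the original page: one query line to TCP/43, read until the server closes, then follow the referral (`refer:`/`whois:` from IANA, `Registrar WHOIS Server:` from a thin registry) until no new server appears. The three canned responses and the `.example` hosts in them are constructed so the chain can be exercised offline; `whois_query` is the only function that touches the network and is used only from `main`.

```python
"""Minimal RFC 3912 WHOIS client that follows referrals IANA -> registry -> registrar.
Added example; OFFLINE_RESPONSES holds constructed records for the offline walk-through."""
import re
import socket
import sys
from typing import Optional

IANA_WHOIS = "whois.iana.org"
# Lines that hand the query off to another server. IANA uses "refer:" / "whois:",
# thin registries (e.g. .com) use "Registrar WHOIS Server:".
REFERRAL_RE = re.compile(
    r"^\s*(?:refer|whois|Registrar WHOIS Server)\s*:\s*([\w.-]+)\s*$", re.I | re.M
)

# Constructed responses (not real registries/registrars) keyed by the server that "sent" them.
OFFLINE_RESPONSES = {
    "whois.iana.org": "% IANA WHOIS server\n\ndomain:       EXAMPLE\n\n"
                      "refer:        whois.nic.example\n\nstatus:       ACTIVE\n",
    "whois.nic.example": "   Domain Name: TARGET.EXAMPLE\n"
                         "   Registrar WHOIS Server: whois.registrar.example\n"
                         "   Name Server: NS1.DNSPROVIDER.EXAMPLE\n",
    # The registrar names itself; the loop guard below must stop here.
    "whois.registrar.example": "Domain Name: target.example\n"
                               "Registrar WHOIS Server: whois.registrar.example\n"
                               "Registrant Organization: Target Corp\n",
}


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Send one query to server:43 and return the whole response (server closes the socket)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def offline_query(server: str, query: str) -> str:
    """Stand-in for whois_query that serves the constructed responses."""
    return OFFLINE_RESPONSES[server]


def next_server(response: str) -> Optional[str]:
    """Return the first referred-to WHOIS server in a response, or None."""
    m = REFERRAL_RE.search(response)
    return m.group(1).lower() if m else None


def whois_chain(domain: str, query=whois_query, start: str = IANA_WHOIS, max_hops: int = 4):
    """Return [(server, response), ...] following referrals until none is new.
    `seen` stops the registrar's self-referral; max_hops bounds a misbehaving chain."""
    chain, server, seen = [], start, set()
    while server and server not in seen and len(chain) < max_hops:
        seen.add(server)
        response = query(server, domain)
        chain.append((server, response))
        server = next_server(response)
    return chain


def main(argv):
    domain = argv[1] if len(argv) > 1 else None
    query = whois_query if domain else offline_query
    for server, response in whois_chain(domain or "target.example", query=query):
        print(f"=== {server} ===\n{response}")


if __name__ == "__main__":
    main(sys.argv)
```

Run with no argument to see the offline chain, or with a domain to walk the real one; when the packaged `whois` client "returns nothing", this is the path to reproduce by hand to find where the referral breaks.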
Reporting Trigger
Finding Title: Domain Registration Data Enables Targeted Reconnaissance
Impact: WHOIS data exposes registrant contact details, hosting provider, and DNS infrastructure that enables targeted spear-phishing, social engineering, and infrastructure-level attacks.
Root Cause: Default domain registration settings expose registrant PII. No domain privacy service configured.
Recommendation: Enable WHOIS privacy protection on all registered domains. Use a registrar email alias rather than personal/corporate email. Audit domain registrations for consistency across the organization.