WHOIS, GeoIpLocation and DNS interrogation

  • All of these are public records; accessing them is not illegal.

WHOIS

  • Query and response protocol (port 43)
  • Used for retrieving information about assigned Internet resources
  • To get WHOIS information you can
    • Use different websites such as whois.net
    • Use command-line: whois cloudarchitecture.io
  • Two models
    • Thick WHOIS: the registry stores the complete information from all of its registrars for the specified set of data.
    • Thin WHOIS: the registry stores only limited information about the specified set of data; the rest is held by the registrar.

WHOIS results

  • Domain details
  • 📝 Domain owner details
    • Includes contact information of the owner
    • Can be hidden by a WHOIS guard
      • A proxy between the domain owner and whoever queries the record
      • Emails are usually still redirected to the owner.
        • 💡 Allows for e-mail phishing to learn who the actual owner is.
  • Domain server
    • Who it's registered with e.g. NameCheap.com, Gandi.net
    • 💡 The site owner might have an account on that server, and you can test passwords there.
  • Net range
  • Domain expiration
    • 💡 If auto-renewal fails, someone else can register the domain for malicious purposes or just to sell it back to you.
  • Creation and last update dates
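As an added example (not part of these notes), a minimal WHOIS client for the port-43 query/response protocol described above, plus a parser for the result fields listed here (registrar, owner, dates, name servers) and a renewal check for the expiration risk. It is run against a constructed sample reply; `whois.iana.org` as the default server and the gTLD-style field labels are assumptions.

```python
import socket
from datetime import datetime

def whois_query(domain: str, server: str = "whois.iana.org", timeout: float = 10.0) -> str:
    """Raw WHOIS (RFC 3912): TCP/43, send the name + CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

FIELDS = {  # assumed gTLD-registry labels; ccTLD registries often use different ones
    "registrar": "Registrar:",
    "registrant": "Registrant Organization:",
    "created": "Creation Date:",
    "expires": "Registry Expiry Date:",
}

def parse_whois(text: str) -> dict:
    """Extract owner, registrar, dates and name servers from a free-text WHOIS reply."""
    result = {"name_servers": []}
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("name server:"):
            result["name_servers"].append(line.split(":", 1)[1].strip().lower())
        for key, label in FIELDS.items():
            if low.startswith(label.lower()) and key not in result:
                result[key] = line[len(label):].strip()
    # A WHOIS guard / privacy proxy hides the owner; the field is present but redacted.
    result["owner_hidden"] = "REDACTED" in result.get("registrant", "").upper()
    return result

def days_until_expiry(record: dict, now_iso: str) -> int:
    """Renewal check: days until the domain lapses and could be re-registered by others."""
    expires = datetime.fromisoformat(record["expires"].replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return (expires - now).days

# Constructed sample reply (not a real WHOIS record) so the parser can run offline.
SAMPLE_RESPONSE = """\
Domain Name: EXAMPLE-NOTES.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2019-05-20T14:30:00Z
Registry Expiry Date: 2024-05-20T14:30:00Z
Registrant Organization: REDACTED FOR PRIVACY
Name Server: NS1.EXAMPLE-NOTES.TEST
Name Server: NS2.EXAMPLE-NOTES.TEST
"""
```

Feeding `whois_query("example.com")` into `parse_whois` gives the same dict for a live record; a small expiry count from `days_until_expiry` is the signal to verify auto-renewal before the domain lapses.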

Regional internet registries

  • WHOIS databases are maintained by the Regional Internet Registries (RIRs) such as:
    • ARIN: American Registry for Internet Numbers
    • AFRINIC: African Network Information Center
    • APNIC: Asia Pacific Network Information Center
    • RIPE: Réseaux IP Européens Network Coordination Centre
    • LACNIC: Latin American and Caribbean Network Information Center
  • 🤗 Every ISP, hosting company etc. must be a member of one of the registries to get IP addresses.

IP geolocation

  • Helps find location information about a target
  • Includes country, city, postal code, ISP, and so on
    • Country is mostly accurate; city and coordinates are only approximations
  • Helps with social engineering attacks
  • E.g. GeoIpTool.com

DNS interrogation

  • Collecting information about DNS zone data
    • e.g. server types and their locations
  • Includes information about key hosts in the network
  • 📝 E.g. host -t a cloudarchitecture.io
    • -t selects the type of DNS record; a requests A records.
    • Returns something like this:

          cloudarchitecture.io has address 13.33.17.159
          cloudarchitecture.io has address 13.33.17.136

    • An A lookup can return multiple IP addresses to increase speed and availability, e.g. when the same content is hosted on multiple continents.

  • See also DNS enumeration

Reverse DNS lookup

  • Use one of the IP addresses listed as an A record
  • host 13.33.17.159
    • Returns 159.17.33.13.in-addr.arpa domain name pointer server-13-33-17-159.arn53.r.cloudfront.net.
  • Multiple IP addresses can be tied to the same domain
    • and multiple domain names can be tied to the same IP

MX records

  • Can be retrieved with host -t mx
  • Exposes which e-mail service they use
  • Have a preference number to tell the SMTP client to try (and retry) each of the relevant addresses in the list in order, until a delivery attempt succeeds
    • The smallest preference number has the highest priority
  • 💡 Once a hacker knows who the e-mail provider is, he/she can create fake e-mails using the provider to test e.g.
    • What kind of content is allowed
    • Whether a file can be modified so it appears as a PDF but is executable
    • When an e-mail is labeled as spam / malicious