WHOIS Lookups - Cybersecurity Academy

What is a WHOIS Lookup?

A WHOIS lookup is a query used to retrieve registration data about a domain name or IP address. It provides information such as the registrant's contact details, domain creation and expiration dates, registrar, and DNS servers. In ethical hacking, WHOIS lookups are part of passive reconnaissance to gather intel without alerting the target.

🔍 Why is WHOIS Information Important?

WHOIS records can reveal key insights during a security assessment:

Identify the organization behind a domain
Find contact details (e.g., emails for phishing simulations)
Detect infrastructure patterns through nameservers or registrars
Spot related domains via shared WHOIS data
Uncover forgotten or exposed domains

🧠 Step-by-Step: How to Perform WHOIS Lookups

Step 1: Use Online WHOIS Tools

Step 2: Use Command-Line Tools

On Linux or macOS, you can run:

whois targetdomain.com

If you don’t have whois installed:

sudo apt install whois   # Debian/Ubuntu
brew install whois       # macOS with Homebrew

Step 3: Analyze the Results

Look for the following fields in WHOIS data:

Registrant Organization: Name of owning company
Registrant Email: Often usable for OSINT or phishing simulations
Nameservers: Can indicate hosting provider or internal DNS
Registrar: Useful in identifying related domains
Creation/Expiration Dates: Helps track domain lifecycle

🌐 Real-World Example

Running a WHOIS query on example.com might return:

Domain Name: EXAMPLE.COM
Registrar: IANA Reserved
Registrant Name: Internet Assigned Numbers Authority
Registrant Organization: IANA
Registrant Email: abuse@example.com
Creation Date: 1995-08-14
Expiration Date: 2030-08-13
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET

⚙️ Advanced Usage & Automation

whois + grep: Extract key fields only:

whois target.com | grep -Ei "Registrant|Name Server|Registrar"

WHOIS in Python:

import whois
domain = whois.whois("example.com")
print(domain)

Automate bulk lookups: Useful in bug bounty recon across multiple domains/subdomains.

💡 Practical Tips

Combine WHOIS with DNS lookups for broader intel
Use privacy-protected WHOIS as a clue — it often hides something valuable
Watch out for typosquat domains with similar WHOIS patterns
Correlate registrant emails with other leaked databases (e.g., HaveIBeenPwned)
Keep in mind GDPR restrictions may mask some data

📡 WHOIS Lookups