Whois

Query domain registration data including owner info, registrar, and DNS records.

Category: Reconnaissance
Platform: Linux / Kali
Type: CLI / Open Source
Skill Level: Beginner → Advanced

What is Whois?

Whois is a query protocol and command-line tool used during the reconnaissance phase of penetration testing. It retrieves publicly available registration records for domain names and IP addresses — exposing details such as the registrant's name, organization, contact email, registrar, registration and expiry dates, and authoritative name servers. This intelligence helps pentesters map out an organization's attack surface before any active scanning begins.

⚠ Legal Notice

Only use this tool on systems you own or have explicit written authorization to test. Unauthorized use is a criminal offense under Pakistan's PECA 2016 and similar laws worldwide.

Installation

# Update package list first
sudo apt update

# Install Whois (pre-installed on most Kali builds)
sudo apt install whois -y

# Verify installation
whois --version

Basic Usage

Whois queries are passive: they go only to public WHOIS servers, never to the target's own hosts, so they leave no trace on the target system. Always start your recon here.

# Look up a domain
whois example.com

# Look up an IP address
whois 8.8.8.8

# Query a specific WHOIS server manually
whois -h whois.arin.net 8.8.8.8

# Grep for registrant info only
whois example.com | grep -i "registrant"

# Grep for name servers
whois example.com | grep -i "name server"

# Grep for expiry date
whois example.com | grep -i "expir"

# Save full output to a file (create the output directory first)
mkdir -p recon
whois example.com > recon/whois_example.txt

Key Fields to Look For

Common Use Cases

Tips & Best Practices

Many modern domains use WHOIS privacy protection, which masks registrant details. In that case, pivot to passive DNS tools like DNSDumpster or Amass to enumerate subdomains and hosting history. Always save the raw Whois output before starting active scanning; it provides a baseline for your report.
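
The grep filters from Basic Usage and the privacy-protection tip above, combined into one added example (not part of the original page): it reads a saved WHOIS file, matches fields by their exact label, and flags a masked registrant. The sample record, the function names and the redaction keywords are assumptions constructed for illustration.

```shell
# Constructed sample record in the common gTLD layout; every value is made up.
sample_whois() {
cat <<'EOF'
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2031-03-02T10:11:12Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Service (constructed)
Name Server: NS1.EXAMPLE-CORP.TEST
Name Server: NS2.EXAMPLE-CORP.TEST
EOF
}

# whois_field FILE LABEL: print the value of every "LABEL: value" line. The whole
# label is matched (case-insensitive), unlike the substring match of grep -i.
whois_field() {
    awk -v want="$2" '{
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (tolower(key) == tolower(want) && val != "") print val
    }' "$1"
}

# expiry_date FILE: expiry as YYYY-MM-DD (the label differs between servers).
expiry_date() {
    { whois_field "$1" "Registry Expiry Date"
      whois_field "$1" "Registrar Registration Expiration Date"; } | head -n 1 | cut -c1-10
}
# expires_before FILE YYYY-MM-DD: true if the record expires before that day.
expires_before() {
    awk -v a="$(expiry_date "$1")" -v b="$2" 'BEGIN { exit !((a != "") && ((a "") < (b ""))) }'
}

# registrant_redacted FILE: true if registrant fields look masked (keyword heuristic).
registrant_redacted() {
    { whois_field "$1" "Registrant Name"; whois_field "$1" "Registrant Organization"; } |
        grep -Eiq 'redacted|privacy|proxy|not disclosed'
}

whois_summary() {
    echo "registrar:    $(whois_field "$1" Registrar)"
    echo "expires:      $(expiry_date "$1")"
    echo "name servers: $(whois_field "$1" "Name Server" | tr '\n' ' ')"
    if registrant_redacted "$1"; then echo "registrant:   masked"; else echo "registrant:   visible"; fi
}
# Use the file given as $1, otherwise fall back to the constructed sample.
f=${1:-}; [ -n "$f" ] || { f=$(mktemp); sample_whois > "$f"; }
whois_summary "$f"
```

Run it against a file saved as shown under Basic Usage, for example `sh whois_summary.sh recon/whois_example.txt` (the script name is hypothetical); field labels vary between WHOIS servers, so extend the label list for other TLDs.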

Practice on legal targets like TryHackMe, HackTheBox, or hackzia.site labs before using it in live engagements.