Perform an Online Whois Lookup of a domain or IP address to find the registered owner, netblock, ASN and registration dates.
Valid input: an IPv4 or IPv6 address, or a domain name (for example example.com or 8.8.8.8).
About the Online Whois Lookup
An Online Whois Lookup is an easy and fast way to find the ISP, Hosting provider and contact details for a domain or IP address. There are many uses for Whois data that can be utilised by attackers and defenders in the information security sector.
By having access to whois online it is possible to gather the required information without having a whois client installed on your system. If you are running a Linux or *nix based system, installation of a whois client is generally a simple matter.
Whois is useful for tracking down attackers when defending, or for finding targets to attack when on the offensive. A whois lookup can reveal organisational details, IP ranges to scan and the email addresses of technical staff. This information is commonly gathered in the information gathering phase of an assessment or planned attack.
This online Whois lookup tool uses the built-in whois command-line utility found in most Linux operating systems and presents the results directly in your web browser.
Whois Lookup API
Another way to query the whois service is to use the API. Any client can be used, from command line utilities to your favourite scripting language.
Whois API - Simple Text Response
The default HTTP response from the API will be returned in a simple plain text based format. This is actually very close to the standard output from the Linux whois command.
curl "https://api.hackertarget.com/whois/?q=google.com&apikey=**apikeyrequired**"
Whois API - JSON response
In this example, with JSON output specified, we are using the X-API-Key HTTP header rather than the &apikey= parameter.
curl -H "X-API-Key: ***apikey***" "https://api.hackertarget.com/whois/?q=8.8.8.8&output=json" | jq
{
  "address": "REDACTED FOR PRIVACY",
  "city": "REDACTED FOR PRIVACY",
  "country": "US",
  "creation_date": "Mon, 16 Apr 2018 22:57:01 GMT",
  "dnssec": "signedDelegation",
  "domain_name": "dns.google",
  "emails": "[email protected]",
  "expiration_date": "Wed, 16 Apr 2025 22:57:01 GMT",
  "name": "REDACTED FOR PRIVACY",
  "name_servers": [
    "ns1.zdns.google",
    "ns2.zdns.google",
    "ns3.zdns.google",
    "ns4.zdns.google"
  ],
  "org": "Charleston Road Registry, Inc.",
  "referral_url": null,
  "registrar": "MarkMonitor Inc.",
  "state": "CA",
  "status": [
    "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
    "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited"
  ],
  "updated_date": "Wed, 20 Mar 2024 10:02:54 GMT",
  "whois_server": "whois.nic.google",
  "zipcode": null
}
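Consuming the JSON response above from a script, as an added example that is not HackerTarget's own client: it sends the key in the X-API-Key header as described and reduces a record to the fields an analyst checks first (registrar, DNSSEC, transfer lock, registration age and time to expiry). The endpoint, header and field names come from the page; the function names, the placeholder key and the constructed sample record are assumptions of this example.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

API_URL = "https://api.hackertarget.com/whois/"  # endpoint shown on this page


def fetch_whois_json(query, api_key):
    """Live lookup: the key travels in the X-API-Key header, not the query string.
    Needs network access and a valid key; not exercised by the offline sample below."""
    url = f"{API_URL}?q={urllib.parse.quote(query)}&output=json"
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarise(record, now=None):
    """Reduce one JSON whois record to what an analyst checks first: the registrar,
    whether DNSSEC is signed, whether transfers are locked, how old the registration
    is and how soon it lapses. Dates are RFC 2822 strings, as in the API output."""
    now = now or datetime.now(timezone.utc)
    created = parsedate_to_datetime(record["creation_date"])
    expires = parsedate_to_datetime(record["expiration_date"])
    # status entries look like "clientTransferProhibited https://icann.org/epp#..."
    codes = {s.split()[0] for s in record.get("status", [])}
    return {
        "domain": record["domain_name"],
        "registrar": record["registrar"],
        "dnssec_signed": record.get("dnssec") == "signedDelegation",
        "transfer_locked": "clientTransferProhibited" in codes,
        "name_servers": sorted(record.get("name_servers", [])),
        "age_days": (now - created).days,
        "days_to_expiry": (expires - now).days,
    }


# Constructed from the dns.google response shown above (subset of fields), with a
# fixed "now" so the result is reproducible offline.
SAMPLE_RECORD = {
    "domain_name": "dns.google",
    "registrar": "MarkMonitor Inc.",
    "dnssec": "signedDelegation",
    "creation_date": "Mon, 16 Apr 2018 22:57:01 GMT",
    "expiration_date": "Wed, 16 Apr 2025 22:57:01 GMT",
    "name_servers": ["ns2.zdns.google", "ns1.zdns.google"],
    "status": ["clientTransferProhibited https://icann.org/epp#clientTransferProhibited"],
}
SAMPLE_NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)
```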
The API is simple to use and aims to be a quick reference tool for security professionals and IT teams. Due to abuse by a small number of users there is a limit of 5 queries per day for Free Users, or you can increase the daily quota with a Membership. For those who need to send more packets, HackerTarget has Enterprise Plans.
What is a Whois Lookup?
Whois is simply a plain text protocol that returns information from a database of Internet resources. It can reveal the owner or registered user of a resource; that may be a domain name, an IP address block or an autonomous system number (ASN).
Information returned includes physical addresses, email addresses of system staff, names and phone numbers. The DNS name servers of a domain are also displayed. Many domain registration services allow a private listing in which the details of the domain owner are hidden; these became popular following the prevalence of spam being directed at domain owners.
The Whois protocol was based on the Finger protocol that goes back to 1977, during the very early days of the Internet (ARPANET). The Finger protocol allowed you to "finger" a remote host and the response from the plaintext protocol would reveal who was actually logged on to the system (and how long they had been logged on).
Whois is still a simple plaintext protocol that has a server component that listens on TCP port 43. Clients establish a connection to this port and transmit a text record with the domain or IP address that is to be queried against the Whois database. Since the protocol is so simple a telnet client can be used to query the whois service.
Using Telnet to perform a Whois Lookup
With whois being a simple plain text protocol it is possible to use a standard telnet (or netcat) client to access whois data.
test@testserver:~$ telnet whois.iana.org 43
Trying 192.0.32.59...
Connected to ianawhois.vip.icann.org.
Escape character is '^]'.
hackertarget.com
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.verisign-grs.com

domain:       COM

organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States

contact:      administrative
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 948 3978
e-mail:       [email protected]

contact:      technical
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 948 3978
e-mail:       [email protected]

nserver:      A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver:      B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
nserver:      C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30
nserver:      D.GTLD-SERVERS.NET 192.31.80.30 2001:500:856e:0:0:0:0:30
nserver:      E.GTLD-SERVERS.NET 192.12.94.30 2001:502:1ca1:0:0:0:0:30
nserver:      F.GTLD-SERVERS.NET 192.35.51.30 2001:503:d414:0:0:0:0:30
nserver:      G.GTLD-SERVERS.NET 192.42.93.30 2001:503:eea3:0:0:0:0:30
nserver:      H.GTLD-SERVERS.NET 192.54.112.30 2001:502:8cc:0:0:0:0:30
nserver:      I.GTLD-SERVERS.NET 192.43.172.30 2001:503:39c1:0:0:0:0:30
nserver:      J.GTLD-SERVERS.NET 192.48.79.30 2001:502:7094:0:0:0:0:30
nserver:      K.GTLD-SERVERS.NET 192.52.178.30 2001:503:d2d:0:0:0:0:30
nserver:      L.GTLD-SERVERS.NET 192.41.162.30 2001:500:d937:0:0:0:0:30
nserver:      M.GTLD-SERVERS.NET 192.55.83.30 2001:501:b1f9:0:0:0:0:30
ds-rdata:     30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766

whois:        whois.verisign-grs.com

status:       ACTIVE
remarks:      Registration information: http://www.verisigninc.com

created:      1985-01-01
changed:      2017-06-22
source:       IANA

Connection closed by foreign host.
We can see that by simply entering the domain we were able to get a response from the iana.org whois server. The important information contained in this response is a pointer to the whois server we need to talk to in order to get more information about our domain.
The pointer is this line: whois: whois.verisign-grs.com
Let's try again using the verisign-grs.com whois server.
test@testserver~:$ telnet whois.verisign-grs.com 43
Trying 199.7.54.74...
Connected to whois.verisign-grs.com.
Escape character is '^]'.
hackertarget.com
   Domain Name: HACKERTARGET.COM
   Registry Domain ID: 1064667694_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.enom.com
   Registrar URL: http://www.enom.com
   Updated Date: 2017-04-25T02:32:05Z
   Creation Date: 2007-07-04T01:13:38Z
   Registry Expiry Date: 2020-07-04T01:13:38Z
   Registrar: eNom, Inc.
   Registrar IANA ID: 48
   Registrar Abuse Contact Email:
   Registrar Abuse Contact Phone:
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: DNS1.REGISTRAR-SERVERS.COM
   Name Server: DNS2.REGISTRAR-SERVERS.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Now we have more information, including the DNS servers for the domain, the creation date and the registry expiry date.
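The referral chain just walked by hand with telnet, as an added example that is not part of the original page: a minimal whois client that performs the same TCP/43 exchange, pulls the next server out of each response (IANA's "refer:"/"whois:" lines, then the registry's "Registrar WHOIS Server:" line) and stops when a server no longer points elsewhere. The function names, the referral key list and the constructed sample excerpts are assumptions of this example; the live lookup needs network access.

```python
import socket

IANA_WHOIS = "whois.iana.org"
# Keys whose value names the next whois server to ask: IANA answers with
# "refer:"/"whois:", a registry such as Verisign with "Registrar WHOIS Server:".
REFERRAL_KEYS = ("refer:", "whois:", "registrar whois server:")


def whois_query(server, query, port=43, timeout=10):
    """Raw whois exchange: connect to TCP/43, send the query terminated by CRLF
    and read until the server closes the connection (what the telnet session does)."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(f"{query}\r\n".encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def find_referral(response):
    """Return the next whois server named in a response, or None when the
    responding server is the last hop (no referral line with a value)."""
    for line in response.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() + ":" in REFERRAL_KEYS and value.strip():
            return value.strip().lower()
    return None


def whois_lookup(query, start=IANA_WHOIS, max_hops=4):
    """Follow referrals from IANA to the registry and on to the registrar.
    Returns (server, response) pairs so every hop can be inspected; a server
    that refers back to itself or an already visited one ends the walk."""
    hops, server, seen = [], start, set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        response = whois_query(server, query)
        hops.append((server, response))
        server = find_referral(response)
    return hops


# Constructed excerpts of the two responses shown on this page, for offline use.
IANA_SAMPLE = ("% IANA WHOIS server\n% This query returned 1 object\n\n"
               "refer:        whois.verisign-grs.com\n\ndomain:       COM\n\n"
               "whois:        whois.verisign-grs.com\n\nstatus:       ACTIVE\n")
VERISIGN_SAMPLE = ("   Domain Name: HACKERTARGET.COM\n"
                   "   Registrar WHOIS Server: whois.enom.com\n"
                   "   Registrar URL: http://www.enom.com\n   DNSSEC: unsigned\n")
```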
Practical Use Cases
Incident Response and Threat Intelligence
The most obvious benefit of a whois lookup for those responding to a security incident is identifying the netblock and ISP that owns a particular IP address. From this contact information the incident responder can alert the owner of the netblock to the presence of malicious traffic.
Historical Whois records also play a big role in threat intelligence, allowing an incident responder to search for key details in the whois data that may be present across multiple investigations or targets. For example, you can search whois data to find an email address across multiple domains, correlating malicious infrastructure and threat actors.
Troubleshooting Network Issues with Whois
With access to the whois data, a network engineer using traceroute to investigate a high latency hop will be able to determine the owner of the network in question and contact the engineers responsible for that network.