[WHOIS]
Domain and IP address information lookup for threat intelligence, IOC research, and security investigations
Difficulty: Beginner
Category: Security
Key Features
Domain Lookup
Query domain registration and ownership information
IP Address Research
Investigate IP address ownership and allocation
Threat Intelligence
Gather intelligence on suspicious domains and IPs
Command Line
Scriptable for automated threat research workflows (the examples below are written for a Windows shell, where whois is typically the Sysinternals whois.exe; the query syntax is the same with the native whois client on Linux and macOS)
Basic Usage
Domain Queries
# Query domain information
whois example.com
# Query suspicious domain
whois malicious-site.ru
# Check domain expiration (findstr is case-sensitive without /i; registries label the field "Registry Expiry Date" or "Expiration Date", so match on the stem)
whois company.org | findstr /i "Expir"
IP Address Queries
# Query IP address ownership
whois 8.8.8.8
# Investigate suspicious IP (must be a public address; private ranges such as 192.168.0.0/16 have no owner record and only return the IANA reservation)
whois 198.51.100.25
# Check IP allocation
whois 203.0.113.1
Information Gathered
Domain Information
- Registrant: Domain owner contact information
- Registrar: Company that registered the domain
- Creation Date: When domain was first registered
- Expiration Date: When registration expires
- Name Servers: DNS servers handling the domain
- Status: Current domain status and locks (EPP status codes such as clientTransferProhibited)
IP Address Information
- Organization: Company or entity owning the IP
- ISP/Provider: Internet service provider
- Country: Country recorded for the allocation in the RIR database (not necessarily where the host is physically located)
- Network Range: CIDR block allocation
- Contact Info: Technical and administrative contacts
- Allocation Date: When IP range was assigned
Security Use Cases
🕵️ Threat Intelligence
Research suspicious domains and IP addresses found in security logs.
# Research IOC
whois malicious-domain.tk
🚨 Incident Response
Investigate C2 servers and malicious infrastructure during incidents.
# Check C2 server
whois 198.51.100.25
🔍 Digital Forensics
Gather attribution information for forensic investigations.
# Investigate attacker domain
whois phishing-site.com
📧 Email Security
Verify sender domains and investigate suspicious email sources.
# Check email sender domain
whois suspicious-sender.info
Advanced Techniques
Historical Analysis
- Domain Age: Newly registered domains are often suspicious
- Registration Patterns: Multiple domains with similar details
- Registrar Analysis: Certain registrars popular with cybercriminals
- Contact Information: Privacy or proxy registration can hide an operator, but most registrars now redact registrant data by default, so treat it as a weak signal unless other indicators are present
Correlation Analysis
# Check multiple related domains (cmd.exe; inside a .bat file write %%i instead of %i)
for %i in (domain1.com domain2.com domain3.com) do whois %i
# PowerShell batch lookup
$domains = @("site1.com","site2.com"); $domains | ForEach { whois $_ }
Red Flags and Indicators
🚨 High Risk Indicators
- Recently registered domains: Domains less than 30 days old
- Privacy protection enabled: All contact details hidden behind a proxy service; weak on its own, since redaction is the default at most registrars, but significant when combined with a fresh registration or a free TLD
- Suspicious TLDs: .tk, .ml, .ga and other free domains
- Bulk registrations: Multiple domains registered simultaneously
⚠️ Medium Risk Indicators
- Registrar jurisdiction: Registered through registrars in jurisdictions with weak abuse enforcement or slow takedown response
- Inconsistent information: Mismatched or incomplete details
- Fast flux hosting: Frequent IP address changes
- Generic contact info: Obviously fake or generic contact details
✅ Legitimate Indicators
- Established domains: Registered for several years
- Consistent information: Complete and verifiable contact details
- Reputable registrars: Well-known, established registrars
- Professional hosting: Major hosting providers and datacenters
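The two previous sections, Information Gathered and Red Flags and Indicators, together describe a small procedure: parse the "Key: value" output into fields, derive the domain age, and apply the checklist. The following is an added example, not part of the original page, that implements that procedure in Python over constructed sample records (no network lookup is made; the records, the hostnames, the weights and the reference date are assumptions for illustration). It also shows the public-address check that should precede any IP query, since private addresses from logs have no owner record to find.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample records (not real lookups). The first mimics the
# "Key: value" layout of gTLD registry output, the second the RIR-style
# "attribute:" layout returned for IP ranges.
SAMPLE_DOMAIN_RECORD = """\
Domain Name: EXAMPLE-LOOKALIKE.TK
Registrar: Example Free Registrar
Creation Date: 2024-05-01T10:15:00Z
Registry Expiry Date: 2025-05-01T10:15:00Z
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: NL
Domain Status: clientTransferProhibited
>>> Last update of WHOIS database: 2024-05-20T00:00:00Z <<<
"""

SAMPLE_IP_RECORD = """\
% Constructed RIR-style record for illustration
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-HOSTING-NET
country:        DE
org:            ORG-EX1-RIPE
"""

# Fixed reference "now" (assumed) so the age calculation is deterministic.
REFERENCE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)
FREE_TLDS = {"tk", "ml", "ga", "cf", "gq"}


def parse_whois(text):
    """Collect 'Key: value' lines into {lowercased key: [values]}.
    Keys repeat (Name Server, Domain Status), so each maps to a list.
    Comment lines ('%', '#') and the '>>>' trailer are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")   # split on the FIRST colon only
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def first(fields, *keys):
    """Return the first value found under any of the alternative key names."""
    for key in keys:
        if key in fields:
            return fields[key][0]
    return None


def domain_age_days(fields, now=REFERENCE_NOW):
    """Days since registration, or None when no creation date is present."""
    created = first(fields, "creation date", "created", "registered on")
    if created is None:
        return None
    stamp = datetime.fromisoformat(created.replace("Z", "+00:00"))
    return (now - stamp).days


def score_domain(fields, now=REFERENCE_NOW):
    """Apply the red-flag checklist; returns (score, reasons).
    Weights are illustrative: 3 for the strong signals (age, free TLD),
    1 for redacted contacts, which are the default at most registrars."""
    score, reasons = 0, []
    name = (first(fields, "domain name") or "").lower()
    age = domain_age_days(fields, now)
    if age is not None and age < 30:
        score += 3
        reasons.append(f"registered {age} days ago")
    tld = name.rsplit(".", 1)[-1] if "." in name else ""
    if tld in FREE_TLDS:
        score += 3
        reasons.append(f"free TLD .{tld}")
    registrant = " ".join(fields.get("registrant name", [])
                          + fields.get("registrant organization", []))
    if "redacted" in registrant.lower() or "privacy" in registrant.lower():
        score += 1
        reasons.append("registrant details redacted")
    return score, reasons


def ip_lookup_target(address):
    """Return the address if it is globally routable, else None.
    Private, loopback and link-local addresses have no owner record."""
    ip = ipaddress.ip_address(address)
    return str(ip) if ip.is_global else None


if __name__ == "__main__":
    fields = parse_whois(SAMPLE_DOMAIN_RECORD)
    print(domain_age_days(fields), score_domain(fields))
    print(parse_whois(SAMPLE_IP_RECORD)["netname"])
    print(ip_lookup_target("192.168.1.100"), ip_lookup_target("8.8.8.8"))
```

To use it on live data, feed the captured output of `whois example.com` to parse_whois instead of the constructed record; keep the raw text alongside the parsed fields, since the key names vary between registries and the parser only recognises the alternatives listed in domain_age_days.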
Best Practices & Tips
Cross-reference multiple sources: Query both the registry and the registrar WHOIS servers (they can disagree, and the registrar record is usually the more complete one) and compare with a second provider's database
Check historical records: Use archive services to see domain history and changes
Analyze registration patterns: Look for patterns in domain registration and contact information
Document findings: Save the raw WHOIS output with a timestamp, since records change when a domain is transferred, re-registered or allowed to expire
Use passive DNS: Combine with passive DNS services for complete intelligence