Information Gathering

Whois Lookup

Now that you know all about the fundamentals of bug bounty hunting and web pen-testing, we're going to look at the information gathering techniques that you can carry out as reconnaissance on the website you're planning to attack.


Hi. Within this section, we're going to cover information gathering and enumeration. So, before we started this course I said that this is actually the first step that you need to do before you start web pen-testing or bug bounty hunting, because you need to gather information, you need to know about the website that you're attacking. However, this may feel a little bit overwhelming and this may feel a little bit vague if you don't know the rest of it. So, most of the time when I teach this beforehand, all of the students say, what do we do with this?

Why are you telling this to us? We don't know what to do with this information. However, after we learn all of this stuff that we have learned so far, it makes perfect sense to gather all of this information and make something useful out of it. So, that was a decision that I made before I started this course, leaving this section at the end of this course. It doesn't mean that it's not important. It means that it's essential and it's the first step that you need to do. And in information gathering we actually have two kinds of information gathering. First of all, passive information gathering and active information gathering.

We're going to start with whois lookup and this is one of the instances of passive information gathering. So, if you go to Google and search whois lookup like I did, you can just find one or two that work perfectly over here. One of them is whois.domaintools.com. I generally use this website, whois.domaintools.com, but as you can see, there are like millions of results. You can just use whatever you want. I'm just going to open a couple of those and you'll see what I mean. I'm going to open this ICANN as well. So lookup.ICANN.org and whois.domaintools.org. So, what is whois lookup? You actually gather general information about the website that you're targeting. So, I'm going to do this with my own website. So, atilsamancioglu.com, make sure you spell it right or make sure you just target another website. This is perfectly legal. We're going to gather publicly available information, so you just do this. You can do this with any website you want actually. I'm going to just do it in the Whois Lookup, whois.domaintools.com, so that we can compare the results and see which is better. So, I'm gonna just target my own website here as well.

So, let's go back to ICANN Lookup and see what kind of information we gather from here. So, we have the name of course, we have the domain status. We have the name servers. So, these are the name servers that I'm using in my website apparently. And we can see the registry expiration date, created date. Let's see what else we can have over here. As you can see it's pretty short actually. Maybe whois.domaintools.com gives much more information. As you can see, we see the IP address over here, which is good because we didn't get that in this case for some reason, I don't know. We can easily get this by pinging the website as you know, as we have learned before, but it's useful to get this in the whois lookup as well. As you can see, in the lookup.ICANN.org, we also have the registrar, which is GoDaddy in this case, and we have some kind of alternative service or something like that. But I believe this domaintools.com gives us a little bit more information maybe, let's see. It says that validation is required. So, maybe if we do this I'm not a robot captcha, maybe we can get much more information. Let's try that. Here you go.

We have this Whois record over here. We're going to see what it is. We have the IP address, we have the IP location. So, my server is located in Arizona in the US. So, we have the domain status. So, this is an active website apparently and we have the IP history. So, I have changed my IP over three years apparently and let's see what else we have over here. So, we have the whois records. So, let's see if we get something different. We've seen GoDaddy already. We have an email, we have a phone. Since I have used the domain protection in this case, you cannot see my email address or my telephone or any of my records over here, but we can get something like that. So, let's see, we have that many emails and of course this is not right. Again I have used protection, so I believe this is protected by GoDaddy. So, we have the name servers and stuff. So, as you can see this is very general information and maybe there is not much to do within the scope of this when we go into web pen-testing, but again this is useful stuff. So, you know the IP address, you know the GoDaddy for example, maybe you can just try to spoof an email and say this is coming from the GoDaddy administration and you have to click over here to supply some of your information, something like that.

So, generally black hat hackers do this in order to trick people into giving some information, like social engineering attacks. Of course this is not within the scope of this course. But again you need to know what kind of information you reveal in here for your own website or what kind of information you can gather here on your web pen-testing target. So, that's it for the whois record. And again this is an example of passive information gathering, which means that we're gathering information which is generally publicly available. We're not doing active scans like intense scans like Nmap, or we're not pinging the server like 1000 times a second. So, we're just gathering information right now. Let's stop here and continue within the next lecture.
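The lecture's practical takeaway for a domain owner is to know exactly which fields of your own WHOIS record are exposed and which are hidden by a privacy or proxy service, and to keep an eye on the expiration date that the record advertises. The following Python script is an added example, not part of the course or the tools shown in the video: it parses a constructed WHOIS response for a placeholder domain (no real lookup is performed, so it runs offline), pulls out the registrar, name servers, EPP status codes and dates, and separates contact fields that are redacted from those that are still visible. The redaction phrases, field names and the `EXAMPLE-PLACEHOLDER.COM` record are assumptions modelled on the common "Key: value" WHOIS layout, not on any specific registrar's output.

```python
"""Summarize a WHOIS record and flag contact fields that are still publicly exposed."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

# Constructed sample WHOIS response for a placeholder domain; not the output of a real query.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-PLACEHOLDER.COM
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@registrar.example
Creation Date: 2014-03-02T10:15:00Z
Registry Expiry Date: 2026-03-02T10:15:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Email: privacy@proxy.example
Tech Phone: +1.5555550100
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

# Phrases registrars commonly use when a contact field is hidden behind a privacy/proxy service (assumed list).
REDACTION_MARKERS = re.compile(r"redacted|privacy|proxy|protected|not disclosed|query the rdds|withheld", re.IGNORECASE)
CONTACT_PREFIXES = ("Registrant", "Admin", "Tech", "Billing")
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Turn 'Key: value' lines into a dict of lists, since keys like Name Server repeat."""
    record: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and server commentary (">>>", "%" and "#" are common comment prefixes).
        if not line or line.startswith((">>>", "%", "#")) or ":" not in line:
            continue
        key, value = line.split(":", 1)  # split on the first colon only; values may contain URLs
        if value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def parse_date(value: str) -> Optional[datetime]:
    """Parse the handful of date layouts seen in WHOIS output; return None if none match."""
    text = value.strip().replace("Z", "+0000")
    for fmt in DATE_FORMATS:
        try:
            parsed = datetime.strptime(text, fmt)
        except ValueError:
            continue
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


@dataclass
class WhoisSummary:
    domain: str
    registrar: str
    name_servers: list[str]
    statuses: list[str]
    created: Optional[datetime]
    expires: Optional[datetime]
    days_to_expiry: Optional[int]
    exposed_contacts: list[tuple[str, str]] = field(default_factory=list)
    redacted_contacts: list[str] = field(default_factory=list)


def first(record: dict[str, list[str]], *keys: str) -> str:
    """Return the first value found under any of the given (registrar-dependent) key names."""
    for key in keys:
        if key in record:
            return record[key][0]
    return ""


def summarize(text: str, today: date) -> WhoisSummary:
    record = parse_whois(text)
    expires = parse_date(first(record, "Registry Expiry Date", "Registrar Registration Expiration Date", "Expiration Date"))
    exposed, redacted = [], []
    for key, values in record.items():
        if not key.startswith(CONTACT_PREFIXES):  # only registrant/admin/tech/billing contact fields
            continue
        for value in values:
            (redacted.append(key) if REDACTION_MARKERS.search(value) else exposed.append((key, value)))
    return WhoisSummary(
        domain=first(record, "Domain Name").lower(),
        registrar=first(record, "Registrar"),
        name_servers=sorted(ns.lower() for ns in record.get("Name Server", [])),
        statuses=[s.split()[0] for s in record.get("Domain Status", [])],  # keep the EPP code, drop the URL
        created=parse_date(first(record, "Creation Date", "Created Date")),
        expires=expires,
        days_to_expiry=(expires.date() - today).days if expires else None,
        exposed_contacts=exposed,
        redacted_contacts=redacted,
    )


def summarize_sample(today_iso: str = "") -> WhoisSummary:
    """Summarize the constructed sample; pass an ISO date to fix the reference day for reproducible output."""
    return summarize(SAMPLE_WHOIS, date.fromisoformat(today_iso) if today_iso else date.today())


if __name__ == "__main__":
    s = summarize_sample()
    print(f"{s.domain}: registrar={s.registrar}, expires in {s.days_to_expiry} days, statuses={s.statuses}")
    print("name servers:", ", ".join(s.name_servers))
    print("redacted contact fields:", ", ".join(s.redacted_contacts) or "none")
    for key, value in s.exposed_contacts:
        print(f"EXPOSED  {key}: {value}")
```

Run against your own domain's record (paste the text into `SAMPLE_WHOIS` or read it from a file), the `EXPOSED` lines are the fields a privacy service has not covered, which in the lecture's example would have been the speaker's email and phone before GoDaddy's protection was enabled; in the constructed sample only the technical contact's phone number is still visible.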

About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.