Advanced Penetration Testing for Highly-Secured Environments:The Ultimate Security Guide

Gathering and validating domain and IP information

When a person or corporate entity registers a domain name there is a lot of information that is gathered. Depending on the registration privacy settings, you can collect this information and use it to verify your IP space, find information about other sites owned by the same individual or corporation, or even phone numbers and addresses of key employees. This type of reconnaissance is considered passive as it does not directly contact client-owned assets to pull information.

We will need to locate the registrar that the domain has been registered with to obtain useful information. Here is a listing of the top registrars.

Gathering information with whois

Domain and IP space registration information can be found by using whois.

Note

Be aware of the specific restrictions and rules that you need to abide by when using whois. For example, you are not allowed to automate your queries or to use the results for commercial or personal gain. Read the legal text headers that appear when you run a simple whois example.com query from the command line. Heed the warnings and follow the rules.

The most basic usage of whois is as follows:

# whois example.com 

This will perform a quick lookup of the example.com domain and provide you with the following information:

  • Whois usage agreements and legal headers
  • Domain name
  • Registrar the domain name is registered with
  • Whois server that was used
  • The primary DNS nameservers associated with the domain
  • Domain creation and expiration dates
  • Registrant information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address
  • Assigned domain administrator information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address
  • Domain billing contact information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address
  • Domain technical contact information such as First Name, Last Name, Organization, physical address, phone number, and e-mail address

Specifying which registrar to use

There may be times when you will need to specify which registrar you would like to query. whois makes this simple by allowing the usage of the -h "connect to host" option.

# whois -h whois.apnic.net 192.0.43.10 

Where in the world is this IP?

You can use whois to find the originating country an IP address is assigned to:

# whois -h whois.arin.net 192.0.43.10 | grep Country: 

What we have done here is use the -h option to specify whois.arin.net to extract the record associated with 192.0.43.10 because we specifically wanted the country information relating to this IP. We used the grep command to pull out the Country: row. Here is the resulting output which indicates this IP address is located in The United States of America:

Country: US

Tip

You will find the output format will vary from one registrar to the next. Take some time and get familiar with the different outputs so that you know what to grep for in the future. This could potentially save you a lot of time in the long run.
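The tip above is the reason to parse the country line rather than rely on exact casing. The following shell function is an added example, not code from the book: it reads whois output on standard input and prints the country code, matching "Country:" (ARIN style) and "country:" (RIPE/APNIC style) alike. The two sample records and the 203.0.113.0/24 block are constructed for the example and are not real registry data.

```shell
#!/bin/sh
# Added example: extract the country code from whois output regardless of
# which registry produced it. Registries differ in capitalization ("Country:"
# at ARIN, "country:" at RIPE/APNIC) and in how many country lines appear
# (ARIN prints one for the network and one for the organization), so match
# case-insensitively and keep the first hit.

# Constructed sample in ARIN's format (not a real record).
ARIN_SAMPLE='NetRange:       192.0.43.0 - 192.0.43.255
CIDR:           192.0.43.0/24
Organization:   Example Org (EXAMPLE)
Country:        US
RegDate:        2010-01-01'

# Constructed sample in RIPE's format (203.0.113.0/24 is a documentation range).
RIPE_SAMPLE='inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
country:        NL
admin-c:        EX123-RIPE'

# whois_country: read whois text on stdin, print the two-letter code in
# upper case, or UNKNOWN when no country line is present.
whois_country() {
    code=$(grep -i '^country:' | head -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    if [ -n "$code" ]; then
        printf '%s\n' "$code"
    else
        printf 'UNKNOWN\n'
    fi
}

# Run against the constructed samples (no network access needed).
printf '%s\n' "$ARIN_SAMPLE" | whois_country   # US
printf '%s\n' "$RIPE_SAMPLE" | whois_country   # NL
```

Against a live record the same function is used as a filter, for example `whois -h whois.arin.net 192.0.43.10 | whois_country`, which keeps a single manual query per lookup in line with the usage rules noted earlier.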

Defensive measures

When you or your clients register domains, you should opt in to the privacy options. These restrict the information that is available to the public: the registrant data is replaced with the details of your privacy proxy. If a situation arises that requires someone to get in contact with you, they contact your proxy, who in turn lets you know that there is an issue to be addressed.