In this post, we will look at what the WHOIS database is, how it works, and how an attacker may exploit the information it exposes, from an InfoSec point of view.
Every year, millions of individuals, businesses, organizations and governments register a domain name such as mydomain.com under a top-level domain (TLD) such as .com, through an Internet domain registrar, for a small price that is normally paid annually. One of the registration steps involves providing valid and accurate contact information for the registrant. This information is referred to as Domain Name Registration Data.
The registrant is required to provide identifying and contact information such as:
- Mailing address
- Phone number
- Postal code
This data must be available for three types of domain contact: Registrant, Administrative and Technical. The domain registrar stores this WHOIS data together with the domain's name servers.
The WHOIS service is not a single, centrally-operated database. Instead, the data is managed by independent entities known as "registrars" and "registries".
History of WHOIS
Elizabeth Feinler and her team at the Network Information Center (NIC) at SRI created the Resource Directory for ARPANET, and she was responsible for creating the first WHOIS directory in the early 1970s. The protocol for this directory service for ARPANET users was later written up as an RFC. Initially, the directory simply listed the contact information that was requested of anyone transmitting data across the ARPANET. At that time, performing a WHOIS lookup meant querying that single, central WHOIS database.
The WHOIS protocol was first documented in RFC 812 (1982) and later revised in RFC 954 and RFC 3912.
WHOIS servers are operated by domain registries and registrars (for domain names) and by the Regional Internet Registries (RIRs, for IP address and AS number allocations). They can be queried directly over TCP port 43.
In the early days of the internet there was only one WHOIS server, but the number of WHOIS servers has grown with the expansion of the internet. If the queried server does not hold the full record for the requested domain, it answers with a referral to the WHOIS server of the domain's registrar; the WHOIS client then queries that server and returns the combined result to the user.
There are many websites and command-line tools that query this data from the WHOIS servers.
The information retrieved is only as accurate as the information the domain owner supplied to the registrar, and it can be misleading if the details held by the registrar are wrong or out of date. Domain owners can also hide sensitive contact information by subscribing to a privacy or proxy service offered by the registrar, after which the WHOIS record shows the service's details instead of the owner's own contact details.
Types of WHOIS lookup data models
WHOIS information is not stored in any single way. There are two different models for holding WHOIS records on the WHOIS servers:
- WHOIS Thin model: the registry's WHOIS server answers with only the basic data it holds itself, such as the registrar name, the domain registration dates and the name servers in use, plus the name of the registrar's WHOIS server that holds the full record (this is how the .com TLD works). In order to obtain all the data, a second query has to be made to that registrar server.
- WHOIS Thick model: the registry's WHOIS server holds the full record, including the registrant, administrative and technical contact details, so a single query returns all the information about the domain. This is the faster method, since no second query is needed.
The purpose of the WHOIS lookup
Many people think that the WHOIS information is just data that happens to be stored along with a domain name. However, they do not realize the exposure this data creates. It has far-reaching implications.
An attacker may use this information for various malicious activities. Contact names and phone numbers provided during registration can be used for social engineering attacks, such as duping staff over the telephone. Mailing addresses tell the attacker where the organization is physically located, which helps with wardriving to find unsecured wireless access points.
As we saw before, back in the ARPANET days the WHOIS model was merely a user directory. However, as decades passed, WHOIS information became a lot more personal, including full contact details, making it one of the most useful data sets available for reconnaissance and intelligence gathering.
The main goal and functions of the WHOIS lookup have evolved, and today it’s used for a number of reasons, including:
- Tracking down abusive domain registrations, spamming and phishing attacks.
- For help during federal investigations against websites promoting abusive material such as xenophobia, child abuse, child pornography, illegal drugs market, hatred, violence, racial and social discrimination, etc.
- Providing ISPs, network operators, security agencies and government law enforcement agencies the information needed to keep the Internet as secure and transparent as possible.
- Supporting trademark agencies in the investigation of abuse activities from domain names wrongfully using registered company names or products, or promoting trademarks illegally.
- Prevention of online fraud by helping users to detect phishing attacks against financial institutions and general login-based interfaces used on web services.
How to perform a WHOIS lookup
A Whois tool is built into Kali Linux.
I am using the Kali Docker image, where the whois client is not installed by default. To install it, open a terminal and run the following command (the package name is lowercase):
apt-get install whois
To retrieve the WHOIS record for a domain, run:
$ whois <domain name>
In this example, we run a WHOIS lookup on facebook.com.
[Screenshot: WHOIS lookup result for facebook.com]
The returned record has several interesting details:
The domain expiry date. If the domain owner fails to renew the domain by the expiration date (and the grace periods that follow it), the registrar releases the domain for anyone to buy, and whoever registers it then receives the email and traffic still pointed at it. Monitoring the expiry date is therefore worthwhile for defenders as well as attackers.
The record also contains the Registrant, Administrative and Technical contact details. These may be used for wardriving or for social engineering attacks.
It also lists the domain's name servers. These can be used as a starting point for DNS enumeration to discover further hosts on the domain.
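The referral-following lookup described in the thin/thick model section above, and the fields picked out of the lookup result here (expiry date, contacts, name servers), as an added example in Python. This is not code from the original post and not Kali's whois client: the two responses are constructed samples laid out like the "Key: value" records that gTLD registries and registrars return, and the server names whois.registry.example and whois.registrar.example are hypothetical so that the example runs offline. query_whois is the real port-43 exchange from RFC 3912 and can be passed in place of canned_fetch for a live query against a registry's WHOIS server.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample responses (made up for this example; they describe no real registration).
# Thin-model answer in the style of a .com registry: no contacts, only a referral to the registrar.
THIN_REGISTRY_RESPONSE = """\
   Domain Name: EXAMPLE.COM
   Registrar WHOIS Server: whois.registrar.example
   Registrar URL: http://www.registrar.example
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Registrar: Example Registrar, Inc.
   Name Server: NS1.EXAMPLE.COM
   Name Server: NS2.EXAMPLE.COM
>>> Last update of whois database: 2024-01-01T00:00:00Z <<<
"""
# The registrar's full (thick-style) answer that the referral above points to.
THICK_REGISTRAR_RESPONSE = """\
Domain Name: example.com
Registrar WHOIS Server: whois.registrar.example
Registrar Registration Expiration Date: 2024-08-13T04:00:00Z
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Street: 1 Main Street
Registrant Postal Code: 12345
Registrant Phone: +1.5555550100
Registrant Email: jane@example.com
Admin Email: admin@example.com
Tech Email: hostmaster@example.com
Name Server: ns1.example.com
Name Server: ns2.example.com
"""
# Hypothetical server names, used only so that the example runs offline.
CANNED_SERVERS = {
    "whois.registry.example": THIN_REGISTRY_RESPONSE,
    "whois.registrar.example": THICK_REGISTRAR_RESPONSE,
}

def query_whois(server, query, port=43, timeout=10):
    """Raw WHOIS exchange (RFC 3912): connect to TCP port 43, send the query terminated by
    CRLF, then read until the server closes the connection. Needs network; not used by the test."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def canned_fetch(server, query):
    """Offline stand-in for query_whois, serving the constructed responses above."""
    return CANNED_SERVERS[server]

_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")

def parse_whois(text):
    """Parse 'Key: value' lines into {key: [values]}. Repeated keys (Name Server) keep every
    value; banner lines such as '>>> Last update ... <<<' do not match and are skipped."""
    record = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(2):
            record.setdefault(m.group(1), []).append(m.group(2))
    return record

def lookup(domain, registry_server, fetch=query_whois):
    """Query the registry; if its answer is a thin record carrying a 'Registrar WHOIS Server'
    referral, query that server as well and merge. Returns (record, servers queried in order)."""
    record = parse_whois(fetch(registry_server, domain))
    hops = [registry_server]
    referral = record.get("Registrar WHOIS Server", [""])[0].lower()
    if referral and referral != registry_server.lower():
        record.update(parse_whois(fetch(referral, domain)))  # registrar's fuller fields win
        hops.append(referral)
    return record, hops

def name_servers(record):
    """Name servers, lower-cased: the starting point for enumerating further hosts via DNS."""
    return [ns.lower() for ns in record.get("Name Server", [])]

def contacts(record):
    """Registrant/Admin/Tech contact fields: the social-engineering surface of the record."""
    return {k: v[0] for k, v in record.items() if k.split(" ")[0] in ("Registrant", "Admin", "Tech")}

def days_until_expiry(record, now_utc=None):
    """Days until the registration lapses (negative: the expiry date has passed). now_utc is an
    ISO timestamp in the record's own format, defaulting to the current time. Registry and
    registrar label the date differently, so both labels are checked."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    now = datetime.strptime(now_utc, fmt) if now_utc else datetime.now(timezone.utc).replace(tzinfo=None)
    for key in ("Registry Expiry Date", "Registrar Registration Expiration Date"):
        if key in record:
            return (datetime.strptime(record[key][0], fmt) - now).days
    return None

if __name__ == "__main__":
    rec, hops = lookup("example.com", "whois.registry.example", fetch=canned_fetch)
    print("servers queried:", " -> ".join(hops))
    print("name servers:   ", name_servers(rec))
    print("contacts:       ", contacts(rec))
    print("days to expiry: ", days_until_expiry(rec))
```

The merged record still only contains what the registrar chose to publish: with a privacy or proxy service in place, the Registrant/Admin/Tech fields hold the service's details rather than the owner's, exactly as described earlier, so an empty or proxied contacts() result is a finding in itself rather than a parser failure.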