
SecurityTrails Blog · Sep 05 · SecurityTrails team

Whois IP: Top 4 tools to perform a WHOIS IP Lookup


Ever since the beginning of the Internet, a key component driving its ongoing progress has been the IP address. That’s right, we’re talking about that magical number behind networks, servers and virtual machines.

IP addresses let clients connect to servers, retrieve information and communicate. Without IP addresses, the Internet would not be what it is today; even with IPv4 exhaustion, the same concept carries on in IPv6 addresses.

Within the infosec and general OSINT communities, IP addresses are very important. That’s because IP addresses involve numerous details that security researchers often find relevant to their investigations into different types of cybercrime.

Some time ago we wrote an article about how to perform a domain WHOIS lookup. Today, instead of domains, we’ll focus on how to perform an IP WHOIS lookup, first with traditional command-line tools and then with a web-based product.

What is a WHOIS IP lookup?

In much the same way as a domain WHOIS lookup, an IP WHOIS lookup is performed by IT users to retrieve as much data as possible for any specific IP address or IP range.

This information is fetched from a Regional Internet Registry (RIR¹), the organization responsible for address allocation in the part of the world where the IP address is registered.

The 5 Regional Internet Registries are: AFRINIC (African Network Information Centre), which handles IP administration for Africa; ARIN (American Registry for Internet Numbers), which administers addresses for the United States, Canada and many Caribbean and North Atlantic islands; APNIC (Asia-Pacific Network Information Centre), in charge of the Asia-Pacific region, including Japan, China, Australia and other Asian countries; LACNIC (Latin America and Caribbean Network Information Centre), which covers Latin America and parts of the Caribbean; and RIPE NCC (Réseaux IP Européens Network Coordination Centre), which handles Europe, the Middle East and Central Asia, Russia included.

IP WHOIS results: What are they useful for?

The results obtained from an IP WHOIS lookup are useful for a wide range of tasks, including passive data collection and historical WHOIS research, as well as for real-time infosec investigations in which someone needs to contact the owner of an IP block because of network abuse, malware distribution, incoming spam and the like.

These results include the source registry, assigned net range, CIDR, network name, region, city, country and other details. Let’s jump right into practical examples so you can take a look.

How can I perform a WHOIS IP lookup?

Whether you’re researching the hidden actors behind DNS attacks, DDoS floods or social engineering campaigns, a WHOIS IP lookup is always applicable.

Let’s explore the most effective ways to perform this lookup, from classic terminal-based methods to newer web-based ones.

WHOIS IP lookup using the WHOIS command

The WHOIS command² is the most traditional way to perform a WHOIS IP lookup. The client is installed by default on many modern Linux distributions, works out which registry is authoritative for the address or domain you give it, and fetches the record from that server; the -h option lets you name a server yourself when you want to ask a particular RIR directly.

If it hasn’t been installed by default, you can easily do it yourself.

For CentOS/RHEL/Fedora users (older releases ship the client in the jwhois package; current Fedora and RHEL 8+ provide a whois package through dnf):

yum install jwhois

For Ubuntu/Debian users:

apt-get install whois

For example, if we want all the available information about an IP address, say 104.16.181.15, we simply run:

whois 104.16.181.15

Here’s the result:

NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2017-02-17
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/104.16.0.0

That’s the first part, and it includes the network range, CIDR, NetName, NetHandle, Parent, NetType, origin AS, organization, registration and update dates, as well as the abuse contact and the registry’s RDAP URL for the block.

The second part includes details about the organization, as shown below. Here you’ll find the exact organization name, address, city, state, postal code and country:

OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2010-07-09
Updated: 2018-10-10
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/entity/CLOUD14

You’ll also find technical, network and abuse contacts so you can get in touch with them quickly by phone or email.

OrgTechHandle: ADMIN2521-ARIN
OrgTechName: Admin
OrgTechPhone: +1-650-319-8930
OrgTechEmail: rir@cloudflare.com
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
OrgNOCHandle: NOC11962-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-650-319-8930
OrgNOCEmail: noc@cloudflare.com
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-319-8930
OrgAbuseEmail: abuse@cloudflare.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN

That’s one of the most classic ways to perform an IP WHOIS lookup.
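The output above is meant for humans, and in an investigation you usually want just three things from it: the narrowest block the address sits in, that block as CIDR, and the abuse contact. Here is an added Python example (not part of the original article) that parses both shapes of registry output, ARIN’s CamelCase `Key: value` blocks and the lower-case RIPE/APNIC object format, and also checks that the queried address really falls inside the returned range, which catches a stale or mis-parsed answer. The two embedded answers are constructed abridgements of the Cloudflare and RIPE NCC records shown on this page; the function names are ours.

```python
import ipaddress
import re

# Constructed samples, abridged from the kind of answers shown on this page.
SAMPLE_ARIN = """\
# ARIN WHOIS data and services are subject to the Terms of Use
NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)

OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Country:        US

OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseEmail:  abuse@cloudflare.com
OrgAbuseRef:    https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
"""

SAMPLE_RIPE = """\
% Information related to '193.0.0.0 - 193.0.7.255'
% Abuse contact for '193.0.0.0 - 193.0.7.255' is 'abuse@ripe.net'

inetnum:        193.0.0.0 - 193.0.7.255
netname:        RIPE-NCC
country:        NL
status:         ASSIGNED PA
source:         RIPE
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
ABUSE_HINT_RE = re.compile(r"Abuse contact for .* is '([^']+)'")
RANGE_KEYS = ("netrange", "inetnum", "inet6num")


def parse_objects(text):
    """Split WHOIS text into objects: blank-line separated lists of (key, value).

    Keys are lower-cased so ARIN's CamelCase and RIPE's lower-case attributes
    match the same way. Comment lines ('%' or '#') are skipped, except that the
    RIR's 'Abuse contact ... is' hint is remembered as a fallback contact.
    """
    objects, current, abuse_hint = [], [], None
    for line in text.splitlines():
        if line.startswith(("%", "#")):
            m = ABUSE_HINT_RE.search(line)
            if m:
                abuse_hint = m.group(1)
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        m = ATTR_RE.match(line)
        if m:
            current.append((m.group(1).lower(), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects, abuse_hint


def parse_range(value):
    """Turn 'a.b.c.d - w.x.y.z' (or a prefix such as '2001:db8::/32') into (first, last)."""
    if "/" in value:
        net = ipaddress.ip_network(value.strip(), strict=False)
        return net[0], net[-1]
    lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
    return lo, hi


def narrowest_range(objects):
    """An answer may carry a parent block and a more specific one; keep the smallest."""
    ranges = [parse_range(v) for obj in objects for k, v in obj if k in RANGE_KEYS]
    if not ranges:
        return None
    return min(ranges, key=lambda r: int(r[1]) - int(r[0]))


def abuse_contact(objects, abuse_hint):
    """Prefer an explicit abuse attribute, fall back to the RIR's comment hint."""
    for obj in objects:
        for key, value in obj:
            if key in ("orgabuseemail", "abuse-mailbox"):
                return value
    return abuse_hint


def summarize(text, queried_ip):
    """Reduce a raw WHOIS answer to the fields an investigator acts on."""
    objects, hint = parse_objects(text)
    rng = narrowest_range(objects)
    ip = ipaddress.ip_address(queried_ip)
    # Only compare addresses of the same family; a v4 query against a v6 block is simply "not inside".
    inside = rng is not None and rng[0].version == ip.version and rng[0] <= ip <= rng[1]
    return {
        "range": None if rng is None else f"{rng[0]} - {rng[1]}",
        "cidrs": [] if rng is None else
                 [str(n) for n in ipaddress.summarize_address_range(*rng)],
        "in_range": inside,
        "abuse": abuse_contact(objects, hint),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_ARIN, "104.16.181.15"))
    print(summarize(SAMPLE_RIPE, "193.0.7.35"))
```

Feed it the raw text of a real `whois` run and it returns the same dictionary; if `in_range` comes back False, the server answered about a different block than you asked for (typically a referral or a typo in the query) and the abuse contact should not be trusted.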

Fetching IP WHOIS information using Telnet

Another way to fetch information about any IP address is the old-fashioned telnet command. Yes, the telnet command³ is still a useful tool for many security researchers and system administrators, because WHOIS is simply a line-oriented text protocol on TCP port 43 (RFC 3912): you connect, send the query followed by a line break, and the server prints the record and closes the connection.

Performing a WHOIS lookup against any IP is therefore easy: connect to the WHOIS server of the registry that holds the address. For example:

telnet whois.apnic.net 43

Output example:

[research@securitytrails.com:~]telnet whois.apnic.net 43
Trying 23.239.6.76...
Connected to whois.apnic.net.
Escape character is '^]'.
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

Once you’re connected, the session stays open so you can type your query. In this case, we simply type the IP address we want to investigate:

1.1.1.1

After you enter the address, the record is displayed:

% Information related to '1.1.1.0 - 1.1.1.255'
% Abuse contact for '1.1.1.0 - 1.1.1.255' is 'abuse@apnic.net'
inetnum: 1.1.1.0 - 1.1.1.255
netname: APNIC-LABS
descr: APNIC and Cloudflare DNS Resolver project
descr: Routed globally by AS13335/Cloudflare
descr: Research prefix for APNIC Labs
country: AU
org: ORG-ARAD1-AP
admin-c: AR302-AP
tech-c: AR302-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-AU-APNIC-GM85-AP
mnt-irt: IRT-APNICRANDNET-AU
status: ASSIGNED PORTABLE
remarks: ---------------
remarks: All Cloudflare abuse reporting can be done via
remarks: resolver-abuse@cloudflare.com
remarks: ---------------
last-modified: 2018-03-30T01:51:28Z
source: APNIC

Grabbing WHOIS IP data with netcat

Netcat⁴ is another great alternative to the telnet command, and it works the same way.

Known as ‘nc’, it’s one of the most powerful networking tools available. Thanks to its debugging features it’s often used for network TCP and UDP socket investigation and for all kinds of IT roles, from programmers to system administrators and penetration testers.

You can install netcat on CentOS/RHEL/Fedora with this command (the nc binary ships in the nmap-ncat package there):

yum install nmap-ncat

For Ubuntu/Debian users, where netcat is a virtual package provided by netcat-openbsd or netcat-traditional, you can use this:

apt-get install netcat-openbsd

Once you have it installed, running an IP WHOIS lookup is the same as with telnet, except that you launch the connection with the ‘nc’ command. Connect to the registry that holds the address: asking whois.iana.org first only returns a short allocation record with a refer: line naming that registry, which for 193.0.0.0/8 is whois.ripe.net. For example:

nc whois.ripe.net 43

This opens a session that lets you type the IP in question:

193.0.7.35

This will show you detailed information about that IP, along with associated blocks:

% Information related to '193.0.0.0 - 193.0.7.255'
% Abuse contact for '193.0.0.0 - 193.0.7.255' is 'abuse@ripe.net'
inetnum: 193.0.0.0 - 193.0.7.255
netname: RIPE-NCC
descr: RIPE Network Coordination Centre
org: ORG-RIEN1-RIPE
descr: Amsterdam, Netherlands
remarks: Used for RIPE NCC infrastructure.
country: NL
admin-c: BRD-RIPE
tech-c: OPS4-RIPE
status: ASSIGNED PA
mnt-by: RIPE-NCC-MNT
created: 2003-03-17T12:15:57Z
last-modified: 2017-12-04T14:42:31Z
source: RIPE
organisation: ORG-RIEN1-RIPE
org-name: Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
org-type: LIR
descr: RIPE NCC Operations
address: P.O. Box 10096
address: 1001 EB
address: Amsterdam
address: NETHERLANDS
phone: +31205354444
fax-no: +31205354445
admin-c: MENN1-RIPE
admin-c: AP110-RIPE
abuse-c: ops4-ripe
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: RIPE-NCC-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-MNT
created: 2012-03-09T13:21:52Z
last-modified: 2019-06-18T17:20:26Z
source: RIPE # Filtered
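Both the telnet and the netcat sections above are really doing the same thing by hand: open TCP port 43, send one line, read until the server hangs up. When you script this, the part that bites is the referral step, because IANA (and sometimes ARIN, for transferred space) answers with a pointer to another server rather than the record itself. The following added Python example, not code from the original article, is a minimal RFC 3912 client that follows those referrals. The `query` parameter is injectable so the hop logic runs offline against two constructed, abridged answers; remove it to hit the real servers. The function names and the hop limit are our own choices.

```python
import re
import socket

WHOIS_PORT = 43


def build_query(target):
    """On the wire a WHOIS query is just the text followed by CRLF (RFC 3912)."""
    return target.strip().encode("ascii") + b"\r\n"


def whois_raw(server, target, timeout=10.0):
    """Send one query to server:43 and return the full answer (network access)."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(build_query(target))
        chunks = []
        while True:  # the server signals end-of-answer by closing the connection
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


# 'refer:' is what whois.iana.org emits; 'ReferralServer: whois://...' is ARIN's form.
# rwhois:// referrals use a different protocol and port and are deliberately not followed.
REFER_RE = re.compile(r"^(?:refer:\s*|ReferralServer:\s*whois://)([\w.-]+)", re.M | re.I)


def parse_referral(text):
    """Return the server a referral line points to, or None if the answer is final."""
    m = REFER_RE.search(text)
    return m.group(1) if m else None


def whois_lookup(target, start="whois.iana.org", max_hops=3, query=whois_raw):
    """Start at IANA and follow referrals until a server answers without one.

    Returns (answering_server, list_of_servers_tried, answer_text). The hop
    limit guards against a misconfigured server referring back to itself or
    in a loop.
    """
    server, trail, text = start, [], ""
    for _ in range(max_hops):
        text = query(server, target)
        trail.append(server)
        nxt = parse_referral(text)
        if not nxt or nxt == server:
            return server, trail, text
        server = nxt
    return server, trail, text  # hop limit reached; hand back the last answer


# Constructed, abridged answers so the referral logic can be demonstrated offline.
FAKE_ANSWERS = {
    "whois.iana.org": (
        "refer:        whois.ripe.net\n\n"
        "inetnum:      193.0.0.0 - 193.255.255.255\n"
        "organisation: RIPE NCC\n"
    ),
    "whois.ripe.net": (
        "% Information related to '193.0.0.0 - 193.0.7.255'\n"
        "inetnum:        193.0.0.0 - 193.0.7.255\n"
        "netname:        RIPE-NCC\n"
        "source:         RIPE\n"
    ),
}


def fake_query(server, target):
    """Stand-in for whois_raw that serves the constructed answers above."""
    return FAKE_ANSWERS[server]


if __name__ == "__main__":
    server, trail, text = whois_lookup("193.0.7.35", query=fake_query)
    print("answered by", server, "via", " -> ".join(trail))
    print(text)
```

`whois_lookup("193.0.7.35")` without the `query` argument performs the real exchange: one connection to whois.iana.org, which refers to whois.ripe.net, then one to whois.ripe.net, which returns the inetnum object shown in the netcat section. It is the same thing the shell one-liner `printf '193.0.7.35\r\n' | nc whois.ripe.net 43` does for the second hop.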

Are there other ways to fetch WHOIS IP data without using command-line based tools? There are… keep reading!

WHOIS IP lookup using SurfaceBrowser

Our IP scanner capabilities allow us not only to retrieve full network ranges, but also to provide you with the latest WHOIS data about those unknown IP addresses.

Enter SurfaceBrowser™, a web-based enterprise product developed by SecurityTrails that integrates full intelligence data from domains, servers, SSL certificates, open ports, and also IP addresses.

When it comes to performing WHOIS IP lookups, our tool is one of the best. It combines lightning fast speed with accurate results, even integrating geolocation detection capabilities in a single interface.

All you need to do is enter the IP address to perform a full WHOIS lookup.

Once the results load, you get the full details for the IP address. Querying 8.8.8.8, for instance, returned:

Connection Hostname: dns.google
ASN: AS15169
Organization: Google LLC
Type: Business
Route: 8.8.8.0/24
Company: Google LLC
City: Mountain View
Postal Code: 94035

But the lookup doesn’t end with the IP’s own record: the tool also lists every domain that points to that IP. In this case we found around 25k domain names.


Domain names are listed with hostname, Alexa rank, company name, registrar, registration and expiry dates, and mail and web hosting provider.

SurfaceBrowser™ can also explore full IP ranges, such as 8.8.8.0/24, and presents the block like this:

IP block details
  • IP Count 256
  • Bitmask 24
  • Base IP 8.8.8.0
  • Broadcast IP 8.8.8.255
  • Mask 255.255.255.0
  • Host Mask 0.0.0.255
  • ASN: AS15169
  • Organization: Google LLC
  • Company: Google LLC
  • Neighboring IPs to: 8.8.8.0/24

Today we learned that WHOIS IP results can be very informative when you need the details behind a particular IP allocation, or when you’re conducting a cybersecurity investigation and tracking down the people behind an attack. If you’re new to the infosec world, you now have several ways to perform a WHOIS IP lookup, from classic terminal-based methods using the WHOIS command to modern attack surface analysis tools like SurfaceBrowser™.

Start auditing remote networks, IP addresses and domain names with our API today. Sign up for the free API tier.

And if you work for a private or public agency or company and need more than the API, book a demo of SurfaceBrowser™, our enterprise-grade solution for WHOIS lookups across any network.

¹ https://www.nro.net/about/rirs/
² https://man.openbsd.org/whois.1
³ https://kb.iu.edu/d/aayd
⁴ https://en.wikipedia.org/wiki/Netcat