IP addresses empower users to connect from clients to servers, to retrieve information, and to make communication possible. Without IP addresses, the Internet would not be what it is today; even with the IPv4 shortage problem, the IP concept still benefits us with the new IPv6-based addresses.
Within the infosec and general OSINT communities, IP addresses are very important. That’s because IP addresses involve numerous details that security researchers often find relevant to their investigations into different types of cybercrime.
Some time ago we wrote an article about how to perform a domain WHOIS lookup, but instead of domains, today we’ll focus on how to perform an IP WHOIS lookup using several traditional domain tools, as well as modern paths using web-based products.
What is a WHOIS IP lookup?
In much the same way as a domain WHOIS lookup, an IP WHOIS lookup is performed by IT users to retrieve as much data as possible for any specific IP address or IP range.
This information is fetched from the Regional Internet Registry (RIR¹), the organization behind IP address allocations, depending on the precise part of the world to which the IP address belongs.
The 5 Regional Internet Registries include: AFRINIC (African Network Information Centre), which handles IP administration for Africa; ARIN (American Registry for Internet Numbers), which administers IP addresses for the US, Canada and a few North American island countries; APNIC (Asia-Pacific Network Information Centre), in charge of IP address administration in Japan, China, Australia, and other Asian countries; LACNIC (Latin America and Caribbean Information Centre); and RIPE NCC (Ripe Network Coordination Centre), which handles IP administration for Europe, Russia and Middle East-based countries.
IP WHOIS results: What are they useful for?
The results obtained from an IP WHOIS lookup are useful for a wide range of tasks, including passive data collection and historical WHOIS services, as well as for real time infosec investigations when someone is trying to contact the owner of the IP block, due to any of several domain security problems, including network abuse, malware distribution, incoming spam and more.
These results include source, assigned net range, CIDR, name, region, city, country and other details. Let’s jump right into practical examples so you can take a look.
How can I perform a WHOIS IP lookup?
Whether you’re performing research against hidden authors behind DNS attacks, DDoS floods or social engineering attacks, performing a WHOIS IP lookup is always applicable.
Let’s explore the most effective ways to perform this lookup from the terminal, using methods ranging from classic to newer and web-based.
WHOIS IP lookup using the WHOIS command
The WHOIS command² is one of the most traditional ways to perform a WHOIS IP lookup. The WHOIS client often comes installed by default on many modern Linux distributions, and allows you to quickly fetch from remote servers the WHOIS data about any given domain name or IP address.
If it hasn’t been installed by default, you can easily do it yourself.
For CentOS/RHEL/Fedora users:
yum install jwhois
For Ubuntu/Debian users:
apt-get install whois
For example, if we want to know all possible information regarding an IP address, let’s say 18.104.22.168, we should simply perform this command:
Here’s the result:
NetRange: 22.214.171.124 - 126.96.36.199
CIDR: 188.8.131.52/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2017-02-17
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/184.108.40.206
That’s the first part—and includes the network IP range, CIDR, NetName, NetHandle, Parent, NetTypes, Origin AS, Organization, Registration date and Update date, as well as abuse contact and official ARIN IP range URL information.
The second part includes details about the organization, as shown below. Here you’ll find the exact organization name, address, city, state, postal code and country:
OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2010-07-09
Updated: 2018-10-10
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/entity/CLOUD14
You’ll also find technical, network and abuse contacts so you can get in touch with them quickly by phone or email.
OrgTechHandle: ADMIN2521-ARIN
OrgTechName: Admin
OrgTechPhone: +1-650-319-8930
OrgTechEmail: email@example.com
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN

OrgNOCHandle: NOC11962-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-650-319-8930
OrgNOCEmail: firstname.lastname@example.org
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN

OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-319-8930
OrgAbuseEmail: email@example.com
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN
That’s one of the most classic ways to perform an IP WHOIS lookup.
Fetching IP WHOIS information using Telnet
Another way to fetch information from any IP address is by using the old-fashioned telnet command. Yes, the telnet command³ is still a powerful tool for many security researchers and system administrators.
Performing a WHOIS lookup against any IP is pretty easy—you only need to query against a WHOIS server. For example:
telnet whois.apnic.net 43
[firstname.lastname@example.org:~]telnet whois.apnic.net 43
Trying 220.127.116.11...
Connected to whois.apnic.net.
Escape character is '^]'.
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
Once you’re connected, the session stays open and waits for your input. In this case, we simply need to type the IP address we want to investigate:
Once you enter the IP address, more data will be displayed:
% Information related to '18.104.22.168 - 22.214.171.124'
% Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com'

inetnum: 184.108.40.206 - 220.127.116.11
netname: APNIC-LABS
descr: APNIC and Cloudflare DNS Resolver project
descr: Routed globally by AS13335/Cloudflare
descr: Research prefix for APNIC Labs
country: AU
org: ORG-ARAD1-AP
admin-c: AR302-AP
tech-c: AR302-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-AU-APNIC-GM85-AP
mnt-irt: IRT-APNICRANDNET-AU
status: ASSIGNED PORTABLE
remarks: ---------------
remarks: All Cloudflare abuse reporting can be done via
remarks: firstname.lastname@example.org
remarks: ---------------
last-modified: 2018-03-30T01:51:28Z
source: APNIC
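The two replies shown so far use different layouts: ARIN's NetRange/OrgAbuseEmail fields and the inetnum/descr layout returned by whois.apnic.net, where keys repeat and the abuse mailbox sits in a '%' comment line. The following is an added example, not code from the original article, that parses both and pulls out the range, its CIDR blocks and the abuse contact; the sample replies are constructed, and the function names are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in ARIN's layout (documentation range, placeholder names).
ARIN_SAMPLE = """\
# Constructed registry banner line
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET
OrgAbuseEmail:  abuse@example.net
"""

# Constructed sample in the layout of the APNIC reply (range is not one CIDR).
RPSL_SAMPLE = """\
% Abuse contact for '198.51.100.0 - 198.51.100.191' is 'abuse@example.org'
inetnum:        198.51.100.0 - 198.51.100.191
netname:        EXAMPLE-LABS
descr:          First description line
descr:          Second description line
"""

def parse_whois(text):
    """Return {lowercased key: [values]}; keys such as descr may repeat."""
    fields = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line[0] in "%#":
            continue  # blank lines and registry comments carry no fields
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip().lower()].append(value.strip())
    return dict(fields)

def summarize(text):
    """Extract range, covering CIDR blocks, network name and abuse mailbox."""
    f = parse_whois(text)
    rng = (f.get("netrange") or f.get("inetnum") or [None])[0]
    cidrs = []
    if rng:
        first, last = (ipaddress.ip_address(p.strip()) for p in rng.split("-"))
        cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    # The inetnum-style reply announces the abuse mailbox in a '%' comment.
    m = re.search(r"^% Abuse contact for .* is '([^']+)'", text, re.M)
    abuse = m.group(1) if m else (f.get("orgabuseemail") or [None])[0]
    name = (f.get("netname") or [None])[0]
    return {"range": rng, "cidrs": cidrs, "netname": name, "abuse": abuse}
```

This handles IPv4 ranges only; a registry reply that gives the block as a single prefix instead of "first - last" needs its own branch.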
Grabbing WHOIS IP data with netcat
Netcat⁴ is another great alternative to the telnet command, and it works the same way.
Known as ‘nc’, it’s one of the most powerful networking tools available. Thanks to its debugging features it’s often used for network TCP and UDP socket investigation and for all kinds of IT roles, from programmers to system administrators and penetration testers.
You can install netcat on CentOS/RHEL/Fedora by using this command:
yum install netcat
For Ubuntu/Debian users, you can use this:
apt-get install netcat
Once you have that application installed, running an IP WHOIS lookup is the same as when using telnet, except instead of ‘telnet’ you’ll launch your query with the ‘nc’ command. For example:
nc whois.iana.org 43
This will open an interactive session where you can enter the IP in question:
This will show you detailed information about that IP, along with associated blocks:
% Information related to '18.104.22.168 - 22.214.171.124'
% Abuse contact for '126.96.36.199 - 188.8.131.52' is 'email@example.com'

inetnum: 184.108.40.206 - 220.127.116.11
netname: RIPE-NCC
descr: RIPE Network Coordination Centre
org: ORG-RIEN1-RIPE
descr: Amsterdam, Netherlands
remarks: Used for RIPE NCC infrastructure.
country: NL
admin-c: BRD-RIPE
tech-c: OPS4-RIPE
status: ASSIGNED PA
mnt-by: RIPE-NCC-MNT
created: 2003-03-17T12:15:57Z
last-modified: 2017-12-04T14:42:31Z
source: RIPE

organisation: ORG-RIEN1-RIPE
org-name: Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
org-type: LIR
descr: RIPE NCC Operations
address: P.O. Box 10096
address: 1001 EB
address: Amsterdam
address: NETHERLANDS
phone: +31205354444
fax-no: +31205354445
admin-c: MENN1-RIPE
admin-c: AP110-RIPE
abuse-c: ops4-ripe
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: RIPE-NCC-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-MNT
created: 2012-03-09T13:21:52Z
last-modified: 2019-06-18T17:20:26Z
source: RIPE # Filtered
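What the telnet and nc sessions above do by hand can be scripted: open TCP port 43, send the address followed by CRLF, and read until the server closes the connection. This added example (not code from the original article) asks whois.iana.org first and follows its referral only to one of the five RIR WHOIS servers; the host allowlist, the constructed IANA_SAMPLE reply and the function names are assumptions of this example.

```python
import ipaddress
import re
import socket

IANA = "whois.iana.org"
# WHOIS hosts of the five RIRs; a referral to anything else is ignored.
RIR_SERVERS = {"whois.afrinic.net", "whois.apnic.net", "whois.arin.net",
               "whois.lacnic.net", "whois.ripe.net"}

# Constructed sample of a reply carrying a referral (placeholder values).
IANA_SAMPLE = """\
% Constructed banner line
refer:        whois.apnic.net

inetnum:      198.51.100.0 - 198.51.100.255
organisation: Example Registry
"""

def build_query(ip):
    """Validate the address and frame it as a single WHOIS request line."""
    # ip_address() accepts only a literal address, so server flags,
    # whitespace or CR/LF cannot be smuggled into the query.
    return f"{ipaddress.ip_address(ip)}\r\n".encode("ascii")

def extract_referral(text):
    """Return the referred WHOIS host if it is a known RIR server, else None."""
    m = re.search(r"^(?:refer|whois):\s*(\S+)", text, re.M | re.I)
    host = m.group(1).lower() if m else None
    return host if host in RIR_SERVERS else None

def whois_query(server, ip, timeout=10):
    """One WHOIS exchange: connect to TCP 43, send one line, read to EOF."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(build_query(ip))
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def lookup(ip):
    """Ask IANA first, then follow its referral to the responsible RIR."""
    reply = whois_query(IANA, ip)
    rir = extract_referral(reply)
    return (rir, whois_query(rir, ip)) if rir else (IANA, reply)

if __name__ == "__main__":
    server, text = lookup("192.0.2.1")
    print(f"# answered by {server}\n{text}")
```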
Are there other ways to fetch WHOIS IP data without using command-line based tools? There are… keep reading!
WHOIS IP lookup using SurfaceBrowser
Our IP scanner capabilities allow us not only to retrieve full network ranges, but also to provide you with the latest WHOIS data about those unknown IP addresses.
Enter SurfaceBrowser™, a web-based enterprise product developed by SecurityTrails that integrates full intelligence data from domains, servers, SSL certificates, open ports, and also IP addresses.
When it comes to performing WHOIS IP lookups, our tool is one of the best. It combines lightning fast speed with accurate results, even integrating geolocation detection capabilities in a single interface.
All you need to do is add any IP address to perform a full WHOIS lookup. Follow these steps:
- Log in to your SecurityTrails account at https://securitytrails.com/app/auth/login
- Jump into the SurfaceBrowser™ tool: securitytrails.com/app/sb
- Type the IP address you need to explore.
- Browse the results
Once the results are loaded, you’ll get full details on the IP address. In this case, querying the IP address 18.104.22.168 returned these details:
Connection
Hostname: dns.google
ASN: AS15169
Organization: Google LLC
Type: Business
Route: 22.214.171.124/24
Company Google LLC
City: Mountain View
Postal Code: 94035
But the IP lookup doesn’t end with showing you information about the IP. We go one step ahead to show you all the domains pointing to that IP. In this case, we found around 25k domain names, as you see below:
You’ll find domain names ordered by hostname, alexa rank, computer company name, domain registrar, and related expiry and registration date, as well as mail and web hosting provider.
SurfaceBrowser™ can also explore full IP ranges, such as 126.96.36.199/24. You’ll find clear details about an IP block as you see in the following screenshot:
- IP Count 256
- Bitmask 24
- Base IP 188.8.131.52
- Broadcast IP 184.108.40.206
- Mask 255.255.255.0
- Host Mask 0.0.0.255
- ASN: AS15169
- Organization: Google LLC
- Company: Google LLC
- Neighboring IPs to: 220.127.116.11/24
Today we learned that WHOIS IP results can be very informative when you need details behind certain IP allocations, or when you’re conducting a cybersecurity investigation and tracking down bad guys. If you’re new to the infosec world, you’ll surely learn many different ways to perform a WHOIS IP lookup, from using classic terminal-based methods using the WHOIS command to relying on modern attack surface area analysis tools like SurfaceBrowser™.
Start auditing remote networks, IP addresses, and domain names with our full-intelligent API today. Sign up for a free API tier.
And if you work for a private or public agency/company and need access to more than our API, take a leap to the next-level OSINT-set and book a demo to test SurfaceBrowser™, our enterprise-grade solution ready to empower your WHOIS lookups for any network.
¹ https://www.nro.net/about/rirs/
² https://man.openbsd.org/whois.1
³ https://kb.iu.edu/d/aayd
⁴ https://en.wikipedia.org/wiki/Netcat