
SecurityTrails Blog · Last updated on Oct 14 2021 · by Esteban Borges

Whois IP: best tools to perform a WHOIS and RDAP IP Lookup


Ever since the beginning of the Internet, a key component driving its ongoing progress has been the IP address: the number behind every network, server and virtual machine.

IP addresses let clients reach servers, retrieve information and communicate. Without them the Internet would not be what it is today; even with IPv4 exhaustion, the same concept carries on in IPv6 addresses.

Within the infosec and OSINT communities, IP addresses matter a great deal, because the registration data attached to an address block is often directly relevant to investigations into different types of cybercrime.

Some time ago we wrote an article about how to perform a domain WHOIS lookup, but instead of domains, today we’ll focus on how to perform an IP WHOIS lookup using several traditional domain tools, as well as modern paths using web-based products.

What is a WHOIS IP lookup?

In much the same way as a domain WHOIS lookup, an IP WHOIS lookup retrieves the registration data held for a specific IP address or IP range: who the block is allocated to, how to reach them, and when the record was created or last changed.

This information comes from the Regional Internet Registry (RIR¹) responsible for the part of the world in which the address was allocated. The RIRs receive address space from IANA and hand it out to ISPs, hosting providers and end-user organizations in their region.

The five Regional Internet Registries are: AFRINIC (African Network Information Centre), which handles IP administration for Africa; ARIN (American Registry for Internet Numbers), which administers IP addresses for the US, Canada, many Caribbean and North Atlantic islands, and Antarctica; APNIC (Asia-Pacific Network Information Centre), in charge of IP address administration in Japan, China, Australia and the rest of the Asia-Pacific region; LACNIC (Latin America and Caribbean Network Information Centre), covering Latin America and parts of the Caribbean; and RIPE NCC (Réseaux IP Européens Network Coordination Centre), which handles IP administration for Europe, the Middle East and Central Asia, including Russia.

IP WHOIS results: What are they useful for?

The results obtained from an IP WHOIS lookup are useful for a wide range of tasks: passive data collection and historical WHOIS services, and real-time infosec investigations in which someone needs to contact the owner of an IP block about network abuse, malware distribution, incoming spam, scanning and similar problems. The abuse contact in the record is the address such reports should go to.

These results include the source registry, the assigned net range, CIDR, network name, organization, region, city, country and other details. Let's jump right into practical examples so you can take a look.

How can I perform a WHOIS IP lookup?

Whether you’re performing research against hidden authors behind DNS attacks, DDoS floods or social engineering attacks, performing a WHOIS IP lookup is always applicable.

Let's explore the most effective ways to perform this lookup, from classic terminal commands to newer RDAP clients and web-based tools.

WHOIS IP lookup using the WHOIS command

The WHOIS command² is one of the most traditional ways to perform a WHOIS IP lookup. The WHOIS client often comes installed by default on many modern Linux distributions, and allows you to quickly fetch from remote servers the WHOIS data about any given domain name or IP address. For an IP address the client works out which RIR server is authoritative (from a built-in table, or by following the referral that whois.iana.org returns), a step you have to do by hand with the raw telnet and netcat methods below.

If it hasn’t been installed by default, you can easily do it yourself.

For CentOS/RHEL 7 users (current Fedora and RHEL 8 and later ship the client as the whois package instead, so use dnf install whois there):

yum install jwhois

For Ubuntu/Debian users:

apt-get install whois

For example, if we want to know all possible information regarding an IP address, let’s say 104.16.181.15, we should simply perform this command:

whois 104.16.181.15

Here’s the result:

NetRange: 104.16.0.0 - 104.31.255.255
CIDR: 104.16.0.0/12
NetName: CLOUDFLARENET
NetHandle: NET-104-16-0-0-1
Parent: NET104 (NET-104-0-0-0-0)
NetType: Direct Assignment
OriginAS: AS13335
Organization: Cloudflare, Inc. (CLOUD14)
RegDate: 2014-03-28
Updated: 2017-02-17
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/ip/104.16.0.0

That's the first part, which includes the network IP range, CIDR, NetName, NetHandle, Parent, NetType, OriginAS, Organization, registration date and update date, as well as the abuse-reporting comment and the RDAP URL for the range on ARIN's server.

The second part includes details about the organization, as shown below. Here you’ll find the exact organization name, address, city, state, postal code and country:

OrgName: Cloudflare, Inc.
OrgId: CLOUD14
Address: 101 Townsend Street
City: San Francisco
StateProv: CA
PostalCode: 94107
Country: US
RegDate: 2010-07-09
Updated: 2018-10-10
Comment: All Cloudflare abuse reporting can be done via https://www.cloudflare.com/abuse
Ref: https://rdap.arin.net/registry/entity/CLOUD14

You’ll also find technical, network and abuse contacts so you can get in touch with them quickly by phone or email.

OrgTechHandle: ADMIN2521-ARIN
OrgTechName: Admin
OrgTechPhone: +1-650-319-8930
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/ADMIN2521-ARIN
OrgNOCHandle: NOC11962-ARIN
OrgNOCName: NOC
OrgNOCPhone: +1-650-319-8930
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/NOC11962-ARIN
OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-650-319-8930
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/ABUSE2916-ARIN

That’s one of the most classic ways to perform an IP WHOIS lookup.

Fetching IP WHOIS information using Telnet

Another way to fetch information from any IP address is by using the old-fashioned telnet command. Yes, the telnet command³ is still a powerful tool for many security researchers and system administrators.

WHOIS is a plain-text protocol (RFC 3912): the client opens a TCP connection to port 43 of a WHOIS server, sends one line containing the query, and the server writes back the matching records and closes the connection. So all you need is a TCP client and the right server; the catch is that you must pick the RIR server yourself, because telnet will not follow referrals. For example, for an APNIC-managed address:

telnet whois.apnic.net 43

Output example:

$ telnet whois.apnic.net 43
Trying 23.239.6.76...
Connected to whois.apnic.net.
Escape character is '^]'.
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

Once you're connected, the session stays open waiting for the query. Type the IP address you want to investigate and press Enter:

1.1.1.1

Once you submit the IP address, the record is displayed and the server closes the connection:

% Information related to '1.1.1.0 - 1.1.1.255'
% Abuse contact for '1.1.1.0 - 1.1.1.255' is '[email protected]'
inetnum: 1.1.1.0 - 1.1.1.255
netname: APNIC-LABS
descr: APNIC and Cloudflare DNS Resolver project
descr: Routed globally by AS13335/Cloudflare
descr: Research prefix for APNIC Labs
country: AU
org: ORG-ARAD1-AP
admin-c: AR302-AP
tech-c: AR302-AP
mnt-by: APNIC-HM
mnt-routes: MAINT-AU-APNIC-GM85-AP
mnt-irt: IRT-APNICRANDNET-AU
status: ASSIGNED PORTABLE
remarks: ---------------
remarks: All Cloudflare abuse reporting can be done via
remarks: [email protected]
remarks: ---------------
last-modified: 2018-03-30T01:51:28Z
source: APNIC

Grabbing WHOIS IP data with netcat

Netcat⁴ is another great alternative to the telnet command, and for this purpose it works the same way.

Known as 'nc', it's one of the most versatile networking tools available. It reads and writes raw TCP and UDP sockets, which makes it handy for debugging and scripting in all kinds of IT roles, from programmers to system administrators and penetration testers.

On CentOS/RHEL 7 and later and on Fedora, the nc binary is provided by the nmap-ncat package:

yum install nmap-ncat

For Ubuntu/Debian users, you can use this (netcat is a metapackage that pulls in one of the two implementations; if your release no longer carries it, install netcat-openbsd directly):

apt-get install netcat

Once you have that application installed, running an IP WHOIS lookup is the same as when using telnet, except instead of 'telnet' you'll launch your query with the 'nc' command. The server has to be the RIR that manages the address: for 193.0.7.35, a RIPE NCC address, that is whois.ripe.net. (whois.iana.org also answers on port 43, but it only returns the top-level allocation plus a refer: line pointing at the RIR, not the record shown below.) For example:

nc whois.ripe.net 43

This opens the connection and waits for input; type the IP in question and press Enter:

193.0.7.35

The server responds with the inetnum record that covers that IP, followed by the organisation object it references:

% Information related to '193.0.0.0 - 193.0.7.255'
% Abuse contact for '193.0.0.0 - 193.0.7.255' is '[email protected]'
inetnum: 193.0.0.0 - 193.0.7.255
netname: RIPE-NCC
descr: RIPE Network Coordination Centre
org: ORG-RIEN1-RIPE
descr: Amsterdam, Netherlands
remarks: Used for RIPE NCC infrastructure.
country: NL
admin-c: BRD-RIPE
tech-c: OPS4-RIPE
status: ASSIGNED PA
mnt-by: RIPE-NCC-MNT
created: 2003-03-17T12:15:57Z
last-modified: 2017-12-04T14:42:31Z
source: RIPE
organisation: ORG-RIEN1-RIPE
org-name: Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
org-type: LIR
descr: RIPE NCC Operations
address: P.O. Box 10096
address: 1001 EB
address: Amsterdam
address: NETHERLANDS
phone: +31205354444
fax-no: +31205354445
admin-c: MENN1-RIPE
admin-c: AP110-RIPE
abuse-c: ops4-ripe
mnt-ref: RIPE-NCC-HM-MNT
mnt-ref: RIPE-NCC-MNT
mnt-by: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-MNT
created: 2012-03-09T13:21:52Z
last-modified: 2019-06-18T17:20:26Z
source: RIPE # Filtered
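The same port-43 exchange, automated. The following Python script is an added example written for this article; it is not code from the SecurityTrails post or from any of the clients above. It sends the query exactly as the telnet and netcat sessions do (query line plus CRLF to TCP port 43, then read until the server closes), parses the key: value records that all five RIRs return into dictionaries, pulls out the abuse contact wherever the registry put it, and performs the whois.iana.org referral hop that the whois command does for you and a raw telnet/nc session does not. Only whois_query() and lookup() touch the network; the sample replies embedded in the script are constructed to match the shape of IANA and RIPE responses, and the abuse mailbox in them is a placeholder.

```python
"""Added example (not from the SecurityTrails post): a minimal port-43 WHOIS
client that does what the telnet/netcat sessions do by hand, a parser for
the "key: value" records the RIRs return, and the IANA referral step that
whois(1) performs for you.  Sample replies below are constructed."""
from __future__ import annotations

import re
import socket

WHOIS_PORT = 43
ABUSE_COMMENT = re.compile(r"^%\s*Abuse contact for '.*' is '([^']+)'", re.M)

def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """RFC 3912 exchange: connect to TCP/43, send the query terminated by
    CRLF, read until the server closes the socket."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text: str) -> list[dict[str, list[str]]]:
    """Split a reply into blank-line separated objects of key -> [values].
    Keys are lower-cased so ARIN's 'NetRange' and RIPE's 'inetnum' style
    records are handled alike; repeated keys (descr, remarks, address) keep
    every value; '%' and '#' lines are server comments, not attributes."""
    objects: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if line.startswith(("%", "#")):
            continue
        key, sep, value = line.partition(":")  # first colon only: URLs keep theirs
        if sep:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def referral_server(iana_reply: str) -> str | None:
    """whois.iana.org holds no RIR records; it answers with a 'refer:' line
    naming the server that does.  Return that server, or None."""
    for obj in parse_whois(iana_reply):
        if "refer" in obj:
            return obj["refer"][0]
    return None

def abuse_contacts(text: str) -> list[str]:
    """Collect abuse mailboxes from the three places RIRs put them: ARIN's
    OrgAbuseEmail, the RIPE/APNIC '% Abuse contact ...' comment line, and
    the RPSL abuse-mailbox attribute."""
    found = set(ABUSE_COMMENT.findall(text))
    for obj in parse_whois(text):
        for key in ("orgabuseemail", "abuse-mailbox"):
            found.update(obj.get(key, []))
    return sorted(found)

def lookup(ip: str) -> str:
    """Two-hop lookup the way whois(1) does it: ask IANA, follow the referral."""
    iana = whois_query("whois.iana.org", ip)
    server = referral_server(iana)
    return whois_query(server, ip) if server else iana

# Constructed sample in the shape of a whois.iana.org reply for a RIPE address.
SAMPLE_IANA = """\
% IANA WHOIS server

refer:        whois.ripe.net

inetnum:      193.0.0.0 - 193.255.255.255
organisation: RIPE NCC
status:       ALLOCATED

whois:        whois.ripe.net

source:       IANA
"""

# Constructed sample abridged from the RIPE reply above; the abuse mailbox
# is a placeholder, not the registry's real contact.
SAMPLE_RIPE = """\
% Information related to '193.0.0.0 - 193.0.7.255'
% Abuse contact for '193.0.0.0 - 193.0.7.255' is 'abuse@example.net'

inetnum:        193.0.0.0 - 193.0.7.255
netname:        RIPE-NCC
descr:          RIPE Network Coordination Centre
descr:          Amsterdam, Netherlands
status:         ASSIGNED PA
source:         RIPE

organisation:   ORG-RIEN1-RIPE
org-name:       Reseaux IP Europeens Network Coordination Centre (RIPE NCC)
abuse-mailbox:  abuse@example.net
source:         RIPE # Filtered
"""

if __name__ == "__main__":
    print("referral:", referral_server(SAMPLE_IANA))
    print("abuse:", abuse_contacts(SAMPLE_RIPE))
```

Run it directly to see the constructed samples parsed, or call lookup("193.0.7.35") for a live query. The two-hop logic is what lets a script handle an address from any RIR without hard-coding the server name, and the same query line can be piped into nc from a shell when you only need the raw text.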

Are there other ways to fetch WHOIS IP data without using command-line based tools? There are… keep reading!

WHOIS IP lookup using SurfaceBrowser

Our IP scanning capabilities allow us not only to retrieve full network ranges, but also to provide you with the latest WHOIS data about those unknown IP addresses.

Enter SurfaceBrowser™, a web-based enterprise product developed by SecurityTrails that integrates full intelligence data from domains, servers, SSL certificates, open ports, and also IP addresses.

When it comes to performing WHOIS IP lookups, our tool is one of the best. It combines lightning fast speed with accurate results, even integrating geolocation detection capabilities in a single interface.

All you need to do is enter any IP address and run a full WHOIS lookup. Once the results are loaded, you'll get full details on the IP address. In this case, querying 8.8.8.8 gave us:

  • Connection Hostname: dns.google
  • ASN: AS15169
  • Organization: Google LLC
  • Type: Business
  • Route: 8.8.8.0/24
  • Company: Google LLC
  • City: Mountain View
  • Postal Code: 94035

But the IP lookup doesn't end with showing you information about the IP. We go one step further and show you all the domains pointing to that IP. In this case, we found around 25k domain names.

You'll find domain names ordered by hostname, Alexa rank, company name, domain registrar, expiry and registration dates, as well as mail and web hosting provider.

SurfaceBrowser™ can also explore full IP ranges, such as 8.8.8.0/24. For an IP block you get the following details:

  • IP Count 256
  • Bitmask 24
  • Base IP 8.8.8.0
  • Broadcast IP 8.8.8.255
  • Mask 255.255.255.0
  • Host Mask 0.0.0.255
  • ASN: AS15169
  • Organization: Google LLC
  • Company: Google LLC
  • Neighboring IPs to: 8.8.8.0/24

RDAP IP Lookup

Registration Data Access Protocol, also known as "RDAP", is the standardized successor to WHOIS (RFC 7480 to 7485), and all five RIRs already serve it alongside port-43 WHOIS. It returns the same kind of registration data for IP networks, ASNs, domains and nameservers, but over HTTPS as structured JSON, with a defined bootstrap mechanism (IANA publishes which server is authoritative for which address range) and standard HTTP redirects when you ask the wrong registry. That makes it far easier to script than parsing free-form WHOIS text. Here are three popular RDAP lookup clients, so you can perform your lookups quickly and accurately.

OpenRDAP

OpenRDAP is an open-source command-line RDAP client written in Go (the project's site also hosts a web-based demo). It's a handy way to perform quick RDAP lookups from the terminal. To use it against any IPv4 or IPv6 address or prefix, just type:

rdap -v 1.1.1.1
rdap -v 2a02:ec80::/32

If you don't want all the verbose output (which includes the HTTP requests and the raw JSON), remove the '-v' parameter and you get a condensed WHOIS-style summary of the same record.

Other useful RDAP lookup commands include:

  • ASN lookup: rdap -v AS15169
  • Domain lookup: rdap -v example.com
  • NS lookup: rdap -v -t nameserver -s https://rdap.verisign.com/com/v1 ns1.google.com

Rdapper

Rdapper is another useful RDAP client, written in Perl. It’s a nice alternative to OpenRDAP that runs in your local terminal and helps you get data about any IPv4 and IPv6 address, hostnames (a “forward” domain name such as example.com; or a “reverse” domain name such as 168.192.in-addr.arpa;) or autonomous systems.

If you already have cpan (the Perl module installer) on your system, installing it is a single command (the distribution is published on CPAN as App::rdapper, so use that name if cpan cannot resolve the short one):

sudo cpan -i rdapper

And you’re ready to go. Here’s an example of output from an RDAP lookup against an IP address:

$ rdapper --type=IP 1.1.1.1
Handle          : 1.1.1.0 - 1.1.1.255
Name            : APNIC-LABS
End Address     : 1.1.1.255
IP Version      : v4
Port 43 Whois   : whois.apnic.net
Country         : AU
cidr0_cidrs     : {"cidr0_cidrs":[{"v4prefix":"1.1.1.0","length":24}]}
Remarks         : HASH(0x55784f483020)
Remarks         : HASH(0x55784f47e290)
objectClassName : ip network
Start Address   : 1.1.1.0
Type            : ASSIGNED PORTABLE
events          : {"events":[{"eventAction":"last changed","eventDate":"2020-07-15T13:10:57Z"}]}
==== Source ====
Objects returned came from source
APNIC
This is the APNIC WHOIS Database query service. The objects are in RDAP format.

One caveat about that output: the two "Remarks: HASH(0x...)" lines are not registry data. They are Perl hash references that this version of the client printed without rendering them, so the record's remarks are simply missing from the summary. When a field looks like that, fall back to the raw JSON, which is exactly what the next method gives you.

Curl

For this purpose, our beloved curl command also serves us well. RDAP queries are plain HTTPS GET requests that return JSON, so any HTTP client such as curl or wget can query the RDAP information for any IP or hostname.

In the following example, we’ll get data from 1.1.1.1 from APNIC:

curl https://rdap.apnic.net/ip/1.1.1.1

If you want to visualize the JSON file in a fancy way, you can tweak the command a bit by using:

curl -s https://rdap.apnic.net/ip/1.1.1.1 | jq --color-output

Or you can always use the old-fashioned wget command:

wget https://rdap.apnic.net/ip/61.135.157.156

One caveat applies to both: the URL names a specific RIR. If the address belongs to another registry, the server answers with an HTTP redirect to the authoritative one, so add -L to curl (wget follows redirects by default), or query the public rdap.org redirector, which resolves the right server for you from the IANA bootstrap data.
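Choosing the right RDAP server and reading the JSON, as an added example written for this article (it is not code from the post, nor from OpenRDAP, rdapper or curl). The bootstrap excerpt and the RDAP response inside the script are constructed samples in the real formats: the service list of IANA's ipv4.json and an RDAP "ip network" object modelled on the 1.1.1.0/24 record above. The contact address in them is a placeholder. find_rdap_base() does the longest-prefix match that tells you which RIR to query, the step a bare curl leaves to you, and summarize_ip_network() extracts the range, CIDR, type, last-changed event, remarks and abuse mailbox, which hides inside the jCard of the entity carrying the "abuse" role, often nested under the registrant organisation.

```python
"""Added example (not from the SecurityTrails post or any RDAP client it
describes): RIR selection via the IANA bootstrap format (RFC 7484) and a
summary of an RDAP "ip network" object.  Bootstrap data and the response
below are constructed samples; the abuse address is a placeholder."""
from __future__ import annotations

import ipaddress
import json
from urllib.request import Request, urlopen

# Constructed excerpt in the layout of https://data.iana.org/rdap/ipv4.json:
# each service is [prefixes, base URLs].  The real file covers every /8.
BOOTSTRAP_IPV4 = {"version": "1.0", "services": [
    [["1.0.0.0/8", "14.0.0.0/8"], ["https://rdap.apnic.net/"]],
    [["8.0.0.0/8", "104.0.0.0/8"], ["https://rdap.arin.net/registry/"]],
    [["193.0.0.0/8"], ["https://rdap.db.ripe.net/"]],
    [["41.0.0.0/8"], ["https://rdap.afrinic.net/rdap/"]],
    [["200.0.0.0/8"], ["https://rdap.lacnic.net/rdap/"]],
]}

def find_rdap_base(ip: str, bootstrap: dict = BOOTSTRAP_IPV4) -> str | None:
    """Longest-prefix match of ip against the bootstrap services.  Returns
    the base URL that '/ip/<ip>' is appended to, or None if no RIR has it."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for prefixes, urls in bootstrap["services"]:
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = urls[0], net.prefixlen
    return best

def rdap_url(ip: str) -> str | None:
    base = find_rdap_base(ip)
    return f"{base.rstrip('/')}/ip/{ip}" if base else None

def fetch_ip_network(ip: str) -> dict:
    """Live lookup (network).  urllib follows the redirect an RIR sends when
    asked about space it does not manage, so a wrong guess still resolves."""
    url = rdap_url(ip)
    if url is None:
        raise ValueError(f"no RDAP server known for {ip}")
    req = Request(url, headers={"Accept": "application/rdap+json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)

def _vcard(vcard: list, name: str) -> str | None:
    """vcardArray is ['vcard', [[name, params, type, value], ...]] (jCard)."""
    return next((e[3] for e in vcard[1] if e[0] == name), None)

def _abuse_emails(entities: list) -> list[str]:
    """Entities nest: the abuse role often sits under the registrant org."""
    found = []
    for ent in entities:
        if "abuse" in ent.get("roles", []) and "vcardArray" in ent:
            email = _vcard(ent["vcardArray"], "email")
            if email:
                found.append(email)
        found.extend(_abuse_emails(ent.get("entities", [])))
    return found

def summarize_ip_network(obj: dict) -> dict:
    """Flatten an RDAP 'ip network' object to the fields a responder wants."""
    cidrs = [f"{c.get('v4prefix') or c.get('v6prefix')}/{c['length']}"
             for c in obj.get("cidr0_cidrs", [])]
    changed = next((e["eventDate"] for e in obj.get("events", [])
                    if e.get("eventAction") == "last changed"), None)
    return {
        "handle": obj.get("handle"),
        "name": obj.get("name"),
        "range": f"{obj.get('startAddress')} - {obj.get('endAddress')}",
        "cidrs": cidrs,
        "type": obj.get("type"),
        "country": obj.get("country"),
        "abuse": sorted(set(_abuse_emails(obj.get("entities", [])))),
        "remarks": [" ".join(r.get("description", [])) for r in obj.get("remarks", [])],
        "last_changed": changed,
    }

# Constructed response modelled on the APNIC 1.1.1.0/24 record shown above.
SAMPLE_RDAP = json.loads("""{
  "objectClassName": "ip network", "handle": "1.1.1.0 - 1.1.1.255",
  "startAddress": "1.1.1.0", "endAddress": "1.1.1.255", "ipVersion": "v4",
  "name": "APNIC-LABS", "type": "ASSIGNED PORTABLE", "country": "AU",
  "cidr0_cidrs": [{"v4prefix": "1.1.1.0", "length": 24}],
  "events": [{"eventAction": "last changed", "eventDate": "2020-07-15T13:10:57Z"}],
  "remarks": [{"description": ["Research prefix for APNIC Labs"]}],
  "entities": [{"handle": "ORG-EXAMPLE", "roles": ["registrant"],
    "entities": [{"handle": "IRT-EXAMPLE", "roles": ["abuse"],
      "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                               ["fn", {}, "text", "Example IRT"],
                               ["email", {}, "text", "abuse@example.net"]]]}]}]
}""")

if __name__ == "__main__":
    print(rdap_url("1.1.1.1"))
    print(json.dumps(summarize_ip_network(SAMPLE_RDAP), indent=2))
```

For live use, swap the constructed BOOTSTRAP_IPV4 for the file IANA publishes (the format is identical) and feed fetch_ip_network() output into summarize_ip_network(); the bootstrap step is what OpenRDAP and rdapper do internally before issuing the same GET that curl issues.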

Today we learned that WHOIS IP results can be very informative when you need details behind certain IP allocations, or when you're conducting a cybersecurity investigation and tracking down who is responsible for an address.

If you're new to the infosec world, you now have several ways to perform a WHOIS IP lookup, from classic terminal-based methods using the WHOIS command, through raw port-43 sessions and RDAP clients, to modern attack surface analysis tools like SurfaceBrowser™.

ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.

¹ https://www.nro.net/about/rirs/
² https://man.openbsd.org/whois.1
³ https://kb.iu.edu/d/aayd
⁴ https://en.wikipedia.org/wiki/Netcat