Whois Online

Identify the Network or Domain owner

What is Whois?

Whois for Security Incident Response

Whois is a network protocol that lets you look up the registration record for an IP address or domain name. An important use of the whois protocol is to enable the tracking and reporting of abusive systems. Whether it is spam, denial of service or network-based attacks originating from an IP address, whois lets a system administrator discover who owns that IP address and report it to the web hosting provider or ISP (Internet service provider).

Using the Whois Command

First you need a terminal

The whois command comes installed in many Linux-based distributions such as Ubuntu and Fedora. Once installed, running the command followed by an IP address or hostname returns the results of the registration lookup.
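The protocol exchange the command performs, as an added example that is not part of the original page or of the whois client itself: a minimal RFC 3912 client (TCP, query plus CRLF, read until the server closes) talks to an in-process stand-in server on localhost that answers with a constructed RIPE-style record, and the client then pulls out the fields an abuse report needs. The record contents, the stand-in server and the port choice are assumptions of this illustration; a real lookup points the same client code at the registry's port 43.

```python
import re
import socket
import threading

# Constructed RIPE-style response (example data only, not a real registry record).
SAMPLE_RECORD = b"""% constructed example response, not real registry data
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
source:         RIPE
"""

def serve_once(sock):
    """Stand-in RFC 3912 server: read one CRLF-terminated query, reply, close."""
    conn, _ = sock.accept()
    with conn:
        query = b""
        while not query.endswith(b"\r\n") and (chunk := conn.recv(1024)):
            query += chunk
        conn.sendall(SAMPLE_RECORD)  # closing the connection marks the end of the reply

def whois_query(host, port, obj, timeout=5.0):
    """Client side of RFC 3912: TCP connect, send OBJECT + CRLF, read until close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(obj.encode("idna") + b"\r\n")  # IDN queries go out in ACE form
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
    return buf.decode("utf-8", errors="replace")  # the protocol leaves encoding unspecified

def parse_record(text):
    """Turn 'key: value' lines into a dict; '%' lines are server comments/disclaimers."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m and not line.startswith("%"):
            fields.setdefault(m.group(1), m.group(2).strip())
    return fields

def lookup_abuse(obj="192.0.2.10"):
    """Start the stand-in server on a free localhost port, query it, return parsed fields."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    threading.Thread(target=serve_once, args=(srv,), daemon=True).start()
    try:
        return parse_record(whois_query("127.0.0.1", srv.getsockname()[1], obj))
    finally:
        srv.close()
```

The `abuse-mailbox`, `inetnum` and `netname` fields returned by `lookup_abuse()` are what an abuse report to the network owner is built from.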

Can whois run under Windows?

There is a Windows whois client that can be downloaded as part of the Sysinternals suite of Windows tools. Grab a copy from the Microsoft TechNet site.

Whois Command Line

man whois - command line help
WHOIS(1) Debian GNU/Linux WHOIS(1)

whois - client for the whois directory service

whois [ { -h | --host } HOST ] [ { -p | --port } PORT ] [ -abBcdGHKlLmMrRx ] [ -g SOURCE:FIRST-LAST ] [ -i ATTR[,ATTR]... ] [ -s SOURCE[,SOURCE]... ] [ -T TYPE[,TYPE]... ] [ --verbose ] OBJECT

whois -q KEYWORD

whois -t TYPE

whois -v TYPE

whois --help

whois --version

whois searches for an object in a RFC 3912 database.

This version of the whois client tries to guess the right server to ask for the specified object. If no guess can be made it will connect to whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and network names.

-h HOST, --host HOST
Connect to HOST.

-H Do not display the legal disclaimers some registries like to show you.

-p, --port PORT
Connect to PORT.

--verbose Be verbose.

--help Display online help.

--version Display client version information.

Other options are flags understood by whois.ripe.net and some other RIPE-like servers:

-a Also search all the mirrored databases.

-b Return brief IP address ranges with abuse contact.

-B Disable object filtering. (Show the e-mail addresses.)

-c Return the smallest IP address range with a reference to an irt object.

-d Return the reverse DNS delegation object too.

-g SOURCE:FIRST-LAST Search updates from the SOURCE database between the FIRST and LAST update serial numbers. It is useful for obtaining the Near Real Time Mirroring stream.

-G Disable grouping of associated objects.

-i ATTR[,ATTR]...
Search objects having the associated attributes. ATTR is the attribute name; the attribute value is the positional OBJECT argument.

-K Return primary key attributes only. The exception is the members attribute of set objects, which is always returned. Other exceptions are all attributes of organisation, person and role objects, which are never returned.

-l Return the one level less specific object.

-L Return all levels of less specific objects.

-m Return all one level more specific objects.

-M Return all levels of more specific objects.

-q KEYWORD Return the list of keywords supported by the server. KEYWORD can be version for the server version, sources for the list of source databases, or types for the object types.

When querying whois.nic.ad.jp for AS numbers, the program will automatically convert the request to the appropriate format, inserting a space after the string AS.

When querying whois.denic.de for domain names and no other flags have been specified, the program will automatically add the flag -T dn.

When querying whois.dk-hostmaster.dk for domain names and no other flags have been specified, the program will automatically add the flag --show-handles.

RIPE-specific command line options are ignored when querying non-RIPE servers. This may or may not be the behaviour intended by the user. When querying a non-standard server, command line options which are not to be interpreted by the client should always follow the -- separator (which marks the beginning of the query string).

If the /etc/whois.conf configuration file exists, it will be consulted to find a server before applying the normal rules. Each line of the file should contain a regular expression to be matched against the query text and the whois server to use, separated by white space. IDN domains must use the ACE format.

The whois protocol does not specify an encoding for characters which cannot be represented in ASCII, and implementations vary wildly. If the program knows that a specific server uses a certain encoding, it will, when needed, transcode the server output to the encoding specified by the current system locale.

Command line arguments will always be interpreted according to the current system locale and converted to the IDN ASCII Compatible Encoding.
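An added example (not code from the whois client) of the server selection that the /etc/whois.conf paragraph and the IDN rule above describe: the query is first converted to its ACE form, then matched line by line against constructed regex/server pairs. Treating `#` lines as comments, case-insensitive matching and first-match-wins are assumptions of this illustration, as are the `.test` server names.

```python
import re

# Constructed /etc/whois.conf-style content for the demonstration (not a real config).
# Each non-comment line: <regular expression> <whitespace> <whois server>.
SAMPLE_WHOIS_CONF = r"""
# regex                 server (all hypothetical)
^xn--                   whois.idn-registry.test
\.example$              whois.example.test
^AS[0-9]+$              whois.asn-registry.test
"""

def to_ace(query: str) -> str:
    """Convert an IDN query to ASCII Compatible Encoding (e.g. b\u00fccher -> xn--bcher-kva)."""
    return query.encode("idna").decode("ascii")

def parse_whois_conf(text: str) -> list:
    """Parse config lines into (compiled regex, server) pairs.
    '#' comment lines and malformed lines are skipped (an assumption of this example)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        rules.append((re.compile(parts[0], re.IGNORECASE), parts[1].strip()))
    return rules

def pick_server(query: str, conf_text: str = SAMPLE_WHOIS_CONF):
    """Return the first configured server whose regex matches the ACE-form query.
    None means no rule matched and the client would fall back to its built-in guessing."""
    ace = to_ace(query)
    for regex, server in parse_whois_conf(conf_text):
        if regex.search(ace):
            return server
    return None
```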

LANG When querying whois.nic.ad.jp and whois.jprs.jp, English text is requested unless the LANG or LC_MESSAGES environment variables specify a Japanese locale.

RFC 3912: WHOIS Protocol Specification

RIPE Database Query Reference Manual:

The program may have buffer overflows in the command line parser: be sure not to pass untrusted data to it. It should be rewritten to use a dynamic strings library.

This program closely tracks the user interface of the whois client developed at RIPE by Ambrose Magee and others on the base of the original BSD client. I also added support for the protocol extensions developed by David Kessens of QWest for the 6bone server.

Whois and this man page were written by Marco d'Itri and are licensed under the terms of the GNU General Public License, version 2 or higher.

Marco d'Itri 20 December 2009