
WHOIS & ASN Reconnaissance

December 10, 2025

WHOIS is a public lookup service, and the name of the command-line tool used to query it, that exposes the registration data registries and registrars hold for domain names. When a domain is registered, metadata such as the owner’s name, organization, contact details, registration dates, name servers, and registrar are recorded in this system.

Much of this information is publicly accessible because domain privacy is an optional, paid feature offered by registrars. If privacy protection is not enabled, anyone can query the WHOIS database and view the real-world details behind a domain.

From a red team perspective, WHOIS is a powerful passive reconnaissance source. A single lookup can reveal an organization’s legal name, technical contacts, registrar choices, hosting clues, and sometimes even additional domains registered by the same entity—all without sending a single packet to the target’s infrastructure.

WHOIS Information for a Domain Name

When you run a command such as:

root@neon:/ops# whois neonmatrixlabs.net

Your query is sent to the domain’s registry or registrar WHOIS server. The response describes the domain itself, not the server or IP hosting it.

Example output:

Domain Name: NEONMATRIXLABS.NET
Registry Domain ID: 982374650_DOMAIN_NET-VRSN
Registrar: CyberRegistrar Inc.
Registrar WHOIS Server: whois.cyberregistrar.net
Registrar URL: https://www.cyberregistrar.net

Creation Date: 2021-06-14T19:22:00Z
Updated Date: 2024-11-30T10:15:42Z
Registry Expiry Date: 2026-06-14T19:22:00Z

Domain Status: clientTransferProhibited
DNSSEC: unsigned

Registrant Name: Alex Vector
Registrant Organization: Neon Matrix Labs
Registrant Country: US

Name Server: NS1.NEONMATRIXLABS.NET
Name Server: NS2.NEONMATRIXLABS.NET
Name Server: NS3.NEONMATRIXLABS.NET

>>> Last update of WHOIS database: 2025-01-10T03:41:27Z <<<

This data typically includes:

  • Domain owner (Registrant)
  • Contact details (sometimes masked or privacy-protected)
  • Registrar (e.g., Gandi, GoDaddy)
  • Domain creation and expiration timestamps
  • Name servers used by the domain
  • Domain status flags (e.g., clientTransferProhibited)
  • Administrative and technical contact information

ℹ️ Domain WHOIS reveals who registered the domain and how it is managed. It does not describe the hosting server or the underlying IP infrastructure.
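An added example, not part of the original page: a small Python audit you can run against your own domain's WHOIS record to see what the fields listed above expose publicly. The function names, the redaction keywords and the 60-day expiry threshold are assumptions; the sample is the record shown above, abbreviated.

```python
from datetime import datetime, timezone

# Constructed sample: the domain record shown above, abbreviated.
SAMPLE = """\
Domain Name: NEONMATRIXLABS.NET
Registry Expiry Date: 2026-06-14T19:22:00Z
Domain Status: clientTransferProhibited
DNSSEC: unsigned
Registrant Name: Alex Vector
Registrant Organization: Neon Matrix Labs
Name Server: NS1.NEONMATRIXLABS.NET
>>> Last update of WHOIS database: 2025-01-10T03:41:27Z <<<
"""

def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; repeated keys accumulate."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip() or line.lstrip().startswith((">>>", "%", "#")):
            continue  # skip banners, comments and empty fields
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def audit(record, now, expiry_warn_days=60):
    """Return findings about what the public record exposes or leaves unprotected."""
    def first(key):
        return record.get(key, [""])[0]
    findings = []
    name = first("registrant name")
    # Assumption: these substrings mark a redacted or proxied registrant.
    if name and not any(w in name.lower() for w in ("redacted", "privacy", "proxy")):
        findings.append("registrant name is public: " + name)
    if first("dnssec").lower() != "signeddelegation":
        findings.append("DNSSEC is not signed")
    statuses = [s.split()[0] for s in record.get("domain status", [])]
    if "clientTransferProhibited" not in statuses:
        findings.append("no registrar transfer lock")
    expiry = first("registry expiry date")
    if expiry:
        expires = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        days = (expires - now).days
        if days < expiry_warn_days:
            findings.append(f"domain expires in {days} days")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_whois(SAMPLE), datetime.now(timezone.utc)):
        print("-", finding)
```

Feed it the text output of `whois` for a domain you manage; field names vary between registries, so extend the keys for TLDs that label them differently.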

WHOIS Information for an IP Address (ASN Discovery)

When you query an IP address instead:

root@neon:/ops# whois 203.0.113.87

Your request is routed to one of the Regional Internet Registries (RIRs) responsible for IP allocation, such as:

  • ARIN – North America
  • RIPE NCC – Europe, Middle East
  • APNIC – Asia-Pacific
  • LACNIC – Latin America
  • AFRINIC – Africa

Example output:

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        NEON-CLOUD-BLK
NetType:        Reassigned
Organization:   NeonCloud Infrastructure Ltd.
Country:        US

OrgTechPhone:   +1-800-555-0199
OrgTechEmail:   noc@neoncloud.example
OrgAbuseEmail:  abuse@neoncloud.example

Parent NetRange: 203.0.112.0 - 203.0.115.255
Parent CIDR:     203.0.112.0/22
Parent NetName:  NEON-CLOUD-PARENT
NetType:         Direct Allocation
Organization:    NeonCloud Infrastructure Ltd.

Unlike domain WHOIS, IP WHOIS focuses on network ownership, not websites. The information usually includes:

  • Organization that owns or controls the IP block
  • Allocated IP ranges (CIDR notation)
  • Abuse and technical contact details
  • ASN (Autonomous System Number)
  • ISP or hosting provider associated with the network

ℹ️ IP WHOIS does not tell you who owns a domain. A single IP address may host hundreds or thousands of unrelated domains. IP WHOIS only reflects the organization that controls the network infrastructure, not the individual services running on it.
