Whois Footprinting

Whois Footprinting: A Complete Guide for CEH Exam Preparation

Why Whois Footprinting is Important

Whois footprinting is a critical component of the information gathering phase in ethical hacking. It provides valuable data about domain ownership, administrative contacts, technical contacts, registration dates, expiration dates, and name servers. This information serves as the foundation for further reconnaissance activities and helps ethical hackers understand the organizational structure and network infrastructure of their target.

What is Whois Footprinting?

Whois (pronounced as "who is") is a query and response protocol used for querying databases that store registered users or assignees of Internet resources, including domain names, IP address blocks, and autonomous system numbers. Whois footprinting is the process of using the Whois protocol to gather information about a target organization's domain registrations and network allocations.

How Whois Footprinting Works

Whois footprinting works by querying Whois databases maintained by regional internet registries (RIRs) like ARIN, RIPE, APNIC, LACNIC, and AFRINIC, as well as domain registrars. When a query is made for a particular domain or IP address, the Whois server returns all public information related to that resource.

The basic steps involved in Whois footprinting include:

1. Domain Whois Lookup: Query domain registrar's Whois database to get information about domain ownership, contact details, registration and expiration dates.

2. IP Whois Lookup: Query RIR databases to get information about IP address blocks, including the organization they're assigned to and contact information.

3. Autonomous System Number (ASN) Lookup: Get information about the autonomous systems associated with an organization.

4. DNS Servers Identification: Identify name servers associated with a domain.

Tools commonly used for Whois footprinting include:
• Command-line Whois client
• Online Whois services (like whois.domaintools.com)
• SmartWhois
• DomainTools
• ARIN Whois Database Search

How to Answer Questions on Whois Footprinting in an Exam

When tackling questions about Whois footprinting in the CEH exam, focus on understanding the following key areas:

1. Purpose and Benefits: Understand why Whois footprinting is performed and what information it can provide to an ethical hacker.

2. Information Obtained: Know exactly what information can be gathered through Whois queries, including domain information, contact details, name servers, etc.

3. Tools and Techniques: Be familiar with various tools used for Whois footprinting and how they differ from each other.

4. Countermeasures: Understand how organizations can protect sensitive information in Whois records.

5. Limitations: Be aware of the limitations of Whois footprinting, especially with the implementation of GDPR and privacy protection services.

Exam Tips: Answering Questions on Whois Footprinting

1. Recognize the Type of Information: Questions may ask what specific information can be gathered using Whois. Remember that Whois provides registrant information, technical contacts, administrative contacts, billing contacts, domain creation/expiration dates, and name servers.

2. Understand the Protocol: Know that Whois operates on port 43 by default and is a TCP-based protocol.

3. Differentiate Between Registry Levels: Be able to identify which registry (ARIN, RIPE, APNIC, etc.) would hold information for a given IP address based on geographic location.

4. Remember Privacy Services: Understand that many domain owners use privacy protection services to shield their personal information from appearing in Whois records.

5. Know Common Tools: Questions may ask about specific tools used for Whois lookups or integrated tools that include Whois functionality.

6. Understand Recent Changes: Be aware of how GDPR has affected Whois information availability for domains registered by EU citizens or organizations.

7. Practical Application: Be prepared to interpret Whois output and determine what useful information could be extracted for further reconnaissance.

8. Remember Defensive Measures: Know how organizations can protect themselves, such as using Whois privacy services or providing minimal required information.

By thoroughly understanding both the technical aspects of Whois footprinting and its practical applications in ethical hacking, you'll be well-prepared to answer any related questions on the CEH exam.