Introduction to pentesting: Reconnaissance

Whois

A very simple yet effective means for collecting additional information about our target is Whois. The Whois service allows us to access specific information about our target, including the IP addresses or host names of the company’s Domain Name Systems (DNS) servers and contact information usually containing an address and phone number.

Whois is built into the Linux operating system. The simplest way to use this service is to open a terminal and enter the following command:

whois target-domain

For example, to find out information about facebook.com, we’d issue the following command: “whois facebook.com”.

It’s important to record all the information and pay special attention to the DNS servers. If the DNS servers are listed by name only, we’ll use the Host command to translate those names into IP addresses. We’ll discuss the host command in the next lesson.

Again, it’s important to closely review the information you’re presented with. Sometimes, the output won’t provide many details. We can often access these additional details by querying the specific whois server listen in the output of our original search.