Overview
The WHOIS Lookup tool retrieves registration information for domains and IP addresses from internet registrars, providing ownership details, contact information, and administrative data.
WHOIS Lookup is a utility tool: it queries public registration databases. It does not add data to your Attack Surface and does not generate findings. Results are displayed as raw WHOIS output.
Supported targets
| Target type | Examples |
|---|
| Domain | example.com, corp.example.org |
| IP address | 192.168.1.1, 8.8.8.8 |
How it works
The tool queries the appropriate internet registrar for the target:
For domains, it queries domain registrars (Verisign, ICANN, etc.). For IP addresses, it queries Regional Internet Registries (ARIN, RIPE, APNIC, etc.).
For domains
| Field | Description |
|---|
| Registrar | Company that registered the domain |
| Created | Domain registration date |
| Expires | Domain expiration date |
| Updated | Last modification date |
| Name servers | DNS servers for the domain |
| Status | Domain status codes (clientTransferProhibited, etc.) |
| Registrant | Owner name and organization |
| Admin contact | Administrative contact details |
| Tech contact | Technical contact details |
For IP addresses
| Field | Description |
|---|
| Network | IP range/CIDR block |
| Organization | Company that owns the IP block |
| Country | Geographic location |
| Address | Organization address |
| Abuse contact | Email for reporting abuse |
| Technical contact | Technical support contact |
Many domain registrations use privacy protection services (like WhoisGuard or PrivacyProtect) that hide actual registrant details. This is normal and expected.
Follow-up actions
After retrieving WHOIS data:
- Run Domain Finder: Discover related domains owned by the same organization
- Run Subdomain Finder: Enumerate subdomains for discovered domains
- Check IP ranges: Use identified CIDR blocks to find additional assets
- Research contacts: Use discovered emails for social engineering assessment scope
