Network Information Centers (NICs) store useful information in WHOIS databases, primarily as network, route, or person objects. WHOIS database objects define which areas of Internet space are registered to which organizations, with other information such as routing and contact details in the case of abuse.
There are three primary regions under which all public Internet-based network blocks and IP address spaces fall. The following international registrars around the world can retrieve useful information (including names of technical IT staff, details of IP network blocks, and physical office locations):
American Registry for Internet Numbers (ARIN) at http://www.arin.net
Asia Pacific Network Information Centre (APNIC) at http://www.apnic.net
Réseaux IP Européens (RIPE) at http://www.ripe.net
Each respective regional registrar's WHOIS database contains information relevant to that particular region. For example, the RIPE WHOIS database doesn't contain information about network space and other objects that are found in the Americas.
Tools that are used to query NIC WHOIS databases include:
The Sam Spade Windows client (available from http://www.samspade.org)
 URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.
The whois client found within Unix-based environments
Direct querying via the appropriate regional WHOIS
The Sam Spade client is a powerful and easy-to-use Windows tool that can perform many public-record query functions, as shown in Figure 3-4.
In this case, I used it to submit a WHOIS query of 18.104.22.168, which reveals that the IP address is part of an IP network block called NCSC (22.214.171.124 to 126.96.36.199), belonging to the NCSC. Information also provided includes contact details and DNS name server information.
The Unix whois command-line utility can perform WHOIS queries against specific servers. In Example 3-1, I submit a query of cs-security-mnt. The client is intelligent in the way that it attempts to collect this information from all three of the Network Information Centers (ARIN, RIPE, and APNIC), so I don't need to specify within which database to look for the string.
# whois cs-security-mnt % This is the RIPE Whois server. % The objects are in RPSL format. % Please visit http://www.ripe.net/rpsl for more information. % Rights restricted by copyright. % See http://www.ripe.net/ripencc/pub-services/db/copyright.html mntner: CS-SECURITY-MNT descr: Charles Stanley & Co Ltd maintainer admin-c: SN1329-RIPE tech-c: SN1329-RIPE upd-to: firstname.lastname@example.org mnt-nfy: email@example.com auth: MAIL-FROM firstname.lastname@example.org auth: MAIL-FROM .*@uk.easynet.net mnt-by: CS-SECURITY-MNT referral-by: RIPE-DBM-MNT changed: email@example.com 20020111 source: RIPE person: Sukan Nair address: Charles-Stanley address: 25 Luke Street address: London EC2A 4AR address: UK phone: +44 20 8491 5889 e-mail: firstname.lastname@example.org nic-hdl: SN1329-RIPE notify: email@example.com mnt-by: AS5611-MNT changed: firstname.lastname@example.org 19991021 source: RIPE
Maintenance objects are used for administrative purposes within the RIPE and APNIC databases. For further information relating to NIC security, please see a white paper I wrote in June 2002, available from the Matta web site at http://www.trustmatta.com/downloads/Matta_NIC_Security.pdf.
Web interfaces at ARIN, APNIC, and RIPE can enumerate useful information. In Figure 3-5, I use the WHOIS web interface at ARIN to launch a query of microsoft.
WHOIS requests can take many forms, from specific object queries (of which the interesting types of objects are networks, people, and routes), to vague searches of organization names or IP addresses.
User details relating to a specific domain can easily be harvested from the Unix command line with the whois utility. Example 3-2 shows a query launched against citicorp.com through ARIN, revealing usernames, email addresses, and telephone numbers.
# whois "@citicorp.com"@whois.arin.net [whois.arin.net] Bleak, Glen (GB375-ARIN) email@example.com +1-725-768-3812 Ching, David (DCH37-ARIN) David.firstname.lastname@example.org +1-302-126-2879 Ciati, John (JC2107-ARIN) email@example.com +1-725-768-6570 Isle, Toby (TI21-ARIN) firstname.lastname@example.org +1-302-154-7642 Lamb, Rudolph (RL3908-ARIN) email@example.com +1-725-218-1565 Nixon, Tom (TN69-ARIN) Tom.Nixon@citicorp.com +1-725-768-1154 Sabol, Gary (GS364-ARIN) firstname.lastname@example.org +1-302-132-7168 Sadler, Katie (KS330-ARIN) email@example.com +1-354-132-5481 Strafe, Walter (WS86-ARIN) firstname.lastname@example.org +1-542-120-5464 Wood, Mark (MW340-ARIN) email@example.com +1-743-120-4052 Yarr, Diane (DY613-ARIN) firstname.lastname@example.org +1-542-249-1553
After gathering details of Internet network blocks, usernames and email addresses, you can probe further to identify potential weaknesses that can be leveraged. After querying public records, such as web search engines and WHOIS databases, DNS querying can find network-specific information that may be useful.