3.2 NIC Querying

Network Information Centers (NICs) store useful information in WHOIS databases, primarily as network, route, or person objects. WHOIS database objects define which areas of Internet space are registered to which organizations, with other information such as routing and contact details in the case of abuse.

There are three primary regions under which all public Internet-based network blocks and IP address spaces fall. Useful information (including names of technical IT staff, details of IP network blocks, and physical office locations) can be retrieved from the following regional registrars:

  • American Registry for Internet Numbers (ARIN) at http://www.arin.net

  • Asia Pacific Network Information Centre (APNIC) at http://www.apnic.net

  • Réseaux IP Européens (RIPE) at http://www.ripe.net

Each respective regional registrar's WHOIS database contains information relevant to that particular region. For example, the RIPE WHOIS database doesn't contain information about network space and other objects that are found in the Americas.

3.2.1 NIC Querying Tools and Examples

Tools that are used to query NIC WHOIS databases include:

  • The Sam Spade Windows client (available from http://www.samspade.org)[1]

    [1] URLs for tools in this book are mirrored at the O'Reilly site, http://examples.oreilly.com/networksa/tools.

  • The whois client found within Unix-based environments

  • Direct querying via the appropriate regional WHOIS

3.2.1.1 Using the Sam Spade Windows client

The Sam Spade client is a powerful and easy-to-use Windows tool that can perform many public-record query functions, as shown in Figure 3-4.

Figure 3-4. The Sam Spade Windows client

In this case, I used it to submit a WHOIS query of 144.51.92.35, which reveals that the IP address is part of an IP network block called NCSC (144.51.0.0 to 144.51.255.255), belonging to the NCSC. Information also provided includes contact details and DNS name server information.

You will often find that company web servers and key Internet-based hosts are hosted in colocation suites or web farms run by third parties. When performing professional network security assessment work, you should check the IP addresses or ranges you enumerate to ensure that they do in fact belong to the client, as opposed to a hosting center or third party that provides their web development and support.


3.2.1.2 Using the Unix whois utility

The Unix whois command-line utility can perform WHOIS queries against specific servers. In Example 3-1, I submit a query of cs-security-mnt. The client is intelligent in the way that it attempts to collect this information from all three of the Network Information Centers (ARIN, RIPE, and APNIC), so I don't need to specify within which database to look for the string.

Example 3-1. Enumerating the cs-security-mnt object from RIPE
# whois cs-security-mnt

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

mntner:       CS-SECURITY-MNT
descr:        Charles Stanley & Co Ltd maintainer
admin-c:      SN1329-RIPE
tech-c:       SN1329-RIPE
upd-to:       sukan.nair@charles-stanley.co.uk
mnt-nfy:      sukan.nair@charles-stanley.co.u
auth:         MAIL-FROM sukan.nair@charles-stanley.co.uk
auth:         MAIL-FROM .*@uk.easynet.net
mnt-by:       CS-SECURITY-MNT
referral-by:  RIPE-DBM-MNT
changed:      phil.duffen@uk.easynet.net 20020111
source:       RIPE

person:       Sukan Nair
address:      Charles-Stanley
address:      25 Luke Street
address:      London EC2A 4AR
address:      UK
phone:        +44 20 8491 5889
e-mail:       sukan.nair@charles-stanley.co.uk
nic-hdl:      SN1329-RIPE
notify:       ripe@ftech.net
mnt-by:       AS5611-MNT
changed:      ripe@ftech.net 19991021
source:       RIPE

Maintenance objects are used for administrative purposes within the RIPE and APNIC databases. For further information relating to NIC security, please see a white paper I wrote in June 2002, available from the Matta web site at http://www.trustmatta.com/downloads/Matta_NIC_Security.pdf.
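The RPSL output in Example 3-1 is easy to process mechanically once you treat it as blank-line-separated objects of repeated "key: value" attributes. The following Python is an added example, not code from the book or from any registry: it parses output of that shape, pulls out the person contacts and the auth: schemes on each mntner, and performs the scope check from Section 3.2.1.1 by testing enumerated addresses against the inetnum ranges found in the output. The WHOIS text embedded in it is constructed in the same layout (invented names, handles and addresses; the 144.51.0.0 - 144.51.255.255 range is the NCSC block quoted earlier), and the inetnum object is an assumption about the format rather than a record taken from the page.

```python
import ipaddress

# Constructed sample in the layout of Example 3-1 (all names, handles and
# addresses are invented; the inetnum object is added to show the scope check).
SAMPLE_WHOIS = """\
% This is the RIPE Whois server.
% The objects are in RPSL format.

mntner:       EXAMPLE-MNT
descr:        Example Ltd maintainer
admin-c:      EX1-RIPE
tech-c:       EX1-RIPE
upd-to:       noc@example.net
auth:         MAIL-FROM noc@example.net
auth:         MAIL-FROM .*@example.net
mnt-by:       EXAMPLE-MNT
source:       RIPE

person:       Example Admin
address:      Example Ltd
address:      1 Example Street
phone:        +44 20 0000 0000
e-mail:       noc@example.net
nic-hdl:      EX1-RIPE
mnt-by:       EXAMPLE-MNT
source:       RIPE

inetnum:      144.51.0.0 - 144.51.255.255
netname:      NCSC
descr:        constructed inetnum for the range quoted in Section 3.2.1.1
tech-c:       EX1-RIPE
mnt-by:       EXAMPLE-MNT
source:       RIPE
"""


def parse_rpsl(text):
    """Split WHOIS output into RPSL objects: one dict per blank-line-separated
    block. Every attribute is stored as a list because keys repeat (address:,
    auth:, mnt-by:). Server comment lines starting with '%' are skipped."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith('%'):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(':')
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def object_type(obj):
    """The object class is the first attribute (dicts keep insertion order)."""
    return next(iter(obj))


def contacts(objects):
    """Return handle, name, e-mail addresses and phone numbers of each person."""
    return [
        {
            'handle': obj.get('nic-hdl', [''])[0],
            'name': obj['person'][0],
            'emails': obj.get('e-mail', []),
            'phones': obj.get('phone', []),
        }
        for obj in objects if object_type(obj) == 'person'
    ]


def maintainer_auth(objects):
    """Map each mntner to its auth: lines. MAIL-FROM entries accept updates on
    the strength of the (unauthenticated) sender address of an update mail, a
    scheme RIPE has since retired, so an owner reviewing their objects wants
    these listed explicitly."""
    return {obj['mntner'][0]: obj.get('auth', [])
            for obj in objects if object_type(obj) == 'mntner'}


def in_scope(objects, addresses):
    """Map each enumerated IP to the netname of the inetnum range containing
    it, or None: the 'does this really belong to the client' check."""
    ranges = []
    for obj in objects:
        if object_type(obj) == 'inetnum':
            start, end = (ipaddress.ip_address(p.strip())
                          for p in obj['inetnum'][0].split('-'))
            ranges.append((start, end, obj.get('netname', ['?'])[0]))
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next((name for s, e, name in ranges if s <= ip <= e), None)
    return result


if __name__ == '__main__':
    objs = parse_rpsl(SAMPLE_WHOIS)
    print(contacts(objs))
    print(maintainer_auth(objs))
    print(in_scope(objs, ['144.51.92.35', '10.0.0.1']))
```

Feeding the real output of `whois` into parse_rpsl works the same way because the parser only depends on the "key: value" layout; anything an address range test returns as None is a candidate for the third-party hosting case described above and should be confirmed with the client before it is touched.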

3.2.1.3 Directly querying ARIN

Web interfaces at ARIN, APNIC, and RIPE can enumerate useful information. In Figure 3-5, I use the WHOIS web interface at ARIN to launch a query of microsoft.

Figure 3-5. Using ARIN to list Microsoft entries

WHOIS requests can take many forms, from specific object queries (of which the interesting types of objects are networks, people, and routes), to vague searches of organization names or IP addresses.

3.2.1.4 Harvesting user details through WHOIS

User details relating to a specific domain can easily be harvested from the Unix command line with the whois utility. Example 3-2 shows a query launched against citicorp.com through ARIN, revealing usernames, email addresses, and telephone numbers.

Example 3-2. Enumerating Citicorp staff through ARIN
# whois "@citicorp.com"@whois.arin.net

[whois.arin.net]
Bleak, Glen (GB375-ARIN) glen.bleak@citicorp.com +1-725-768-3812
Ching, David (DCH37-ARIN) David.ching@citicorp.com +1-302-126-2879
Ciati, John (JC2107-ARIN) john.ciati@citicorp.com +1-725-768-6570
Isle, Toby (TI21-ARIN) toby.isle@citicorp.com +1-302-154-7642
Lamb, Rudolph (RL3908-ARIN) rudy.lamb@citicorp.com +1-725-218-1565
Nixon, Tom (TN69-ARIN) Tom.Nixon@citicorp.com +1-725-768-1154
Sabol, Gary (GS364-ARIN) gary.sabol@citicorp.com +1-302-132-7168
Sadler, Katie (KS330-ARIN) katie.sadler@citicorp.com +1-354-132-5481
Strafe, Walter (WS86-ARIN) walter.strafe@citicorp.com +1-542-120-5464
Wood, Mark (MW340-ARIN) mark.wood@citicorp.com +1-743-120-4052
Yarr, Diane (DY613-ARIN) diane.yarr@citicorp.com +1-542-249-1553
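The one-line-per-handle listing that ARIN returns for a domain search is a different shape from the RPSL objects in Example 3-1, so it needs its own parser. The Python below is an added example, not code from the book: it turns lines of the Example 3-2 form into records and then summarizes them the way an organization auditing its own registry footprint would, counting handles per mail domain and per telephone prefix and listing contacts whose address is not at the expected domain (typically stale entries or third-party staff that should be reviewed). The listing it parses is constructed in the same layout with invented names, handles, addresses and numbers.

```python
import re
from collections import Counter

# Constructed listing in the layout of Example 3-2 (every name, handle,
# e-mail address and telephone number here is invented).
ARIN_LISTING = """\
[whois.arin.net]
Doe, Jane (JD1-ARIN) jane.doe@example.com +1-555-010-0001
Roe, Richard (RR2-ARIN) Richard.Roe@example.com +1-555-020-0002
Poe, Pat (PP3-ARIN) pat.poe@partner.example.org +1-555-010-0003
"""

# "Last, First (HANDLE) email phone", the one-line summary ARIN prints per person.
LINE_RE = re.compile(
    r'^(?P<last>[^,]+), (?P<first>[^(]+?) \((?P<handle>[A-Z0-9-]+)\) '
    r'(?P<email>\S+@\S+) (?P<phone>\+[\d-]+)$'
)


def parse_arin_contacts(text):
    """Return one dict per parsable contact line; the server banner and any
    line that does not match the summary format are ignored. E-mail addresses
    are lower-cased because the listing mixes cases (see David.ching above)."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec['email'] = rec['email'].lower()
            records.append(rec)
    return records


def exposure_summary(records, domain):
    """Summarize what the registry exposes for a given organization:
    handles per mail domain, handles per telephone prefix (country-area-
    exchange, i.e. which office or PBX ranges are visible), and the handles
    whose e-mail address is outside the expected domain."""
    by_domain = Counter(r['email'].rsplit('@', 1)[1] for r in records)
    by_prefix = Counter('-'.join(r['phone'].split('-')[:3]) for r in records)
    outsiders = [r['handle'] for r in records
                 if not r['email'].endswith('@' + domain)]
    return {
        'by_domain': dict(by_domain),
        'by_phone_prefix': dict(by_prefix),
        'outside_domain': outsiders,
    }


if __name__ == '__main__':
    contacts = parse_arin_contacts(ARIN_LISTING)
    print(exposure_summary(contacts, 'example.com'))
```

Run against a saved copy of real `whois` output, the summary gives the owning organization a compact view of the contact handles, mailbox names and telephone ranges that anyone can read from the registry, which is the starting point for deciding which of them should be replaced by role accounts or removed.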

After gathering details of Internet network blocks, usernames and email addresses, you can probe further to identify potential weaknesses that can be leveraged. After querying public records, such as web search engines and WHOIS databases, DNS querying can find network-specific information that may be useful.