Ethical Hacking Lesson 12 – Whois & Network Enumeration | Dataplexa
Reconnaissance & Scanning · Lesson 12

Whois & Network Enumeration

Every organisation that connects to the internet has to register something — a domain name, an IP block, a company address. That registration data lives in public databases anyone can read. Knowing how to read it efficiently is one of the fastest ways to build an accurate picture of a target before active scanning begins.

Registration records exist because the internet requires accountability

The internet was not built with anonymity in mind. From the beginning, every domain name registration and every IP address allocation came with a requirement to provide contact information — so that if something went wrong, there was a way to reach the responsible party. That information sits in public WHOIS databases maintained by organisations like ICANN, ARIN, RIPE, and APNIC depending on the geographic region.

For a pen tester, this accountability infrastructure is genuinely useful. It tells you who owns a domain, when it was registered, who their registrar is, and often which organisation owns the IP address blocks associated with it. None of this requires any interaction with the target's systems. It is reading a public record — the digital equivalent of checking the land registry to see who owns a property.

The real skill is not running the lookup — that takes seconds. The skill is knowing what to look for in the output and how to connect what you find in WHOIS to what you already know from DNS enumeration.

Domain WHOIS — reading beyond the obvious fields

Most people who run a WHOIS query look at the registrant name and move on. That misses the more interesting parts of the record. A domain's creation date tells you how old the infrastructure is likely to be. The registrar tells you which company manages the domain — relevant if you ever need to consider social engineering angles. The nameservers confirm which DNS provider is in use. And the expiry date occasionally reveals something unexpected: a domain about to expire is a domain whose owner may have lost track of their infrastructure.

Privacy protection services like WhoisGuard are increasingly common and will replace the registrant's real contact details with proxy information. When you see that, it limits what you can learn about the individual but often still reveals the registrar, nameservers, and technical contact details that remain useful.

Network WHOIS — mapping who owns what IP space

Domain WHOIS is one thing. Network WHOIS is different — it tells you who owns a block of IP addresses rather than a domain name. This matters in a pen test for a specific reason: companies rarely own just one IP address. They often have entire network ranges allocated to them, and if you find one IP associated with the target, a network WHOIS lookup can reveal the full range of IP addresses that belong to the same organisation.

That range becomes your potential scanning target — subject to your scope agreement. A company might list five specific IPs in your scope, but network WHOIS reveals they own a /24 block of 256 addresses. The conversation about whether those additional IPs fall within scope is one you have before the active phase begins, not during it.

WHOIS REGISTRIES — which organisation handles which region

Registry  | Region covered                     | Useful when targeting
----------|------------------------------------|------------------------------------------------------------------------------
ARIN      | North America                      | US and Canadian companies — the most common in commercial engagements
RIPE NCC  | Europe, Middle East, Central Asia  | European organisations and any target using European hosting infrastructure
APNIC     | Asia Pacific                       | Organisations based in or using infrastructure across Asia and Oceania
LACNIC    | Latin America and Caribbean        | Companies operating in South and Central America
AFRINIC   | Africa                             | African organisations and continental hosting infrastructure

You rarely need to think about which registry to query manually — the whois command on Linux automatically routes your query to the appropriate registry based on the IP address or domain. The table above is more useful for understanding why an IP lookup sometimes returns information from an unexpected source.

Running WHOIS and reading what comes back

The scenario: You have just completed DNS enumeration for a manufacturing company. The zone transfer returned several internal hostnames, and one of the IP addresses — 89.44.12.201 — appeared on the VPN gateway subdomain. Before scanning that IP directly, you run WHOIS to confirm the organisation that owns it, understand what network range it sits in, and check whether there are other IPs in the same block that could be in scope for the engagement.

# whois queries the public registration database for a domain or IP address
# When given an IP, it returns network block ownership and contact information
# This is completely passive — your query goes to a public registry server
# No packets reach 89.44.12.201 during this step

# Query the domain registration record first
whois targetmanufacturing.com

# Then query the IP address found on the VPN gateway subdomain
# This reveals who owns that IP block and what range it belongs to
whois 89.44.12.201

Breaking it down:

Creation Date: 2007-04-11
A 17-year-old domain. That gap between creation and now represents years of accumulated infrastructure — legacy servers, forgotten subdomains, software that has not seen a major update since the early cloud era. Flag it and keep it in mind when interpreting scan results later.
inetnum: 89.44.12.0 - 89.44.12.255
The company owns the entire /24 block — 256 IP addresses from .0 to .255. Your scope document listed one IP. Now you know that IP sits inside a 256-address range the company controls. Before scanning anything beyond what is explicitly in scope, go back to the client and clarify whether the full block is included. Never assume.
DNSSEC: unsigned (domain record)
This appeared in the DNS enumeration lesson too — worth restating here because seeing it confirmed in both DNS records and WHOIS data reinforces it as a real finding rather than a data anomaly. Two independent sources saying the same thing is stronger evidence than one.
source: RIPE
The IP block is registered with RIPE NCC — confirming European infrastructure. The whois command routed the IP query to RIPE automatically. This is useful context: RIPE records tend to be more detailed about network ranges than some other registries, and they often include the technical contact name, which occasionally turns up in other searches.
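The scope question raised above (one scoped IP inside a 256-address block) is the kind of check worth automating so it is never skipped. The following is an added example, not part of the lesson's own material: it parses constructed WHOIS text shaped like the records discussed here (the field names, values and the scoped address are assumptions), pulls out the inetnum range, domain age and DNSSEC status, and reports how many addresses in the block still need client confirmation.

```python
import ipaddress
import re
from datetime import date

# Constructed sample records, shaped like a RIPE inetnum record and a
# registrar domain record. Values are illustrative, not real lookups.
IP_WHOIS = """\
inetnum:        89.44.12.0 - 89.44.12.255
netname:        TARGET-MANUFACTURING-NET
country:        GB
source:         RIPE
"""
DOMAIN_WHOIS = """\
Domain Name: TARGETMANUFACTURING.COM
Creation Date: 2007-04-11T00:00:00Z
Registrar: NameCheap, Inc.
DNSSEC: unsigned
"""

def parse_fields(text):
    """Turn 'key: value' WHOIS lines into a dict (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([\w .-]+?):\s*(.+?)\s*$", line)
        if m and m.group(1).lower() not in fields:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def inetnum_to_networks(inetnum):
    """'a.b.c.d - w.x.y.z' -> list of CIDR networks covering the range."""
    start, end = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(start, end))

def domain_age_years(creation, today_iso):
    """Whole years between the Creation Date field and a given ISO date."""
    created, today = date.fromisoformat(creation[:10]), date.fromisoformat(today_iso)
    return today.year - created.year - ((today.month, today.day) < (created.month, created.day))

def scope_check(inetnum, scoped_ips):
    """Split the registered block into addresses the scope document
    covers and addresses that still need explicit client confirmation."""
    nets = inetnum_to_networks(inetnum)
    total = sum(n.num_addresses for n in nets)
    in_scope = {ipaddress.ip_address(ip) for ip in scoped_ips}
    covered = [ip for ip in in_scope if any(ip in n for n in nets)]
    return {"cidrs": [str(n) for n in nets], "total": total,
            "scoped_in_block": len(covered), "unconfirmed": total - len(covered)}
```

Running scope_check on the record above with the single scoped address 89.44.12.201 reports 255 unconfirmed addresses, which is the number to take back to the client before the active phase.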

Network enumeration — discovering live hosts across a range

Once you have a network range confirmed — whether from WHOIS, DNS enumeration, or the client's own scope document — the next step is finding out which hosts in that range are actually alive and responding. This is called host discovery or live host enumeration, and it is the bridge between reconnaissance and scanning.

The most widely used tool for this is Nmap. While most people associate Nmap with port scanning, it has a dedicated host discovery mode that sends lightweight probes across a network range and reports back which addresses are live — without doing a full port scan. This keeps the initial noise low and lets you build a confirmed target list before committing to heavier scanning.

The scenario: Your scope has been confirmed. The client has authorised you to enumerate their internal lab network — the 192.168.56.0/24 range your lab sits on. Before scanning individual ports on specific hosts, you run a host discovery sweep to confirm which addresses are alive and responding. This is active reconnaissance and requires the testing window to be open.

# Nmap host discovery sweep across the full lab subnet
# This is active recon — packets are sent to every address in the range
# Only run this inside your authorised scope and testing window

# -sn tells Nmap to skip port scanning entirely (older versions called this -sP, "ping scan")
#    It only checks which hosts are alive, nothing more
#    This is significantly quieter than a full port scan

# -PE sends an ICMP echo request (like ping) to each host
# -PS80,443 also sends TCP SYN probes to ports 80 and 443
#    Some hosts block ICMP but still respond to TCP — combining both
#    catches hosts that a plain ping sweep would miss entirely

# The /24 notation means scan all 256 addresses in this range (.0 to .255)
nmap -sn -PE -PS80,443 192.168.56.0/24

Breaking it down:

-sn (skip port scan)
This flag is what makes the command a host discovery sweep rather than a port scan. Without it, Nmap would scan the most common 1,000 ports on every address in the range — generating far more traffic and taking considerably longer. Use -sn first to confirm which hosts exist, then run targeted port scans only against those live addresses.
-PE -PS80,443 used together
Using both probe types is deliberate. Firewalls and host-based security tools often block ICMP echo requests — so a plain ping sweep returns nothing even when a host is live. The TCP SYN probes on ports 80 and 443 give you a second path to detect those hosts. Using both together catches things that either approach alone would miss.
256 addresses scanned in 2.14 seconds
The speed difference between a host discovery sweep and a full port scan is dramatic. Scanning 256 addresses for live hosts took just over two seconds. Running a full port scan across all 65,535 ports on all 256 addresses would take hours. Always do host discovery first — it narrows the work to only the addresses worth scanning in detail.

Three live hosts returned — 192.168.56.1 (the VirtualBox gateway), .101 (Metasploitable), and .102 (a second service on Metasploitable). In a real engagement, this list would be your confirmed target list for the port scanning phase. Everything from here is focused on those three addresses, not the other 253 that came back silent.
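Turning the sweep into a confirmed target list is the step that keeps the port scanning phase inside scope. The following is an added example, not part of the lesson: it parses a constructed sample of Nmap's grepable output (-oG) for the sweep above, keeps only hosts reported Up, cross-checks each against the authorised range so anything outside it is surfaced rather than silently carried forward, and emits the contents of a target file for nmap -iL. The sample output lines are constructed to match the lesson's three live hosts.

```python
import ipaddress
import re

# Constructed sample of `nmap -sn -PE -PS80,443 -oG - 192.168.56.0/24` output.
# The three "Up" lines mirror the lesson's result; this is not a real capture.
SWEEP_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -sn -PE -PS80,443 -oG - 192.168.56.0/24
Host: 192.168.56.1 ()\tStatus: Up
Host: 192.168.56.101 ()\tStatus: Up
Host: 192.168.56.102 ()\tStatus: Up
# Nmap done at -- 256 IP addresses (3 hosts up) scanned in 2.14 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Status:\s+(\w+)")
DONE_RE = re.compile(r"(\d+) IP addresses \((\d+) hosts? up\)")

def parse_sweep(text):
    """Return ([(ip, hostname, status), ...], (addresses_scanned, hosts_up))."""
    hosts, summary = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1), m.group(2), m.group(3)))
        d = DONE_RE.search(line)
        if d:
            summary = (int(d.group(1)), int(d.group(2)))
    return hosts, summary

def confirmed_targets(text, scope_cidr):
    """Live hosts inside the authorised range, sorted numerically, plus any
    live host that fell outside it (those must not be carried forward)."""
    scope = ipaddress.ip_network(scope_cidr)
    hosts, summary = parse_sweep(text)
    up = [ipaddress.ip_address(ip) for ip, _, status in hosts if status == "Up"]
    # Sanity check: the summary line and the parsed Host lines must agree.
    if summary and summary[1] != len(up):
        raise ValueError("summary line disagrees with parsed host count")
    inside = sorted(ip for ip in up if ip in scope)
    outside = sorted(ip for ip in up if ip not in scope)
    return [str(ip) for ip in inside], [str(ip) for ip in outside]

def target_file(text, scope_cidr):
    """Contents for the targets file passed to `nmap -iL` in the port scanning phase."""
    inside, _ = confirmed_targets(text, scope_cidr)
    return "\n".join(inside) + "\n"
```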

Connecting WHOIS findings to the bigger picture

By this point in a real engagement — after DNS enumeration and WHOIS and network discovery — you have a structured intelligence picture that looks something like this.

INTELLIGENCE SUMMARY — end of recon phase (status: ready for scanning)
Domain intelligence
Registered 2007 via Namecheap. Cloudflare CDN in front — real origin IP is masked. DNSSEC unsigned. Organisation confirmed as Target Manufacturing Ltd, UK.
Network ownership
Owns IP block 89.44.12.0/24 — registered with RIPE NCC. 256 addresses under company control. Scope confirmation required before scanning the full range.
DNS findings
Zone transfer succeeded — 6 internal hosts exposed including dev, ftp, vpn, admin subdomains. Admin panel and VPN gateway flagged as priority targets.
Live hosts confirmed
Host discovery sweep returned 3 live addresses on the lab subnet. Full port scanning will target these addresses only — not the full /24.
Critical findings
Zone transfer misconfiguration (information disclosure — critical). DNSSEC unsigned (low). CVE-2022-40684 on VPN gateway identified via Shodan (critical — escalate immediately).

That summary took roughly two to three hours to build from public sources and a small number of active queries. The scanning phase that follows will be faster and more focused because this groundwork was done properly. Every scan you run from here is targeted rather than exploratory — and targeted scans generate less noise, take less time, and produce more actionable results.

Teacher's Note: The transition from recon to scanning is one of the most important decisions in an engagement. Going into scanning without a clear target list is how people spend three days port scanning things that are not relevant. The WHOIS and host discovery work in this lesson is what makes that transition clean.

Practice questions

Scenario:

A pen tester runs a WHOIS lookup on an IP address discovered during DNS enumeration of a German automotive company. The output shows the IP block is registered to a Frankfurt-based hosting provider and the source field reads RIPE. The tester needs to confirm which regional internet registry is responsible for IP address allocations in Europe. Which registry issued this IP block?
Scenario:

A pen tester has a confirmed scope of 10.0.0.0/24 — 256 addresses. Before running detailed port scans, they want to find out which of those 256 addresses are actually live and responding, without triggering a full port scan against every address in the range. They use Nmap with a specific flag that tells it to perform host discovery only and skip the port scanning stage entirely. What is that flag?
Scenario:

A pen tester is working from a scope document that lists five specific IP addresses belonging to a retail company. A WHOIS lookup on one of those IPs reveals the company owns the entire /24 block — 256 addresses — all registered under the same organisation name. The tester believes the additional IPs in the block are probably also fair game. What is the correct next step before scanning any of those additional addresses?
Quiz

Scenario:

A junior pen tester asks why they should bother running WHOIS on an IP address when they already know from the DNS enumeration phase exactly which IPs are associated with the target's subdomains. A senior tester explains there is a specific piece of information that IP WHOIS provides that DNS records do not. What is it?

Scenario:

A pen tester runs an Nmap host discovery sweep using only ICMP echo probes against a /24 range and gets back only two live hosts. They suspect several more hosts exist but are blocking ICMP traffic at the firewall. Their team lead suggests a modification to the command that would detect those hidden hosts without escalating to a full port scan. What should the tester add to their Nmap command?

Scenario:

A pen tester runs WHOIS on a target domain and notices the registrant organisation name does not match the trading name of the company they are testing. The domain was created in 2003 and the company they are testing was founded in 2011. The client has confirmed the domain belongs to them. What is the most likely explanation for the name mismatch?
