
SANS ISC: 'Who is' your friend!


At the ISC we often get requests that end up with us using whois information in one way or another. This diary shows some of the 'tricks' we use to get to the details we need for such events.

PLEASE NOTE:
  • These IP addresses were chosen for their educational value; nothing good or bad should be inferred about them.
  • Email addresses have been mangled to reduce the impact of the bots searching for spam victims.

ARIN

ARIN deals with North American IP addresses.

$ whois -h whois.arin.net 129.128.5.191

OrgName:    University of Alberta
OrgID:      UNIVER-50
Address:    1030 General Services Building
City:       Edmonton
StateProv:
PostalCode:
Country:    CA

NetRange:   129.128.0.0 - 129.128.255.255
CIDR:       129.128.0.0/16
NetName:    U-ALBERTA
NetHandle:  NET-129-128-0-0-1
Parent:     NET-129-0-0-0-0
NetType:    Direct Assignment
NameServer: NAME.UALBERTA.CA
NameServer: NOM.UALBERTA.CA
NameServer: MENAIK.CS.UALBERTA.CA
Comment:
RegDate:    1987-12-01
Updated:    2001-12-21

RTechHandle: KW1848-ARIN
RTechName:   Watts, Kevin
RTechPhone:  +1-780-492-9583
RTechEmail:  kevin.watts/at/ualberta.ca

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


So this IP address (taken from www.openbsd.org) tells me it's hosted at the University of Alberta in Canada, and I get a technical contact as well.


$ whois -h whois.arin.net 65.173.218.103

Sprint SPRINTLINK-2-BLKS (NET-65-160-0-0-1)
                                  65.160.0.0 - 65.174.255.255
ESCAL INSTITUTE OF ADVANCED FON-1101912576101565 (NET-65-173-218-0-1)
                                  65.173.218.0 - 65.173.218.255

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Where did all the detail go?
Well, this address is part of two blocks ARIN keeps information on, and you need to choose which of them you want to see the details of. The part between the parentheses (the NetHandle) is the block you can select:

$ whois -h whois.arin.net  NET-65-160-0-0-1

OrgName:    Sprint
OrgID:      SPRN
Address:    12502 Sunrise Valley Drive
City:       Reston
StateProv:  VA
PostalCode: 20196
Country:    US

NetRange:   65.160.0.0 - 65.174.255.255
CIDR:       65.160.0.0/13, 65.168.0.0/14, 65.172.0.0/15, 65.174.0.0/16
NetName:    SPRINTLINK-2-BLKS
NetHandle:  NET-65-160-0-0-1
Parent:     NET-65-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1-AUTH.SPRINTLINK.NET
NameServer: NS2-AUTH.SPRINTLINK.NET
NameServer: NS3-AUTH.SPRINTLINK.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2000-09-19
Updated:    2004-02-06

RTechHandle: SPRINT-NOC-ARIN
RTechName:   Sprintlink (Sprint)
RTechPhone:  +1-800-232-6895
RTechEmail:  NOC/at/sprint.net

OrgTechHandle: ARINS-ARIN
OrgTechName:   arin-sprint-iprequest
OrgTechPhone:  +1-800-232-3458
OrgTechEmail:  ip-req/at/sprint.net

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


Well, this is the record for the bigger block, which generally belongs to an ISP. It often contains the abuse address the ISP prefers, but Sprintlink didn't include that information here. They did, however, include an email address for the NOC.

Let's look at the smaller block:

$ whois -h whois.arin.net NET-65-173-218-0-1

OrgName:    ESCAL INSTITUTE OF ADVANCED
OrgID:      EIA-16
Address:    5401 WESTBARD AVE SUITE 1501
City:       BETHESDA
StateProv:  MD
PostalCode: 20816
Country:    US

NetRange:   65.173.218.0 - 65.173.218.255
CIDR:       65.173.218.0/24
NetName:    FON-1101912576101565
NetHandle:  NET-65-173-218-0-1
Parent:     NET-65-160-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2002-05-29
Updated:    2002-05-29

RTechHandle: MF974-ARIN
RTechName:   FEARNOW, MATT
RTechPhone:  +1-317-580-9756
RTechEmail:  MATT/at/sans.org

OrgTechHandle: MF974-ARIN
OrgTechName:   FEARNOW, MATT
OrgTechPhone:  +1-317-580-9756
OrgTechEmail:  MATT/at/sans.org

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

It belongs to some institute which some of you might recognize ;-)
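Putting the ARIN steps above together: the code below is an added example (my own, not part of the original diary or any ISC tool) that parses the two-block summary listing, picks the most specific NetHandle for the address, and then pulls the contacts out of that handle's detail record. The sample responses are copied from the queries shown above and embedded as offline input; nothing is fetched live.

```python
import ipaddress
import re

# Sample ARIN responses copied from the queries in this diary; embedded here as
# offline test input rather than fetched from whois.arin.net.
ARIN_SUMMARY = """\
Sprint SPRINTLINK-2-BLKS (NET-65-160-0-0-1)
                                  65.160.0.0 - 65.174.255.255
ESCAL INSTITUTE OF ADVANCED FON-1101912576101565 (NET-65-173-218-0-1)
                                  65.173.218.0 - 65.173.218.255

# ARIN WHOIS database, last updated 2006-04-11 19:10
"""

ARIN_DETAIL = """\
OrgName:    ESCAL INSTITUTE OF ADVANCED
OrgID:      EIA-16
NetRange:   65.173.218.0 - 65.173.218.255
CIDR:       65.173.218.0/24
NetName:    FON-1101912576101565
NetHandle:  NET-65-173-218-0-1
Parent:     NET-65-160-0-0-1
NetType:    Reassigned
RTechHandle: MF974-ARIN
RTechEmail:  MATT/at/sans.org
OrgTechEmail:  MATT/at/sans.org
"""

# "Org NETNAME (NET-HANDLE)" followed by an indented "start - end" line.
SUMMARY_RE = re.compile(r"^(?P<org>.+?) \((?P<handle>NET-[0-9-]+)\)\s*$")
RANGE_RE = re.compile(r"^\s+(?P<start>[\d.]+) - (?P<end>[\d.]+)\s*$")


def parse_summary(text):
    """Parse ARIN's multi-match listing into (org, handle, first_ip, last_ip) tuples."""
    blocks, pending = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            pending = (m["org"], m["handle"])
            continue
        m = RANGE_RE.match(line)
        if m and pending:
            blocks.append((pending[0], pending[1],
                           ipaddress.ip_address(m["start"]),
                           ipaddress.ip_address(m["end"])))
            pending = None
    return blocks


def most_specific(blocks, ip):
    """Pick the smallest listed block that contains ip: that is the customer
    reassignment, while the larger parent is the ISP's allocation."""
    addr = ipaddress.ip_address(ip)
    hits = [b for b in blocks if b[2] <= addr <= b[3]]
    if not hits:
        return None
    return min(hits, key=lambda b: int(b[3]) - int(b[2]))


def parse_record(text):
    """Parse a 'Key: value' detail record into a dict of lists, because keys
    such as NameServer or Comment legitimately repeat."""
    record = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def contact_emails(record):
    """Return every *Email field (RTechEmail, OrgTechEmail, OrgAbuseEmail, ...)
    exactly as the registry returned it, deduplicated and sorted."""
    emails = {v for k, vals in record.items() if k.endswith("Email") for v in vals}
    return sorted(emails)


def lookup_chain(summary_text, detail_text, ip):
    """Mimic the manual two-step: pick the most specific handle from the
    summary, then pull the contacts out of that handle's detail record."""
    block = most_specific(parse_summary(summary_text), ip)
    record = parse_record(detail_text)
    return {
        "handle": block[1] if block else None,
        "parent": record.get("Parent", [None])[0],
        "net_type": record.get("NetType", [None])[0],
        "contacts": contact_emails(record),
    }


if __name__ == "__main__":
    print(lookup_chain(ARIN_SUMMARY, ARIN_DETAIL, "65.173.218.103"))
```

In real use the detail text would come from a second query for the chosen handle; keeping the parsing separate from the fetching is what lets you test the logic on saved answers like the ones above.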

CYMRU

Is that all whois has to offer?

No, by far not. Cymru keeps some more data relating to the routing fabric of the Internet. As far as routing goes, the IP addresses on the Internet are divided into Autonomous Systems (AS). Each of those has a number, called an ASN. Those ASes map back to ISPs. The ASNs are used by the ISPs when building the links over which they exchange traffic (called peerings or upstreams). [This is a simplification, I know, but good enough for the purposes of this article.]
You can find the AS an IP belongs to like this:

$ whois -h whois.cymru.com 129.128.5.191
AS      | IP               | AS Name
3359    | 129.128.5.191    | U-ALBERTA - University of Albe


$ whois -h whois.cymru.com  65.173.218.103
AS      | IP               | AS Name
1239    | 65.173.218.103   | SPRINTLINK - Sprint


Now the neat trick is that Cymru also has a whois server that is aware of the links between the ISPs:

$ whois -h v4-peer.whois.cymru.com 129.128.5.191
PEER_AS | IP               | AS Name
6509    | 129.128.5.191    | CANARIE-NTN - Canarie Inc


$ whois -h v4-peer.whois.cymru.com 65.173.218.103
PEER_AS | IP               | AS Name
209     | 65.173.218.103   | ASN-QWEST - Qwest
286     | 65.173.218.103   | KPN KPN Internet Backbone AS
701     | 65.173.218.103   | ALTERNET-AS - UUNET Technologi
1299    | 65.173.218.103   | TELIANET TeliaNet Global Netwo
1668    | 65.173.218.103   | AOL-ATDN - AOL Transit Data Ne
2516    | 65.173.218.103   | JPNIC-ASBLOCK-AP JPNIC
2914    | 65.173.218.103   | NTTA-2914 - NTT America, Inc.
3130    | 65.173.218.103   | RGNET-3130 RGnet/PSGnet
3257    | 65.173.218.103   | TISCALI-BACKBONE Tiscali Intl
3292    | 65.173.218.103   | TDC TDC Data Networks
3356    | 65.173.218.103   | LEVEL3 Level 3 Communications
3549    | 65.173.218.103   | GBLX Global Crossing Ltd.
3561    | 65.173.218.103   | SAVVIS - Savvis
4134    | 65.173.218.103   | CHINANET-BACKBONE No.31,Jin-ro
5511    | 65.173.218.103   | OPENTRANSIT France Telecom
6762    | 65.173.218.103   | SEABONE-NET Telecom Italia Spa
7018    | 65.173.218.103   | ATT-INTERNET4 - AT_T WorldNet
15412   | 65.173.218.103   | FLAG-AS Flag Telecom Global In


This gives you a list of ISPs that have a relationship with the ISP hosting the IP you are looking at. Should you be trying to push an unwilling ISP to act, putting these peers in "cc" is a great means of applying pressure.
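To turn the two Cymru answers into something you can act on, here is an added example (mine, not code from the diary or from Team Cymru) that parses the pipe-separated tables and builds the "write to the origin AS, cc its peers" list the paragraph above describes. The sample output is copied from the queries shown above (trimmed to four peers) and embedded as offline input.

```python
# Output copied from the diary's Cymru queries, embedded as offline sample input.
ORIGIN_OUTPUT = """\
AS      | IP               | AS Name
1239    | 65.173.218.103   | SPRINTLINK - Sprint
"""

PEER_OUTPUT = """\
PEER_AS | IP               | AS Name
209     | 65.173.218.103   | ASN-QWEST - Qwest
701     | 65.173.218.103   | ALTERNET-AS - UUNET Technologi
3356    | 65.173.218.103   | LEVEL3 Level 3 Communications
7018    | 65.173.218.103   | ATT-INTERNET4 - AT_T WorldNet
"""


def parse_cymru_table(text):
    """Turn Cymru's pipe-separated table into a list of dicts keyed by the
    header cells (AS or PEER_AS, IP, AS Name)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return []
    header = [h.strip() for h in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(header):
            continue  # banner or truncated line, not a data row
        rows.append(dict(zip(header, cells)))
    return rows


def origin_as(text):
    """Map each queried IP to (ASN, AS name) from a whois.cymru.com answer."""
    return {r["IP"]: (int(r["AS"]), r["AS Name"]) for r in parse_cymru_table(text)}


def peers_of(text):
    """Map each queried IP to {peer ASN: AS name} from a v4-peer.whois.cymru.com answer."""
    peers = {}
    for r in parse_cymru_table(text):
        peers.setdefault(r["IP"], {})[int(r["PEER_AS"])] = r["AS Name"]
    return peers


def escalation_report(origin_text, peer_text, ip):
    """Who to write to: the hosting AS first, its peers as the 'cc' list."""
    asn, name = origin_as(origin_text).get(ip, (None, None))
    peers = peers_of(peer_text).get(ip, {})
    return {
        "ip": ip,
        "origin": asn,
        "origin_name": name,
        "peers": sorted(peers),
        "peer_names": [peers[p] for p in sorted(peers)],
    }


if __name__ == "__main__":
    print(escalation_report(ORIGIN_OUTPUT, PEER_OUTPUT, "65.173.218.103"))
```

The header row is used as the key list on purpose: the origin server labels its first column AS and the peer server PEER_AS, so one parser serves both without hard-coding column positions.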

RIPE

Now what happens if you try to look up an address in Europe?

$ whois -h whois.arin.net 194.7.3.21

OrgName:    RIPE Network Coordination Centre
OrgID:      RIPE
Address:    P.O. Box 10096
City:       Amsterdam
StateProv:
PostalCode: 1001EB
Country:    NL

ReferralServer: whois://whois.ripe.net:43

NetRange:   194.0.0.0 - 194.255.255.255
CIDR:       194.0.0.0/8
NetName:    RIPE-CBLK2
NetHandle:  NET-194-0-0-0-1
Parent:
NetType:    Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment:    These addresses have been further assigned to users in
Comment:    the RIPE NCC region. Contact information can be found in
Comment:    the RIPE database at http://www.ripe.net/whois
RegDate:    1993-07-21
Updated:    2005-08-03

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


That's not going to help you much: RIPE is an organization much like ARIN, but instead of North America it covers Europe and the Middle East.

Actually, read more closely: ARIN does point you to whois.ripe.net (the ReferralServer line), so let's contact that server.

$ whois -h whois.ripe.net 194.7.3.21
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
%       To receive output for a database update, use the "-B" flag

% Information related to '194.7.0.0 - 194.7.8.255'

inetnum:      194.7.0.0 - 194.7.8.255
netname:      INNET-BACKBONE-BEL
descr:        INNET NV
country:      BE
admin-c:      HUB1-RIPE
tech-c:       HUB1-RIPE
rev-srv:      auth50.ns.be.uu.net
rev-srv:      auth00.ns.be.uu.net
status:       ASSIGNED PA
mnt-by:       AS2822-MNT
source:       RIPE # Filtered

role:           Hostmaster UUNET Belgium
address:        UUNET Belgium
address:        Culliganlaan 2/H
address:        B-1831 Diegem
address:        Belgium
phone:          +32 70 233 560
fax-no:         +32 70 233 559
e-mail:         tech-dns/at/be.uu.net
remarks:        trouble:      You can reach us for technical questions at tech-dns/at/be.uu.net
remarks:        trouble:      or by telephone at +32 2 404 6000
remarks:        trouble:      or by fax at +32 2 404 6817
admin-c:        PS10957-RIPE
tech-c:         PS10957-RIPE
nic-hdl:        HUB1-RIPE
mnt-by:         AS2822-MNT
source:         RIPE # Filtered

% Information related to '194.7.0.0/16AS2822'

route:        194.7.0.0/16
descr:        INNET-BLOCK
origin:       AS2822
remarks:      CIDR all the way down
remarks:      **************************************
remarks:      * For spamming or other abuse issues *
remarks:      * Please send your requests to       *
remarks:      * abuse/at/be.uu.net                 *
remarks:      **************************************
mnt-by:       AS2822-MNT
mnt-by:       WCOM-EMEA-RICE-MNT
source:       RIPE # Filtered

% Information related to '194.7.0.0/16AS702'

route:          194.7.0.0/16
descr:          BE PA route
origin:         AS702
member-of:      AS702:RS-BE,
                AS702:RS-BE-PA
remarks:        **********ABUSE ISSUES**********
remarks:        All abuse must be reported to
remarks:        abuse/at/be.uu.net for this network.
remarks:        ********************************
mnt-routes:     Fortis-MNT {194.7.124.240/28^+, 194.7.243.224/28^+, 194.7.112.0/22^+, 194.7.124.240/28^+, 194.7.243.224/28^+}
mnt-by:         WCOM-EMEA-RICE-MNT
source:         RIPE # Filtered


Cool, we got the ISP and an abuse contact.

The ASNs are recorded in this format as well (the route objects above carry an origin field). However, should you want to use that information, I'd trust the Cymru results just that bit more.

APNIC

Moving on to Asia-Pacific, things change again. Should we try to pull the information off ARIN, it will point us to whois.apnic.net (not shown, for brevity).

$ whois -h whois.apnic.net 202.30.50.50
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      202.30.0.0 - 202.31.255.255
netname:      KRNIC-KR
descr:        KRNIC
descr:        Korea Network Information Center
country:      KR
admin-c:      HM127-AP
tech-c:       HM127-AP
remarks:      ******************************************
remarks:      KRNIC is the National Internet Registry
remarks:      in Korea under APNIC. If you would like to
remarks:      find assignment information in detail
remarks:      please refer to the KRNIC Whois DB
remarks:      http://whois.nic.or.kr/english/index.html
remarks:      ******************************************
mnt-by:       APNIC-HM
mnt-lower:    MNT-KRNIC-AP
changed:      hostmaster/at/apnic.net 19960229
changed:      hostmaster/at/apnic.net 20010606
status:       ALLOCATED PORTABLE
source:       APNIC

person:       Host Master
address:      11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address:      Seoul, Korea, 137-857
country:      KR
phone:        +82-2-2186-4500
fax-no:       +82-2-2186-4496
e-mail:       hostmaster/at/nic.or.kr
nic-hdl:      HM127-AP
mnt-by:       MNT-KRNIC-AP
changed:      hostmaster/at/nic.or.kr 20020507
source:       APNIC

inetnum:      202.30.50.0 - 202.30.51.255
netname:      KRNIC-NET-KR
descr:        NIDA
country:      KR
admin-c:      IT04-KR
tech-c:       IT04-KR
remarks:      This IP address space has been allocated to KRNIC.
remarks:      For more information, using KRNIC Whois Database
remarks:      whois -h whois.nic.or.kr
mnt-by:       MNT-KRNIC-AP
remarks:      This information has been partially mirrored by APNIC from
remarks:      KRNIC. To obtain more specific information, please use the
remarks:      KRNIC whois server at whois.krnic.net.
changed:      hostmaster/at/nic.or.kr
source:       KRNIC


OK, for tracking down an ISP this answer is a hard one. But read it carefully: it tells you to look for more detailed information on whois.nic.or.kr ...

$ whois -h whois.nic.or.kr 202.30.50.50
[Korean part suppressed (my I18N skills aren't up to reproducing it anyway)]
# ENGLISH

KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The followings is organization information that is using the IPv4 address.

IPv4 Address       : 202.30.50.0-202.30.51.255
Network Name       : KRNIC-NET
Registration Date  : 19990928
Publishes          : Y

[ Organization Information ]
Organization ID    : ORG103657
Org Name           : NIDA
Address            : Seocho2-dong, Seocho-gu, Seoul
Detail address     : 1321-11 NIDA
Zip Code           : 137-857

[ Technical Contact Information ]
Name               : IP Tech
Org Name           : NIDA
Address            : Seocho2-dong, Seocho-gu, Seoul
Detail address     : 1321-11 NIDA
Zip Code           : 137-857
Phone              : +82-2-2186-4500
E-Mail             : noc/at/nida.or.kr


Cool, we got a NOC contact!

LACNIC

LACNIC is responsible for Latin America; let's try it:

$ whois -h whois.lacnic.net 200.160.7.7

% Joint Whois - whois.lacnic.net
%  This server accepts single ASN, IPv4 or IPv6 queries


% Copyright registro.br
%  The data below is provided for information purposes
%  and to assist persons in obtaining information about or
%  related to domain name and IP number registrations
%  By submitting a whois query, you agree to use this data
%  only for lawful purposes.
%  2006-04-12 19:17:34 (BRT -03:00)

inetnum:     200.160.0/20
aut-num:     AS22548
abuse-c:     FAN
owner:       Núcleo de Informação e Coordenação do Ponto BR
ownerid:     005.506.560/0001-36
responsible: Demi Getschko
address:     Av. das Nações Unidas, 11541, 7º andar
address:     04578-000 - São Paulo - SP
phone:       (11) 55093511 []
owner-c:     FAN
tech-c:      FAN
inetrev:     200.160.0/20
nserver:     a.dns.br
nsstat:      20060410 AA
nslastaa:    20060410
nserver:     b.dns.br
nsstat:      20060410 AA
nslastaa:    20060410
nserver:     c.dns.br
nsstat:      20060410 AA
nslastaa:    20060410
nserver:     d.dns.br
nsstat:      20060410 AA
nslastaa:    20060410
nserver:     e.dns.br
nsstat:      20060410 AA
nslastaa:    20060410
created:     20011016
changed:     20050524

nic-hdl-br:  FAN
person:      Frederico Augusto de Carvalho Neves
e-mail:      fneves/at/registro.br
created:     19971217
changed:     20030721

remarks:     Security issues should also be addressed to
remarks:     cert/at/cert.br, http://www.cert.br/
remarks:     Mail abuse issues should also be addressed to
remarks:     mail-abuse/at/cert.br

% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.

Don't worry too much about those long lists of nameservers; LACNIC almost always returns them.

AfriNIC

I've never had to deal with the fifth RIR, AfriNIC, in real life, but here is an example:

$ whois -h whois.afrinic.net 196.216.2.1
% This is the AfriNIC Whois server.

% Information related to '196.216.2.0 - 196.216.3.255'

inetnum:      196.216.2.0 - 196.216.3.255
netname:      AFRINIC
descr:        African Network Information Center - Internal Use.
descr:        CSIR/icomtek
descr:        43A
descr:        PO Box 395
descr:        Pretoria
descr:        Gauteng
descr:        0001
country:      ZA
admin-c:      EMB2-AFRINIC
tech-c:       EMB2-AFRINIC
status:       ASSIGNED PI
remarks:
remarks:      AfriNIC is the Internet Numbers' Registry for the
remarks:      African continent and part of the Indian Ocean
remarks:      region. It took over the management and
remarks:      distribution of internet resources in Africa
remarks:      from ARIN, RIPE NCC and APNIC. Headquarters are in
remarks:      Mauritius while the Engineering Operations Centre
remarks:      is in Pretoria, South Africa.
remarks:
mnt-by:       AFRINIC-HM-MNT
mnt-lower:    AFRINIC-HM-MNT
changed:      hostmaster/at/arin.net 20040517
changed:      hostmaster/at/arin.net 20041102
changed:      hostmaster/at/afrinic.net 20050221
changed:      e.byaru/at/gmail.com 20050409
source:       AFRINIC
parent:         196.216.0.0 - 196.216.255.255

person:       ERNEST MWIRIMA BYARUHANGA
address:      CSIR/icomtek 43A
address:      P O Box 395
address:      PRETORIA
address:      GAUTENG
address:      0001
address:      ZA
phone:        +27128412894
fax-no:       +27128414720
e-mail:       ernest/at/afrinic.org
nic-hdl:      EMB2-AFRINIC
mnt-by:       AFRINIC-HM-MNT
remarks:      remarks:     AfriNIC - http://www.afrinic.net
remarks:      The African & Indian Ocean Internet Registry
changed:      hostmaster/at/arin.net 20040516
changed:      hostmaster/at/arin.net 20040516
changed:      hostmaster/at/afrinic.net 20050221
changed:      e.byaru/at/gmail.com 20050409
source:       AFRINIC

Domain names

Whois also can be used as an interface to see who owns what domain name, but that's for another time.

Other sources

There are many more sources of whois information. The trick, beyond the starting points above, is to read the comments that come back with the answer. Sometimes some information isn't available through whois because of the risk of abuse. Often they'll point you to a website instead, one that tries to detect automated queries and perhaps even hands out the information only as a gif image rather than as text.
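The "read the comments" advice is what the RIPE section (where the abuse contact sat in free-text remarks) and the APNIC section (where the next server to ask was only named inside a remarks line) both come down to. As an added example that is not part of the original diary, the helpers below recognise the referral forms seen in this diary (ARIN's ReferralServer field, and a remark quoting a whois command or host; IANA's refer: field is included as a known extra), pull abuse addresses out of RPSL remarks, and chase referrals from server to server. The fragments are copied from the answers above and embedded as offline input; the fetch function is injectable so the chain can be exercised without a network, and a raw RFC 3912 query function is included for live use.

```python
import re
import socket

# Fragments copied from the diary's ARIN, RIPE and APNIC answers, embedded as
# offline sample input so the helpers can be exercised without a network.
ARIN_RIPE_FRAGMENT = """\
OrgName:    RIPE Network Coordination Centre
ReferralServer: whois://whois.ripe.net:43
NetRange:   194.0.0.0 - 194.255.255.255
"""

RIPE_FRAGMENT = """\
route:        194.7.0.0/16
descr:        INNET-BLOCK
origin:       AS2822
remarks:      * For spamming or other abuse issues *
remarks:      * Please send your requests to       *
remarks:      * abuse/at/be.uu.net                 *
mnt-by:       AS2822-MNT
source:       RIPE # Filtered
"""

APNIC_FRAGMENT = """\
inetnum:      202.30.50.0 - 202.30.51.255
netname:      KRNIC-NET-KR
remarks:      This IP address space has been allocated to KRNIC.
remarks:      For more information, using KRNIC Whois Database
remarks:      whois -h whois.nic.or.kr
source:       KRNIC
"""

# Ways a registry says "ask someone else": ARIN's ReferralServer field, IANA's
# refer: field, and free-text remarks quoting a whois command or a server name.
REFERRAL_PATTERNS = [
    re.compile(r"^ReferralServer:\s*whois://(?P<host>[\w.-]+)(?::(?P<port>\d+))?", re.M),
    re.compile(r"^refer:\s*(?P<host>[\w.-]+)", re.M),
    re.compile(r"whois\s+-h\s+(?P<host>[\w.-]+)"),
    re.compile(r"whois server at (?P<host>[\w.-]+)", re.I),
]


def find_referral(text):
    """Return (host, port) of the server the answer points at, or None."""
    for pat in REFERRAL_PATTERNS:
        m = pat.search(text)
        if m:
            port = m.groupdict().get("port")
            return m["host"].rstrip("."), int(port) if port else 43
    return None


def abuse_contacts(text):
    """Collect abuse addresses from abuse-mailbox fields and from the free-text
    remarks where older RPSL objects hide them. abuse-c handles are kept apart
    because they need a second lookup to resolve to a person or role."""
    emails, handles = [], []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key == "abuse-mailbox":
            emails.append(value.strip())
        elif key == "abuse-c":
            handles.append(value.strip())
        elif key in ("remarks", "comment", "descr"):
            # Addresses in this diary are written as user/at/host; accept both forms.
            emails.extend(re.findall(r"[\w.+-]+(?:@|/at/)[\w-]+(?:\.[\w-]+)+", value))
    return {"emails": list(dict.fromkeys(emails)), "handles": list(dict.fromkeys(handles))}


def whois_query(host, port, query, timeout=10):
    """Plain whois over TCP (RFC 3912): send the query plus CRLF, read until EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode() + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def follow_referrals(query, start="whois.arin.net", fetch=None, max_hops=4):
    """Start at one registry and hop wherever each answer refers us; returns the
    list of (server, answer) pairs. fetch(host, port, query) is injectable, and
    the seen-set plus max_hops stop a pair of servers referring to each other."""
    fetch = fetch or whois_query
    host, port, hops, seen = start, 43, [], set()
    while host not in seen and len(hops) < max_hops:
        seen.add(host)
        text = fetch(host, port, query)
        hops.append((host, text))
        nxt = find_referral(text)
        if not nxt:
            break
        host, port = nxt
    return hops
```

The hop limit matters in practice: a referral loop between two servers, or a remark that quotes the same server you just asked, would otherwise keep the script querying forever.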

--
Swa Frantzen - Section 66