Passive Technical Reconnaissance Activities
Conducting passive reconnaissance activities for technical information means you are trying to identify subdomains, IP addresses, doing DNS footprinting, and getting WHOIS information of the target domain.
WHOIS Lookup
With a WHOIS lookup, you can find out who registered the target domain name, in addition to other useful information such as the domain name owner and their personal information, the billing contact, and the technical contact address. This information is public, and it is required to be so by ICANN, the organization responsible for overseeing the domain name system. WHOIS information about each domain is stored within public central databases called WHOIS databases. These databases can be queried to fetch detailed information about any registered domain name. Please note that some domain registrants may opt to make their domain registration information private. (This service is called something different by each domain registrar and requires paying an additional fee, but the most common terms are domain privacy or WHOIS protection.) In these cases, the personal information of the domain registrant will be hidden in the WHOIS databases.
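As an added example (not code from the book), the following Python snippet shows what a WHOIS lookup actually does on the wire and how the returned record is read: a raw RFC 3912 query over TCP port 43, a parser for the "Key: value" layout that gTLD registry servers return, and a check that flags a registrant masked by a privacy/proxy service. The sample response and all of its values are constructed placeholders, and the list of privacy markers is an assumed, non-exhaustive set; only the parser and the check run offline.

```python
import socket
from typing import Dict, List

# Constructed sample in the "Key: value" layout used by gTLD registry WHOIS servers
# (RFC 3912, TCP port 43). Every value here is a placeholder, not real registration data.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Creation Date: 2015-03-02T10:15:00Z
Registry Expiry Date: 2026-03-02T10:15:00Z
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC (PrivacyProtect.org)
Registrant Email: Please query the RDDS service of the Registrar of Record
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

# Assumed, non-exhaustive strings seen in registrant fields when a privacy/proxy service is used
PRIVACY_MARKERS = ("redacted for privacy", "privacy protect", "domains by proxy",
                   "whoisguard", "withheld")


def whois_query(domain: str, server: str, timeout: float = 10.0) -> str:
    """Raw RFC 3912 lookup: send the domain plus CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines into a dict; repeated keys (Name Server) become lists."""
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ">%#":   # skip comments and the trailing update banner
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def privacy_protected(fields: Dict[str, List[str]]) -> bool:
    """True when the registrant contact fields are masked by a privacy/proxy service."""
    registrant = " ".join(v for k, vs in fields.items() if k.startswith("registrant") for v in vs)
    return any(marker in registrant.lower() for marker in PRIVACY_MARKERS)
```

Registrar-level records (the second hop of a thin-registry lookup) use the same layout, so `parse_whois` applies to them unchanged; a protected record tells you only the registrar and name servers, which is exactly what the privacy service intends.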
Numerous sites offer WHOIS information. However, the main one responsible for delivering this service is ICANN. ICANN and its local regional Internet registries manage the allocation and registration of IP addresses and domain names for the entire world.
• ICANN (https://whois.icann.org/en): This is the head organization responsible for coordinating the Internet DNS and IP addresses.
• AFRINIC (https://www.afrinic.net): This is responsible for the Africa region.
• APNIC (https://www.apnic.net): This is responsible for the Asia-Pacific region.
• LACNIC (www.lacnic.net): This is responsible for Latin America and the Caribbean.
Many other online services give more information about registered domain names, listed here:
• Domain History (www.domainhistory.net): This shows archived domain name information.
• Whoisology (https://whoisology.com/#advanced): This is a domain name ownership archive.
• Robtex (https://www.robtex.com): This contains various information about domain names.
• Who.is (https://who.is): This offers a WHOIS search for domain names, websites, and IP tools.
• Operative Framework (https://github.com/graniet/operativeframework): Here you can find all domains registered by the same e-mail address.
• URL Scan (https://urlscan.io): This shows different information about the target website such as IP detail, subdomains, domain trees, links, certificates, and technologies used to build it.
Now, after finding out who is responsible for the target domain name, you can begin discovering how the target company organizes its Internet resources through web hosts and subdomains.