'Who is' your friend! (http://isc.sans.org/diary/+Who+is+your+friend+/1260)

Published: 2006-04-13, Last Updated: 2006-04-14 01:52:27 UTC by Swa Frantzen (Version: 2)

At the ISC we often get requests that end up with us using whois information in one way or another. This diary shows some of the 'tricks' we use to get to the details we need for such events.

PLEASE NOTE: These IP addresses were chosen for their educational value; nothing else, good or bad, should be assumed about them. Email addresses have been mangled to reduce the impact of the bots searching for spam victims.

ARIN

ARIN (http://www.arin.net/) deals with North American IP addresses.

$ whois -h whois.arin.net 129.128.5.191

OrgName: University of Alberta
OrgID: UNIVER-50
Address: 1030 General Services Building
City: Edmonton
StateProv:
PostalCode:
Country: CA

NetRange: 129.128.0.0 - 129.128.255.255
CIDR: 129.128.0.0/16
NetName: U-ALBERTA
NetHandle: NET-129-128-0-0-1
Parent: NET-129-0-0-0-0
NetType: Direct Assignment
NameServer: NAME.UALBERTA.CA
NameServer: NOM.UALBERTA.CA
NameServer: MENAIK.CS.UALBERTA.CA
Comment:
RegDate: 1987-12-01
Updated: 2001-12-21

RTechHandle: KW1848-ARIN
RTechName: Watts, Kevin
RTechPhone: +1-780-492-9583
RTechEmail: kevin.watts/at/ualberta.ca

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

So this IP address (taken from www.openbsd.org) tells me it's hosted at the University of Alberta in Canada, and I get a technical contact as well.

$ whois -h whois.arin.net 65.173.218.103

Sprint SPRINTLINK-2-BLKS (NET-65-160-0-0-1) 65.160.0.0 - 65.174.255.255
ESCAL INSTITUTE OF ADVANCED FON-1101912576101565 (NET-65-173-218-0-1) 65.173.218.0 - 65.173.218.255

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Where did all the detail go? Well, this address is part of two blocks ARIN keeps information on, and you need to choose which of them you want the details of. The handle in parentheses is the block you can select:

$ whois -h whois.arin.net NET-65-160-0-0-1

OrgName: Sprint
OrgID: SPRN
Address: 12502 Sunrise Valley Drive
City: Reston
StateProv: VA
PostalCode: 20196
Country: US

NetRange: 65.160.0.0 - 65.174.255.255
CIDR: 65.160.0.0/13, 65.168.0.0/14, 65.172.0.0/15, 65.174.0.0/16
NetName: SPRINTLINK-2-BLKS
NetHandle: NET-65-160-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: NS1-AUTH.SPRINTLINK.NET
NameServer: NS2-AUTH.SPRINTLINK.NET
NameServer: NS3-AUTH.SPRINTLINK.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-09-19
Updated: 2004-02-06

RTechHandle: SPRINT-NOC-ARIN
RTechName: Sprintlink (Sprint)
RTechPhone: +1-800-232-6895
RTechEmail: NOC/at/sprint.net

OrgTechHandle: ARINS-ARIN
OrgTechName: arin-sprint-iprequest
OrgTechPhone: +1-800-232-3458
OrgTechEmail: ip-req/at/sprint.net

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

This kind of information is for the bigger block, which generally points to an ISP. It often contains the abuse address the ISP prefers, but Sprintlink didn't include that information here. They did however include an email address for the NOC.

Let's look at the smaller block:

$ whois -h whois.arin.net NET-65-173-218-0-1

OrgName: ESCAL INSTITUTE OF ADVANCED
OrgID: EIA-16
Address: 5401 WESTBARD AVE SUITE 1501
City: BETHESDA
StateProv: MD
PostalCode: 20816
Country: US

NetRange: 65.173.218.0 - 65.173.218.255
CIDR: 65.173.218.0/24
NetName: FON-1101912576101565
NetHandle: NET-65-173-218-0-1
Parent: NET-65-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2002-05-29
Updated: 2002-05-29

RTechHandle: MF974-ARIN
RTechName: FEARNOW, MATT
RTechPhone: +1-317-580-9756
RTechEmail: MATT/at/sans.org

OrgTechHandle: MF974-ARIN
OrgTechName: FEARNOW, MATT
OrgTechPhone: +1-317-580-9756
OrgTechEmail: MATT/at/sans.org

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

It belongs to some institute which some of you might recognize ;-)

RIPE

Now what happens if you try to look up an address in Europe?

$ whois -h whois.arin.net 194.7.3.21

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL

ReferralServer: whois://whois.ripe.net:43

NetRange: 194.0.0.0 - 194.255.255.255
CIDR: 194.0.0.0/8
NetName: RIPE-CBLK2
NetHandle: NET-194-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: NS-EXT.ISC.ORG
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 1993-07-21
Updated: 2005-08-03

# ARIN WHOIS database, last updated 2006-04-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

That's not going to help you; RIPE (http://www.ripe.net/) is an organization much like ARIN, but instead of North America it covers Europe and the Middle East.

Actually, read more closely: ARIN does point you to whois.ripe.net (the ReferralServer line), so let's contact that server.

$ whois -h whois.ripe.net 194.7.3.21

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '194.7.0.0 - 194.7.8.255'

inetnum: 194.7.0.0 - 194.7.8.255
netname: INNET-BACKBONE-BEL
descr: INNET NV
country: BE
admin-c: HUB1-RIPE
tech-c: HUB1-RIPE
rev-srv: auth50.ns.be.uu.net
rev-srv: auth00.ns.be.uu.net
status: ASSIGNED PA
mnt-by: AS2822-MNT
source: RIPE # Filtered

role: Hostmaster UUNET Belgium
address: UUNET Belgium
address: Culliganlaan 2/H
address: B-1831 Diegem
address: Belgium
phone: +32 70 233 560
fax-no: +32 70 233 559
e-mail: tech-dns/at/be.uu.net
remarks: trouble: You can reach us for technical questions at tech-dns/at/be.uu.net
remarks: trouble: or by telephone at +32 2 404 6000
remarks: trouble: or by fax at +32 2 404 6817
admin-c: PS10957-RIPE
tech-c: PS10957-RIPE
nic-hdl: HUB1-RIPE
mnt-by: AS2822-MNT
source: RIPE # Filtered

% Information related to '194.7.0.0/16AS2822'

route: 194.7.0.0/16
descr: INNET-BLOCK
origin: AS2822
remarks: CIDR all the way down
remarks: **************************************
remarks: * For spamming or other abuse issues *
remarks: * Please send your requests to       *
remarks: * abuse/at/be.uu.net                 *
remarks: **************************************
mnt-by: AS2822-MNT
mnt-by: WCOM-EMEA-RICE-MNT
source: RIPE # Filtered

% Information related to '194.7.0.0/16AS702'

route: 194.7.0.0/16
descr: BE PA route
origin: AS702
member-of: AS702:RS-BE, AS702:RS-BE-PA
remarks: **********ABUSE ISSUES**********
remarks: All abuse must be reported to
remarks: abuse/at/be.uu.net for this network.
remarks: ********************************
mnt-routes: Fortis-MNT {194.7.124.240/28^+, 194.7.243.224/28^+, 194.7.112.0/22^+, 194.7.124.240/28^+, 194.7.243.224/28^+}
mnt-by: WCOM-EMEA-RICE-MNT
source: RIPE # Filtered

Cool, we got the ISP and an abuse contact. The ASNs are filled out in this format as well. However, should you want to use that information, I'd trust the Cymru results just that bit more.

APNIC

Moving on to Asia-Pacific, things change again. Should we try to pull the information off ARIN, it will point us to whois.apnic.net (not shown for brevity).

$ whois -h whois.apnic.net 202.30.50.50

% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.30.0.0 - 202.31.255.255
netname: KRNIC-KR
descr: KRNIC
descr: Korea Network Information Center
country: KR
admin-c: HM127-AP
tech-c: HM127-AP
remarks: ******************************************
remarks: KRNIC is the National Internet Registry
remarks: in Korea under APNIC. If you would like to
remarks: find assignment information in detail
remarks: please refer to the KRNIC Whois DB
remarks: http://whois.nic.or.kr/english/index.html
remarks: ******************************************
mnt-by: APNIC-HM
mnt-lower: MNT-KRNIC-AP
changed: hostmaster/at/apnic.net 19960229
changed: hostmaster/at/apnic.net 20010606
status: ALLOCATED PORTABLE
source: APNIC

person: Host Master
address: 11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address: Seoul, Korea, 137-857
country: KR
phone: +82-2-2186-4500
fax-no: +82-2-2186-4496
e-mail: hostmaster/at/nic.or.kr
nic-hdl: HM127-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster/at/nic.or.kr 20020507
source: APNIC

inetnum: 202.30.50.0 - 202.30.51.255
netname: KRNIC-NET-KR
descr: NIDA
country: KR
admin-c: IT04-KR
tech-c: IT04-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster/at/nic.or.kr
source: KRNIC

OK, for tracking down an ISP this answer is a hard one. But read it carefully: it tells you to look for more detailed information on whois.nic.or.kr ...

$ whois -h whois.nic.or.kr 202.30.50.50

[Korean part suppressed (my I18N skills are not up to reproducing it anyway)]

# ENGLISH

KRNIC is not an ISP but a National Internet Registry similar to APNIC.
The followings is organization information that is using the IPv4 address.

IPv4 Address : 202.30.50.0-202.30.51.255
Network Name : KRNIC-NET
Registration Date : 19990928
Publishes : Y

[ Organization Information ]
Organization ID : ORG103657
Org Name : NIDA
Address : Seocho2-dong, Seocho-gu, Seoul
Detail address : 1321-11 NIDA
Zip Code : 137-857

[ Technical Contact Information ]
Name : IP Tech
Org Name : NIDA
Address : Seocho2-dong, Seocho-gu, Seoul
Detail address : 1321-11 NIDA
Zip Code : 137-857
Phone : +82-2-2186-4500
E-Mail : noc/at/nida.or.kr

Cool, we got a NOC contact!

LACNIC

LACNIC (http://www.lacnic.net/en/) is responsible for Latin America; let's try it:

$ whois -h whois.lacnic.net 200.160.7.7

% Joint Whois - whois.lacnic.net
% This server accepts single ASN, IPv4 or IPv6 queries

% Copyright registro.br
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to domain name and IP number registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2006-04-12 19:17:34 (BRT -03:00)

inetnum: 200.160.0/20
aut-num: AS22548
abuse-c: FAN
owner: Núcleo de Informação e Coordenação do Ponto BR
ownerid: 005.506.560/0001-36
responsible: Demi Getschko
address: Av. das Nações Unidas, 11541, 7º andar
address: 04578-000 - São Paulo - SP
phone: (11) 55093511 []
owner-c: FAN
tech-c: FAN
inetrev: 200.160.0/20
nserver: a.dns.br
nsstat: 20060410 AA
nslastaa: 20060410
nserver: b.dns.br
nsstat: 20060410 AA
nslastaa: 20060410
nserver: c.dns.br
nsstat: 20060410 AA
nslastaa: 20060410
nserver: d.dns.br
nsstat: 20060410 AA
nslastaa: 20060410
nserver: e.dns.br
nsstat: 20060410 AA
nslastaa: 20060410
created: 20011016
changed: 20050524

nic-hdl-br: FAN
person: Frederico Augusto de Carvalho Neves
e-mail: fneves/at/registro.br
created: 19971217
changed: 20030721

remarks: Security issues should also be addressed to
remarks: cert/at/cert.br, http://www.cert.br/
remarks: Mail abuse issues should also be addressed to
remarks: mail-abuse/at/cert.br

% whois.registro.br accepts only direct match queries.
% Types of queries are: domains (.BR), BR POCs, CIDR blocks,
% IP and AS numbers.

Don't worry too much about those long lists of nameservers. They are almost always there with LACNIC.

AfriNIC

I've never had to deal with the fifth RIR, AfriNIC (http://www.afrinic.net/), in real life, but here is an example:

$ whois -h whois.afrinic.net 196.216.2.1

% This is the AfriNIC Whois server.

% Information related to '196.216.2.0 - 196.216.3.255'

inetnum: 196.216.2.0 - 196.216.3.255
netname: AFRINIC
descr: African Network Information Center - Internal Use.
descr: CSIR/icomtek
descr: 43A
descr: PO Box 395
descr: Pretoria
descr: Gauteng
descr: 0001
country: ZA
admin-c: EMB2-AFRINIC
tech-c: EMB2-AFRINIC
status: ASSIGNED PI
remarks:
remarks: AfriNIC is the Internet Numbers' Registry for the
remarks: African continent and part of the Indian Ocean
remarks: region. It took over the management and
remarks: distribution of internet resources in Africa
remarks: from ARIN, RIPE NCC and APNIC. Headquarters are in
remarks: Mauritius while the Engineering Operations Centre
remarks: is in Pretoria, South Africa.
remarks:
mnt-by: AFRINIC-HM-MNT
mnt-lower: AFRINIC-HM-MNT
changed: hostmaster/at/arin.net 20040517
changed: hostmaster/at/arin.net 20041102
changed: hostmaster/at/afrinic.net 20050221
changed: e.byaru/at/gmail.com 20050409
source: AFRINIC
parent: 196.216.0.0 - 196.216.255.255

person: ERNEST MWIRIMA BYARUHANGA
address: CSIR/icomtek 43A
address: P O Box 395
address: PRETORIA
address: GAUTENG
address: 0001
address: ZA
phone: +27128412894
fax-no: +27128414720
e-mail: ernest/at/afrinic.org
nic-hdl: EMB2-AFRINIC
mnt-by: AFRINIC-HM-MNT
remarks:
remarks: AfriNIC - http://www.afrinic.net
remarks: The African & Indian Ocean Internet Registry
changed: hostmaster/at/arin.net 20040516
changed: hostmaster/at/arin.net 20040516
changed: hostmaster/at/afrinic.net 20050221
changed: e.byaru/at/gmail.com 20050409
source: AFRINIC

Domain names

Whois can also be used as an interface to see who owns which domain name, but that's for another time.

Other sources

There are many more sources of whois information. The trick, aside from the starting points above, is to read the comments that are given back. Sometimes some information isn't available through whois because of the risk of abuse. Often they'll point you to some website with detection of automated processes, perhaps even only giving out the information as a gif file instead of text.

Update

A number of readers pointed out that they use the whois proxy at whois.geektools.com to avoid having to figure out which of the servers to use. You use it as:

$ whois -h whois.geektools.com 10.0.0.0

They sometimes also assumed that I used it myself. I actually use the whois client from OpenBSD (http://www.openbsd.org/cgi-bin/man.cgi?query=whois&apropos=0&sektion=1&manpath=OpenBSD+Current&arch=i386&format=html). It connects on its own to the appropriate RIR, based on the output of ARIN.
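The referral chasing the diary does by hand (re-asking ARIN for the more specific block when it lists several, then following the ReferralServer line or a remark such as "whois -h whois.nic.or.kr" to the next server), as an added Python example that is not part of the original diary and not the OpenBSD client's code. The sample responses are constructed from the output quoted above; whois_query assumes a plain port-43 server that closes the connection after answering.

```python
import re
import socket

# Constructed samples, abridged from the whois output quoted in the diary above.
ARIN_SUMMARY = """Sprint SPRINTLINK-2-BLKS (NET-65-160-0-0-1) 65.160.0.0 - 65.174.255.255
ESCAL INSTITUTE OF ADVANCED FON-1101912576101565 (NET-65-173-218-0-1) 65.173.218.0 - 65.173.218.255
"""
ARIN_REFERRAL = "OrgName: RIPE Network Coordination Centre\nReferralServer: whois://whois.ripe.net:43\n"
APNIC_REMARK = "remarks: For more information, using KRNIC Whois Database\nremarks: whois -h whois.nic.or.kr\n"

REFERRAL_RE = re.compile(r"^ReferralServer:\s*whois://([\w.-]+)(?::(\d+))?", re.M)
HINT_RE = re.compile(r"(?:whois -h|whois server at)\s+([\w.-]+)", re.I)   # prose pointers in remarks
HANDLE_RE = re.compile(r"\((NET-[\d-]+)\)\s+([\d.]+) - ([\d.]+)")           # ARIN summary lines

def whois_query(server, query, port=43, timeout=10):
    """Raw whois over TCP (RFC 3912): send the query, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.decode("utf-8", errors="replace")

def next_server(text):
    """Server named by a ReferralServer field or by a remark, as (host, port), else None."""
    m = REFERRAL_RE.search(text)
    if m:
        return m.group(1), int(m.group(2) or 43)
    m = HINT_RE.search(text)
    return (m.group(1), 43) if m else None

def most_specific_handle(text):
    """An ARIN summary lists every covering block; return the handle of the smallest one."""
    ranges = [(ip_int(hi) - ip_int(lo), handle) for handle, lo, hi in HANDLE_RE.findall(text)]
    return min(ranges)[1] if ranges else None

def ip_int(addr):
    return int.from_bytes(socket.inet_aton(addr), "big")

def resolve(ip, start="whois.arin.net", max_hops=4):
    """Follow the trail from ARIN the way the diary does; returns [(server, response), ...]."""
    trail, server, port, query = [], start, 43, ip
    for _ in range(max_hops):
        text = whois_query(server, query, port)
        trail.append((server, text))
        handle = most_specific_handle(text)
        if handle and query == ip:          # summary listing: re-ask for the specific block
            query = handle
            continue
        hop = next_server(text)
        if not hop or hop[0] == server:     # no onward pointer: this is the final answer
            break
        server, port, query = hop[0], hop[1], ip
    return trail
```

resolve("65.173.218.103") walks ARIN's summary down to NET-65-173-218-0-1, and resolve("202.30.50.50") ends at whois.nic.or.kr after ARIN and APNIC; each hop's raw response is kept so the remarks can still be read by eye.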
-- Swa Frantzen - Section 66 (http://www.section66.com/)