What this tutorial is about
This tutorial will guide you on the steps needed to find the individual or company who is responsible for a specific server at the planet.
What You're gonna need
For windows users, It is recommended that you install jwhois windows whois client. You can find directions for obtaining and installing it at
this thread . If you are running a linux or freebsd system, jwhois comes with most distributions of linux. You can pick it up ftom
ftp://ftp.gnu.org/gnu/jwhois/ .
'doing it' on windows
Step One, Open up your command line window, and find the ip address of the machine you are looking up. This can be accomplished with either nslookup, tracert, or even ping.
For this example, we're going to look up my friend's website - cameroncox.com .
C:\>nslookup cameroncox.com
Server: resolver1.level3.net
Address: 209.244.0.3
Non-authoritative answer:
Name: cameroncox.com
Address: 70.84.66.196
C:\>tracert cameroncox.com
Tracing route to cameroncox.com [70.84.66.196]
over a maximum of 30 hops:
1 152 ms 149 ms ^C
C:\>ping cameroncox.com
Pinging cameroncox.com [70.84.66.196] with 32 bytes of data
Reply from 70.84.66.196: bytes=32 time=205ms TTL=55
Reply from 70.84.66.196: bytes=32 time=187ms TTL=55
Reply from 70.84.66.196: bytes=32 time=185ms TTL=55
Reply from 70.84.66.196: bytes=32 time=182ms TTL=55
Ping statistics for 70.84.66.196:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 182ms, Maximum = 205ms, Average = 189ms
In each of these commands, the same ip address is returned: 70.84.66.196 .
Step Two, After obtaining the ip address of cameron's website. We're going to write a simple little command to query rwhois.theplanet.com:4321.
C:\>whois 70.84.66.196 -h rwhois.theplanet.com -p 4321
70.84.66.196 is interchangable with whatever the ip address you're looking up is. the -h rwhois.theplanet.com -p 4321 part of the query is required for querying the planet's rwhois server.
After you hit enter, jwhois is going to spit out alot of information that you may, or may not understand, depending on your experience with computing, and networking. The only real data you need to pay attention to are:
network:IP-Network-Block:70.84.66.192 - 70.84.66.199
network:Organization-Name:micheal cottingham
network:Organization-City
outh Hill
network:Organization-State:VA
network:Organization-Zip:23970
network:Organization-Country:UNITED STATES
network
escription-Usage:customer
network
erver-Pri:ns1.theplanet.com
network
erver-Sec:ns2.theplanet.com
network:Tech-Contact;I:abuse@theplanet.com
network:Admin-Contact;I:abuse@theplanet.com
network:Created:20050223
network:Updated:20050223
The first line specifies what ip addresses are bound to this machine. This value may change depending on if your target orders new ip addresses.
The second line tells us the organization / individual who owns the server. In this case, his name is Michael Cottingham.
The third, forth, and fifth lines tell us the city, and zip code of owner.
The fifth line tells us the type of account the target has. In most cases, it will return "Customer".
The sixth and seventh lines tell us the nameservers the customer is using.
The next two lines tell us who to contact in the even to fabuse.
The final two lines tell us when the records were created, and updated. If the user orders new ip addresses, or changes his contact information, the date of the order / change will be displayed.
'doing it' on *nix
The steps are pretty much the same, You're just going to have to find the ip address using the "host" tool. All the command arguments are the same, and there won't be any difference in output.
If you have any questions, reply to this thread, or PM me.
Happy snooping
Linear Mode
