WHOIS Lookup
ShadowMap includes a built-in WHOIS lookup utility for querying domain and IP registration information. WHOIS data is also surfaced automatically within the Web Applications detail view for any discovered asset.
Overview

The WHOIS view displays registration data in a split-panel layout. The left panel shows domain WHOIS data (by hostname), and the right panel shows IP WHOIS data (by IP address). Both panels render the raw WHOIS response in a preformatted code block for readability.
Data Returned
Domain WHOIS
| Field | Description |
|---|---|
| Registrant | Organization or individual who registered the domain (if not privacy-protected) |
| Registrar | The domain registrar through which the domain was registered (e.g., GoDaddy, Namecheap, Cloudflare) |
| Registration Date | When the domain was originally registered |
| Updated Date | When the domain registration was last modified |
| Expiry Date | When the domain registration expires. Domains approaching expiry are at risk of hijacking if not renewed. |
| Name Servers | The DNS servers configured for the domain. Changes in nameservers can indicate domain takeover. |
| Domain Status | Registration status codes (e.g., clientTransferProhibited, serverDeleteProhibited). Status codes indicate what operations are locked or allowed. |
IP WHOIS
| Field | Description |
|---|---|
| Network Range | The CIDR block or IP range the address belongs to |
| Organization | The entity that owns or operates the IP block |
| ISP / Hosting Provider | The internet service provider or hosting company |
| Country | Country in which the IP block is registered |
| Abuse Contact | Email address for reporting abuse related to this IP range |
Use Cases
Investigating Suspicious Domains
When ShadowMap's brand protection or phishing detection modules flag a suspicious domain:
- Run a WHOIS lookup on the flagged domain
- Check the registrant -- is it your organization or an unknown entity?
- Check the registration date -- recently registered domains mimicking your brand are highly suspicious
- Check the registrar -- some registrars are more responsive to takedown requests than others
- Use the registrar and abuse contact information to initiate a takedown
Verifying Asset Ownership
Confirm that domains in your asset inventory are registered to your organization:
- Compare registrant details with your organization's registration records
- Identify domains that may have been registered by employees, subsidiaries, or former contractors
- Flag domains with registrant privacy protection that cannot be verified
Monitoring Domain Expiry
Expired or soon-to-expire domains are a security risk:
- Attackers monitor domain expiry dates and register lapsed domains to capture residual traffic
- Lapsed domains may still receive email, API calls, or user traffic intended for your organization
- Review expiry dates periodically and ensure critical domains are set to auto-renew
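The registration-date, expiry, status-code and nameserver checks from the Domain WHOIS table and the two use cases above can be scripted against a raw WHOIS response. The following is an added example, not ShadowMap code: the function names, the 30-day thresholds, the constructed sample record and the assumption of gTLD-style `Key: value` lines with ISO 8601 UTC dates are all illustrative.

```python
from datetime import datetime, timezone

# Constructed sample of a raw gTLD-style WHOIS response (not real registration data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOGIN.COM
Registrar: Example Registrar, Inc.
Updated Date: 2024-05-20T10:00:00Z
Creation Date: 2024-05-20T09:58:12Z
Registry Expiry Date: 2025-05-20T09:58:12Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

def parse_whois(raw):
    """Collect 'Key: value' lines into a dict of lists (keys such as Name Server repeat)."""
    fields = {}
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def _date(fields, key):
    # Assumption: dates look like 2024-05-20T09:58:12Z; other registries use other formats.
    values = fields.get(key)
    if not values:
        return None
    return datetime.strptime(values[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(raw, now, new_days=30, expiry_days=30, expected_ns=()):
    """Return findings for a domain; thresholds are illustrative defaults."""
    f = parse_whois(raw)
    findings = []
    created, expires = _date(f, "creation date"), _date(f, "registry expiry date")
    if created and (now - created).days < new_days:
        findings.append("recently-registered")       # typical of brand look-alikes
    if expires and (expires - now).days < expiry_days:
        findings.append("expiring-soon")             # also true once already lapsed
    statuses = {s.split()[0] for s in f.get("domain status", [])}
    if "clientTransferProhibited" not in statuses:
        findings.append("no-transfer-lock")
    ns = {n.lower() for n in f.get("name server", [])}
    if expected_ns and ns != {n.lower() for n in expected_ns}:
        findings.append("unexpected-nameservers")    # compare against your own baseline
    return findings
```

For a flagged look-alike domain, call `triage` without `expected_ns`; for domains in your own inventory, pass the nameservers you expect so that a change shows up as a finding.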
Investigating IP Ownership
When an unfamiliar IP appears in your attack surface:
- WHOIS reveals who owns the IP block -- is it your hosting provider, a CDN, or an unexpected third party?
- The organization and ISP fields help determine whether an IP is legitimately associated with your infrastructure
- Abuse contact information is essential for reporting if the IP is involved in attacks against you
