PT0-002 | Chapter 41 of 104 | Objective 2.1

WHOIS, Certificate Transparency, and ARIN

This chapter covers three critical passive reconnaissance techniques: WHOIS lookups, Certificate Transparency logs, and ARIN (American Registry for Internet Numbers) queries. These tools allow a penetration tester to gather publicly available information about an organization's domain ownership, SSL/TLS certificates, and IP address allocations without ever touching the target's network. On the PT0-002 exam, questions on passive reconnaissance and OSINT (Open Source Intelligence) typically account for 5-10% of the total, and understanding these specific techniques is essential for the Reconnaissance domain (Objective 2.1). Mastering WHOIS, Certificate Transparency, and ARIN will help you identify attack surface, find subdomains, and map network ranges before any active scanning begins.

25 min read
Intermediate
Updated May 31, 2026

WHOIS is like a Property Deed Registry

Imagine a county property deed registry. Every piece of real estate has a deed that lists the owner's name, mailing address, purchase date, and sometimes a tax ID. When you want to find out who owns a specific parcel, you go to the county clerk's office and search by the property's address (the domain name). The clerk looks up the deed and gives you the owner's details. However, the registry is not always perfectly accurate: owners may have moved without updating their address, or they may have used a PO box or a lawyer's address for privacy. Similarly, WHOIS records for domain names contain the registrant's name, organization, email, phone, and address. But because of privacy laws like GDPR, many registrars now redact personal information, showing only 'Redacted for Privacy' or a proxy service. The key point: WHOIS is a public database, but its accuracy and completeness vary. In a penetration test, you use WHOIS to gather initial intelligence: identify the organization's name, administrative contacts, and sometimes technical infrastructure like name servers. But you must verify the data because it may be outdated or obscured.

How It Actually Works

What is WHOIS and Why Does It Exist?

WHOIS is a query and response protocol (defined in RFC 3912) used to query databases that store registered users or assignees of a domain name or IP address block. It was originally developed to allow system administrators to look up contact information for domain owners in case of technical issues, such as a misconfigured mail server or a security incident. The protocol operates over TCP port 43, though many web-based interfaces exist (e.g., whois.icann.org). A WHOIS record typically contains:

- Domain Name: The queried domain.
- Registrar: The company where the domain was registered (e.g., GoDaddy, Namecheap).
- Registrant: The person or organization that owns the domain.
- Administrative Contact: The person responsible for the domain's administration.
- Technical Contact: The person handling technical issues (often the hosting provider).
- Name Servers: The authoritative DNS servers for the domain.
- Creation, Expiration, and Last Updated Dates: Timestamps of key lifecycle events.
- Status Codes: Such as clientTransferProhibited or serverHold, indicating restrictions.

How WHOIS Works Internally

When you run a WHOIS query (e.g., whois example.com), your client sends the query to a WHOIS server. The process involves multiple steps:

1. Determine the appropriate WHOIS server: For generic top-level domains (gTLDs) like .com, the client first queries the WHOIS server of the registry operator (e.g., Verisign for .com and .net). The registry returns a referral to the registrar's WHOIS server.
2. Query the registrar's WHOIS server: The client then queries the registrar's server, which returns the full record.
3. Parse and display the response: The client formats the raw text output.

For country-code TLDs (ccTLDs) like .uk or .de, the process may be different, often handled by a single national registry.

Key Components, Values, and Defaults

- WHOIS Protocol Port: TCP 43 is the default; some services use web APIs over HTTPS.
- Rate Limiting: Many WHOIS servers implement rate limiting (e.g., 10 queries per minute) to prevent abuse. Exceeding limits may result in a temporary block.
- Thick vs. Thin WHOIS:
  - Thick WHOIS: The registry stores the full record (including registrant contact). Example: .com, .net.
  - Thin WHOIS: The registry stores only minimal data (e.g., name servers, status) and refers to the registrar for full details. Example: .org originally used thin, but now many gTLDs use thick.
- WHOIS Output Fields: Common fields include Domain Name, Registry Domain ID, Registrar WHOIS Server, Registrar URL, Updated Date, Creation Date, Registry Expiry Date, Registrar, Registrant Name, Registrant Organization, Registrant Street, Registrant City, Registrant State/Province, Registrant Postal Code, Registrant Country, Registrant Phone, Registrant Email, Admin Name, Tech Name, Name Server, DNSSEC, and URL of the ICANN Whois Inaccuracy Complaint Form.
- Privacy/Proxy Services: Many registrants use services like WhoisGuard or Domains by Proxy to hide their personal information. In such cases, the WHOIS output shows the proxy service's contact details, not the actual owner.

WHOIS Query Examples

Using the whois command-line tool (available on Linux/macOS, or via Windows PowerShell with the whois module):

whois example.com

For a specific registrar WHOIS server:

whois -h whois.godaddy.com example.com

Web-based tools: https://whois.icann.org, https://www.whois.com.

Certificate Transparency (CT) Logs

Certificate Transparency is an open framework (RFC 6962) designed to monitor and audit SSL/TLS certificates. It requires Certificate Authorities (CAs) to submit every certificate they issue to public, append-only logs. Anyone can query these logs to discover certificates for a domain. This is extremely useful for penetration testers because it reveals subdomains and alternative domain names that may not be publicly listed elsewhere.

How CT Logs Work:

1. When a CA issues a certificate, it sends the certificate to one or more CT logs.
2. The log returns a Signed Certificate Timestamp (SCT), which proves the certificate was submitted.
3. The SCT is embedded in the certificate or delivered via TLS extension.
4. Browsers require certificates to have SCTs to be considered valid (Chrome requires two SCTs from different logs).
5. Anyone can query the logs using tools like crt.sh or certspotter.com.

Querying CT Logs:

- crt.sh (https://crt.sh) is the most popular web-based CT log search. You can search by domain (e.g., %.example.com to find all subdomains).
- Command-line: curl -s 'https://crt.sh/?q=example.com&output=json' | jq .
- certspotter (https://certspotter.com) offers API-based monitoring.

What CT Logs Reveal:

- All issued certificates for a domain and its subdomains.
- Certificate details: subject, issuer, validity period, subject alternative names (SANs).
- Expired and revoked certificates (still in the log).
- Wildcard certificates (e.g., *.example.com).
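The crt.sh JSON output described above is easy to reduce to a subdomain list with a few lines of code. The following Python is an added example for this chapter, not code from the original page or from crt.sh; the response it parses is constructed, and the hostnames and issuer names are placeholders.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample of the JSON crt.sh returns for
#   https://crt.sh/?q=%25.target.com&output=json
# Field names follow crt.sh's output; every value below is made up for this example.
CRT_SH_SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2025-04-10T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA Issuing CA 1",
     "common_name": "*.dev.target.com",
     "name_value": "*.dev.target.com\ndev.target.com",
     "not_before": "2023-05-01T00:00:00", "not_after": "2024-05-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "mail.target.com",
     # shared certificate: one unrelated SAN and a mixed-case entry
     "name_value": "mail.target.com\nVPN.target.com\nwww.target.com\ncdn.othersite.example",
     "not_before": "2024-11-01T00:00:00", "not_after": "2025-01-30T00:00:00"},
])


def parse_crtsh(raw_json: str, domain: str, now: Optional[str] = None) -> dict:
    """Reduce crt.sh JSON to the names a tester needs to follow up on.

    now: ISO-8601 UTC timestamp used to decide which certificates had already
    expired (defaults to the current time). Returns:
      hosts      concrete hostnames under `domain`, lower-cased and deduplicated
      wildcards  wildcard SANs such as *.dev.target.com
      historical names seen only in already-expired certificates (still worth
                 resolving: the host may exist even though the cert lapsed)
      issuers    distinct issuer names, to spot a CA the organisation never uses
    """
    cutoff = (datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
              if now else datetime.now(timezone.utc))
    domain = domain.lower()
    suffix = "." + domain
    seen, live, wildcards, issuers = set(), set(), set(), set()
    for entry in json.loads(raw_json):
        # crt.sh timestamps carry no zone designator; they are UTC
        not_after = datetime.fromisoformat(entry["not_after"]).replace(tzinfo=timezone.utc)
        expired = not_after < cutoff
        issuers.add(entry["issuer_name"])
        # name_value lists every SAN separated by newlines; the CN may be absent from it
        for name in entry["name_value"].split("\n") + [entry["common_name"]]:
            name = name.strip().lower()
            if name != domain and not name.endswith(suffix):
                continue  # SAN belonging to another domain on a shared certificate
            if name.startswith("*."):
                wildcards.add(name)
                continue
            seen.add(name)
            if not expired:
                live.add(name)
    return {
        "hosts": sorted(seen),
        "wildcards": sorted(wildcards),
        "historical": sorted(seen - live),
        "issuers": sorted(issuers),
    }


if __name__ == "__main__":
    for key, values in parse_crtsh(CRT_SH_SAMPLE, "target.com").items():
        print(f"{key}: {values}")
```

Against a live query, replace CRT_SH_SAMPLE with the body returned by the curl command above; names in `historical` still deserve a DNS lookup, since an expired certificate says nothing about whether the host is gone.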

ARIN (American Registry for Internet Numbers)

ARIN is one of five Regional Internet Registries (RIRs) that manage IP address allocation. ARIN covers the United States, Canada, and parts of the Caribbean. Other RIRs: RIPE NCC (Europe, Middle East, parts of Central Asia), APNIC (Asia Pacific), LACNIC (Latin America and Caribbean), and AFRINIC (Africa). ARIN's WHOIS database allows you to query IP address ownership, including the organization, point of contact, and CIDR block details.

How ARIN WHOIS Works:

- You can query ARIN's WHOIS server at whois.arin.net (port 43) or use the web interface at https://search.arin.net/rdap/.
- ARIN uses RDAP (Registration Data Access Protocol) as a modern replacement for WHOIS, but the legacy WHOIS service still exists.
- RDAP is defined in RFC 7480-7484 and provides structured JSON responses, better security, and internationalization.

Query Examples:

whois -h whois.arin.net 8.8.8.8

This returns information about the IP block containing 8.8.8.8 (which belongs to Google).

For a network range:

whois -h whois.arin.net 192.0.2.0/24

Key Information from ARIN:

- Organization Name: The registered owner of the IP block.
- NetRange: The CIDR block (e.g., 8.8.8.0 - 8.8.8.255).
- CIDR: The CIDR notation (e.g., 8.8.8.0/24).
- NetName: A descriptive name for the network.
- Parent: The larger block from which this range is derived.
- Organization Address: The registered address of the owner.
- OrgTechHandle: Technical contact handle (can be used for further queries).
- OrgAbuseHandle: Abuse contact handle.
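The plain-text ARIN response is easy to parse, and doing so matters when the CIDR line lists more than one block (the NetRange then does not equal a single prefix). The Python below is an added example, not code from the chapter or from ARIN: the response is constructed with made-up organisation names and handles in the RFC 5737 documentation range, and the resolved hosts fed to it are likewise constructed. It also covers steps 4 and 5 of the walk-through further down, classifying resolved hosts as inside the organisation's allocation, private, or elsewhere.

```python
import ipaddress
from typing import Dict, List

# Constructed ARIN WHOIS response. The field names are ARIN's (NetRange, CIDR,
# NetName, Parent, OrgName, OrgTechHandle, OrgAbuseHandle); the organisation,
# handles and addresses are made up, using the RFC 5737 documentation range.
ARIN_SAMPLE = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#

NetRange:       203.0.113.0 - 203.0.113.191
CIDR:           203.0.113.0/25, 203.0.113.128/26
NetName:        EXAMPLE-CORP-NET
Parent:         NET203 (NET-203-0-0-0-0)
Organization:   Example Corp (EXAMP-1)
Updated:        2024-08-12

OrgName:        Example Corp
OrgId:          EXAMP-1
Address:        1 Example Way
Country:        US
Updated:        2024-08-12

OrgTechHandle:  TECH1-ARIN
OrgAbuseHandle: ABUSE1-ARIN
"""

# RFC 1918 space is checked explicitly: ipaddress' is_private also flags the
# documentation ranges (203.0.113.0/24 etc.) used in this example.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Turn 'Key:  value' lines into a dict of lists; keys such as Updated repeat across sections."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # banner comments and section separators carry no data
        key, value = line.split(":", 1)
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def whois_summary(text: str) -> dict:
    """Pull out the fields the chapter lists as the key ARIN information."""
    fields = parse_whois(text)

    def first(key: str) -> str:
        return fields.get(key, [""])[0]

    # ARIN lists several CIDRs on one line when the NetRange is not one aligned block
    cidrs = [c.strip() for c in first("CIDR").split(",") if c.strip()]
    return {
        "org": first("OrgName"),
        "netrange": first("NetRange"),
        "netname": first("NetName"),
        "parent": first("Parent"),
        "cidrs": cidrs,
        "networks": [ipaddress.ip_network(c) for c in cidrs],
        "tech_handle": first("OrgTechHandle"),
        "abuse_handle": first("OrgAbuseHandle"),
    }


def classify_hosts(resolved: Dict[str, str], summary: dict) -> Dict[str, str]:
    """Label each resolved host relative to one ARIN record: in-block, private, or outside-block."""
    labels = {}
    for host, ip_str in resolved.items():
        ip = ipaddress.ip_address(ip_str)
        if any(ip in n for n in RFC1918):
            labels[host] = "private"        # internal address exposed through public DNS
        elif any(ip in n for n in summary["networks"]):
            labels[host] = "in-block"       # hosted in the organisation's own allocation
        else:
            labels[host] = "outside-block"  # query this IP separately (cloud, CDN, other RIR)
    return labels


if __name__ == "__main__":
    summary = whois_summary(ARIN_SAMPLE)
    print(summary["org"], summary["netrange"], summary["cidrs"])
    # Constructed DNS results for hosts found earlier in the workflow
    print(classify_hosts({"mail.target.com": "203.0.113.10",
                          "old.target.com": "203.0.113.200",
                          "api.target.com": "10.0.0.1"}, summary))
```

Note that 203.0.113.200 sits inside the /24 a tester might assume from the NetRange's first octets but outside both listed CIDRs, so it needs its own lookup rather than being counted as the target's.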

How These Tools Interact

In a typical reconnaissance workflow:

1. WHOIS the domain to get registrant details, name servers, and possibly the registrar.
2. Query CT logs for the domain to discover subdomains and alternative domain names from certificates.
3. Resolve discovered subdomains to IP addresses using DNS.
4. Query ARIN WHOIS for those IP addresses to determine the organization, IP range, and contact info.
5. Use the IP range to identify other hosts in the same block (e.g., via reverse DNS or port scanning).

This sequence allows you to build a comprehensive map of the target's external footprint without sending a single packet to the target's network.

Walk-Through

Step 1: Perform WHOIS Domain Lookup

Start by querying the target domain using a WHOIS client. For example, run `whois target.com` on Linux or use a web-based tool. The response will include the registrant's name, organization, address, phone, and email (unless redacted). Note the name servers—they are often the first point of contact for DNS reconnaissance. Also record the creation and expiration dates; a recently registered domain may indicate a short-lived campaign, while an expired domain might be available for registration. Check for privacy protection: if the registrant is 'WhoisGuard Protected' or similar, the real owner is hidden. In that case, move to other sources like CT logs or social media to identify the organization.

Step 2: Query Certificate Transparency Logs

Use crt.sh or a similar CT log search tool to retrieve all certificates issued for the target domain and its subdomains. For example, visit `https://crt.sh/?q=%25.target.com` (the `%25` is URL-encoded `%` for wildcard). The results list every certificate, including those that are expired or revoked. Extract all Subject Alternative Names (SANs) because they often reveal subdomains not found via DNS brute-force. For instance, a certificate for `*.dev.target.com` indicates a development subdomain. Also note the issuer and validity dates; certificates issued by lesser-known CAs may be less trustworthy. This step is critical because CT logs are an authoritative source—every publicly trusted certificate must be logged.

Step 3: Resolve Subdomains to IP Addresses

Take the list of subdomains discovered from CT logs and perform DNS resolution using tools like `dig`, `nslookup`, or a script. For each subdomain, run `dig +short subdomain.target.com A` to get IPv4 addresses, and `dig +short subdomain.target.com AAAA` for IPv6. Record the IP addresses. Note that some subdomains may not resolve (e.g., if they are no longer in use) or may point to the same IP as the main domain. Also check for CNAME records that might reveal third-party services (e.g., `cdn.target.com` pointing to `target.cloudfront.net`). This step bridges the gap between domain-level reconnaissance and network-level reconnaissance.

Step 4: Perform ARIN WHOIS on IP Addresses

For each unique IP address discovered, query ARIN's WHOIS database (or the appropriate RIR). Run `whois -h whois.arin.net <IP>`. Examine the output to identify the organization that owns the IP block. If the IP belongs to a cloud provider (e.g., AWS, Azure), the organization may be 'Amazon Technologies Inc.' rather than the target itself. This indicates the target uses cloud hosting. Note the NetRange and CIDR to understand the size of the allocated block. Also retrieve the OrgTechHandle and OrgAbuseHandle; these can be used for further queries or social engineering. If the IP is part of a larger block owned by the target, you can then scan the entire range to find other exposed services.

Step 5: Map the External Attack Surface

Compile all gathered information into a structured dataset. Create a list of domains, subdomains, IP addresses, IP ranges, and associated organizations. Identify which assets are self-hosted versus cloud-hosted. Prioritize targets: for example, a subdomain like `vpn.target.com` or `mail.target.com` may be high-value. Also look for inconsistencies: if WHOIS shows one organization but CT logs show certificates issued to a different entity, there may be a merger, acquisition, or misconfiguration. This step is not a direct query but a synthesis of the previous steps. The output is a comprehensive attack surface map that guides the next phases of testing (e.g., vulnerability scanning, social engineering).

What This Looks Like on the Job

Scenario 1: Merger and Acquisition Reconnaissance

A penetration testing firm is hired to assess the security posture of Company A, which is about to acquire Company B. The testers want to discover all internet-facing assets of both companies to identify potential integration risks. They start with WHOIS lookups on the primary domains (company-a.com and company-b.com). The WHOIS records reveal that Company A uses 'Acme Registrar' and has name servers pointing to a managed DNS provider. However, Company B's WHOIS shows the registrant as 'PrivacyProtect.org'—a privacy service. The testers then query Certificate Transparency logs for both domains. For Company B, they discover certificates for 'mail.company-b.com', 'vpn.company-b.com', and '*.dev.company-b.com'. They resolve these to IP addresses: 'mail.company-b.com' points to 203.0.113.10, which is within a /24 block owned by Company B per ARIN WHOIS. But 'vpn.company-b.com' resolves to 198.51.100.50, which ARIN shows as owned by a cloud VPN provider. This indicates Company B uses a third-party VPN service. The testers now have a clear picture: Company B's internal mail server is self-hosted, but their remote access is outsourced. This helps the acquiring company plan the integration and assess security risks.

Scenario 2: Bug Bounty Program Target Discovery

A security researcher is targeting a large e-commerce site, 'shop.example', for a bug bounty program. The researcher begins with a WHOIS lookup on 'shop.example', which reveals the registrar and name servers. However, the registrant info is redacted. The researcher then queries Certificate Transparency logs using the pattern %.shop.example. The logs reveal dozens of subdomains: 'api.shop.example', 'cdn.shop.example', 'admin.shop.example', and 'staging.shop.example'. The 'staging' subdomain is particularly interesting because it might have weaker security. The researcher resolves these subdomains: 'api.shop.example' points to 10.0.0.1 (a private IP—likely an internal misconfiguration), 'cdn.shop.example' points to 203.0.113.100 (which ARIN shows as owned by a CDN provider), and 'admin.shop.example' resolves to 198.51.100.200 (owned by the target's own IP block). The researcher also notes that 'staging.shop.example' resolves to 192.0.2.50, which ARIN shows as part of a /24 block assigned to 'Example Corp'. This block is likely the staging environment. The researcher now has a list of potential targets and can proceed with active scanning and vulnerability assessment, focusing on the staging environment where security may be lax.

Scenario 3: Incident Response and Threat Intelligence

A company experiences a data breach, and the incident response team needs to identify all external-facing assets that may have been compromised. They use WHOIS to verify their own domain registration details and ensure no unauthorized changes. They then query CT logs to find any certificates issued for their domain that they did not authorize—this could indicate a rogue certificate used for man-in-the-middle attacks. For example, they find a certificate for 'login.example.com' issued by an unknown CA. They resolve 'login.example.com' to an IP address that ARIN shows as owned by a different organization. This confirms a phishing campaign using a lookalike domain. The team can then take down the rogue certificate and IP block. This scenario highlights how WHOIS and CT logs are not only for offensive recon but also for defensive monitoring.

How PT0-002 Actually Tests This

What the PT0-002 Exam Tests on This Topic

The PT0-002 exam objectives under 2.1 (Given a scenario, conduct passive reconnaissance) specifically include 'WHOIS', 'Certificate Transparency', and 'ARIN' as enumeration techniques. Expect questions that ask you to identify the correct tool for a given scenario, interpret output, or understand the implications of privacy features. The exam does not require memorizing exact WHOIS field names but does test your ability to differentiate between thick and thin WHOIS, understand RDAP, and know which RIR covers which region.

Common Wrong Answers and Why Candidates Choose Them

1. Confusing WHOIS with DNS: A question might ask 'Which technique would reveal the IP address of a domain's mail server?' Some candidates answer 'WHOIS' because they think WHOIS gives IP addresses, but WHOIS gives registrant info and name servers, not A records. The correct answer is DNS (e.g., dig mx example.com).

2. Assuming WHOIS always shows personal info: Many candidates think WHOIS always reveals the real owner's name and address. However, due to GDPR and privacy services, many records show 'Redacted for Privacy'. The exam may test this by asking what you would do if WHOIS returns redacted data—the correct answer is to use alternative sources like CT logs or social media.

3. Misidentifying the RIR: A question might give an IP address from Europe and ask which RIR to query. Candidates often answer 'ARIN' out of habit. The correct answer for European IPs is RIPE NCC. Know the regions: ARIN (North America), RIPE (Europe, Middle East, parts of Central Asia), APNIC (Asia Pacific), LACNIC (Latin America), AFRINIC (Africa).

4. Overlooking CT logs for subdomain discovery: When asked how to find subdomains without active scanning, some candidates suggest DNS brute-force or zone transfer. CT logs are a passive, often more comprehensive source because they include expired certificates and wildcards. The exam expects you to recognize CT logs as a valid passive technique.

Specific Numbers, Values, and Terms That Appear Verbatim

TCP port 43 for WHOIS.

RFC 3912 for WHOIS, RFC 6962 for Certificate Transparency, RFC 7480-7484 for RDAP.

The five RIRs: ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC.

crt.sh is the most common CT log search tool mentioned.

SCT (Signed Certificate Timestamp) is a key term.

'Thick' vs 'thin' WHOIS.

GDPR as the reason for redacted WHOIS data.

Edge Cases and Exceptions the Exam Loves to Test

Private IP addresses in CT logs: Sometimes internal IPs (10.x.x.x, 192.168.x.x) appear in certificates. The exam might ask why this is a security issue—it reveals internal network structure.

Wildcard certificates: A certificate for *.example.com covers all subdomains. The exam may ask what a wildcard certificate reveals about the domain's security posture.

Expired certificates in CT logs: Even after a certificate expires, it remains in the CT log. The exam might test that you can still find subdomains from expired certs.

RDAP vs WHOIS: RDAP is replacing WHOIS. The exam may ask about the advantages of RDAP (structured data, authentication, internationalization).

How to Eliminate Wrong Answers Using the Underlying Mechanism

When faced with a multiple-choice question about passive reconnaissance, think about the protocol or database being queried:

If the question asks for domain ownership details → WHOIS.

If it asks for SSL/TLS certificates and subdomains → Certificate Transparency logs.

If it asks for IP address ownership → ARIN (or appropriate RIR) WHOIS/RDAP.

If it asks for name servers or mail exchange records → DNS.

If the output includes 'Registrant Name' → WHOIS.

If the output includes 'Subject Alternative Name' → CT log.

If the output includes 'NetRange' → ARIN.

Also, remember that WHOIS queries can be rate-limited, so in a large assessment, you might use RDAP or bulk WHOIS services. The exam may present a scenario where you need to query thousands of domains and ask the most efficient method—the answer is often an automated script or a paid API, not manual whois commands.

Key Takeaways

WHOIS uses TCP port 43 and provides domain registration information, but personal data is often redacted due to GDPR.

Certificate Transparency logs (RFC 6962) are a passive source for discovering subdomains via SSL/TLS certificates; use crt.sh.

ARIN is the RIR for North America; other RIRs include RIPE NCC (Europe), APNIC (Asia Pacific), LACNIC (Latin America), and AFRINIC (Africa).

RDAP (RFC 7480-7484) is the modern replacement for WHOIS for IP address queries, offering structured JSON responses.

WHOIS and DNS are different: WHOIS gives ownership info; DNS gives resolution records.

CT logs contain all certificates ever submitted, including expired and revoked ones, making them valuable for historical reconnaissance.

When WHOIS data is redacted, use CT logs, social media, or other OSINT to identify the organization.

Always verify WHOIS data because it may be outdated or inaccurate due to privacy services or incomplete updates.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

WHOIS

Provides domain registration details (registrant, registrar, dates, name servers).

Operates over TCP port 43 or via web interfaces.

Often redacts personal info due to privacy laws.

Useful for identifying the organization behind a domain.

Can be rate-limited; some registrars block automated queries.

Certificate Transparency Logs

Reveals SSL/TLS certificates issued for a domain and its subdomains.

Accessed via web tools like crt.sh or APIs.

Contains all certificates, including expired and revoked ones.

Ideal for discovering subdomains and wildcard entries.

Public and append-only; difficult to hide certificates.

ARIN WHOIS

Legacy protocol using plain text responses.

Queried via whois command on port 43.

Responses are unstructured and vary by RIR.

No authentication or encryption.

Still widely supported but being phased out.

ARIN RDAP

Modern protocol using structured JSON responses.

Queried via HTTPS (RESTful API).

Responses are consistent and machine-readable.

Supports authentication and internationalization.

Recommended by IETF; becoming the standard for RIR data.

Watch Out for These

Mistake

WHOIS always provides the real owner's name and contact information.

Correct

Due to GDPR and privacy services, many WHOIS records show 'Redacted for Privacy' or a proxy service's details. The actual owner is hidden. In such cases, you must use alternative OSINT techniques to identify the organization.

Mistake

Certificate Transparency logs only contain valid, unexpired certificates.

Correct

CT logs are append-only and contain all certificates ever submitted, including expired, revoked, and even test certificates. This makes them a valuable source for discovering historical subdomains and misconfigurations.

Mistake

ARIN WHOIS only works for IP addresses in the United States.

Correct

ARIN covers the United States, Canada, and parts of the Caribbean. For IP addresses outside these regions, you must query the appropriate RIR: RIPE NCC (Europe, Middle East), APNIC (Asia Pacific), LACNIC (Latin America), or AFRINIC (Africa).

Mistake

WHOIS and DNS are the same thing.

Correct

WHOIS provides domain registration and ownership information (registrant, registrar, dates, name servers). DNS translates domain names to IP addresses and other records (A, MX, CNAME). They operate on different protocols (WHOIS on TCP 43, DNS on UDP 53) and serve different purposes.

Mistake

You cannot find subdomains without active scanning.

Correct

Certificate Transparency logs are a passive source that reveals subdomains listed in SSL/TLS certificates. By querying crt.sh or similar, you can discover subdomains without sending any traffic to the target.


Frequently Asked Questions

What is the difference between WHOIS and DNS?

WHOIS is a protocol for querying domain registration databases to find the owner, registrar, and contact information for a domain. DNS (Domain Name System) resolves domain names to IP addresses and other records like MX or CNAME. They are separate systems: WHOIS tells you who owns a domain; DNS tells you how to reach it. On the exam, if you need to find the IP address of a server, use DNS (e.g., `dig A example.com`). If you need to find the registrant's name, use WHOIS.

How do I query Certificate Transparency logs for a domain?

The easiest way is to use the web tool crt.sh. Go to https://crt.sh and enter your search term. For example, `%.example.com` finds all certificates with subdomains of example.com. You can also use the API: `curl -s 'https://crt.sh/?q=example.com&output=json' | jq .` to get JSON output. Other tools include certspotter.com and Facebook's certificate transparency monitor. On the exam, remember that CT logs reveal subdomains from SSL/TLS certificates.

What is a thick WHOIS vs thin WHOIS?

In thick WHOIS, the registry (e.g., Verisign for .com) stores the full registration record, including registrant contact information. In thin WHOIS, the registry stores only minimal data (like name servers and status) and refers queries to the registrar's WHOIS server for full details. Most gTLDs now use thick WHOIS. The exam may ask which type provides more immediate information—thick WHOIS gives you the full record directly from the registry.

How do I find the owner of an IP address?

Use the WHOIS service of the appropriate Regional Internet Registry (RIR). For North American IPs, query whois.arin.net. For European IPs, query whois.ripe.net. For Asia Pacific, whois.apnic.net. For Latin America, whois.lacnic.net. For Africa, whois.afrinic.net. You can also use the web interface at https://search.arin.net/rdap/. The response will show the organization that owns the IP block.

Why is WHOIS data sometimes redacted?

Due to privacy regulations like the European Union's General Data Protection Regulation (GDPR), many registrars and registries now redact personal information (name, address, email, phone) from public WHOIS output. Instead, they show 'Redacted for Privacy' or provide a proxy service. This is to protect the registrant's privacy. In a penetration test, you must rely on other sources (CT logs, social media, etc.) when WHOIS data is redacted.

What is RDAP and how is it different from WHOIS?

RDAP (Registration Data Access Protocol) is a modern replacement for WHOIS, defined in RFC 7480-7484. It uses HTTPS and returns structured data in JSON format, making it easier for automated processing. RDAP also supports authentication, internationalization, and consistent query patterns across RIRs. The exam may ask about RDAP as a more secure and standardized alternative to WHOIS for IP address queries.

Can I find expired certificates in Certificate Transparency logs?

Yes, CT logs are append-only and permanent. Once a certificate is logged, it remains in the log even after it expires or is revoked. This is useful for discovering subdomains that were used in the past but may no longer be active. When querying crt.sh, you can filter by date or just review all results to find historical certificates.

