Reverse WHOIS
Reverse WHOIS is the process of searching for all domains registered under the same registrant information (such as name, email address, organization, or physical address) found in a WHOIS record.
This technique allows security analysts, investigators, and penetration testers to link related domains based on shared ownership or registration details.
How It Works
1. WHOIS Lookup
- Perform a WHOIS query on the target domain to retrieve its registration record.
2. Extract Registrant Identifiers
- Identify fields that are specific to the registrant: name, email address, phone number, organization, or postal address. Skip values that are redacted or belong to a privacy-proxy service; those are shared by many unrelated domains and will not produce a meaningful link.
3. Reverse Search
- Use a reverse WHOIS tool or database to search for all other domains registered with the same identifiers.
4. Result Mapping
- Build a list of related domains; these may include production sites, test environments, old projects, or forgotten assets. Record which identifier produced each hit, so that weak pivots (a common organization name, for example) can be reviewed separately from strong ones (a unique email address).
Cybersecurity & Pentesting Perspective
Benefits:
- Attack surface discovery – find additional domains owned by the same entity.
- Legacy system detection – locate old, forgotten domains that might be vulnerable.
- Brand protection – detect typo variants registered by the same party.
- Threat actor investigation – link multiple malicious domains to the same owner.
Risks for the target:
- Exposure of internal, staging, or development domains.
- Unintentional linking of personal and corporate domains.
- Easier mapping of the organization's full digital footprint.
Tools & Resources
Free / Open Source:
- whois command-line tool (Linux/Mac/Windows with WSL)
- SecurityTrails (limited free queries)
Paid / Commercial:
- DomainTools Reverse WHOIS
- WhoisXML API Reverse WHOIS
Typical workflow: run whois against the target domain, then take the Registrant Email (e.g., johndoe@example.com) and search for it in a reverse WHOIS service.
Example
Step 1: WHOIS shows:
- Registrant Email: admin@hydrattack.com
Step 2: Reverse WHOIS lookup on admin@hydrattack.com finds:
- api-hydrattack.com – API service domain
- hydrattackdev.com – Development environment
- hydrattacksupport.com – Customer support portal
Legal & Ethical Notice:
Reverse WHOIS should only be performed on domains you own or have written authorization to test. Many WHOIS services mask private data due to GDPR and privacy laws, so results may be limited.