Reverse Whois - Increase Attack Surface Area

  • Introduction to Whois
  • Whois Flow
  • What is Reverse Whois?
  • Reverse Whois Flow
  • Tools
  • 100 domains or 84615 domains?

Introduction to Whois

Whois is used to query domain names, IP addresses, and ASN (autonomous system numbers or IP blocks) for their registered information. In simpler terms, if a user owns a domain or IP address, they have to give information like email, organization name, address, etc. to the domain registrar (like GoDaddy and Google Domains), and that information is stored in a database.

Screenshot - Whois information for the domain "disney.com"

Whois - Flow

Input == Domain Name  ->  Output == Registrant Information

What is Reverse Whois?

A reverse whois tool allows you to search for domain names by the registrant's email address, company owner, or admin name.

The mapping in whois is one-to-one, whereas in reverse whois it is one-to-many. It allows you to increase your attack surface from one domain to multiple domains that are registered by the same organization.

Screenshot - Obtaining domains by reverse whois on Corp.DNS.Domains@disney.com

Reverse Whois - Flow

Input == Registrant Information  ->  Output == Domains
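
The two flows above, as an added example (not from the original post or from any of the tools it lists): constructed whois responses are parsed into registrant records, then inverted into a registrant-to-domains index. The sample records, the choice of fields, and all function names are assumptions made for illustration; privacy-redacted values are skipped so unrelated owners are not linked together.

```python
import re
from collections import defaultdict

# Constructed sample whois responses (not real registry data).
SAMPLE_WHOIS = {
    "example.com": """Domain Name: EXAMPLE.COM
Registrant Organization: Example Corp, Inc.
Registrant Email: DNS.Admin@example.com
""",
    "example-shop.net": """Domain Name: EXAMPLE-SHOP.NET
Registrant Organization:  example corp, inc.
Registrant Email: dns.admin@example.com
""",
    "unrelated.org": """Domain Name: UNRELATED.ORG
Registrant Organization: Other Org Ltd
Registrant Email: REDACTED FOR PRIVACY
""",
}

# Whois keys we index on (assumed field names), mapped to short labels.
FIELDS = {"registrant organization": "org", "registrant email": "email"}
REDACTED = re.compile(r"redacted|privacy|not disclosed", re.I)

def parse_whois(text):
    """Whois flow: one raw response in, one registrant record out (one-to-one)."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        field = FIELDS.get(key.strip().lower())
        if sep and field and value.strip():
            # Normalise case and whitespace so variants of one registrant match.
            record[field] = " ".join(value.split()).lower()
    return record

def build_reverse_index(whois_by_domain):
    """Reverse whois flow: (field, registrant value) -> set of domains (one-to-many)."""
    index = defaultdict(set)
    for domain, text in whois_by_domain.items():
        for field, value in parse_whois(text).items():
            if not REDACTED.search(value):  # placeholders would falsely link owners
                index[(field, value)].add(domain.lower())
    return index

def reverse_whois(index, field, value):
    """Look up every domain registered with the given registrant detail."""
    return sorted(index.get((field, " ".join(value.split()).lower()), ()))

if __name__ == "__main__":
    print(reverse_whois(build_reverse_index(SAMPLE_WHOIS), "email", "dns.admin@example.com"))
```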


Tools

  • viewdns.info
  • whoxy.com
  • securitytrails.com
  • www.reversewhois.io
  • osint.sh/reversewhois/

100 domains or 84615 domains?

If you want to stand in the same queue as other hackers or bug bounty hunters, don't buy the pro subscriptions to these services. If you think you want to attack things that no one is attacking, you should buy subscriptions to these tools.

A general free whois query for "Disney Enterprises, Inc." will give you 100 domains, whereas a paid query will give 84615 domain names.

Screenshot - Paid API Query from whoxy API

Now think about this: when you are attacking, do you want to hack on 100 assets of an organization or 84000+ assets?
