loading
loading
Recon
Reverse WHOIS lookup script.
overview
whoisninja flips a normal WHOIS query around. Instead of asking who owns one domain, you give it an organization name, an email address, a phone number, or a domain, and it returns every domain registered with that detail. That turns a single known data point into a list of assets the same party registered, including domains a company never advertised.
It runs against the whoisxmlapi.com Reverse WHOIS API, so you supply --api_key. Drive single values or pass list files for bulk pivots, enable --historic to recover domains that have since changed hands, and tune --sleep and --maxretry to balance coverage against rate limits.
Run it early to expand a target's footprint, then feed recovered domains into subdomain enumeration and probing. On Trickest the Recon node takes the identifiers you supply and writes a file and a folder of results.
use cases
Start from a known organization name or registrant email and recover every domain registered with it, turning one data point into a complete asset list.
Pivot on a registrant detail to surface domains a company owns but never links to publicly, widening the attack surface.
Enable --historic to include domains the target registered in the past, catching assets that have since lapsed or moved.
Feed --org_list or --email_list to run many reverse lookups in one node, collecting registered domains across the whole input.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| org | STRING | --org | Single organization (use * for wildcard). |
| STRING | Single email address (use * for wildcard). | ||
| domain | STRING | --domain | Single domain name (use * for wildcard). |
| api_key | STRING | --api_key | Your Reverse WHOIS API key (whoisxmlapi.com). |
| historic | BOOLEAN | --historic | Get historical domains too (default false). |
| org_list | FILE | --org_list | File containing a list of organizations. |
| sleep | STRING | --sleep | Sleep time between each request (default 2 seconds). |
| maxretry | STRING | --maxretry | Max retry on failure (default 5). |
Showing key inputs. whoisninja exposes 12 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| org | STRING | --org | Single organization (user * for wildcard) |
| STRING | Single email address (user * for wildcard) | ||
| phone | STRING | --phone | Single phone number (user * for wildcard) |
| sleep | STRING | --sleep | Sleep time between each request (default 2 seconds) |
| domain | STRING | --domain | Single domain name (user * for wildcard) |
| api_key | STRING | --api_key | Your Reverse WHOIS API key (whoisxmlapi.com) |
| historic | BOOLEAN | --historic | Get Historical domains too (default false) |
| maxretry | STRING | --maxretry | Max retry on failure (default=5) |
| org_list | FILE | --org_list | File containing a list of organizations |
| email_list | FILE | --email_list | --email_list EMAIL_LIST |
| phone_list | FILE | --phone_list | --phone_list PHONE_LIST |
| domain_list | FILE | --domain_list | --domain_list DOMAIN_LIST |
example
# reverse WHOIS by organization, include historic domainswhoisninja --org "Example Corp" --api_key YOUR_KEY --historic --sleep 2 --maxretry 5example.comexample.netexample.comexample.comstaging.example.commail.example.comdev.example.comcorp-cdn.example.com8 domains for org pivot (historic included)guidance
Use whoisninja when you have one identifier about a target, an org, email, phone, or domain, and want every domain registered with it. For a forward lookup on a single host, use whois-with-ripe instead.
Forward WHOIS on one hostname via RIPE. Use it to read an asset, not to pivot from owner to assets.
Broad attack-surface mapping that also does WHOIS-based correlation. Heavier, covers more than reverse WHOIS alone.
faq
related
Asynchronous DNS brute-force tool for fast subdomain enumeration.
OWASP Amass: network mapping and external asset discovery.
OWASP Amass intel: find an organization's root domains and ranges.
OWASP Amass enumeration that produces structured JSON output.
Find related domains and subdomains via shared Google Analytics IDs.
Find domains and subdomains potentially related to a given domain.
An organization name feeds whoisninja, which reverse-resolves every registered domain and passes them to subfinder for subdomain enumeration before they land as an asset inventory.
Facts on this page come from the live Trickest tool library.