43 - Pentesting WHOIS

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Basic Information

The WHOIS protocol serves as a standard method for inquiring about the registrants or holders of various Internet resources through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information.

Default port: 43

PORT   STATE  SERVICE
43/tcp open   whois?

From an offensive point of view, remember that WHOIS is just a plain-text TCP service: the client sends a query, the server returns human-readable text, and the connection close marks the end of the response. There is no built-in authentication, integrity, or confidentiality in the protocol.

Modern Reality: WHOIS vs RDAP

For Internet domain registration data, WHOIS is no longer the authoritative option for many public gTLD workflows. ICANN sunset WHOIS for gTLD registration data on 2025-01-28, making RDAP the protocol to prefer for machine-readable domain registration lookups.

However, TCP/43 is still worth testing because it keeps appearing in:

  • Legacy or private WHOIS services
  • RIR / IP allocation workflows
  • Internal registries and custom asset databases
  • Third-party web tools and old automation that still trust WHOIS responses

If your goal is reverse whois, broader asset expansion, or recursive external recon, check the External Recon Methodology page to avoid duplicating work here.

Enumerate

Get all the information that a whois service has about a domain:

whois -h <HOST> -p <PORT> "domain.tld"
printf 'domain.tld\r\n' | nc -vn <HOST> <PORT>

If you find a public-facing WHOIS service, test both domain and IP/ASN style queries because many implementations expose different backends or parsers depending on the object type:

# Domain
printf 'example.com\r\n' | nc -vn <HOST> 43

# IP / CIDR / ASN examples
printf '8.8.8.8\r\n' | nc -vn <HOST> 43
printf 'AS15169\r\n' | nc -vn <HOST> 43

Notice that sometimes, when requesting information from a WHOIS service, the database being used appears in the response.

Referral Chasing and Better Enumeration

A lot of useful WHOIS enumeration is hidden behind referrals. For example, one server may only point you to the next authoritative WHOIS server for a TLD or an RIR. This is worth testing manually because some custom services mishandle follow-up queries, redact fields inconsistently, or leak extra backend metadata.

Useful options and helpers:

# Ask IANA first and then follow the authoritative referral (common Linux whois clients)
whois -I example.com
whois -I 8.8.8.8

# Let Nmap follow domain/IP WHOIS referrals automatically
nmap --script whois-domain <target>
nmap --script whois-ip <target>

# For IP ranges, disable the WHOIS cache if you care about smaller delegated blocks
nmap --script whois-ip --script-args whois.whodb=nocache <target>

Interesting fields to pivot on when the service is not fully redacted:

  • Registrar / Org / abuse contact for phishing reporting or org-mapping
  • Creation / update / expiration times to spot newly registered infrastructure
  • Nameservers to cluster domains managed by the same operator
  • Referral server names to find legacy or forgotten WHOIS infrastructure
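The raw TCP/43 exchange and the referral chasing above, combined in one script as an added example that is not part of the original page or of any whois client: it sends `<query>\r\n`, reads until the server closes the connection, extracts the pivot fields listed above, and follows `refer:` / `Registrar WHOIS Server:` hops starting at whois.iana.org. The field regexes and the sample response are assumptions (real servers format output differently).

```python
import re
import socket

# Assumed common output styles: IANA "refer:", ICANN-style "Registrar WHOIS Server:", RIPE-style "nserver:".
RE_REFER = re.compile(r"^\s*(?:refer|Registrar WHOIS Server|Whois Server):\s*(\S+)", re.I | re.M)
RE_REGISTRAR = re.compile(r"^\s*Registrar:\s*(.+?)\s*$", re.I | re.M)
RE_CREATED = re.compile(r"^\s*(?:Creation Date|created):\s*(\S+)", re.I | re.M)
RE_NS = re.compile(r"^\s*(?:Name Server|nserver):\s*(\S+)", re.I | re.M)

# Constructed sample response (not captured from any real server).
SAMPLE = """\
   Domain Name: EXAMPLE.TEST
   Registrar WHOIS Server: whois.example-registrar.test
   Registrar: Example Registrar, Inc.
   Creation Date: 2024-01-02T00:00:00Z
   Name Server: NS2.EXAMPLE.TEST
   Name Server: NS1.EXAMPLE.TEST
"""

def query_whois(host, query, port=43, timeout=10.0):
    """Raw TCP/43 client: send '<query>\\r\\n' and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def parse_whois(text):
    """Pull out the pivot fields: referral server, registrar, creation date, nameservers."""
    refer = RE_REFER.search(text)
    registrar = RE_REGISTRAR.search(text)
    created = RE_CREATED.search(text)
    return {
        "refer": refer.group(1).lower().split("//")[-1].rstrip(".") if refer else None,
        "registrar": registrar.group(1) if registrar else None,
        "created": created.group(1) if created else None,
        "nameservers": sorted({ns.lower().rstrip(".") for ns in RE_NS.findall(text)}),
    }

def chase_referrals(query, start="whois.iana.org", max_hops=4):
    """Start at IANA and follow refer:/Whois Server: hops; returns (server, fields) per hop."""
    hops, server, seen = [], start, set()
    while server and server not in seen and len(hops) < max_hops:
        seen.add(server)
        fields = parse_whois(query_whois(server, query))
        hops.append((server, fields))
        server = fields["refer"]  # each referral host found here is a candidate for the expiry check
    return hops
```

Every hop's referral hostname is collected, so the list returned by `chase_referrals` is exactly what to review for stale or forgotten WHOIS infrastructure.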

RDAP as the Structured Successor

Even if the exposed service is classic WHOIS on port 43, check whether the same provider also offers RDAP because RDAP is often easier to parse and better for automation:

curl -s https://www.rdap.net/domain/example.com | jq
curl -s https://rdap.arin.net/registry/ip/8.8.8.8 | jq

A practical offensive nuance: a 2024 measurement study comparing WHOIS and RDAP at scale found that they are not always interchangeable, with inconsistencies in fields such as registrar identifiers, creation dates, and nameservers. If your recon pipeline depends on those values, compare both sources before making decisions.
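As an added example (not from the page, rdap.net or ARIN), this maps a constructed RDAP domain object onto the registrar, creation-date and nameserver fields a WHOIS parse yields and reports where the two sources disagree. The JSON document and the WHOIS-side values are constructed, and `fetch_rdap` assumes a plain JSON endpoint such as the URLs above.

```python
import json
import urllib.request

# Constructed RDAP-style document (not a real registry response) describing the
# same object as the WHOIS record it is compared with below.
RDAP_SAMPLE = json.loads("""{
  "ldhName": "example.test",
  "entities": [{"roles": ["registrar"],
                "vcardArray": ["vcard", [["fn", {}, "text", "Example Registrar, Inc."]]]}],
  "events": [{"eventAction": "registration", "eventDate": "2024-01-02T00:00:00Z"},
             {"eventAction": "last changed", "eventDate": "2025-03-04T00:00:00Z"}],
  "nameservers": [{"ldhName": "ns1.example.test"}, {"ldhName": "ns3.example.test"}]
}""")

# Fields as a WHOIS parser would return them for the same name (constructed).
WHOIS_FIELDS = {"registrar": "Example Registrar, Inc.", "created": "2024-01-02T00:00:00Z",
                "nameservers": ["ns1.example.test", "ns2.example.test"]}

def fetch_rdap(url, timeout=10.0):
    """Fetch an RDAP object, e.g. https://www.rdap.net/domain/example.com (assumed JSON endpoint)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def rdap_fields(doc):
    """Map an RDAP domain object onto the same keys the WHOIS side uses."""
    registrar = None
    for ent in doc.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:  # jCard: [name, params, type, value]
                if prop[0] == "fn":
                    registrar = prop[3]
    created = next((e["eventDate"] for e in doc.get("events", [])
                    if e.get("eventAction") == "registration"), None)
    ns = sorted(n["ldhName"].lower().rstrip(".") for n in doc.get("nameservers", []))
    return {"registrar": registrar, "created": created, "nameservers": ns}

def compare_sources(whois, rdap):
    """Return {field: (whois_value, rdap_value)} for every field where the two sources disagree."""
    diffs = {}
    for key in ("registrar", "created", "nameservers"):
        w, r = whois.get(key), rdap.get(key)
        if isinstance(w, list):
            w, r = sorted(x.lower() for x in w), sorted(x.lower() for x in (r or []))
        if w != r:
            diffs[key] = (w, r)
    return diffs
```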

Offensive Notes

Backend Injection in Custom WHOIS Gateways

Also, a WHOIS service always needs a database to store and retrieve the information, so a SQL injection could be present when the user-supplied query is used to build the database query. For example, running whois -h 10.10.10.155 -p 43 "a') or 1=1#" might let you extract all the information stored in the database.

Do not limit testing to SQLi. In internal or niche WHOIS deployments, the query can be proxied to:

  • SQL / NoSQL backends
  • LDAP directories
  • shell wrappers around other lookup tools
  • HTTP APIs used by registrar or asset-management portals

So fuzz with payloads for SQLi, LDAP injection, delimiter abuse, very long strings, and malformed UTF-8 / control characters. The protocol itself is simple; the dangerous part is usually the parser or backend glue code.
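The vulnerable gateway beside its hardened form, as an added example not taken from any real WHOIS implementation: one lookup splices the query line straight into SQL, the other allowlists the object syntax (domain, IPv4/CIDR or ASN) and binds it as a parameter. The table, rows and allowlist are assumptions; the injection string from above is adapted to SQLite's `--` comment syntax because SQLite does not treat `#` as a comment.

```python
import re
import sqlite3

# In-memory stand-in for the gateway's registration database (constructed data).
DB = sqlite3.connect(":memory:")
DB.executescript("""
CREATE TABLE domains (name TEXT, registrar TEXT, contact TEXT);
INSERT INTO domains VALUES ('example.test', 'Example Registrar, Inc.', 'admin@example.test');
INSERT INTO domains VALUES ('other.test', 'Other Registrar', 'hidden@other.test');
""")

# Allowlist for what a WHOIS object name may look like (assumption: this gateway only
# serves domains, IPv4 addresses/CIDRs and AS numbers). Anything else is refused early.
OBJECT_RE = re.compile(r"^(?:[a-z0-9-]{1,63}(?:\.[a-z0-9-]{1,63})+"
                       r"|(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?"
                       r"|as\d{1,10})$", re.I)

def lookup_vulnerable(raw_query):
    """The 'glue code' bug: the query line received on TCP/43 is spliced straight into SQL."""
    q = raw_query.rstrip("\r\n")
    sql = f"SELECT name, registrar, contact FROM domains WHERE name = ('{q}')"
    return DB.execute(sql).fetchall()

def lookup_hardened(raw_query):
    """Validate the object syntax and length first, then bind the value as a parameter."""
    q = raw_query.rstrip("\r\n")
    if len(q) > 255 or not q.isascii() or not OBJECT_RE.fullmatch(q):
        return []  # malformed object name: refuse without touching the backend
    return DB.execute("SELECT name, registrar, contact FROM domains WHERE name = ?",
                      (q.lower(),)).fetchall()
```

The hardened lookup also rejects the very long strings and non-ASCII / control-character inputs mentioned above before they reach any backend.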

Rogue / Stale WHOIS Servers

A relevant 2024-2025 attack path is abusing outdated WHOIS trust. If a registry or tool changes its WHOIS hostname and the old domain expires, an attacker may be able to register the old hostname and operate a rogue WHOIS server.

That gives the attacker control over the response body seen by:

  • old WHOIS clients with hardcoded server mappings
  • web applications that fetch WHOIS output and render it back to users
  • automation that still uses WHOIS for domain validation or ownership workflows

This matters because a rogue WHOIS response can become an entry point for:

  • stored/reflected XSS in web WHOIS frontends
  • parser bugs / command injection / eval bugs in libraries consuming the text response
  • bad automation decisions when systems trust attacker-controlled WHOIS contact data

When you find a private or legacy WHOIS service, always check whether the returned refer: / Whois Server: values, banners, or TLD mappings point to expired or attacker-registerable domains.

Shodan

  • port:43 whois

HackTricks Automatic Commands

Protocol_Name: WHOIS    #Protocol Abbreviation if there is one.
Port_Number:  43     #Comma separated if there is more than one.
Protocol_Description: WHOIS         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for WHOIS
  Note: |
    The WHOIS protocol serves as a standard method for inquiring about the registrants or holders of various Internet resources through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information.


    https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html

Entry_2:
  Name: Banner Grab
  Description: Grab WHOIS Banner
  Command: whois -h {IP} -p 43 {Domain_Name} && printf '{Domain_Name}\r\n' | nc -vn {IP} 43

Entry_3:
  Name: Nmap WHOIS Referrals
  Description: Follow WHOIS referrals for domain and IP lookups
  Command: nmap --script whois-domain,whois-ip --script-args whois.whodb=nocache {IP}
