43 - Pentesting WHOIS
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Basic Information
The WHOIS protocol is the standard way to query the registrants or holders of various Internet resources through dedicated databases. Those resources include domain names, blocks of IP addresses and autonomous systems, among others. Beyond that, the protocol is also used to retrieve a broader range of information.
Default port: 43
PORT STATE SERVICE
43/tcp open whois?
From an attacker's point of view, keep in mind that WHOIS is a plaintext-only TCP service: the client sends a query, the server returns human-readable text, and closing the connection marks the end of the reply. There is no built-in authentication, integrity or confidentiality in the protocol.
Modern Reality: WHOIS vs RDAP
For Internet domain registration data, WHOIS is no longer the authoritative option for many public gTLD workflows. ICANN formally sunset WHOIS for gTLD registration data on 2025-01-28, making RDAP the preferred protocol for machine-readable domain registration lookups.
However, TCP/43 is still worth testing because it keeps showing up in:
- Legacy or private WHOIS services
- RIR / IP allocation workflows
- Internal registries and custom asset databases
- Third-party web tools and old automation that still trust WHOIS responses
If your goal is reverse whois, broad asset expansion or recursive external recon, check the External Recon Methodology page to avoid duplicating that work here.
Enumerate
Get all the information the whois service holds about a domain:
whois -h <HOST> -p <PORT> "domain.tld"
printf 'domain.tld\r\n' | nc -vn <HOST> <PORT>
If you find a publicly reachable WHOIS service, try both domain and IP/ASN queries, because many implementations use different backends or parsers depending on the object type:
# Domain
printf 'example.com\r\n' | nc -vn <HOST> 43
# IP / CIDR / ASN examples
printf '8.8.8.8\r\n' | nc -vn <HOST> 43
printf 'AS15169\r\n' | nc -vn <HOST> 43
Note that sometimes, when you ask a WHOIS service for information, the database in use is exposed in the response.
[screenshot: WHOIS reply revealing the backend database]
Following Referrals and Better Enumeration
A large part of useful WHOIS enumeration hides behind referrals. For example, one server may only point you to the next authoritative WHOIS server for the TLD or RIR. This is worth exercising by hand because some custom services mishandle follow-up queries, redact fields inconsistently, or leak extra backend metadata.
Useful options and helpers:
# Ask IANA first and then follow the authoritative referral (common Linux whois clients)
whois -I example.com
whois -I 8.8.8.8
# Let Nmap follow domain/IP WHOIS referrals automatically
nmap --script whois-domain <target>
nmap --script whois-ip <target>
# For IP ranges, disable the WHOIS cache if you care about smaller delegated blocks
nmap --script whois-ip --script-args whois.whodb=nocache <target>
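The exchange the two sections above describe (write the object plus CRLF, read until the server closes, then hop to whatever refer: / Registrar WHOIS Server: / ReferralServer: line comes back), as an added example that is not code from the original page. It is a small Python client plus an in-process canned WHOIS server, so the referral chain can be exercised offline: the response bodies, the 127.0.0.1 hosts and the ports are constructed for the demo. The host:port form in referral lines is accepted because RIR rwhois referrals carry a port; the self-referral in the registrar reply shows the loop guard real registrar records trigger.

```python
import re
import socket
import socketserver
import threading

# Referral lines seen in practice: IANA "refer:", Verisign-style "Registrar WHOIS Server:",
# older "Whois Server:", ARIN "ReferralServer: whois://host" (rwhois ones carry ":port").
REFERRAL_RE = re.compile(
    r"^\s*(?:refer|registrar whois server|whois server|referralserver)\s*:\s*"
    r"(?:r?whois://)?([a-z0-9.-]+)(?::(\d{1,5}))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def whois_query(host, query, port=43, timeout=10.0):
    """One RFC 3912 exchange: send <object>CRLF, read until the server closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")   # IDNs must be punycoded first
        while True:
            data = sock.recv(4096)
            if not data:                                # EOF is the only end-of-reply marker
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def find_referral(text):
    """(host, port) of the first referral line in a reply, or None."""
    match = REFERRAL_RE.search(text)
    if not match:
        return None
    return match.group(1).lower(), int(match.group(2) or 43)


def whois_follow(query, host, port=43, max_hops=5):
    """Query `host`, then keep following referrals until none, a loop, or max_hops.
    Returns the hops as a list of (host, port, response_text) in order."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        text = whois_query(host, query, port)
        hops.append((host, port, text))
        seen.add((host, port))
        referral = find_referral(text)
        if referral is None or referral in seen:       # registrar records refer to themselves
            break
        host, port = referral
    return hops


class _CannedHandler(socketserver.StreamRequestHandler):
    """Minimal WHOIS server: one line in, canned body out, close = end of reply."""

    def handle(self):
        obj = self.rfile.readline().decode("utf-8", "replace").strip().lower()
        body = self.server.responses.get(obj, f'% No match for "{obj}"\r\n')
        self.wfile.write(body.encode("utf-8"))


def start_canned_server(responses):
    """Listen on a random loopback port and serve `responses` (constructed test data)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _CannedHandler)
    server.responses = responses
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo_referral_chain():
    """Two local servers stand in for a registry and a registrar (constructed bodies)."""
    registrar = start_canned_server({})
    rport = registrar.server_address[1]
    registrar.responses["example.com"] = (
        "Domain Name: EXAMPLE.COM\r\n"
        f"Registrar WHOIS Server: 127.0.0.1:{rport}\r\n"   # self-referral: loop guard stops here
        "Name Server: NS1.EXAMPLE.NET\r\n"
        "Name Server: NS2.EXAMPLE.NET\r\n"
    )
    registry = start_canned_server({
        "example.com": f"domain:  EXAMPLE.COM\r\nReferralServer: whois://127.0.0.1:{rport}\r\n"
    })
    try:
        return whois_follow("example.com", "127.0.0.1", registry.server_address[1])
    finally:
        for srv in (registry, registrar):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for host, port, text in demo_referral_chain():
        print(f"--- {host}:{port}\n{text}")
```

Against a real target, call whois_follow("example.com", "whois.iana.org") and diff the hops: a custom service that answers the first query but mangles the follow-up, or that leaks a backend hostname in its referral line, shows up immediately.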
Interesting pivot fields when the service is not fully redacted:
- Registrar / Org / abuse contacts for phishing reports or org-mapping
- Creation / update / expiration times to spot recently registered infrastructure
- Nameservers to cluster domains run by the same operator
- Referral server names to hunt for old or forgotten WHOIS infrastructure
RDAP as the Structured Successor
Even if the exposed service is classic WHOIS on port 43, check whether the same provider also offers RDAP, because RDAP is usually easier to parse and better suited to automation:
# www.rdap.net is a bootstrap redirector: -L follows the 302 to the authoritative RDAP server
curl -sL https://www.rdap.net/domain/example.com | jq
curl -s https://rdap.arin.net/registry/ip/8.8.8.8 | jq
A practical offensive nuance: a 2024 measurement study comparing WHOIS and RDAP at scale found that they are not always interchangeable, with inconsistencies in fields such as registrar identifiers, creation dates, and nameservers. If your recon pipeline depends on those values, compare both sources before making decisions.
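Parsing both formats and diffing the fields named above (registrar identifier, creation date, nameservers), as an added example rather than code from the original page. The WHOIS text and the RDAP JSON are constructed in the shapes port-43 services and RDAP servers return (RDAP: ldhName, events, nameservers, entities with roles/publicIds/vcardArray); the registrar name, the IANA-style ID 9999 and the dates are made up, with the creation date deliberately one day apart so the diff has something to report.

```python
import json

# Constructed WHOIS reply in port-43 style (repeated "Key: value" lines, trailer line).
WHOIS_TEXT = """\
   Domain Name: EXAMPLE.COM
   Registrar: Example Registrar, Inc.
   Registrar IANA ID: 9999
   Creation Date: 2001-01-01T00:00:00Z
   Name Server: NS1.EXAMPLE.NET
   Name Server: NS2.EXAMPLE.NET
>>> Last update of whois database: 2025-01-01T00:00:00Z <<<
"""

# Constructed RDAP document for the same name; registration event is off by one day.
RDAP_JSON = json.dumps({
    "objectClassName": "domain",
    "ldhName": "EXAMPLE.COM",
    "events": [
        {"eventAction": "registration", "eventDate": "2001-01-02T00:00:00Z"},
        {"eventAction": "last changed", "eventDate": "2024-12-01T00:00:00Z"},
    ],
    "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns2.example.net"}],
    "entities": [{
        "roles": ["registrar"],
        "publicIds": [{"type": "IANA Registrar ID", "identifier": "9999"}],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Registrar, Inc."]]],
    }],
})


def whois_fields(text):
    """Collect 'Key: value' lines into lists (keys such as Name Server repeat)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith((">>>", "%", "#")):
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def whois_summary(text):
    """Normalise the WHOIS fields worth comparing: dates to YYYY-MM-DD, NS to lowercase."""
    f = whois_fields(text)
    created = f.get("creation date", [None])[0]
    return {
        "registrar": f.get("registrar", [None])[0],
        "registrar_id": f.get("registrar iana id", [None])[0],
        "created": created[:10] if created else None,
        "nameservers": sorted(ns.lower().rstrip(".") for ns in f.get("name server", [])),
    }


def rdap_summary(doc):
    """Pull the same fields out of an RDAP domain object (dict or JSON text)."""
    d = json.loads(doc) if isinstance(doc, str) else doc
    registrar = next((e for e in d.get("entities", []) if "registrar" in e.get("roles", [])), {})
    vcard = registrar.get("vcardArray", ["vcard", []])[1]
    name = next((p[3] for p in vcard if p[0] == "fn"), None)
    rid = next((p["identifier"] for p in registrar.get("publicIds", [])
                if p.get("type") == "IANA Registrar ID"), None)
    created = next((e["eventDate"] for e in d.get("events", [])
                    if e.get("eventAction") == "registration"), None)
    return {
        "registrar": name,
        "registrar_id": rid,
        "created": created[:10] if created else None,
        "nameservers": sorted(ns["ldhName"].lower().rstrip(".") for ns in d.get("nameservers", [])),
    }


def diff_sources(whois_text, rdap_doc):
    """Fields where the two sources disagree: {field: (whois_value, rdap_value)}."""
    a, b = whois_summary(whois_text), rdap_summary(rdap_doc)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    print(diff_sources(WHOIS_TEXT, RDAP_JSON))   # only 'created' differs on the sample data
```

Dates are compared on the calendar day only, because timezone and format differences between the two outputs are noise; anything left in the diff is a real disagreement that a "recently registered" or "same registrar" heuristic should not silently trust.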
Attack Notes
Backend Injection in Custom WHOIS Gateways
A WHOIS service always needs a database to store and serve its information, so SQL injection may be possible when user-supplied input is used to query that database. For example, sending whois -h 10.10.10.155 -p 43 "a') or 1=1#" may dump everything stored in the database.
Do not limit testing to SQLi. In internal or niche WHOIS deployments, the query may be handed to:
- SQL / NoSQL backends
- LDAP directories
- shell wrappers around other lookup tools
- HTTP APIs used by registrar or asset-management portals
So fuzz with SQLi payloads, LDAP injection, delimiter abuse, very long strings, and malformed UTF-8 / control characters. The protocol itself is trivial; the risky part is usually the parser or the backend glue code.
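The SQL-injection case above, as an added example that is not from the original page: a toy gateway lookup over an in-memory SQLite table, in the vulnerable string-building form next to a hardened one with the three controls that matter (bounded length, object-syntax allowlist, bound parameter). The table contents are constructed. SQLite has no MySQL-style # comment, so the page's payload becomes a') or 1=1-- here.

```python
import re
import sqlite3


def build_registry_db():
    """Constructed registry table standing in for whatever backs a custom WHOIS gateway."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE objects (name TEXT, kind TEXT, holder TEXT, email TEXT)")
    db.executemany("INSERT INTO objects VALUES (?, ?, ?, ?)", [
        ("example.com",     "domain",  "Example Corp",    "hostmaster@example.com"),
        ("192.0.2.0/24",    "inetnum", "Example Hosting", "noc@example.net"),
        ("as64500",         "aut-num", "Example ISP",     "abuse@example.net"),
        ("hidden.internal", "domain",  "Not For You",     "admin@hidden.internal"),
    ])
    return db


def vulnerable_lookup(db, line):
    """What the bug looks like: the raw WHOIS query line is spliced into the SQL text."""
    sql = "SELECT name, kind, holder, email FROM objects WHERE name IN ('%s')" % line
    return db.execute(sql).fetchall()


# Allowlist for the only object syntaxes this gateway is meant to answer.
OBJECT_RE = re.compile(
    r"^(?:"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}"   # domain name
    r"|(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?"                   # IPv4 address or CIDR
    r"|as\d{1,10}"                                             # ASN
    r")$"
)


def hardened_lookup(db, line):
    """Same lookup, but the query line can never become SQL: length cap, syntax
    allowlist, and a bound parameter for the value."""
    obj = line.strip().lower()
    if len(obj) > 253 or not OBJECT_RE.fullmatch(obj):
        return []                                       # reject, do not try to "clean" it
    return db.execute(
        "SELECT name, kind, holder, email FROM objects WHERE name = ?", (obj,)
    ).fetchall()


if __name__ == "__main__":
    db = build_registry_db()
    payload = "a') or 1=1--"                             # the page's payload, SQLite comment style
    print("vulnerable:", vulnerable_lookup(db, payload))  # every row, including hidden.internal
    print("hardened:  ", hardened_lookup(db, payload))    # []
```

The same shape applies to the other backends listed above: an LDAP filter or a shell wrapper built with string formatting from the query line has the same defect, and the allowlist plus a typed/escaped parameter is the fix in each case.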
Rogue / Stale WHOIS Servers
A relevant attack path for 2024-2025 is abusing outdated WHOIS trust. If a registry or tool changes its WHOIS hostname and the old domain expires, an attacker can register the old hostname and run a rogue WHOIS server.
This gives the attacker control over the response body seen by:
- old WHOIS clients with hardcoded server mappings
- web applications that fetch WHOIS output and render it back to users
- automation that still uses WHOIS for domain validation or ownership workflows
This matters because a rogue WHOIS response can be the entry point for:
- stored/reflected XSS in web WHOIS frontends
- parser bugs / command injection / eval bugs in libraries consuming the text response
- bad automation decisions when systems trust attacker-controlled WHOIS contact data
When you find a private or legacy WHOIS service, always check whether the returned refer: / Whois Server: values, banners or TLD mappings point at expired or attacker-registerable domains.
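A quick audit for the stale-referral check above, as an added example that is not taken from the original page: it pulls every referral hostname out of a WHOIS reply and reports the ones that no longer resolve. The resolver is injectable so the sample (constructed reply text, hostnames under .example) runs offline. A dangling name is a lead, not proof: confirm at a registrar that the name is actually registerable before treating it as a rogue-server opportunity.

```python
import re
import socket

# Keys whose value is the next server a client or tool will connect to.
REFERRAL_KEYS = {"refer", "whois server", "registrar whois server", "referralserver"}


def extract_referral_hosts(text):
    """Distinct referral hostnames in a reply, lowercased, scheme and port stripped."""
    hosts = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or key.strip().lower() not in REFERRAL_KEYS:
            continue
        host = re.sub(r"^r?whois://", "", value.strip().lower())   # whois:// or rwhois://
        host = host.split(":")[0].rstrip(".")                      # drop :port if present
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def dns_resolves(host):
    """True when the name still has an address; NXDOMAIN and similar give False."""
    try:
        socket.getaddrinfo(host, 43, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:
        return False


def audit_referrals(text, resolves=dns_resolves):
    """Map each referral host to 'ok' or 'dangling'. Dangling hosts are the ones to
    check at a registrar: if registerable, whoever registers the name controls the
    WHOIS text every client and web frontend still following that referral will see."""
    return {host: ("ok" if resolves(host) else "dangling")
            for host in extract_referral_hosts(text)}


# Constructed reply: a legacy gateway still pointing at a retired registry hostname.
SAMPLE_REPLY = (
    "% Legacy TLD WHOIS gateway\r\n"
    "domain:   target.example\r\n"
    "refer:    whois.retired-registry.example\r\n"
    "Registrar WHOIS Server: whois.current-registrar.example\r\n"
    "ReferralServer: rwhois://rwhois.current-registrar.example:4321\r\n"
)


if __name__ == "__main__":
    # Offline demo: pretend only the retired registry name has dropped out of DNS.
    fake_resolver = lambda h: "retired" not in h
    for host, status in audit_referrals(SAMPLE_REPLY, resolves=fake_resolver).items():
        print(f"{status:9} {host}")
```

In a real run, feed it the raw output of each hop from your WHOIS client (or of whois -I / the Nmap whois scripts) and leave the default resolver in place; any "dangling" host is then worth a registrar availability lookup.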
Shodan
port:43 whois
HackTricks Automatic Commands
Protocol_Name: WHOIS #Protocol Abbreviation if there is one.
Port_Number: 43 #Comma separated if there is more than one.
Protocol_Description: WHOIS #Protocol Abbreviation Spelled out
Entry_1:
Name: Notes
Description: Notes for WHOIS
Note: |
The WHOIS protocol serves as a standard method for inquiring about the registrants or holders of various Internet resources through specific databases. These resources encompass domain names, blocks of IP addresses, and autonomous systems, among others. Beyond these, the protocol finds application in accessing a broader spectrum of information.
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-smtp/index.html
Entry_2:
Name: Banner Grab
Description: Grab WHOIS Banner
Command: whois -h {IP} -p 43 {Domain_Name} && printf '{Domain_Name}\r\n' | nc -vn {IP} 43
Entry_3:
Name: Nmap WHOIS Referrals
Description: Follow WHOIS referrals for domain and IP lookups
Command: nmap --script whois-domain,whois-ip --script-args whois.whodb=nocache {IP}
References
- ICANN Update: Launching RDAP; Sunsetting WHOIS
- watchTowr Labs - We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI