Nmap Development mailing list archives

Expansion on whois.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Mon, 8 Jul 2013 23:37:37 +0300

Hi there,

The last few days I was investigating the whois protocol.

Our whois.nse script performs an IP address query to the right whois server.
This is pretty complicated, that's why the script contains more than 2k lines.
One of the *hard* parts is to find out which whois server to query. The script
holds the information of the 5 biggest whois servers that hold information about
all the IP addresses allocated in the Internet and based on IANA assignments
[1], the script knows which one of them to query. For more information, check
out the relevant thread [2]. 

But the whois protocol supports both IP address and domain name queries. For
example, on Linux if you type "whois snf-59115.vm.okeanos.grnet.gr" it will
bring different results than "whois 83.212.115.76" even though they point to the
same machine.

So, what I wanted to do is make the script perform a domain name query as
well. This is harder because the whois servers that hold information about
domain names are many more (these are different than those for IPs) and there
are no official assignments to know which one to query. I found this
unofficial assignment [3] but there are more than 100 servers in there and there
are actually many more because the whois protocol works with references. That
means that if I query whois.verisign-grs.com, which is responsible for the
".com" domains, it will most likely point me to another one.

Eventually, I came up with another way of doing this. The script starts by
querying whois.iana.org (which is the root of the whois servers). Using some
patterns the script can determine if the response represents a referral to a
record hosted elsewhere. If that's the case I will query that referral. The
script keeps repeating this until the response doesn't match any of the
patterns, meaning that there are no other referrals, and prints the output.

So, the output now looks like this: (The new part is after the "Domain record
found at ..." sentence)

    PORT   STATE SERVICE REASON
    80/tcp open  http    syn-ack

    Host script results:
    | whois3: Record found at whois.arin.net
    | netrange: 199.19.112.0 - 199.19.119.255
    | netname: WEBRULON-NETWORK
    | orgname: webRulon, LLC
    | orgid: WL-1
    | country: US stateprov: NY
    | 
    | orgtechname: webRulon Support
    | orgtechemail: support () webrulon com
    | 
    | Domain name record found at whois.enom.com
    | 
    | Registration Service Provided By: Namecheap.com
    | Contact: support () namecheap com
    | Visit: http://namecheap.com
    | Registered through: eNom, Inc.
    | 
    | Domain name: foo.com
    | 
    | Registrant Contact:
    |    Example
    |    John Foo ()
    |    
    |    Fax: 
    |    Dimosthenous 215 
    |    Athens, Attiki 17673
    |    GR
    | 
    | Administrative Contact:
    |    Example
    |    John Foo (john () gmail com)
    |    +30.69425555555
    |    Fax: +1.5555555555
    |    Dimosthenous 215
    |    Athens, Attiki 17673
    |    GR
    | 
    | Technical Contact:
    |    Example
    |    John Foo (john () gmail com)
    |    +30.69425555555
    |    Fax: +1.5555555555
    |    Dimosthenous 215
    |    Athens, Attiki 17673
    |    GR
    | 
    | Status: Active
    | 
    | Name Servers:
    |    dns1.registrar-servers.com
    |    dns2.registrar-servers.com
    |    dns3.registrar-servers.com
    |    dns4.registrar-servers.com
    |    dns5.registrar-servers.com
    |    
    | Creation date: 14 Oct 2011 13:41:00
    | Expiration date: 14 Oct 2013 05:41:00


My primary concern is why this feature didn't exist before. I checked the
nmap-dev archives to see if there is a discussion on why this wasn't done, but
couldn't find anything. Am I missing something?

Note that my patch is not ready yet, that's why I have not attached it. I just
wanted to make sure there aren't any obstacles I can't see.

[1]: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
[2]: http://seclists.org/nmap-dev/2008/q1/226
[3]: http://www.nirsoft.net/whois-servers.txt

-- 
George Chatzisofroniou

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
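
The referral-following loop described in the message, as an added Python example that is not part of the original post or of whois.nse. The referral patterns, the hostname check, the hop limit and the loop guard are assumptions of this example (a referral is data from a remote server, so it is validated before being queried); the sample responses are constructed.

```python
import re
import socket

# Referral line formats seen in common WHOIS responses (an assumption of this
# example; the patterns used by the patch are not shown in the post).
REFERRAL_PATTERNS = [
    re.compile(r"^\s*refer:[ \t]*(\S+)", re.I | re.M),                      # IANA root
    re.compile(r"^\s*(?:Registrar )?WHOIS Server:[ \t]*(\S+)", re.I | re.M),  # thin registry
    re.compile(r"^\s*ReferralServer:[ \t]*whois://([^\s:/]+)", re.I | re.M),  # ARIN
]
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def find_referral(response):
    """Return the referred server's hostname, or None if no pattern matches."""
    for pattern in REFERRAL_PATTERNS:
        m = pattern.search(response)
        if m:
            host = m.group(1).rstrip(".").lower()
            # Accept only a plain hostname; anything else is not followed.
            if HOSTNAME.match(host):
                return host
    return None

def whois_fetch(server, query, timeout=10):
    """Plain WHOIS (RFC 3912) over TCP port 43: send the query, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def follow_referrals(query, fetch=whois_fetch, start="whois.iana.org", max_hops=5):
    """Query start, then each referral in turn; return (servers_visited, last_response)."""
    server, visited, response = start, [], ""
    # Stop when no referral is found, a server repeats, or the hop limit is hit.
    while server and server not in visited and len(visited) < max_hops:
        visited.append(server)
        response = fetch(server, query)
        server = find_referral(response)
    return visited, response

# Constructed sample responses (not real server output) so the loop runs offline.
SAMPLE = {
    "whois.iana.org": "domain: COM\nrefer: whois.verisign-grs.com\n",
    "whois.verisign-grs.com": "Domain Name: FOO.COM\nWhois Server: whois.enom.com\n",
    "whois.enom.com": "Domain name: foo.com\nStatus: Active\n",
}

if __name__ == "__main__":
    print(follow_referrals("foo.com", fetch=lambda srv, q: SAMPLE[srv]))
```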
