Network Information Centers (NICs) store useful information in WHOIS databases, primarily as network, route, or person objects. WHOIS database objects define which areas of Internet space are registered to which organizations, together with other information such as routing details and contact details for use in the case of abuse. There are three primary regions under which all public Internet-based network blocks and IP address spaces fall. The following international registrars around the world can be queried to retrieve useful information (including names of technical IT staff, details of IP network blocks, and physical office locations):
Each respective regional registrar's WHOIS database contains information relevant to that particular region. For example, the RIPE WHOIS database doesn't contain information about network space and other objects that are found in the Americas.

3.2.1 NIC Querying Tools and Examples

Tools that are used to query NIC WHOIS databases include:

3.2.1.1 Using the Sam Spade Windows client

The Sam Spade client is a powerful and easy-to-use Windows tool that can perform many public-record query functions, as shown in Figure 3-4.

Figure 3-4. The Sam Spade Windows client

In this case, I used it to submit a WHOIS query of 144.51.92.35, which reveals that the IP address is part of an IP network block called NCSC (144.51.0.0 to 144.51.255.255), belonging to the NCSC. Information also provided includes contact details and DNS name server information.

3.2.1.2 Using the Unix whois utility

The Unix whois command-line utility can perform WHOIS queries against specific servers. In Example 3-1, I submit a query of cs-security-mnt. The client is intelligent in the way that it attempts to collect this information from all three of the Network Information Centers (ARIN, RIPE, and APNIC), so I don't need to specify within which database to look for the string.

Example 3-1. Enumerating the cs-security-mnt object from RIPE

# whois cs-security-mnt
% This is the RIPE Whois server.
% The objects are in RPSL format.
% Please visit http://www.ripe.net/rpsl for more information.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

mntner:      CS-SECURITY-MNT
descr:       Charles Stanley & Co Ltd maintainer
admin-c:     SN1329-RIPE
tech-c:      SN1329-RIPE
upd-to:      sukan.nair@charles-stanley.co.uk
mnt-nfy:     sukan.nair@charles-stanley.co.u
auth:        MAIL-FROM sukan.nair@charles-stanley.co.uk
auth:        MAIL-FROM .*@uk.easynet.net
mnt-by:      CS-SECURITY-MNT
referral-by: RIPE-DBM-MNT
changed:     phil.duffen@uk.easynet.net 20020111
source:      RIPE

person:      Sukan Nair
address:     Charles-Stanley
address:     25 Luke Street
address:     London EC2A 4AR
address:     UK
phone:       +44 20 8491 5889
e-mail:      sukan.nair@charles-stanley.co.uk
nic-hdl:     SN1329-RIPE
notify:      ripe@ftech.net
mnt-by:      AS5611-MNT
changed:     ripe@ftech.net 19991021
source:      RIPE

Maintenance objects are used for administrative purposes within the RIPE and APNIC databases. For further information relating to NIC security, please see a white paper I wrote in June 2002, available from the Matta web site at http://www.trustmatta.com/downloads/Matta_NIC_Security.pdf.

3.2.1.3 Directly querying ARIN

Web interfaces at ARIN, APNIC, and RIPE can enumerate useful information. In Figure 3-5, I use the WHOIS web interface at ARIN to launch a query of microsoft.

Figure 3-5. Using ARIN to list Microsoft entries

WHOIS requests can take many forms, from specific object queries (of which the interesting types of objects are networks, people, and routes), to vague searches of organization names or IP addresses.

3.2.1.4 Harvesting user details through WHOIS

User details relating to a specific domain can easily be harvested from the Unix command line with the whois utility. Example 3-2 shows a query launched against citicorp.com through ARIN, revealing usernames, email addresses, and telephone numbers.

Example 3-2. Enumerating Citicorp staff through ARIN

# whois "@citicorp.com"@whois.arin.net
[whois.arin.net]
Bleak, Glen (GB375-ARIN)       glen.bleak@citicorp.com      +1-725-768-3812
Ching, David (DCH37-ARIN)      David.ching@citicorp.com     +1-302-126-2879
Ciati, John (JC2107-ARIN)      john.ciati@citicorp.com      +1-725-768-6570
Isle, Toby (TI21-ARIN)         toby.isle@citicorp.com       +1-302-154-7642
Lamb, Rudolph (RL3908-ARIN)    rudy.lamb@citicorp.com       +1-725-218-1565
Nixon, Tom (TN69-ARIN)         Tom.Nixon@citicorp.com       +1-725-768-1154
Sabol, Gary (GS364-ARIN)       gary.sabol@citicorp.com      +1-302-132-7168
Sadler, Katie (KS330-ARIN)     katie.sadler@citicorp.com    +1-354-132-5481
Strafe, Walter (WS86-ARIN)     walter.strafe@citicorp.com   +1-542-120-5464
Wood, Mark (MW340-ARIN)        mark.wood@citicorp.com       +1-743-120-4052
Yarr, Diane (DY613-ARIN)       diane.yarr@citicorp.com      +1-542-249-1553

After gathering details of Internet network blocks, usernames, and email addresses, you can probe further to identify potential weaknesses that can be leveraged. After querying public records, such as web search engines and WHOIS databases, DNS querying can find network-specific information that may be useful.
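As an added illustration (not code from the book or from any of the registrars), the following Python script does what the Unix whois utility in Example 3-1 does under the hood, a plain-text query over TCP port 43, and then parses the RPSL reply into objects so that an organisation can audit what its own maintainer object publishes (contact handles, notification addresses, and the auth schemes in use). The embedded reply is a constructed, trimmed copy of the Example 3-1 output, and the function names are my own; whois_query is only needed when you run it against a live server.

```python
import socket

# Constructed sample: the Example 3-1 mntner/person objects, trimmed, laid out
# as the RIPE server returns them (lines starting with '%' are server comments).
SAMPLE = """\
% This is the RIPE Whois server.

mntner:      CS-SECURITY-MNT
admin-c:     SN1329-RIPE
tech-c:      SN1329-RIPE
upd-to:      sukan.nair@charles-stanley.co.uk
auth:        MAIL-FROM sukan.nair@charles-stanley.co.uk
auth:        MAIL-FROM .*@uk.easynet.net
source:      RIPE

person:      Sukan Nair
address:     25 Luke Street
address:     London EC2A 4AR
nic-hdl:     SN1329-RIPE
"""

def whois_query(query, server, port=43):
    # One query over TCP port 43 (RFC 3912); the server closes when it is done.
    with socket.create_connection((server, port), timeout=10) as sock:
        sock.sendall(query.encode("ascii", "ignore") + b"\r\n")
        reply = b"".join(iter(lambda: sock.recv(4096), b""))
    return reply.decode("utf-8", "replace")

def parse_rpsl(text):
    # Objects are blank-line separated; repeated attributes ('address:',
    # 'auth:') are kept in order as lists. Lines starting with '%' are skipped.
    objects, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last object
        if not line.strip():
            if current:
                objects.append(current)
            current = {}
        elif not line.startswith("%"):
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), []).append(value.strip())
    return objects

def maintainer_exposure(objects):
    # Per mntner object: contact handles, notification addresses and auth
    # schemes, i.e. the detail that Example 3-1 enumerates for CS-SECURITY-MNT.
    report = {}
    for obj in (o for o in objects if "mntner" in o):
        report[obj["mntner"][0]] = {
            "contacts": sorted(set(obj.get("admin-c", []) + obj.get("tech-c", []))),
            "emails": obj.get("upd-to", []) + obj.get("mnt-nfy", []),
            "auth": [a.split()[0] for a in obj.get("auth", [])],
        }
    return report
```

Running maintainer_exposure(parse_rpsl(SAMPLE)) reports the single contact handle SN1329-RIPE, one update address, and two MAIL-FROM auth entries for CS-SECURITY-MNT; the same call on whois_query("cs-security-mnt", "whois.ripe.net") would summarise the live object.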