Chapter 14: Network Reconnaissance Tools

Implementation

The whois command itself is simple. The command takes the hostname of a whois server on the command line using a h flag. The rest of the command indicates the query we wish to send. The fwhois command (found on Linux systems) has the query specified first, with the optional @whois_server specified at the end.

This command,

 bash% whois -h whois.alldomains.com yahoo.com 

is the same as

 bash% fwhois yahoo.com@whois.alldomains.com 

The default whois server is usually http://whois.internic.net or http://www.whois.crsnic.net. We can run a whois without specifying a whois server to get basic information about the domain:

 [Paris:~] mike% whois yahoo.com Whois Server Version 1.3 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic  .net for detailed information. YAHOO.COM.ZZZZ.DNSW.COM YAHOO.COM.WANADOODOO.COM YAHOO.COM.TWIXTEARS.COM YAHOO.COM.TW YAHOO.COM.TACTICALBATON.COM YAHOO.COM.SG YAHOO.COM.PURRFURRED.COM YAHOO.COM.OPTIONSCORNER.COM YAHOO.COM.IS.N0T.AS.1337.AS.SEARCH.GULLI.COM YAHOO.COM.DALLARIVA.COM YAHOO.COM.BR YAHOO.COM.BERKELEYNATURALBEAUTIES.COM YAHOO.COM.AU YAHOO.COM To single out one record, look it up with "xxx", where xxx is one  of the records displayed above. If the records are the same,  look them up with "=xxx" to receive a full display for each record. >>> Last update of whois database: Fri, 23 Sep 2005 14:02:50 EDT <<< 

In this example, we've discovered several matches for "http://www.yahoo.com." To obtain further information, we need to put an equal sign in front of our target.

 [Paris:~] mike% whois =yahoo.com Whois Server Version 1.3 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic .net for detailed information. Domain Name: YAHOO.COM    Registrar: EMARKMONITOR INC. DBA MARKMONITOR    Whois Server: whois.markmonitor.com    Referral URL: http://www.markmonitor.com    Name Server: NS1.YAHOO.COM    Name Server: NS5.YAHOO.COM    Name Server: NS2.YAHOO.COM    Name Server: NS3.YAHOO.COM    Name Server: NS4.YAHOO.COM    Status: REGISTRAR-LOCK    Updated Date: 22-jul-2005    Creation Date: 18-jan-1995    Expiration Date: 19-jan-2012 

This tells us the name servers authoritative for the domain and when the record was last updated, but it doesn't give us information such as location or contacts. Thankfully, there's a referral to another whois server that should have this information. So if we try whois h http://whois.markmonitor.com http://www.yahoo.com, we should receive the same information we received here, as well as contact and location information.

 Registrant:         Yahoo! Inc.         (DOM-272993)         701 First Avenue Sunnyvale         CA         94089 US     Domain Name: yahoo.com         Registrar Name: Markmonitor.com         Registrar Whois: whois.markmonitor.com         Registrar Homepage: http://www.markmonitor.com     Administrative Contact:         Domain Administrator         (NIC-1382062)         Yahoo! Inc.         701 First Avenue Sunnyvale         CA         94089 US         domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301     Technical Contact, Zone Contact:         Domain Administrator         (NIC-1372925)         Yahoo! Inc.         701 First Avenue Sunnyvale         CA         94089 US         domainadmin@yahoo-inc.com +1.4083493300 Fax- +1.4083493301     Created on.............. : 1995-Jan-18.     Expires on.............. : 2012-Jan-19.     Record last updated on..: 2005-Aug-11 15:05:12.     Domain servers in listed order:     NS4.YAHOO.COM     NS5.YAHOO.COM     NS1.YAHOO.COM     NS2.YAHOO.COM     NS3.YAHOO.COM 

There's a lot of information here! And we have e-mail addresses for both the technical and administrative contacts. Notice, however, that Yahoo! has been clever and has not put any real people's names in its list of contacts. This makes it more difficult for hackers to use social engineering tactics against them. If a hacker knows the name and address of an organization's administrator, he might be able to use that information to coax other members of the organization into revealing information they normally wouldn't, either by masquerading as the administrator or claiming that he's working for the administrator.

Is it a good idea to have all this information publicly available? Well, much of it is necessary to keep the Internet running. From one perspective, this information enables an administrator to contact someone at an organization or network from which some port scan or attack has originated. But what if we don't have a hostname in our logs? We're more likely to only have an IP address in the logfile. Thankfully, there's a whois server that handles IP-based queries.

If we're interested in a particular IP address, then we query the whois.arin.net server. This server maps IP addresses to network blocks.

 [Paris:~] mike% whois -h whois.arin.net 66.94.234.13 OrgName:    Yahoo! OrgID:      YAOO Address:    701 First Ave City:       Sunnyvale StateProv:  CA PostalCode: 94089 Country:    US NetRange:   66.94.224.0 - 66.94.255.255 CIDR:       66.94.224.0/19 NetName:    YAHOO-3 NetHandle:  NET-66-94-224-0-1 Parent:     NET-66-0-0-0-0 NetType:    Direct Allocation NameServer: NS1.YAHOO.COM NameServer: NS2.YAHOO.COM Comment: RegDate:     2003-07-17 Updated:     2005-05-20 OrgAbuseHandle: NETWO857-ARIN OrgAbuseName:   Network Abuse OrgAbusePhone:  +1-408-349-3300 OrgAbuseEmail:  network-abuse@cc.yahoo-inc.com OrgTechHandle: NA258-ARIN OrgTechName:   Netblock Admin OrgTechPhone:  +1-408-349-3300 OrgTechEmail:  netblockadmin@yahoo-inc.com 

We can also look up network block handles to track down ownership. In the previous example, Yahoo! is listed as the owner for the 22.94.224.0/19 range. This corresponds to the NET-66-94-224-0-1 network block. We could also check out the Parent block: NET-66-0-0-0-0.

 [Paris:~] mike% whois -h whois.arin.net NET-66-0-0-0-0 OrgName:    American Registry for Internet Numbers OrgID:      ARIN Address:    3635 Concorde Parkway, Suite 200 City:       Chantilly StateProv:  VA PostalCode: 20151 Country:    US NetRange:   66.0.0.0 - 66.255.255.255 CIDR:       66.0.0.0/8 NetName:    NET66 NetHandle:  NET-66-0-0-0-0 Parent: NetType:    Allocated to ARIN NameServer: chia.arin.net NameServer: dill.arin.net NameServer: epazote.arin.net NameServer: figwort.arin.net NameServer: BASIL.ARIN.NET NameServer: henna.arin.net NameServer: indigo.arin.net Comment: RegDate:     2000-07-01 Updated:     2004-07-22 OrgNOCHandle: ARINN-ARIN OrgNOCName:   ARIN NOC OrgNOCPhone:  +1-703-227-9840 OrgNOCEmail:  noc@arin.net OrgTechHandle: ARIN-HOSTMASTER OrgTechName:   Registration Services Department OrgTechPhone:  +1-703-227-0660 OrgTechEmail:  hostmaster@arin.net 

Following is a list of popular whois servers and their purposes. Chances are that if these servers don't know about your domain name or IP, one of them will be able to tell you who does.

More recent versions of whois are much more sophisticated than older versions. For one, whois will now try to identify the proper whois server depending on the target you provide. It does this by using the special whois-servers.net domain. The DNS entries for this domain are actually pointers to whois servers. For example, com.whois-servers.net points to whois.crsnic.net, and org.whois-servers.net points to whois.publicinterestregistry.net. Each top-level domain (.com, .org, .net, and so on) has an alias that points to the proper authoritative whois server. This keeps users from having to remember all of the specific whois server information we just discussed! Additionally, whois will scan the output it receives from the default whois server looking for a referral (such as whois.alldomains.com in our yahoo.com example) and automatically perform the same whois query with the referral server. Whois on FreeBSD even has command-line arguments to save typing (such as using a as a shortcut for h whois.arin.net ).