Nmap Development mailing list archives
Expansion on whois.nse
From: George Chatzisofroniou <sophron () latthi com>
Date: Mon, 8 Jul 2013 23:37:37 +0300
Hi there,

The last days I was investigating the whois protocol. Our whois.nse script performs an IP address query to the right whois server. This is pretty complicated, that's why the script contains more than 2k lines. One of the *hard* parts is to find out which whois server to query. The script holds the information of the 5 biggest whois servers that hold information about all the IP addresses allocated in the Internet and, based on IANA assignments [1], the script knows which one of them to query. For more information, check out the relevant thread [2].

But the whois protocol supports both IP address and domain name queries. For example, on Linux if you type "whois snf-59115.vm.okeanos.grnet.gr" it will bring different results than "whois 83.212.115.76" even though they point to the same machine.

So, what I wanted to do is make the script perform a domain name query as well. This is harder because the whois servers that hold information about domain names are many more (these are different than those for IPs) and there are no official assignments to know which one to query. I found out this unofficial assignment [3] but there are more than 100 servers in there, and there are actually many more because the whois protocol works with references. That means that if I query whois.verisign-grs.com, which is responsible for the ".com" domains, it will most likely point me to another one.

Eventually, I came up with another way of doing this. The script starts by querying whois.iana.org (which is the root of the whois servers). Using some patterns the script can determine if the response represents a referral to a record hosted elsewhere. If that's the case I will query that referral. The script keeps repeating this until the response doesn't match any of the patterns, meaning that there are no other referrals, and prints the output.

So, the output now looks like this (the new part is after the "Domain name record found at ..." sentence):

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack

Host script results:
| whois3: Record found at whois.arin.net
| netrange: 199.19.112.0 - 199.19.119.255
| netname: WEBRULON-NETWORK
| orgname: webRulon, LLC
| orgid: WL-1
| country: US stateprov: NY
|
| orgtechname: webRulon Support
| orgtechemail: support () webrulon com
|
| Domain name record found at whois.enom.com
|
| Registration Service Provided By: Namecheap.com
| Contact: support () namecheap com
| Visit: http://namecheap.com
| Registered through: eNom, Inc.
|
| Domain name: foo.com
|
| Registrant Contact:
| Example
| John Foo ()
|
| Fax:
| Dimosthenous 215
| Athens, Attiki 17673
| GR
|
| Administrative Contact:
| Example
| John Foo (john () gmail com)
| +30.69425555555
| Fax: +1.5555555555
| Dimosthenous 215
| Athens, Attiki 17673
| GR
|
| Technical Contact:
| Example
| John Foo (john () gmail com)
| +30.69425555555
| Fax: +1.5555555555
| Dimosthenous 215
| Athens, Attiki 17673
| GR
|
| Status: Active
|
| Name Servers:
| dns1.registrar-servers.com
| dns2.registrar-servers.com
| dns3.registrar-servers.com
| dns4.registrar-servers.com
| dns5.registrar-servers.com
|
| Creation date: 14 Oct 2011 13:41:00
| Expiration date: 14 Oct 2013 05:41:00

My primary concern is why this feature didn't exist before. I checked the nmap-dev archives to see if there is a discussion on why this wasn't done, but couldn't find anything. Am I missing something?

Note that my patch is not ready yet, that's why I have not attached it. I just wanted to make sure there aren't any obstacles I can't see.

[1]: https://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
[2]: http://seclists.org/nmap-dev/2008/q1/226
[3]: http://www.nirsoft.net/whois-servers.txt

--
George Chatzisofroniou
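The referral-following loop the post describes, as an added example that is neither the author's patch nor Nmap's whois.nse: the referral patterns, the start server and the constructed server responses are assumptions, and the network query is injected as a function so the control flow runs offline. It also adds the hop limit and loop detection a practitioner wants before acting on referrals returned by servers the script does not control.

```python
import re

# Assumed referral patterns (constructed for this example): lines a whois
# server typically uses to point at the registry or registrar holding the record.
REFERRAL_PATTERNS = [
    re.compile(r"^\s*refer:\s*(\S+)", re.I | re.M),                      # IANA root
    re.compile(r"^\s*whois:\s*(\S+)", re.I | re.M),                      # IANA TLD record
    re.compile(r"^\s*(?:Registrar )?Whois Server:\s*(\S+)", re.I | re.M),  # registry -> registrar
    re.compile(r"^\s*ReferralServer:\s*(?:r?whois://)?([^\s:/]+)", re.I | re.M),
]

def extract_referral(response):
    """Return the server a whois response refers to, or None if it holds the record."""
    for pat in REFERRAL_PATTERNS:
        m = pat.search(response)
        if m:
            return m.group(1).lower().rstrip(".")
    return None

def follow_referrals(name, query, start="whois.iana.org", max_hops=5):
    """Start at the root and follow referrals until a response contains none.
    Returns (server_holding_record, response, servers_visited).
    query(server, name) performs one whois exchange; it is injected for testing.
    Raises on a referral loop or when max_hops is exceeded."""
    server, visited = start, []
    while server not in visited and len(visited) < max_hops:
        visited.append(server)
        response = query(server, name)
        nxt = extract_referral(response)
        if nxt is None or nxt == server:          # no further referral: record found here
            return server, response, visited
        server = nxt
    raise RuntimeError("referral loop or hop limit reached: " + " -> ".join(visited))

# Constructed responses standing in for real servers (offline demonstration only).
FAKE_SERVERS = {
    "whois.iana.org": "domain: COM\nwhois: whois.verisign-grs.com\nstatus: ACTIVE\n",
    "whois.verisign-grs.com": "Domain Name: FOO.COM\nRegistrar WHOIS Server: whois.enom.com\n",
    "whois.enom.com": "Domain name: foo.com\nStatus: Active\nCreation date: 14 Oct 2011 13:41:00\n",
}

def fake_query(server, name):
    return FAKE_SERVERS.get(server, "No match for %s\n" % name)

if __name__ == "__main__":
    holder, record, path = follow_referrals("foo.com", fake_query)
    print("Domain name record found at %s (via %s)" % (holder, " -> ".join(path)))
    print(record)
```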