Sunday, April 28, 2019

Finding WHOIS Information with Examples

The place to start is iana.org. IANA is the authoritative registry for all of the top-level domains on the Internet. The idea is to walk down the registration hierarchy until you reach the level that actually holds the registrant information you are looking for. The process goes from the registry (IANA, then the TLD registry) to the registrar, and finally to the registrant data you seek.

Querying IANA.org

To start off we will use the 'whois' utility included in most distributions. The '-h' option specifies which WHOIS server the query is sent to; run without it, most whois clients pick the server and follow referrals on their own, so naming it by hand is what lets us see each hop. In our example we will use yahoo.com to find the registrant information we are looking for.

First we look up the 'com' TLD itself to see which registry operates it.

root@asus:~/unix% whois com -h whois.iana.org
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

domain:       COM

organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States

contact:      administrative
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 948 3978
e-mail:       info@verisign-grs.com

contact:      technical
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 948 3978
e-mail:       info@verisign-grs.com

nserver:      A.GTLD-SERVERS.NET 192.5.6.30 2001:503:a83e:0:0:0:2:30
nserver:      B.GTLD-SERVERS.NET 192.33.14.30 2001:503:231d:0:0:0:2:30
nserver:      C.GTLD-SERVERS.NET 192.26.92.30 2001:503:83eb:0:0:0:0:30
nserver:      D.GTLD-SERVERS.NET 192.31.80.30 2001:500:856e:0:0:0:0:30
nserver:      E.GTLD-SERVERS.NET 192.12.94.30 2001:502:1ca1:0:0:0:0:30
nserver:      F.GTLD-SERVERS.NET 192.35.51.30 2001:503:d414:0:0:0:0:30
nserver:      G.GTLD-SERVERS.NET 192.42.93.30 2001:503:eea3:0:0:0:0:30
nserver:      H.GTLD-SERVERS.NET 192.54.112.30 2001:502:8cc:0:0:0:0:30
nserver:      I.GTLD-SERVERS.NET 192.43.172.30 2001:503:39c1:0:0:0:0:30
nserver:      J.GTLD-SERVERS.NET 192.48.79.30 2001:502:7094:0:0:0:0:30
nserver:      K.GTLD-SERVERS.NET 192.52.178.30 2001:503:d2d:0:0:0:0:30
nserver:      L.GTLD-SERVERS.NET 192.41.162.30 2001:500:d937:0:0:0:0:30
nserver:      M.GTLD-SERVERS.NET 192.55.83.30 2001:501:b1f9:0:0:0:0:30
ds-rdata:     30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766

whois:        whois.verisign-grs.com

status:       ACTIVE
remarks:      Registration information: http://www.verisigninc.com

created:      1985-01-01
changed:      2017-10-05
source:       IANA

root@asus:~/unix% 

If we look at the output of the command we see a field called 'whois'. This is the server we need to query next. The host 'whois.verisign-grs.com' is the registry WHOIS server for '.com'. Because .com is a "thin" registry, it holds the status, name servers and sponsoring registrar for every '.com' domain, but not the registrant contacts themselves, so one more hop will be needed.

root@asus:~/unix% whois yahoo.com -h whois.verisign-grs.com
   Domain Name: YAHOO.COM
   Registry Domain ID: 3643624_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.markmonitor.com
   Registrar URL: http://www.markmonitor.com
   Updated Date: 2018-02-02T01:07:18Z
   Creation Date: 1995-01-18T05:00:00Z
   Registry Expiry Date: 2023-01-19T05:00:00Z
   Registrar: MarkMonitor Inc.
   Registrar IANA ID: 292
   Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
   Registrar Abuse Contact Phone: +1.2083895740
   Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS1.YAHOO.COM
   Name Server: NS2.YAHOO.COM
   Name Server: NS3.YAHOO.COM
   Name Server: NS4.YAHOO.COM
   Name Server: NS5.YAHOO.COM
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2019-04-29T01:33:02Z <<<

For more information on Whois status codes, please visit https://icann.org/epp
root@asus:~/unix% 

In this output we see a field called 'Registrar WHOIS Server'. This is the sponsoring registrar's own WHOIS server, and querying it for the same domain should give us the registrant information we are after. Keep in mind that since 2018 many registrars redact or proxy these contact fields, so the level of detail shown below is not guaranteed for every domain.

root@asus:~/unix% whois yahoo.com -h whois.markmonitor.com
Domain Name: yahoo.com
Registry Domain ID: 3643624_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2018-10-23T11:09:46-0700
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID: 
Registrant Name: Domain Admin
Registrant Organization: Oath Inc.
Registrant Street: 22000 AOL Way
Registrant City: Dulles
Registrant State/Province: VA
Registrant Postal Code: 20166
Registrant Country: US
Registrant Phone: +1.4083493300
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: domain-admin@oath.com
Registry Admin ID: 
Admin Name: Domain Admin
Admin Organization: Oath Inc.
Admin Street: 22000 AOL Way
Admin City: Dulles
Admin State/Province: VA
Admin Postal Code: 20166
Admin Country: US
Admin Phone: +1.4083493300
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: domain-admin@oath.com
Registry Tech ID: 
Tech Name: Domain Admin
Tech Organization: Oath Inc.
Tech Street: 22000 AOL Way
Tech City: Dulles
Tech State/Province: VA
Tech Postal Code: 20166
Tech Country: US
Tech Phone: +1.4083493300
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: domain-admin@oath.com
Name Server: ns3.yahoo.com
Name Server: ns5.yahoo.com
Name Server: ns4.yahoo.com
Name Server: ns1.yahoo.com
Name Server: ns2.yahoo.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2019-04-28T18:34:44-0700 <<<

For more information on WHOIS status codes, please visit:
  https://www.icann.org/resources/pages/epp-status-codes

MarkMonitor.com reserves the right to modify these terms at any time.

By submitting this query, you agree to abide by this policy.

MarkMonitor is the Global Leader in Online Brand Protection.

MarkMonitor Domain Management(TM)
MarkMonitor Brand Protection(TM)
MarkMonitor AntiCounterfeiting(TM)
MarkMonitor AntiPiracy(TM)
MarkMonitor AntiFraud(TM)
Professional and Managed Services

Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
----
root@asus:~/unix% 
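To automate the three hops walked by hand above, here is an added Python example; it is not code from this post or from the whois(1) utility. It performs the raw RFC 3912 exchange itself on TCP/43, parses the 'whois:' and 'Registrar WHOIS Server:' referral fields, and validates each referred hostname before connecting to it, since the referral arrives in an unauthenticated cleartext reply. The SAMPLE_REPLIES fixtures are constructed, abridged versions of the transcripts above so the walk can be exercised offline; all function and field names are this example's own.

```python
"""Walk the WHOIS referral chain IANA -> TLD registry -> registrar, as done by hand above."""
import re
import socket
from typing import Callable, Dict, List, Optional

WHOIS_PORT = 43
# A referral is a hostname learned from an untrusted cleartext reply: validate before connecting.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """One raw WHOIS exchange (RFC 3912): send the query plus CRLF on TCP/43, read to EOF."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def _field_re(name: str):
    # 'key: value' lines, optionally indented (the registry indents by three spaces), key matched
    # case-insensitively. Only spaces/tabs may follow ':' so a blank field cannot swallow the next line.
    return re.compile(r"^[ \t]*" + re.escape(name) + r":[ \t]*(\S.*?)[ \t]*$", re.I | re.M)


def parse_field(text: str, name: str) -> Optional[str]:
    """First value of `name`, or None when the field is absent or left blank."""
    m = _field_re(name).search(text)
    return m.group(1) if m else None


def parse_fields(text: str, name: str) -> List[str]:
    """Every value of a repeated field such as 'Name Server' or 'Domain Status'."""
    return _field_re(name).findall(text)


def tld_of(domain: str) -> str:
    """'yahoo.com' -> 'com'; a trailing dot is tolerated."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def safe_host(host: str) -> str:
    if not _HOST_RE.match(host):
        raise ValueError(f"refusing suspicious WHOIS referral {host!r}")
    return host


def follow_whois_chain(domain: str, query: Callable[[str, str], str] = whois_query) -> Dict[str, object]:
    """The post's three manual steps, automated. `query(server, text)` is injectable so the walk
    can be run against captured replies; returns every hop (server, raw reply) plus key fields."""
    hops = []
    tld = tld_of(domain)

    iana_reply = query("whois.iana.org", tld)
    hops.append(("whois.iana.org", iana_reply))
    registry = parse_field(iana_reply, "whois")  # e.g. whois.verisign-grs.com for 'com'
    if registry is None:
        raise ValueError(f"IANA gave no 'whois:' referral for TLD {tld!r}")

    registry_reply = query(safe_host(registry), domain)
    hops.append((registry, registry_reply))
    registrar = parse_field(registry_reply, "Registrar WHOIS Server")

    final_reply = registry_reply
    if registrar and registrar.lower() != registry.lower():
        # A "thin" registry such as .com only refers us on; a "thick" one (many ccTLDs)
        # carries the contacts itself and gives no registrar referral to follow.
        final_reply = query(safe_host(registrar), domain)
        hops.append((registrar, final_reply))

    return {
        "registry_whois": registry,
        "registrar_whois": registrar,
        "hops": hops,
        "registrant_org": parse_field(final_reply, "Registrant Organization"),
        "registrant_email": parse_field(final_reply, "Registrant Email"),
        "name_servers": sorted(ns.lower() for ns in parse_fields(final_reply, "Name Server")),
        "statuses": parse_fields(final_reply, "Domain Status"),
    }


# Constructed, abridged replies modelled on the transcripts above, so the walk can be
# demonstrated (and tested) with no network access.
SAMPLE_REPLIES = {
    ("whois.iana.org", "com"):
        "% IANA WHOIS server\n\ndomain:       COM\n\nwhois:        whois.verisign-grs.com\n",
    ("whois.verisign-grs.com", "yahoo.com"):
        "   Domain Name: YAHOO.COM\n   Registrar WHOIS Server: whois.markmonitor.com\n"
        "   Name Server: NS1.YAHOO.COM\n   Name Server: NS2.YAHOO.COM\n",
    ("whois.markmonitor.com", "yahoo.com"):
        "Domain Name: yahoo.com\nRegistrar WHOIS Server: whois.markmonitor.com\n"
        "Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)\n"
        "Registry Registrant ID: \nRegistrant Name: Domain Admin\n"
        "Registrant Organization: Oath Inc.\nRegistrant Email: domain-admin@oath.com\n"
        "Name Server: ns3.yahoo.com\nName Server: ns1.yahoo.com\nName Server: ns2.yahoo.com\n",
}


def offline_lookup(server: str, query: str) -> str:
    return SAMPLE_REPLIES[(server.lower(), query.lower())]


def demo_offline() -> Dict[str, object]:
    return follow_whois_chain("yahoo.com", query=offline_lookup)
```

Call follow_whois_chain("yahoo.com") for a live walk and demo_offline() to replay the captured replies. Three practical caveats: registries and registrars rate-limit port 43 aggressively, so do not loop this over a large list without pacing; WHOIS replies have no standard format, so the parser is keyed to the field names seen in the transcripts above and will return None for servers that label things differently; and where a registrar redacts contacts, the registrant fields will simply come back empty. RDAP (JSON over HTTPS) is the structured successor to WHOIS and is the better choice where a registry offers it.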
