hacktricks/network-services-pentesting/43-pentesting-whois.md



<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>


# Basic Information

**WHOIS** (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. (From [here](https://en.wikipedia.org/wiki/WHOIS))

**Default port:** 43

```
PORT   STATE  SERVICE
43/tcp open   whois?
```

# Enumerate

Get all the information that a whois service has about a domain:

```bash
whois -h <HOST> -p <PORT> "domain.tld"
echo "domain.ltd" | nc -vn <HOST> <PORT>
```

Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response:

![](<../.gitbook/assets/image (147).png>)

Also, the WHOIS service always needs to use a **database** to store and extract the information. So, a possible **SQLInjection** could be present when **querying** the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` you could be able to **extract all** the **information** saved in the database.

# Shodan

* `port:43 whois`

# HackTricks Automatic Commands

```
Protocol_Name: WHOIS    #Protocol Abbreviation if there is one.
Port_Number:  43     #Comma separated if there is more than one.
Protocol_Description: WHOIS         #Protocol Abbreviation Spelled out

Entry_1:
  Name: Notes
  Description: Notes for WHOIS
  Note: |
    WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information.

    https://book.hacktricks.xyz/pentesting/pentesting-smtp

Entry_2:
  Name: Banner Grab
  Description: Grab WHOIS Banner
  Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43
```


<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-12 07:54:15 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-12 07:54:15 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-12 07:54:15 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`


fix mess 2 2022-05-01 12:49:36 +00:00			`# Basic Information`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. (From [here](https://en.wikipedia.org/wiki/WHOIS))`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Default port: 43`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`PORT STATE SERVICE`
			`43/tcp open whois?`
			```

fix mess 2 2022-05-01 12:49:36 +00:00			`# Enumerate`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			`Get all the information that a whois service has about a domain:`

			```bash
			`whois -h <HOST> -p <PORT> "domain.tld"`
			`echo "domain.ltd" \| nc -vn <HOST> <PORT>`
			```

			`Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response:`

GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			`![](<../.gitbook/assets/image (147).png>)`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			Also, the WHOIS service always needs to use a database to store and extract the information. So, a possible SQLInjection could be present when querying the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` you could be able to extract all the information saved in the database.

fix mess 2 2022-05-01 12:49:36 +00:00			`# Shodan`
GitBook: [master] one page modified 2020-09-24 19:59:49 +00:00
			* `port:43 whois`

fix mess 2 2022-05-01 12:49:36 +00:00			`# HackTricks Automatic Commands`
HAC 43 2021-08-12 12:49:03 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
HAC 43 2021-08-12 12:49:03 +00:00			`Protocol_Name: WHOIS #Protocol Abbreviation if there is one.`
			`Port_Number: 43 #Comma separated if there is more than one.`
			`Protocol_Description: WHOIS #Protocol Abbreviation Spelled out`

43 Yaml 2021-08-15 17:57:28 +00:00			`Entry_1:`
			`Name: Notes`
			`Description: Notes for WHOIS`
			`Note: \|`
			`WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information.`

			`https://book.hacktricks.xyz/pentesting/pentesting-smtp`

			`Entry_2:`
			`Name: Banner Grab`
			`Description: Grab WHOIS Banner`
			`Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} \| nc -vn {IP} 43`
HAC 43 2021-08-12 12:49:03 +00:00			```
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

			`<details>`

arte 2024-01-12 07:54:15 +00:00			`<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-12 07:54:15 +00:00			`Other ways to support HackTricks:`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
arte 2024-01-12 07:54:15 +00:00			`* If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the [SUBSCRIPTION PLANS](https://github.com/sponsors/carlospolop)!`
			`* Get the [official PEASS & HackTricks swag](https://peass.creator-spring.com)`
			`* Discover [The PEASS Family](https://opensea.io/collection/the-peass-family), our collection of exclusive [NFTs](https://opensea.io/collection/the-peass-family)`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow me on Twitter 🐦 [@carlospolopm](https://twitter.com/carlospolopm).`
			`* Share your hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`