This excerpt is taken from Chapter 7, Section 7.3 "WHOIS Lookup" of the book Nmap渗透测试指南 (Nmap Penetration Testing Guide) by 商广明, published by 异步社区 (Async Community); further chapters are available through the Yunqi Community "异步社区" public account.
7.3 WHOIS Lookup
Table 7.3 lists the Nmap commands needed for this chapter; the bolded command in the table is the one this section uses, the WHOIS lookup.
WHOIS (pronounced "who is"; it is not an acronym) is a query/response protocol used to look up the IP address, owner and other registration details of an Internet domain name. Early WHOIS lookups were mostly made from a command-line interface, but simplified web-based lookup tools have since appeared, some of which can query several databases at once. The web-based tools still rely on the WHOIS protocol to send their queries to the server, and command-line tools remain in wide use among system administrators.
WHOIS normally uses TCP port 43. The WHOIS information for each domain name or IP address is held by the corresponding administrative body: for example, WHOIS data for domains ending in .com is managed by the .com registry operator VeriSign, and China's country-code top-level domain .cn is managed by CNNIC.
In most cases the information for a domain or IP address can be queried freely by the public: connect to the WHOIS server provided by the administrative body and submit the domain name to be looked up.
Procedure
Run the command "nmap --script whois target" to look up the WHOIS information of the target domain.
root@Wing:~# nmap --script whois www.0day.co
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:10 CST
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.0063s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 210.209.122.0 - 210.209.122.255
| netname: NWTCRS-HK
| descr: NWT CRS Dynamic Pool
| country: HK
| person: Ivan Wong
|_email: ivanwong@newworldtel.com
Nmap done: 1 IP address (1 host up) scanned in 69.23 seconds
root@Wing:~#
Analysis
From the returned data we can determine the target domain's IP address and its open ports, and we have also collected the domain provider's address, the address the domain resolves to, and an e-mail address. When running a whois lookup, remember that "whois" is written entirely in lower case. The results are for reference only: most websites now have WHOIS privacy protection enabled, which hides the domain owner's name, telephone number and similar details. In that case we can look up the domain's historical WHOIS records, which may predate the privacy protection. We can also enable several other WHOIS lookup scripts.
root@Wing:~# nmap --script whois --script-args whois.whodb=nofollow www.0day.co
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:34 CST
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Host script results:
|_whois: ERROR: Script execution failed (use -d to debug)
Nmap done: 1 IP address (1 host up) scanned in 25.81 seconds
root@Wing:~#
Different scripts return different results.
If there are many target domains, we can query them from a list.
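As an added illustration of the protocol exchange described above (connect to TCP port 43, send the query, read the reply) and of the referral-following that produces the script's "Record found at whois.apnic.net" line, here is a small Python WHOIS client and record parser. It is example code written for this page, not Nmap's own whois script. It runs offline: the IANA and APNIC texts in SAMPLE_RESPONSES are constructed for the example (the APNIC fields mirror the Nmap output shown above), and whois_query implements the real TCP/43 exchange but is only used when a caller passes it in explicitly. The lookup function's follow=False switch is an assumed analogue of the whois.whodb=nofollow argument: it stops at the first server's answer instead of chasing referrals.

```python
import re
import socket

# Constructed sample responses standing in for two real WHOIS servers, so the
# example runs offline. The IANA record's "whois:" line is the referral a client
# follows to reach APNIC; the APNIC record mirrors the fields in the Nmap output.
SAMPLE_RESPONSES = {
    "whois.iana.org": (
        "% IANA WHOIS server\n"
        "\n"
        "inetnum:      210.0.0.0 - 211.255.255.255\n"
        "organisation: Administered by APNIC\n"
        "status:       LEGACY\n"
        "\n"
        "whois:        whois.apnic.net\n"
        "\n"
        "source:       IANA\n"
    ),
    "whois.apnic.net": (
        "% [whois.apnic.net]\n"
        "% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html\n"
        "\n"
        "inetnum:        210.209.122.0 - 210.209.122.255\n"
        "netname:        NWTCRS-HK\n"
        "descr:          NWT CRS Dynamic Pool\n"
        "country:        HK\n"
        "person:         Ivan Wong\n"
        "e-mail:         ivanwong@newworldtel.com\n"
    ),
}

# Keys different registries use to point a client at another server:
# IANA uses "refer:" for TLDs and "whois:" for IP blocks, ARIN uses "ReferralServer:".
REFERRAL_KEYS = ("refer", "whois", "referralserver")


def whois_query(server, query, port=43, timeout=10.0):
    """Raw WHOIS exchange: open TCP/43, send the query terminated by CRLF,
    then read until the server closes the connection. Performs real network I/O."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def offline_query(server, query):
    """Stand-in for whois_query that serves the constructed responses above."""
    return SAMPLE_RESPONSES[server]


def parse_whois(text):
    """Turn 'key: value' lines into {key: [values]}, skipping comments and blanks.
    Keys are lower-cased because registries differ in capitalisation."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def referral_server(record):
    """Return the host a referral line points at, or None if the record has none."""
    for key in REFERRAL_KEYS:
        if key in record:
            host = re.sub(r"^[a-z]+://", "", record[key][0])  # ARIN writes whois://host
            return host.split("/")[0].split(":")[0] or None
    return None


def lookup(target, follow=True, query_fn=whois_query, start="whois.iana.org", max_hops=4):
    """Query the start server and, unless follow=False, chase referrals until a
    server answers without pointing elsewhere. Returns (answering_server, record)."""
    server = start
    for _ in range(max_hops):
        record = parse_whois(query_fn(server, target))
        nxt = referral_server(record)
        if not follow or nxt is None or nxt == server:
            return server, record
        server = nxt
    return server, record


if __name__ == "__main__":
    server, record = lookup("210.209.122.11", query_fn=offline_query)
    print("Record found at", server)
    for key in ("inetnum", "netname", "descr", "country", "person", "e-mail"):
        print(f"{key}: {record[key][0]}")
```

Run as a script it prints the same fields as the Nmap output for the constructed APNIC record; calling lookup with follow=False returns IANA's own answer, which carries only the block allocation and the referral, not the network contact, which is why stopping early can yield a much thinner record than the default.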
root@Wing:~# nmap -sn --script whois -v -iL host.txt
Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:39 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 16:39
Scanning 3 hosts [4 ports/host]
Completed Ping Scan at 16:39, 0.01s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 16:39
Completed Parallel DNS resolution of 3 hosts. at 16:39, 2.16s elapsed
NSE: Script scanning 3 hosts.
Initiating NSE at 16:39
Completed NSE at 16:39, 5.88s elapsed
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.0031s latency).
Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 210.209.122.0 - 210.209.122.255
| netname: NWTCRS-HK
| descr: NWT CRS Dynamic Pool
| country: HK
| person: Ivan Wong
|_email: ivanwong@newworldtel.com
Nmap scan report for www.google.com (74.125.128.103)
Host is up (0.0036s latency).
Other addresses for www.google.com (not scanned): 74.125.128.106 74.125.128.105 74.125.128.99 74.125.128.104 74.125.128.147
rDNS record for 74.125.128.103: hg-in-f103.1e100.net
Host script results:
| whois: Record found at whois.arin.net
| netrange: 74.125.0.0 - 74.125.255.255
| netname: GOOGLE
| orgname: Google Inc.
| orgid: GOGL
| country: US stateprov: CA
|
| orgtechname: Google Inc
|_orgtechemail: arin-contact@google.com
Nmap scan report for www.facebook.com (59.24.3.173)
Host is up (0.0034s latency).
Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 59.0.0.0 - 59.31.255.255
| netname: KORNET
| descr: KOREA TELECOM
| country: KR
| person: IP Manager
|_email: kornet_ip@kt.com
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (3 hosts up) scanned in 8.18 seconds
Raw packets sent: 12 (456B) | Rcvd: 3 (120B)
root@Wing:~#
Sometimes the information returned by a WHOIS lookup is not accurate, so we are more interested in querying the historical WHOIS records.