Merge pull request #2033 from HackTricks-wiki/research_update_src_network-services-pentesting_43-pentesting-whois_20260319_205455

carlospolop · web-flow · commit 7a1c3301f2e1 · 2026-03-19T22:43:31.000+01:00
Research Update Enhanced src/network-services-pentesting/43-...
diff --git a/src/network-services-pentesting/43-pentesting-whois.md b/src/network-services-pentesting/43-pentesting-whois.md
@@ -8,33 +8,127 @@ The **WHOIS** protocol serves as a standard method for **inquiring about the reg
 
 **Default port:** 43
 
-```
+```text
 PORT   STATE  SERVICE
 43/tcp open   whois?
 ```
 
+From an offensive point of view, remember that **WHOIS is just a plain-text TCP service**: the client sends a query, the server returns human-readable text, and the **connection close marks the end of the response**. There is **no built-in authentication, integrity, or confidentiality** in the protocol.
+
+### Modern Reality: WHOIS vs RDAP
+
+For Internet domain registration data, **WHOIS is no longer the authoritative option for many public gTLD workflows**. ICANN sunset WHOIS for gTLD registration data on **2025-01-28**, making **RDAP** the protocol to prefer for machine-readable domain registration lookups.
+
+However, TCP/`43` is still worth testing because it keeps appearing in:
+
+- **Legacy or private WHOIS services**
+- **RIR / IP allocation workflows**
+- **Internal registries and custom asset databases**
+- **Third-party web tools and old automation** that still trust WHOIS responses
+
+If your goal is **reverse whois**, broader asset expansion, or recursive external recon, check [the External Recon Methodology page](../generic-methodologies-and-resources/external-recon-methodology/README.md) to avoid duplicating work here.
+
 ## Enumerate
 
 Get all the information that a whois service has about a domain:
 
 ```bash
 whois -h <HOST> -p <PORT> "domain.tld"
-echo "domain.ltd" | nc -vn <HOST> <PORT>
+printf 'domain.tld\r\n' | nc -vn <HOST> <PORT>
+```
+
+If you find a public-facing WHOIS service, test both **domain** and **IP/ASN** style queries because many implementations expose different backends or parsers depending on the object type:
+
+```bash
+# Domain
+printf 'example.com\r\n' | nc -vn <HOST> 43
+
+# IP / CIDR / ASN examples
+printf '8.8.8.8\r\n' | nc -vn <HOST> 43
+printf 'AS15169\r\n' | nc -vn <HOST> 43
 ```
 
 Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response:
 
 ![](<../images/image (301).png>)
 
+### Referral Chasing and Better Enumeration
+
+A lot of useful WHOIS enumeration is hidden behind **referrals**. For example, one server may only point you to the next authoritative WHOIS server for a TLD or an RIR. This is worth testing manually because some custom services mishandle follow-up queries, redact fields inconsistently, or leak extra backend metadata.
+
+Useful options and helpers:
+
+```bash
+# Ask IANA first and then follow the authoritative referral (common Linux whois clients)
+whois -I example.com
+whois -I 8.8.8.8
+
+# Let Nmap follow domain/IP WHOIS referrals automatically
+nmap --script whois-domain <target>
+nmap --script whois-ip <target>
+
+# For IP ranges, disable the WHOIS cache if you care about smaller delegated blocks
+nmap --script whois-ip --script-args whois.whodb=nocache <target>
+```
+
+Interesting fields to pivot on when the service is not fully redacted:
+
+- **Registrar / Org / abuse contact** for phishing reporting or org-mapping
+- **Creation / update / expiration times** to spot newly registered infrastructure
+- **Nameservers** to cluster domains managed by the same operator
+- **Referral server names** to find legacy or forgotten WHOIS infrastructure
+
+### RDAP as the Structured Successor
+
+Even if the exposed service is classic WHOIS on port `43`, check whether the same provider also offers **RDAP** because RDAP is often easier to parse and better for automation:
+
+```bash
+curl -s https://www.rdap.net/domain/example.com | jq
+curl -s https://rdap.arin.net/registry/ip/8.8.8.8 | jq
+```
+
+A practical offensive nuance: a 2024 measurement study comparing WHOIS and RDAP at scale found that they are **not always interchangeable**, with inconsistencies in fields such as registrar identifiers, creation dates, and nameservers. If your recon pipeline depends on those values, compare both sources before making decisions.
+
+## Offensive Notes
+
+### Backend Injection in Custom WHOIS Gateways
+
 Also, the WHOIS service always needs to use a **database** to store and extract the information. So, a possible **SQLInjection** could be present when **querying** the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` you could be able to **extract all** the **information** saved in the database.
 
+Do not limit testing to SQLi. In internal or niche WHOIS deployments, the query can be proxied to:
+
+- SQL / NoSQL backends
+- LDAP directories
+- shell wrappers around other lookup tools
+- HTTP APIs used by registrar or asset-management portals
+
+So fuzz with payloads for **SQLi**, **LDAP injection**, delimiter abuse, very long strings, and malformed UTF-8 / control characters. The protocol itself is simple; the dangerous part is usually the **parser or backend glue code**.
+
+### Rogue / Stale WHOIS Servers
+
+A relevant 2024-2025 attack path is abusing **outdated WHOIS trust**. If a registry or tool changes its WHOIS hostname and the old domain expires, an attacker may be able to register the old hostname and operate a **rogue WHOIS server**.
+
+That gives the attacker control over the response body seen by:
+
+- old WHOIS clients with hardcoded server mappings
+- web applications that fetch WHOIS output and render it back to users
+- automation that still uses WHOIS for domain validation or ownership workflows
+
+This matters because a rogue WHOIS response can become an entry point for:
+
+- **stored/reflected XSS** in web WHOIS frontends
+- **parser bugs / command injection / eval bugs** in libraries consuming the text response
+- **bad automation decisions** when systems trust attacker-controlled WHOIS contact data
+
+When you find a private or legacy WHOIS service, always check whether the returned `refer:` / `Whois Server:` values, banners, or TLD mappings point to **expired or attacker-registerable domains**.
+
 ## Shodan
 
 - `port:43 whois`
 
 ## HackTricks Automatic Commands
 
-```
+```yaml
 Protocol_Name: WHOIS    #Protocol Abbreviation if there is one.
 Port_Number:  43     #Comma separated if there is more than one.
 Protocol_Description: WHOIS         #Protocol Abbreviation Spelled out
@@ -51,10 +145,18 @@ Entry_1:
 Entry_2:
   Name: Banner Grab
   Description: Grab WHOIS Banner
-  Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43
+  Command: whois -h {IP} -p 43 {Domain_Name} && printf '{Domain_Name}\r\n' | nc -vn {IP} 43
+
+Entry_3:
+  Name: Nmap WHOIS Referrals
+  Description: Follow WHOIS referrals for domain and IP lookups
+  Command: nmap --script whois-domain,whois-ip --script-args whois.whodb=nocache {IP}
 ```
 
-{{#include ../banners/hacktricks-training.md}}
 
 
+## References
 
+- [ICANN Update: Launching RDAP; Sunsetting WHOIS](https://www.icann.org/en/announcements/details/icann-update-launching-rdap-sunsetting-whois-27-01-2025-en)
+- [watchTowr Labs - We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI](https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-became-the-admins-of-mobi/)
+{{#include ../banners/hacktricks-training.md}}
