《Nmap渗透测试指南》 (Nmap Penetration Testing Guide), Chapter 7, Section 7.3: WHOIS Query

    xiaoxiao  2024-01-30

    This section is excerpted from Chapter 7, Section 7.3 "WHOIS Query" of the book 《Nmap渗透测试指南》 (Nmap Penetration Testing Guide) published by 异步社区 (the Asynchronous Community), author 商广明. More chapters are available through the 云栖社区 "异步社区" official WeChat account.

    7.3 WHOIS Query

    Table 7.3 lists the Nmap commands needed in this chapter; the command shown in bold in that table is the one needed for this subsection, the WHOIS query.

    WHOIS (pronounced "who is"; it is not an acronym) is a protocol used to look up the IP address, owner and other registration details of a domain name on the Internet. Early WHOIS lookups were mostly performed with command-line clients, but simplified web-based lookup tools have since appeared, some of which can query several databases at once. These web tools still send their requests to the servers over the WHOIS protocol, and the command-line tools remain widely used by system administrators.

    WHOIS normally uses TCP port 43. The WHOIS record of every domain name or IP address is kept by the organization that administers it: for example, the WHOIS records of domains ending in .com are managed by VeriSign, the .com registry operator, and China's country-code top-level domain .cn is managed by CNNIC.

    In most cases this information about a domain or IP address can be freely queried by the public: connect to the WHOIS server provided by the administering organization and submit the domain name to be looked up.

    Procedure

    Run the command "nmap --script whois target" to look up the WHOIS record of the target domain.

    root@Wing:~# nmap --script whois www.0day.co
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:10 CST
    Nmap scan report for www.0day.co (210.209.122.11)
    Host is up (0.0063s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Host script results:
    | whois: Record found at whois.apnic.net
    | inetnum: 210.209.122.0 - 210.209.122.255
    | netname: NWTCRS-HK
    | descr: NWT CRS Dynamic Pool
    | country: HK
    | person: Ivan Wong
    |_email: ivanwong@newworldtel.com

    Nmap done: 1 IP address (1 host up) scanned in 69.23 seconds
    root@Wing:~#

    Analysis

    From the returned data we can determine the target domain's IP address and its open ports, and we have also collected the address of the domain's provider, the address range the domain resolves into, and the contact e-mail address. When running a whois query, remember that the script name whois is written entirely in lowercase. The results are for reference only: most websites now enable WHOIS privacy protection, which hides the owner's name, telephone number and similar details. In that case we can look up the domain's historical WHOIS records, which may predate the privacy protection. We can also enable several other whois query scripts.

    root@Wing:~# nmap --script whois --script-args whois.whodb=nofollow www.0day.co
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:34 CST
    Nmap scan report for www.0day.co (210.209.122.11)
    Host is up (0.012s latency).
    Not shown: 998 filtered ports
    PORT    STATE SERVICE
    80/tcp  open  http
    443/tcp open  https

    Host script results:
    |_whois: ERROR: Script execution failed (use -d to debug)

    Nmap done: 1 IP address (1 host up) scanned in 25.81 seconds
    root@Wing:~#

    Different scripts return different results. If there are many target domains, we can query them from a list file.

    root@Wing:~# nmap -sn --script whois -v -iL host.txt
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:39 CST
    NSE: Loaded 1 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating Ping Scan at 16:39
    Scanning 3 hosts [4 ports/host]
    Completed Ping Scan at 16:39, 0.01s elapsed (3 total hosts)
    Initiating Parallel DNS resolution of 3 hosts. at 16:39
    Completed Parallel DNS resolution of 3 hosts. at 16:39, 2.16s elapsed
    NSE: Script scanning 3 hosts.
    Initiating NSE at 16:39
    Completed NSE at 16:39, 5.88s elapsed
    Nmap scan report for www.0day.co (210.209.122.11)
    Host is up (0.0031s latency).

    Host script results:
    | whois: Record found at whois.apnic.net
    | inetnum: 210.209.122.0 - 210.209.122.255
    | netname: NWTCRS-HK
    | descr: NWT CRS Dynamic Pool
    | country: HK
    | person: Ivan Wong
    |_email: ivanwong@newworldtel.com

    Nmap scan report for www.google.com (74.125.128.103)
    Host is up (0.0036s latency).
    Other addresses for www.google.com (not scanned): 74.125.128.106 74.125.128.105 74.125.128.99 74.125.128.104 74.125.128.147
    rDNS record for 74.125.128.103: hg-in-f103.1e100.net

    Host script results:
    | whois: Record found at whois.arin.net
    | netrange: 74.125.0.0 - 74.125.255.255
    | netname: GOOGLE
    | orgname: Google Inc.
    | orgid: GOGL
    | country: US stateprov: CA
    |
    | orgtechname: Google Inc
    |_orgtechemail: arin-contact@google.com

    Nmap scan report for www.facebook.com (59.24.3.173)
    Host is up (0.0034s latency).

    Host script results:
    | whois: Record found at whois.apnic.net
    | inetnum: 59.0.0.0 - 59.31.255.255
    | netname: KORNET
    | descr: KOREA TELECOM
    | country: KR
    | person: IP Manager
    |_email: kornet_ip@kt.com

    NSE: Script Post-scanning.
    Read data files from: /usr/bin/../share/nmap
    Nmap done: 3 IP addresses (3 hosts up) scanned in 8.18 seconds
               Raw packets sent: 12 (456B) | Rcvd: 3 (120B)
    root@Wing:~#
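    The following Python example is added here to show what the Nmap whois script is doing under the hood; it is not code from the book or from the Nmap project. It implements the protocol described at the start of this section (a query string terminated by CRLF sent over TCP port 43, answered by a free-form text record), parses the "key: value" lines into the fields the script prints (inetnum, netname, country, e-mail, ...), and detects a referral to another registry, which is the behaviour that the whois.whodb=nofollow argument in the second run above switches off. The registry host names, the 203.0.113.0/24 block and the sample record are constructed for the offline test; the one network function, whois_lookup, is only called when you run it against a real server. From a defender's point of view this is the lookup an incident responder performs to find the owner and abuse contact of an address seen in logs.

```python
"""Minimal WHOIS client and record parser (added example, not from the book)."""
import re
import socket
from typing import Dict, List, Optional

WHOIS_PORT = 43  # WHOIS runs over plain TCP on port 43

# Fields a responder wants when triaging an address seen in logs: who holds
# the block and whom to contact. Matches what Nmap's whois script prints.
INTERESTING = ("inetnum", "netrange", "netname", "descr", "orgname",
               "country", "person", "e-mail", "email", "abuse-mailbox",
               "orgabuseemail")

# Constructed sample in the style of a registry reply; not real registry data.
SAMPLE_RECORD = """\
% [whois.example-rir.test] constructed sample, not real registry data
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-POOL
descr:          Example Dynamic Pool
country:        ZZ
person:         Abuse Desk
e-mail:         abuse@example.test
ReferralServer: whois://whois.other-rir.test
"""


def build_query(target: str) -> bytes:
    """Encode a WHOIS request: the bare query string followed by CRLF."""
    target = target.strip()
    if not target or any(c.isspace() for c in target):
        raise ValueError("WHOIS query must be a single domain name or IP address")
    return (target + "\r\n").encode("ascii")


def parse_record(text: str) -> Dict[str, List[str]]:
    """Collect 'key: value' lines into a dict; comment lines (%, #) are skipped.
    Keys are lower-cased so APNIC 'e-mail' and ARIN 'OrgAbuseEmail' compare alike."""
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "%#":
            continue
        m = re.match(r"^([A-Za-z][\w -]*?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if value:
            fields.setdefault(key, []).append(value)
    return fields


def summarise(fields: Dict[str, List[str]]) -> Dict[str, str]:
    """Pick the first value of each interesting field, in the script's order."""
    return {k: fields[k][0] for k in INTERESTING if k in fields}


def referral_server(fields: Dict[str, List[str]]) -> Optional[str]:
    """Return the registry a record points at, if any.
    ARIN answers with 'ReferralServer: whois://host' and IANA with 'refer: host';
    Nmap follows such referrals unless whois.whodb=nofollow is given."""
    for key in ("referralserver", "refer", "whois"):
        if key in fields:
            return fields[key][0].replace("whois://", "").rstrip("/")
    return None


def whois_lookup(target: str, server: str, follow: bool = True, max_hops: int = 3) -> str:
    """Query `server` over TCP/43, optionally following referrals (does network I/O)."""
    text = ""
    seen = set()
    for _ in range(max_hops):
        if server in seen:
            break  # two registries referring to each other: stop
        seen.add(server)
        with socket.create_connection((server, WHOIS_PORT), timeout=10) as s:
            s.sendall(build_query(target))
            chunks = []
            while True:  # the server closes the connection after the record
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        text = b"".join(chunks).decode("utf-8", errors="replace")
        nxt = referral_server(parse_record(text))
        if not follow or not nxt:
            return text
        server = nxt
    return text


if __name__ == "__main__":
    # Offline demonstration on the constructed record.
    record = parse_record(SAMPLE_RECORD)
    for k, v in summarise(record).items():
        print(f"| {k}: {v}")
    print("referral ->", referral_server(record))
```

    Running the module prints the same field list Nmap shows under "Host script results", then the referral target. With follow=False, whois_lookup returns the first record it receives, which is the nofollow behaviour; with the default it keeps querying the referred registry, stopping after max_hops or on a loop.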


    The information returned by a WHOIS query is sometimes inaccurate, so we are often more interested in looking up historical WHOIS records.
