《Nmap渗透测试指南》—第7章7.3节WHOIS查询

7.3　WHOIS查询
表7.3所示为本章节所需Nmap命令表，表中加粗命令为本小节所需命令——WHOIS查询。

WHOIS（读作“Who is”，而非缩写）是用来查询互联网中域名的IP以及所有者等信息的传输协议。早期的WHOIS查询多以命令行接口（Command Line）存在，但是现在出现了一些基于网页接口的简化在线查询工具，甚至可以一次向不同的数据库查询。网页接口的查询工具仍然依赖WHOIS协议向服务器发送查询请求，命令行接口的工具仍然被系统管理员广泛使用。

WHOIS通常使用TCP协议43端口。每个域名或IP的WHOIS信息由对应的管理机构保存，例如，以.com结尾的域名的WHOIS信息由.com域名运营商VeriSign管理，中国国家顶级域名.cn由CNNIC管理。

通常情况下，域名或IP的信息可以由公众自由查询获得，具体的查询方法是登录由管理机构提供的WHOIS服务器，输入待查询的域名进行查询。

操作步骤
使用命令“nmap --script whois 目标”即可查询目标域名whois信息。

root@Wing:~# nmap --script whois www.0day.co

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:10 CST
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.0063s latency).
Not shown: 998 filtered ports
PORT　　STATE SERVICE
80/tcp　open　http
443/tcp open　https

Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 210.209.122.0 - 210.209.122.255
| netname: NWTCRS-HK
| descr: NWT CRS Dynamic Pool
| country: HK
| person: Ivan Wong
|_email: ivanwong@newworldtel.com

Nmap done: 1 IP address (1 host up) scanned in 69.23 seconds
root@Wing:~#

分析
从返回的数据来看，我们可以确定目标域名的IP地址及其开放的端口，也搜集到了域名提供商的网址以及域名解析地址和E-mail地址。在使用whois查询的时候要切记whois都是小写字母。查询到的结果仅供参考，大部分的网站现在都启用了whois保护，对于域名所有者的姓名、电话等都会隐藏，我们可以查询该域名的历史whois，历史whois可能还没有启用whois保护。我们还可以启用其他的几个whois查询脚本。

root@Wing:~# nmap --script whois --script-args whois.whodb=nofollow www.0day.co

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:34 CST
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.012s latency).
Not shown: 998 filtered ports
PORT　　STATE SERVICE
80/tcp　open　http
443/tcp open　https

Host script results:
|_whois: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 25.81 seconds
root@Wing:~#
不同的脚本返回的结果也不尽相同。

如果目标域名比较多，我们可以使用列表的方式进行查询。

root@Wing:~# nmap -sn --script whois -v -iL host.txt

Starting Nmap 6.40 ( http://nmap.org ) at 2014-06-12 16:39 CST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 16:39
Scanning 3 hosts [4 ports/host]
Completed Ping Scan at 16:39, 0.01s elapsed (3 total hosts)
Initiating Parallel DNS resolution of 3 hosts. at 16:39
Completed Parallel DNS resolution of 3 hosts. at 16:39, 2.16s elapsed
NSE: Script scanning 3 hosts.
Initiating NSE at 16:39
Completed NSE at 16:39, 5.88s elapsed
Nmap scan report for www.0day.co (210.209.122.11)
Host is up (0.0031s latency).

Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 210.209.122.0 - 210.209.122.255
| netname: NWTCRS-HK
| descr: NWT CRS Dynamic Pool
| country: HK
| person: Ivan Wong
|_email: ivanwong@newworldtel.com

Nmap scan report for www.google.com (74.125.128.103)
Host is up (0.0036s latency).
Other addresses for www.google.com (not scanned): 74.125.128.106 74.125.128.105 74.125.128.99 74.125.128.104 74.125.128.147
rDNS record for 74.125.128.103: hg-in-f103.1e100.net

Host script results:
| whois: Record found at whois.arin.net
| netrange: 74.125.0.0 - 74.125.255.255
| netname: GOOGLE
| orgname: Google Inc.
| orgid: GOGL
| country: US stateprov: CA
|
| orgtechname: Google Inc
|_orgtechemail: arin-contact@google.com

Nmap scan report for www.facebook.com (59.24.3.173)
Host is up (0.0034s latency).

Host script results:
| whois: Record found at whois.apnic.net
| inetnum: 59.0.0.0 - 59.31.255.255
| netname: KORNET
| descr: KOREA TELECOM
| country: KR
| person: IP Manager
|_email: kornet_ip@kt.com

NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
Nmap done: 3 IP addresses (3 hosts up) scanned in 8.18 seconds
　　　　　 Raw packets sent: 12 (456B) | Rcvd: 3 (120B)
root@Wing:~#

有时候whois查询到的信息并不准确，我们更热衷于查询whois的历史记录。