WHOIS Pentesting Skill

A skill for enumerating and testing WHOIS services (TCP port 43) during reconnaissance and security assessments.

When to Use This Skill

Use this skill when you need to:

• Query WHOIS services for domain, IP, or ASN registration data
• Enumerate exposed WHOIS servers on port 43
• Follow WHOIS referral chains to find authoritative servers
• Test WHOIS services for injection vulnerabilities (SQLi, LDAP, command injection)
• Compare WHOIS vs RDAP data for consistency
• Identify rogue or stale WHOIS servers
• Perform asset expansion through registration data

Quick Start

# Basic domain query
whois -h <HOST> -p 43 "example.com"

# Basic IP query
printf '8.8.8.8\r\n' | nc -vn <HOST> 43

# Use bundled scripts for automation
./scripts/whois-enumerate.sh <HOST> <QUERY>

WHOIS Protocol Basics

WHOIS is a plain-text TCP service on port 43:

• Client sends a query string
• Server returns human-readable text
• Connection close marks end of response
• No authentication, integrity, or confidentiality

Modern Context: WHOIS vs RDAP

ICANN sunset WHOIS for gTLD registration data on 2025-01-28. RDAP is now the authoritative protocol for machine-readable domain lookups. However, TCP/43 remains relevant for:

• Legacy or private WHOIS services
• RIR / IP allocation workflows
• Internal registries and custom asset databases
• Third-party tools that still trust WHOIS responses

Enumeration Procedures

Step 1: Basic WHOIS Query

Test both domain and IP/ASN style queries:

# Domain query
printf 'example.com\r\n' | nc -vn <HOST> 43

# IP query
printf '8.8.8.8\r\n' | nc -vn <HOST> 43

# ASN query
printf 'AS15169\r\n' | nc -vn <HOST> 43

Why test multiple query types? Many WHOIS implementations expose different backends or parsers depending on the object type. One might leak more data than another.

Step 2: Follow Referral Chains

WHOIS responses often contain referrals to more authoritative servers:

# Use bundled script to chase referrals
./scripts/whois-referral-chase.sh <DOMAIN_OR_IP>

# Manual referral following
whois -I example.com
whois -I 8.8.8.8

# Nmap automatic referral following
nmap --script whois-domain <target>
nmap --script whois-ip <target>

Why chase referrals? Custom services may mishandle follow-up queries, redact fields inconsistently, or leak extra backend metadata. Some forgotten WHOIS infrastructure only appears through referral chains.

Step 3: Extract Key Fields

When the service is not fully redacted, pivot on these fields:

Step 4: Compare with RDAP

Even if port 43 is exposed, check for RDAP:

# Use bundled script
./scripts/rdap-lookup.sh <DOMAIN_OR_IP>

# Manual RDAP queries
curl -s https://www.rdap.net/domain/example.com | jq
curl -s https://rdap.arin.net/registry/ip/8.8.8.8 | jq

Why compare? A 2024 measurement study found WHOIS and RDAP are not always interchangeable, with inconsistencies in registrar identifiers, creation dates, and nameservers. If your recon pipeline depends on these values, compare both sources.

Security Testing

Injection Vulnerabilities

WHOIS services query databases, making them susceptible to injection attacks. Test for:

• SQL Injection in query parsing
• LDAP Injection in directory backends
• Command Injection in shell wrappers
• HTTP API injection in registrar portals

# Use bundled fuzzing script
./scripts/whois-fuzz.sh <HOST> <PORT>

# Manual SQLi test
whois -h <HOST> -p 43 "a') or 1=1#"

# Test other payloads
printf "'; DROP TABLE domains;--\r\n" | nc -vn <HOST> 43
printf "*\r\n" | nc -vn <HOST> 43  # LDAP wildcard
printf "$(whoami)\r\n" | nc -vn <HOST> 43  # Command injection

Why fuzz? The protocol itself is simple; the dangerous part is usually the parser or backend glue code. Internal or niche WHOIS deployments often have custom query handling.

Rogue/Stale WHOIS Servers

A 2024-2025 attack path involves abusing outdated WHOIS trust:

1. Registry changes WHOIS hostname
2. Old domain expires
3. Attacker registers old hostname
4. Attacker operates rogue WHOIS server

Impact: Rogue WHOIS responses can enable:

• Stored/reflected XSS in web WHOIS frontends
• Parser bugs / command injection in consuming libraries
• Bad automation decisions when systems trust attacker-controlled data

Check for: Returned

refer:

Whois Server:

Shodan Recon

Find exposed WHOIS services:

# Shodan query
port:43 whois

# Find specific implementations
port:43 "whois server"
port:43 "whois database"

Output Analysis

When reviewing WHOIS responses, look for:

1. Database identifiers - Sometimes the backend database appears in responses
2. Inconsistent redaction - Some fields redacted, others exposed
3. Referral chains - Pointers to more authoritative servers
4. Timestamps - Creation, update, expiration dates
5. Contact information - Abuse contacts, registrant details
6. Nameserver patterns - Clustering opportunities

Scripts Reference

scripts/whois-enumerate.sh

scripts/whois-referral-chase.sh

scripts/rdap-lookup.sh

scripts/whois-fuzz.sh

Best Practices

1. Always test multiple query types - Domain, IP, and ASN queries may hit different backends
2. Follow referrals - Authoritative data often lives on referred servers
3. Compare WHOIS vs RDAP - Inconsistencies can reveal misconfigurations or outdated data
4. Check for injection - Simple protocol, complex backends
5. Document referral chains - May reveal forgotten infrastructure
6. Verify timestamps - Spot newly registered or expiring infrastructure

References

• ICANN Update: Launching RDAP; Sunsetting WHOIS
• watchTowr Labs - We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI
• External Recon Methodology - For broader asset expansion