# 43 - Pentesting WHOIS ## Basic Information **WHOIS** (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. (From [here](https://en.wikipedia.org/wiki/WHOIS)) **Default port:** 43 ``` PORT STATE SERVICE 43/tcp open whois? ``` ## Enumerate Get all the information that a whois service has about a domain: ```bash whois -h -p "domain.tld" echo "domain.ltd" | nc -vn ``` Notice than sometimes when requesting for some information to a WHOIS service the database being used appears in the response: ![](<../.gitbook/assets/image (147).png>) Also, the WHOIS service always needs to use a **database** to store and extract the information. So, a possible **SQLInjection** could be present when **querying** the database from some information provided by the user. For example doing: `whois -h 10.10.10.155 -p 43 "a') or 1=1#"` you could be able to **extract all** the **information** saved in the database. ## Shodan * `port:43 whois` ## HackTricks Automatic Commands ``` Protocol_Name: WHOIS #Protocol Abbreviation if there is one. Port_Number: 43 #Comma separated if there is more than one. Protocol_Description: WHOIS #Protocol Abbreviation Spelled out Entry_1: Name: Notes Description: Notes for WHOIS Note: | WHOIS (pronounced as the phrase "who is") is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information. https://book.hacktricks.xyz/pentesting/pentesting-smtp Entry_2: Name: Banner Grab Description: Grab WHOIS Banner Command: whois -h {IP} -p 43 {Domain_Name} && echo {Domain_Name} | nc -vn {IP} 43 ```