Whois 簡單來說,就是一個用來查詢域名是否已經被注冊,以及注冊域名的詳細信息的數據庫(如域名所有人、域名注冊商、域名注冊日期和過期日期等)。通過域名Whois服務器查詢,可以查詢域名歸屬者聯(lián)系方式,以及注冊和到期時間。通常情況下,whois信息均為真實信息,通過whois信息可以找到域名注冊人的很多真實信息,像電話,郵箱,NS記錄,是對網站進行社工非常好的信息來源,對于安全從業(yè)人員來說,快速獲取whois信息,能夠幫助自己掌握目標網站的很多有用信息。
而whois信息通常是保存在各級域名注冊機構中,平常我們要查詢whois信息都是通過godaddy、name.com、萬網、新網等域名注冊商網站通過查詢頁面提交域名進行查詢,既慢又不能批量查詢,太費勁了,這里我就把我珍藏很久的一個PS function貢獻給大家,這個腳本支持140多種后綴的域名進行查詢,尤其是一些生僻的域,找一個能支持這個域注冊的注冊商就不容易了,現在你不需要再為這個事情發(fā)愁了。
老規(guī)矩,先上代碼,然后對關鍵操作進行解釋:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
|
=====文件名:Get-whois.ps1===== function Get-WhoIs {<# Author:fuhj(powershell#live.cn ,http://fuhaijun.com) # Does a raw WHOIS query and returns the results # The simplest whois search #.Example # get-whois dnspod.com # # This example is one that forwards to a second whois server ... #.Example # get-whois baidu.com -NoForward # # Returns the partial results you get when you don't follow forwarding to a new whois server # get-whois n 128.11.5.98 -server whois.arin.net # # Does an ip lookup at arin.net #> [CmdletBinding()] param( # The query to send to WHOIS servers [Parameter(Position=0, ValueFromRemainingArguments=$true)] [string]$query, # A specific whois server to search [string]$server, # Disable forwarding to new whois servers [switch]$NoForward ) end { $TLDs = DATA { @{ ".com"= "whois.verisign-grs.com","whois.crsnic.net" ".net"= "whois.verisign-grs.com","whois.crsnic.net" ".org"= "whois.pir.org","whois.publicinterestregistry.net" ".info"= "whois.afilias.info","whois.afilias.net" ".biz"= "whois.neulevel.biz" ".us"= "whois.nic.us" ".uk"= "whois.nic.uk" ".ca"= "whois.cira.ca" ".tel"= "whois.nic.tel" ".ie"= "whois.iedr.ie","whois.domainregistry.ie" ".it"= "whois.nic.it" ".li"= "whois.nic.li" ".no"= "whois.norid.no" ".cc"= "whois.nic.cc" ".eu"= "whois.eu" ".nu"= "whois.nic.nu" ".au"= "whois.aunic.net","whois.ausregistry.net.au" ".de"= "whois.denic.de" ".ws"= "whois.worldsite.ws","whois.nic.ws","www.nic.ws" ".sc"= "whois2.afilias-grs.net" ".mobi" = "whois.dotmobiregistry.net" ".pro"= "whois.registrypro.pro","whois.registry.pro" ".edu"= "whois.educause.net","whois.crsnic.net" ".tv"= "whois.nic.tv","tvwhois.verisign-grs.com" ".travel" = "whois.nic.travel" ".name" = "whois.nic.name" ".in"= "whois.inregistry.net","whois.registry.in" ".me"= "whois.nic.me","whois.meregistry.net" ".at"= "whois.nic.at" ".be"= "whois.dns.be" ".cn"= "whois.cnnic.cn","whois.cnnic.net.cn" ".edu.cn"="whois.edu.cn" ".asia"= "whois.nic.asia" ".ru"= "whois.ripn.ru","whois.ripn.net" ".ro"= "whois.rotld.ro" ".aero" = "whois.aero" ".fr"= "whois.nic.fr" ".se"= "whois.iis.se","whois.nic-se.se","whois.nic.se" ".nl"= "whois.sidn.nl","whois.domain-registry.nl" ".nz"= "whois.srs.net.nz","whois.domainz.net.nz" ".mx"= "whois.nic.mx" ".tw"= "whois.apnic.net","whois.twnic.net.tw" ".ch"= "whois.nic.ch" ".hk"= "whois.hknic.net.hk" ".ac"= "whois.nic.ac" ".ae"= "whois.nic.ae" ".af"= "whois.nic.af" ".ag"= "whois.nic.ag" ".al"= "whois.ripe.net" ".am"= "whois.amnic.net" ".as"= "whois.nic.as" ".az"= "whois.ripe.net" ".ba"= "whois.ripe.net" ".bg"= "whois.register.bg" ".bi"= "whois.nic.bi" ".bj"= "www.nic.bj" ".br"= "whois.nic.br" ".br.com"="whois.centralnic.net" ".eu.org"="whois.eu.org" ".bt"= "whois.netnames.net" ".by"= "whois.ripe.net" ".bz"= "whois.belizenic.bz" ".cd"= "whois.nic.cd" ".ck"= "whois.nic.ck" ".cl"= "nic.cl" ".coop"= "whois.nic.coop" ".cx"= "whois.nic.cx" ".cy"= "whois.ripe.net" ".cz"= "whois.nic.cz" ".dk"= "whois.dk-hostmaster.dk" ".dm"= "whois.nic.cx" ".dz"= "whois.ripe.net" ".ee"= "whois.eenet.ee" ".eg"= "whois.ripe.net" ".es"= "whois.ripe.net" ".fi"= "whois.ficora.fi" ".fo"= "whois.ripe.net" ".gb"= "whois.ripe.net" ".ge"= "whois.ripe.net" ".gl"= "whois.ripe.net" ".gm"= "whois.ripe.net" ".gov"= "whois.nic.gov" ".gr"= "whois.ripe.net" ".gs"= "whois.adamsnames.tc" ".hm"= "whois.registry.hm" ".hn"= "whois2.afilias-grs.net" ".hr"= "whois.ripe.net" ".hu"= "whois.ripe.net" ".il"= "whois.isoc.org.il" ".int"= "whois.isi.edu" ".iq"= "vrx.net" ".ir"= "whois.nic.ir" ".is"= "whois.isnic.is" ".je"= "whois.je" ".jp"= "whois.jprs.jp" ".kg"= "whois.domain.kg" ".kr"= "whois.nic.or.kr" ".la"= "whois2.afilias-grs.net" ".lt"= "whois.domreg.lt" ".lu"= "whois.restena.lu" ".lv"= "whois.nic.lv" ".ly"= "whois.lydomains.com" ".ma"= "whois.iam.net.ma" ".mc"= "whois.ripe.net" ".md"= "whois.nic.md" ".mil"= "whois.nic.mil" ".mk"= "whois.ripe.net" ".ms"= "whois.nic.ms" ".mt"= "whois.ripe.net" ".mu"= "whois.nic.mu" ".my"= "whois.mynic.net.my" ".nf"= "whois.nic.cx" ".pl"= "whois.dns.pl" ".pr"= "whois.nic.pr" ".pt"= "whois.dns.pt" ".sa"= "saudinic.net.sa" ".sb"= "whois.nic.net.sb" ".sg"= "whois.nic.net.sg" ".sh"= "whois.nic.sh" ".si"= "whois.arnes.si" ".sk"= "whois.sk-nic.sk" ".sm"= "whois.ripe.net" ".st"= "whois.nic.st" ".su"= "whois.ripn.net" ".tc"= "whois.adamsnames.tc" ".tf"= "whois.nic.tf" ".th"= "whois.thnic.net" ".tj"= "whois.nic.tj" ".tk"= "whois.nic.tk" ".tl"= "whois.domains.tl" ".tm"= "whois.nic.tm" ".tn"= "whois.ripe.net" ".to"= "whois.tonic.to" ".tp"= "whois.domains.tl" ".tr"= "whois.nic.tr" ".ua"= "whois.ripe.net" ".uy"= "nic.uy" ".uz"= "whois.cctld.uz" ".va"= "whois.ripe.net" ".vc"= "whois2.afilias-grs.net" ".ve"= "whois.nic.ve" ".vg"= "whois.adamsnames.tc" ".yu"= "whois.ripe.net" } } $EAP, $ErrorActionPreference = $ErrorActionPreference, "Stop" $query = $query.Trim() if($query -match "(?:\d{1,3}\.){3}\d{1,3}") { Write-Verbose "IP Lookup!" if($query -notmatch " ") { $query = "n $query" } if(!$server) { $server = "whois.arin.net" } } elseif(!$server) { $server = $TLDs.GetEnumerator() | Where { $query -like ("*"+$_.name) } | Select -Expand Value | Get-Random } if(!$server) { $server = "whois.arin.net" } $maxRequery = 3 do { Write-Verbose "Connecting to $server" $client = New-Object System.Net.Sockets.TcpClient $server, 43 try { $stream = $client.GetStream() Write-Verbose "Sending Query: $query" $data = [System.Text.Encoding]::Ascii.GetBytes( $query + "`r`n" ) $stream.Write($data, 0, $data.Length) Write-Verbose "Reading Response:" $reader = New-Object System.IO.StreamReader $stream, [System.Text.Encoding]::ASCII $result = $reader.ReadToEnd() if($result -match "(?s)Whois Server:\s*(\S+)\s*") { Write-Warning "Recommended WHOIS server: ${server}" if(!$NoForward) { Write-verbose "Non-Authoritative Results:`n${result}" # cache, in case we can't get an answer at the forwarder if(!$cachedResult) { $cachedResult = $result $cachedServer = $server } $server = $matches[1] $query = ($query -split " ")[-1] $maxRequery-- } else { $maxRequery = 0 } } else { $maxRequery = 0 } } finally { if($stream) { $stream.Close() $stream.Dispose() } } } while ($maxRequery -gt 0) $result if($cachedResult -and ($result -split "`n").count -lt 5) { Write-Warning "Original Result from ${cachedServer}:" $cachedResult } $ErrorActionPreference = $EAP } } |
函數里定義了三個參數,兩個[string]類型,一個[switch]類型,分別用于接收要進行whois查詢的域名,指定whois域名服務器,以及是否允許將查詢請求轉發(fā)到其他域名解析服務器。隨后創(chuàng)建了一個枚舉值的哈希表,目的是用于存儲不同域名后綴和whois服務器的對應關系,因為不同的域名后綴對應的域名信息是存儲在不同的服務器上的。需要強調的是像.com、.net、.org、.info這幾個注冊量特別大的域名后綴指定了多個whois服務器,避免查詢量過大無法有效返回結果的問題。
接下來通過New-Object創(chuàng)建一個System.Net.Sockets.TcpClient的TCP對象,連接上面指定的whois服務器的43端口用于查詢whois信息,在通過一個System.IO.StreamReader對象接收whois信息返回的數據,并對數據進行解析。除此之外再加上try{}cache{}finally{}進行容錯處理,在數據解析是也用到了正則表達式用于匹配目標字符串。
程序的運行方法有如下四種:
get-whois dnspod.com
先看看dnspod在被騰訊收購后有沒有更改whois信息,貌似鵝廠沒有改過
get-whois jd.com –NoForward
get-whois n 128.11.5.98 -server whois.arin.net
