WHOIS
Domain/IP registration lookup on TCP port 43. A passive recon source for owners, contacts, name servers and netblocks; a handful of legacy WHOIS daemons were also injectable.
Ports
| Port | Proto | Notes |
|---|---|---|
| 43 | tcp | WHOIS |
Fingerprint
- Plain-text query/response on 43
- Server banner varies by registry
Exploitation primitives
- Recon: registrant, admin/tech contacts, name servers, creation/expiry, netblock
- Pivot ASN/IP ranges from the netblock data into your target list
- Legacy daemons occasionally allowed SQL injection or format-string bugs through the query string
Overview
WHOIS on 43 answers “who owns this domain/IP”. It’s a passive recon building block — contacts for phishing, name servers and netblocks for scoping.
Enumeration
Standard lookup:
whois inlanefreight.com
Query a specific WHOIS server directly:
whois -h <TARGET> -p 43 "inlanefreight.com"
Raw query:
echo "inlanefreight.com" | nc -nv <TARGET> 43
Hardening
WHOIS is not an attack surface you normally host on internal networks. If you do run a public WHOIS server, rate-limit it and avoid running old injectable daemons.
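The two hardening points above, as an added example that is not from the original page or from any particular WHOIS daemon: a front-end check that lets only a well-formed domain, IP or netblock reach the lookup backend, combined with a per-client token bucket. The names `normalize_query`, `TokenBucket` and `handle`, the 255-byte cap and the sample queries are assumptions made for illustration.

```python
import ipaddress
import re
import time

MAX_QUERY_LEN = 255  # assumption: cap queries at the maximum DNS name length
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")  # one DNS label, no edge hyphens

def normalize_query(raw: bytes):
    """Return a safe lookup key (domain, IP or CIDR), or None to reject."""
    if len(raw) > MAX_QUERY_LEN + 2:  # +2 for the trailing CRLF
        return None
    try:
        text = raw.decode("ascii").rstrip("\r\n").strip().lower()
    except UnicodeDecodeError:
        return None
    try:  # IP address or netblock first
        if "/" in text:
            return str(ipaddress.ip_network(text, strict=False))
        return str(ipaddress.ip_address(text))
    except ValueError:
        pass
    labels = text.rstrip(".").split(".")
    if len(labels) >= 2 and all(LABEL.fullmatch(part) for part in labels):
        return ".".join(labels)
    return None  # quotes, '%', spaces and ';' never reach the backend

class TokenBucket:
    """Per-client limiter: `rate` queries per second, bursts up to `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.state = {}  # client IP -> (tokens left, time of last query)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self.state.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.state[client] = (tokens - 1 if allowed else tokens, now)
        return allowed

def handle(limiter, client, raw, now=None):
    """Rate-limit first so rejected queries also cost the client a token."""
    if not limiter.allow(client, now):
        return "RATE_LIMITED"
    key = normalize_query(raw)
    return "REJECTED" if key is None else f"LOOKUP {key}"

if __name__ == "__main__":
    bucket = TokenBucket(rate=1, burst=2)
    for q in (b"inlanefreight.com\r\n", b"x' OR '1'='1\r\n", b"%x%n\r\n"):  # constructed
        print(handle(bucket, "198.51.100.7", q))
```

The returned key is still data, not trusted input: the backend should pass it as a bound parameter and never as a format string.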