1 files changed, 173 insertions, 0 deletions
diff --git a/scripts/whois-domain.nse b/scripts/whois-domain.nse
new file mode 100644
index 0000000..8404929
--- /dev/null
+++ b/scripts/whois-domain.nse
@@ -0,0 +1,173 @@
+description = [[
+Attempts to retrieve information about the domain name of the target
+]]
+
+---
+-- @see whois-ip.nse
+--
+-- @usage nmap --script whois-domain.nse <target>
+--
+-- This script starts by querying the whois.iana.org (which is the root of the
+-- whois servers). Using some patterns the script can determine if the response
+-- represents a referral to a record hosted elsewhere. If that's the case it will
+-- query that referral. The script keeps repeating this until the response don't
+-- match with any of the patterns, meaning that there are no other referrals and
+-- prints the output.
+--
+-- @output
+-- PORT   STATE SERVICE REASON
+-- 80/tcp open  http    syn-ack
+-- | whois-domain:
+-- | whois3: Record found at whois.arin.net
+-- | netrange: 199.19.112.0 - 199.19.119.255
+-- | netname: WEBRULON-NETWORK
+-- | orgname: webRulon, LLC
+-- | orgid: WL-1
+-- | country: US stateprov: NY
+-- |
+-- | orgtechname: webRulon Support
+-- | orgtechemail: support@webrulon.com
+-- |
+-- | Domain name record found at whois.enom.com
+-- |
+-- | Registration Service Provided By: Namecheap.com
+-- | Contact: support@namecheap.com
+-- | Visit: http://namecheap.com
+-- | Registered through: eNom, Inc.
+-- |
+-- | Domain name: random-foo-example.com
+-- |
+-- | Registrant Contact:
+-- |    Example
+-- |    John Foo ()
+-- |
+-- |    Fax:
+-- |    Dimosthenous 215
+-- |    Athens, Attiki 17673
+-- |    GR
+-- |
+-- | Administrative Contact:
+-- |    Example
+-- |    John Foo (john@gmail.com)
+-- |    +30.69425555555
+-- |    Fax: +1.5555555555
+-- |    Dimosthenous 215
+-- |    Athens, Attiki 17673
+-- |    GR
+-- |
+-- | Technical Contact:
+-- |    Example
+-- |    John Foo (john@gmail.com)
+-- |    +30.69425555555
+-- |    Fax: +1.5555555555
+-- |    Dimosthenous 215
+-- |    Athens, Attiki 17673
+-- |    GR
+-- |
+-- | Status: Active
+-- |
+-- | Name Servers:
+-- |    dns1.registrar-servers.com
+-- |    dns2.registrar-servers.com
+-- |    dns3.registrar-servers.com
+-- |    dns4.registrar-servers.com
+-- |    dns5.registrar-servers.com
+-- |
+-- | Creation date: 14 Oct 2011 13:41:00
+-- | Expiration date: 14 Oct 2013 05:41:00
+---
+
+author = "George Chatzisofroniou"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"discovery", "external", "safe"}
+
+local ipOps = require "ipOps"
+local nmap = require "nmap"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+
+hostrule = function( host )
+  local is_private, err = ipOps.isPrivate( host.ip )
+  if is_private == nil then
+    stdnse.debug1("Error in Hostrule: %s.", err )
+    return false
+  end
+
+  return not is_private
+end
+
+
+action = function( host )
+
+  local mutexes = {}
+
+  -- If the user has provided a domain name.
+  if host.targetname then
+
+    local referral_patterns = {"refer:%s*(.-)\n", "Whois%sServer:%s*(.-)\n"}
+
+    -- Remove www prefix and add a newline.
+    local query_data = string.gsub(host.targetname, "^www%.", "") .. "\n"
+
+    local result
+
+    -- First server to query is iana's.
+    local referral = "whois.iana.org"
+
+    while referral do
+
+      if not mutexes[referral] then
+        mutexes[referral] = nmap.mutex(referral)
+      end
+
+      mutexes[referral] "lock"
+
+      result = {}
+      local socket = nmap.new_socket()
+      local catch = function()
+        stdnse.debug1( "fail")
+        socket:close()
+      end
+
+      local status, line = {}
+      local try = nmap.new_try( catch )
+
+      socket:set_timeout( 50000 )
+
+      try( socket:connect(referral, 43 ) )
+      try( socket:send( query_data ) )
+
+      while true do
+        local status, lines = socket:receive_lines(1)
+        if not status then
+          break
+        else
+          result[#result+1] = lines
+        end
+      end
+
+      socket:close()
+
+      mutexes[referral] "done"
+
+      if #result == 0 then
+        return nil
+      end
+
+      table.insert(result, 1, "\n\nDomain name record found at " .. referral .. "\n")
+
+      -- Do we have a referral?
+      referral = false
+      for _, p in ipairs(referral_patterns) do
+        referral = referral or string.match(table.concat(result), p)
+      end
+
+    end
+
+    result = table.concat( result )
+    return result
+  end
+  return "You should provide a domain name."
+end
+