Vlad

IP->WHOIS - WHOIS simulator for an unlimited number of IPs/domains

Back in December 2017, I introduced an awesome tool that automates whois lookups for a single IP address or a bulk list of them.


You can read about the algorithm behind this tool here: https://kenciceron45.wixsite.com/krontek/main/ip2whois


Whether you are a cyber 'defender' or a hired penetration tester, you must always be aware of the information and details of the infrastructure you're defending or attacking. I remember the first time I threat hunted a risk: coming from a programming background, I knew little about the essential networking command utilities that would help me achieve my goal of solving the given enigma. My seniors introduced me to simple ping, traceroute, netstat, etc. I had heard of some of these commands before, but I hadn't fully utilized their features nor used them in application development.


Knowing those commands kept me curious and made me dwell on questions, which is why I read further, and that led me to the realization that these utilities are really helpful for digging deeper into a certain resource. The field of cybersecurity is a mixture of system administration + networking concepts + security concepts. Knowing these 3 essentials is what helps one prosper in this interesting field.


There are lots of networking protocols that aid you in an investigation and make your tasks a lot easier. As for my own preference, I chose 'whois' as one of the coolest. It is one of the basics an individual must know on day 1. It not only provides information on a registered domain or IP, but this information can also lead you to your resolution.


WHOIS is the system that answers the question, 'who is responsible for the domain name?' Traditionally, whois lookups are performed with a command-line application. Over time this functionality also became web-based, as WHOIS was extended with Referral Whois (RWhois). Here are just some of the well-known whois sites today:


https://whois.icann.org/en


https://www.whois.net/


https://mxtoolbox.com/Whois.aspx


https://www.verisign.com/en_IN/domain-names/whois/index.xhtml


http://whois.domaintools.com/


WHOIS databases are very large: they consist of a set of records for every entity.



The TOOL


Let's get to the point. WHOIS has certainly done a great job aiding us with the information we need. Here are some scenarios where we direly need this tool:


a.) Your SIEM or IPS has detected a lot of remote IPs performing malicious attacks on your corporate resource for the last 3 years. There are 2600 different IPs gathered, and your superior wants you to create a report and provide information about the IPs you've gathered.


b.) You are a web app pentester, and you want to know the domain information present on the web application.


Sure, performing whois is basic, simple and easy to execute for a single transaction or fewer than 10 transactions...


But what if it exceeds that?


Hundreds or thousands of transactions can eat up a lot of your time. This is where my tool comes in.


<RUN>


For a quick review of the process, you can refer to the diagram below.




<a> The user chooses which platform to search and collate IPs from (web or file).


* For now let's try the file option, so we input '2'. The program will ask for the file name. I have gathered some IPs to be checked; the file name for this test is py_inp.txt.



<b> The IP parser is executed and the IPs are gathered for the first-phase check.



<c> It's time for the second check. This step gets rid of all duplicate IPs, arranges them in ascending order and conducts the second IP validation. Results are written to ip_all2.txt.



<d> With all the IPs collected in ip_all2.txt, it's now time for evaluation. Whois is executed for each IP, generating the result in JSON format. This could take time depending on the volume of IPs to be evaluated. For the sake of this test, it is identified that there are 2100 different IPs.


Below is the whois result in JSON format. It took some 15 minutes to complete the 2100 entries. Below is the simulation output on the command prompt.


I set a standard JSON format, so the output JSON file will be flexible on any platform.

Sample results...






Below is the end of the simulation.


<e> After the JSON simulation, the data from the output is transferred to a CSV file in the same folder the program was run from. We can see that the folder was modified and the .json and .csv files have been created.



Opening ip_whois.csv, all the IPs have been properly evaluated.
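Steps <b> through <e> can be sketched as follows. This is an added example, not the author's tool: every function name, the ARIN-style field names, the default server `whois.arin.net` and the choice to drop non-routable addresses are assumptions, and the sample input and WHOIS reply are constructed.

```python
import csv, io, ipaddress, json, re, socket

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
FIELDS = ("netrange", "cidr", "netname", "orgname", "country")  # assumed columns
# Constructed sample input and constructed WHOIS reply (not real registry data).
SAMPLE_INPUT = "deny 8.8.8.8 x2\n208.67.222.222, 8.8.8.8; 10.0.0.5 999.1.1.1 1.1.1.1."
SAMPLE_WHOIS = ("# constructed reply\nNetRange: 192.0.2.0 - 192.0.2.255\nCIDR: 192.0.2.0/24\n"
                "NetName: EXAMPLE-NET\nOrgName: Example Org\nCountry: ZZ\nOrgName: Other\n")

def clean_ips(text):
    """Steps b-c: extract IPv4 candidates, validate them, drop duplicates and
    non-routable addresses, and sort numerically rather than as strings."""
    found = set()
    for token in IP_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(token)
        except ValueError:      # e.g. 999.1.1.1 matches the regex but is not an IP
            continue
        if ip.is_global:        # private/loopback/reserved space has no useful WHOIS
            found.add(ip)
    return [str(ip) for ip in sorted(found)]

def whois_query(ip, server="whois.arin.net", timeout=10):
    """Step d: RFC 3912 lookup. Send the query plus CRLF to TCP/43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(ip.encode() + b"\r\n")
        return b"".join(iter(lambda: s.recv(4096), b"")).decode("utf-8", "replace")

def parse_whois(ip, raw):
    """Turn 'Key: value' lines into one flat record; the first occurrence wins."""
    rec = {"ip": ip, **dict.fromkeys(FIELDS, "")}
    for line in raw.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue            # skip registry comments and free text
        key, value = line.split(":", 1)
        key = key.strip().lower()
        if key in FIELDS and not rec[key]:
            rec[key] = value.strip()
    return rec

def build_report(text, lookup=whois_query):
    """Steps d-e: return (json_text, csv_text) covering every cleaned IP."""
    records = [parse_whois(ip, lookup(ip)) for ip in clean_ips(text)]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=("ip",) + FIELDS)
    writer.writeheader()
    writer.writerows(records)
    return json.dumps(records, indent=2), out.getvalue()
```

Passing `lookup=lambda ip: SAMPLE_WHOIS` to `build_report` exercises the whole pipeline offline; with the default `lookup`, each IP costs one TCP connection, so large lists should be paced to stay within the registry's rate limits.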





The program runs well, and this tool is indeed capable of making tasks tremendously easy. The final product is an automated report in .csv. Who would bother doing it manually when you have the resources to make it easier and more efficient? With this tool you can proceed with other tasks while the program runs. Just a productivity hack! Right?


That wraps up this blog. If you want a copy of this tool, you can send me an email.


Files:

> You can download the input and output files from the test below:

ip_whoisF1.xls - final report file
whois_IP-test.odt - final list of IPs to be evaluated
whois_json.odt - final json format whois result




<krontek>Halt

