Wednesday, May 27, 2009

Querying WHOIS Webservice with Powershell

There's an interesting WHOIS web service at TryNT. If you are working through a range of addresses and trying to determine who owns them, it's useful to automate the lookups.

Apparently TryNT gets banned from certain IP ranges, or is simply going too hard at the WHOIS servers, so sometimes the query returns an error. But for the most part it works.

Here's how one can query WHOIS via the TryNT web service:



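PS C:\Users\dxs\Code\powershell> gc .\Whois-Webservice.ps1
# Look up the owner organization and tech contact e-mail for one IP address
function IpOwner(
    [string]$ip="4.2.2.2"
){
    BEGIN{
        # Results table, seeded with the address being queried
        $whois=@{"query"=$ip};
        # Suppress errors so a failed lookup does not stop the loop
        $ErrorActionPreference="SilentlyContinue"
    }

    PROCESS {
        #$uri="http://75.101.151.29/whois-api/v1/?h="+$ip+"&f=0"
        $uri="http://www.trynt.com/whois-api/v1/?h="+$ip+"&f=0"
        # Fetch the response and parse it as XML
        $resp=[xml](New-Object -TypeName System.Net.WebClient).DownloadString($uri)
        # Pull the owner organization out of the response
        $whois.Add("organization",
            $($resp.SelectNodes(
                "descendant::Trynt/Whois/regrinfo/owner/organization") |
                % { $_.InnerXml}) )
        # Pull the technical contact e-mail out of the response
        $whois.Add("TechEmail",
            $($resp.SelectNodes(
                "descendant::Trynt/Whois/regrinfo/tech/email") |
                % { $_.InnerXml}) )
    }

    END{
        # Print whatever was collected for this address
        Write-Host $whois.Values
    }
}

# Query the .165.1 host in each 124.x network, pausing 2 seconds between requests
1..254 | % { sleep(2); IpOwner("124.$_.165.1") }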

The run:


PS C:\Users\dxs\Code\powershell> .\Whois-Webservice.ps1
SK Networks co., Ltd 124.1.165.1
WADONG ELEMENTARY SCHOOL 5ypascal@lycos.co.kr 124.2.165.1
Jeonrabukdo Wanju Education Office i3cc11@hanmail.net 124.3.165.1
GE Capital International Services munish.dargan@ge.com 124.4.165.1
KuRO TV noc@cnm.co.kr 124.5.165.1
NETWORK_VISMIN_DSL_IP_POOL aaa81020@globenet.com.ph 124.6.165.1
SIFY INFRASTRUCTURE ipadmin@sifycorp.com 124.7.165.1
Taiwan Fixed Network CO.,LTD. steve_huang@howin.com.tw 124.8.165.1
Taiwan Fixed Network CO.,LTD. steve_huang@howin.com.tw 124.9.165.1
Taiwan Fixed Network CO.,LTD. steve_huang@howin.com.tw 124.10.165.1
Taiwan Fixed Network CO.,LTD. steve_huang@howin.com.tw 124.11.165.1
Taiwan Fixed Network CO.,LTD. steve_huang@howin.com.tw 124.12.165.1
TELEKOM MALAYSIA BERHAD ssc@tmnet.com.my 124.13.165.1
6F Greatwall Bldg., A38 Xueyuan Road Haidian District,Beijing speed0822@sina.com 124.14.165.1
6F Greatwall Bldg., A38 Xueyuan Road Haidian District,Beijing speed0822@sina.com 124.15.165.1
China Science & Technology Network lihong@cstnet.net.cn 124.16.165.1
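
Because the script silences errors, a blocked or failed lookup shows up only as a missing field in the output above. The following is an added example, not part of the original script: it parses one response into a record with an explicit status. The XML samples are constructed to mirror the element paths the script queries, and the function name ConvertFrom-WhoisXml and the `error` element are assumptions.

```powershell
# Added example. The XML samples are constructed; they mirror the element
# paths the script queries, and the <error> element is an assumption.
$sampleOk = @'
<Trynt><Whois><regrinfo>
  <owner><organization>Example Org</organization></owner>
  <tech><email>noc@example.net</email></tech>
</regrinfo></Whois></Trynt>
'@
$sampleErr = '<Trynt><Whois><error>lookup failed</error></Whois></Trynt>'

# Hypothetical helper: turn one response into a record with an explicit status.
function ConvertFrom-WhoisXml {
    param(
        [Parameter(Mandatory=$true)][string]$Ip,
        [Parameter(Mandatory=$true)][string]$Xml
    )
    # Accept only a literal IP address before it reaches a URL or a report.
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) {
        throw "Not an IP address: $Ip"
    }
    $org = $null; $mail = $null; $status = 'ok'
    try {
        $doc = [xml]$Xml
        $orgNode  = $doc.SelectSingleNode('/Trynt/Whois/regrinfo/owner/organization')
        $mailNode = $doc.SelectSingleNode('/Trynt/Whois/regrinfo/tech/email')
        # InnerText decodes entities such as &amp; in organization names.
        if ($null -ne $orgNode)  { $org  = $orgNode.InnerText }
        if ($null -ne $mailNode) { $mail = $mailNode.InnerText }
        if ($null -eq $org -and $null -eq $mail) { $status = 'no-data' }
        elseif ($null -eq $org -or $null -eq $mail) { $status = 'partial' }
    } catch {
        $status = 'bad-xml'   # e.g. an HTML error page instead of XML
    }
    [pscustomobject]@{
        Ip = $addr.ToString(); Organization = $org
        TechEmail = $mail;     Status = $status
    }
}

# One record per lookup, including the ones that failed
ConvertFrom-WhoisXml -Ip '192.0.2.1' -Xml $sampleOk
ConvertFrom-WhoisXml -Ip '192.0.2.2' -Xml $sampleErr
ConvertFrom-WhoisXml -Ip '192.0.2.3' -Xml '<html>Service unavailable'
```

Records with a status other than `ok` can be filtered with Where-Object and retried later instead of being lost in the console output.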



8 comments:

  1. FYI, Hexillion has a similar Whois API. It requires a paid account for more than a few queries per day but has 2 key advantages: 1) it gets blocked a lot less, and 2) it parses out more information. You can try it out here:
    Hexillion Whois API

  2. @Gavin:
    Looks interesting and comprehensive. One curious detail is that user credentials are clear text in the REST request:
    https://hexillion.com/rf/xml/1.0/auth/?username=XYZCorp&password=As42lg9o3

    I only looked at the docs - not sure if there are plans to wrap it more securely.

  3. @snow:
    That's an HTTPS URL, so the password will be encrypted over the wire. It will be stored in plain text in the web server logs, however, so using a POST request would be better. The docs recommend POST, but I have updated them to emphasize the point.

    Also, I see that I botched the link in my comment (though you figured it out). It should be:
    Hexillion Whois API

  4. @Gavin:
    Sure. I was just thinking of client URL histories and such. Thanks for the clarification.

  5. Interested in Connecting with Stanford University?
    Hi,
    My name is Brad. I’m contacting you on behalf of Stanford University, in regards to your blog http://techmeditation.blogspot.com/. I noticed that you talk about topics related to our certificate program. We were wondering if there was anything we could do to get mentioned on your website. Whether it's a guest post, you blogging about the program, or Stanford sponsoring a past post, we're open to just about anything. We ask you because your blog has the type of readers that would be interested in our Computer Security or Data Mining Courses.
    Here's a link to our program page: http://scpd.stanford.edu/courses/data-mining-courses.jsp
    If there are any requirements to get featured on your blog, please let us know.
    Thank you so much for your time to read our request!

    Brad Merkel
    SCPD.Standfor.edu

  6. Well! This script is good. We can also embed the whois site WhoisXY.com with the above script and know the details of the domain owner.

  7. Love to read it, waiting for more new updates, and I already read your recent post, it's great, thanks.
    reverse whois lookup
