An unexpected behavior exists in some whois servers (for example, whois.internic.net) and may open potential security holes. The problem is not in the implementation of the server itself but in the way it searches for records: a query for a domain name is answered with a partial match, so a registered record whose name merely contains the queried string can be listed ahead of the domain itself. Automated programs that rely on information retrieved from the whois server (administrative contacts, phone numbers, name servers, etc.) can be fooled, because the information they pick up is not the record of that domain in the registry database.
Credit:
The information has been provided by Anonymous.
Download whois tools for Windows:
To search for a whois tool (in CNET):
http://download.cnet.com/downloads/0,10150,0-10001-103-0-1-6,00.html?tag=st.dl.10001_103_1.lst.lst&qt=whois&
Or download this freeware product:
ftp://ftp.ccit.edu.tw/Windows/Windows95/WinSite/netutil/netlab95.zip
'Whois' is generally used for retrieving domain information (such as the administrative contacts of a domain and its DNS servers).
A bug (which might be seen as a feature) in the whois server's search allows a registered host (name server) record whose name contains a given domain name (for example: microsoft.com), in the example below as its leading part, to be found before the identical domain name itself. For example:
MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
Will be found before
MICROSOFT.COM
To exploit this bug the attacker is not required to do anything except registering, under a domain name that is legitimately his (TERRORISTS.NET in the example), a host name that contains the string he wants to 'spoof'. No access to the targeted domain is needed.
Impact
Automated products that use whois information might return false information, since they read the content of the fake record (which is a real host record under the attacker's domain) and not the record of the actual domain being queried.
Example: Checking the whois information of Microsoft.com:
UNIX:
$ whois microsoft.com
Will retrieve the whois information for Microsoft.com.
Windows:
Download any whois utility (see the links under Credit above) and do a whois search on microsoft.com.
Whois Output:
$ whois microsoft.com
(Returns a partial match: every record whose name matches the query is listed, and the attacker's host record is listed first)
[whois.internic.net]
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
MICROSOFT.COM
To single out one record, look it up with "xxx", where xxx is one of the records displayed above. If the records are the same, look them up with "=xxx" to receive a full display for each record.
>>> Last update of whois database: Sun, 22 Oct 2000 10:04:50 EDT <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.
$ whois =microsoft.com
(The "=" prefix returns the full display of every matching record; it is still a partial match, so the host record "Server Name:" comes before the real "Domain Name:" record)
[whois.crsnic.net]
Whois Server Version 1.3
Domain names in the .com, .net, and .org domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
Server Name: MICROSOFT.COM.IS.SECRETLY.RUN.BY.ILLUMINATI.TERRORISTS.NET
IP Address: 170.1.75.143
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Domain Name: MICROSOFT.COM
Registrar: NETWORK SOLUTIONS, INC.
Whois Server: whois.networksolutions.com
Referral URL: www.networksolutions.com
Name Server: DNS4.CP.MSFT.NET
Name Server: DNS5.CP.MSFT.NET
Name Server: DNS7.CP.MSFT.NET
Name Server: DNS6.CP.MSFT.NET
Updated Date: 29-sep-2000
>>> Last update of whois database: Mon, 23 Oct 2000 11:07:46 EDT <<<
The Registry database contains ONLY .COM, .NET, .ORG, .EDU domains and Registrars.
As you can see, an automated script that takes the first result of such a search will obtain the record of the "false" microsoft.com (a name server host record) and follow its registrar and referral data rather than those of the real domain. A script that must not be fooled should accept only a record whose "Domain Name:" field is exactly the name it queried and should ignore "Server Name:" (host) records entirely, instead of relying on the order in which the registry lists matches.