PowerShell小技巧之获取域名whois信息
whois 简单来说,就是一个用来查询域名是否已经被注册,以及注册域名的详细信息的数据库(如域名所有人、域名注册商、域名注册日期和过期日期等)。通过域名whois服务器查询,可以查询域名归属者联系方式,以及注册和到期时间。通常情况下,whois信息均为真实信息,通过whois信息可以找到域名注册人的很多真实信息,像电话,邮箱,ns记录,是对网站进行社工非常好的信息来源,对于安全从业人员来说,快速获取whois信息,能够帮助自己掌握目标网站的很多有用信息。
而whois信息通常是保存在各级域名注册机构中,平常我们要查询whois信息都是通过godaddy、name.com、万网、新网等域名注册商网站通过查询页面提交域名进行查询,既慢又不能批量查询,太费劲了,这里我就把我珍藏很久的一个ps function贡献给大家,这个脚本支持140多种后缀的域名进行查询,尤其是一些生僻的域,找一个能支持这个域注册的注册商就不容易了,现在你不需要再为这个事情发愁了。
老规矩,先上代码,然后对关键操作进行解释:
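=====文件名:get-whois.ps1=====
function get-whois {
    <#
    .SYNOPSIS
        Sends a raw WHOIS query over TCP port 43 and returns the server's text response.
    .DESCRIPTION
        author: fuhj(powershell#live.cn ,http://fuhaijun.com)

        Picks a WHOIS server from the built-in suffix table (or -Server when given), sends
        the query, and - unless -NoForward is set - follows at most three "Whois Server:"
        referrals found in the response. If the final answer is very short, the first
        (non-authoritative) answer is emitted as well so the caller still gets something.
    .PARAMETER Query
        The query text to send (a domain name, or "n <ip>" for an ARIN lookup). All
        remaining positional arguments are joined into this string.
    .PARAMETER Server
        A specific WHOIS server to ask instead of the one chosen from the suffix table.
    .PARAMETER NoForward
        Do not follow "Whois Server:" referrals; return the partial result only.
    .EXAMPLE
        get-whois dnspod.com
        Forwards to the registrar's WHOIS server named in the first response.
    .EXAMPLE
        get-whois baidu.com -noforward
        Returns only the partial registry result without following the referral.
    .EXAMPLE
        get-whois n 128.11.5.98 -server whois.arin.net
        Does an IP lookup at ARIN.
    .NOTES
        WHOIS is a cleartext protocol; the query and the answer cross the network unencrypted.
        The referral host name comes from the remote server's response, so it is only
        followed when it looks like a plain host name and the hop limit has not been reached.
    #>
    [CmdletBinding()]
    param(
        # The query to send to the WHOIS server.
        [Parameter(Position = 0, ValueFromRemainingArguments = $true)]
        [string]$Query,

        # A specific WHOIS server to search.
        [string]$Server,

        # Disable forwarding to referred WHOIS servers.
        [switch]$NoForward
    )

    end {
        # Domain suffix -> one or more WHOIS servers. Suffixes with several entries get one
        # chosen at random per call to spread load over the listed hosts.
        $tlds = @{
            ".com"    = "whois.verisign-grs.com", "whois.crsnic.net"
            ".net"    = "whois.verisign-grs.com", "whois.crsnic.net"
            ".org"    = "whois.pir.org", "whois.publicinterestregistry.net"
            ".info"   = "whois.afilias.info", "whois.afilias.net"
            ".biz"    = "whois.neulevel.biz"
            ".us"     = "whois.nic.us"
            ".uk"     = "whois.nic.uk"
            ".ca"     = "whois.cira.ca"
            ".tel"    = "whois.nic.tel"
            ".ie"     = "whois.iedr.ie", "whois.domainregistry.ie"
            ".it"     = "whois.nic.it"
            ".li"     = "whois.nic.li"
            ".no"     = "whois.norid.no"
            ".cc"     = "whois.nic.cc"
            ".eu"     = "whois.eu"
            ".nu"     = "whois.nic.nu"
            ".au"     = "whois.aunic.net", "whois.ausregistry.net.au"
            ".de"     = "whois.denic.de"
            ".ws"     = "whois.worldsite.ws", "whois.nic.ws", "www.nic.ws"
            ".sc"     = "whois2.afilias-grs.net"
            ".mobi"   = "whois.dotmobiregistry.net"
            ".pro"    = "whois.registrypro.pro", "whois.registry.pro"
            ".edu"    = "whois.educause.net", "whois.crsnic.net"
            ".tv"     = "whois.nic.tv", "tvwhois.verisign-grs.com"
            ".travel" = "whois.nic.travel"
            ".name"   = "whois.nic.name"
            ".in"     = "whois.inregistry.net", "whois.registry.in"
            ".me"     = "whois.nic.me", "whois.meregistry.net"
            ".at"     = "whois.nic.at"
            ".be"     = "whois.dns.be"
            ".cn"     = "whois.cnnic.cn", "whois.cnnic.net.cn"
            ".edu.cn" = "whois.edu.cn"
            ".asia"   = "whois.nic.asia"
            ".ru"     = "whois.ripn.ru", "whois.ripn.net"
            ".ro"     = "whois.rotld.ro"
            ".aero"   = "whois.aero"
            ".fr"     = "whois.nic.fr"
            ".se"     = "whois.iis.se", "whois.nic-se.se", "whois.nic.se"
            ".nl"     = "whois.sidn.nl", "whois.domain-registry.nl"
            ".nz"     = "whois.srs.net.nz", "whois.domainz.net.nz"
            ".mx"     = "whois.nic.mx"
            ".tw"     = "whois.apnic.net", "whois.twnic.net.tw"
            ".ch"     = "whois.nic.ch"
            ".hk"     = "whois.hknic.net.hk"
            ".ac"     = "whois.nic.ac"
            ".ae"     = "whois.nic.ae"
            ".af"     = "whois.nic.af"
            ".ag"     = "whois.nic.ag"
            ".al"     = "whois.ripe.net"
            ".am"     = "whois.amnic.net"
            ".as"     = "whois.nic.as"
            ".az"     = "whois.ripe.net"
            ".ba"     = "whois.ripe.net"
            ".bg"     = "whois.register.bg"
            ".bi"     = "whois.nic.bi"
            ".bj"     = "www.nic.bj"
            ".br"     = "whois.nic.br"
            ".br.com" = "whois.centralnic.net"
            ".eu.org" = "whois.eu.org"
            ".bt"     = "whois.netnames.net"
            ".by"     = "whois.ripe.net"
            ".bz"     = "whois.belizenic.bz"
            ".cd"     = "whois.nic.cd"
            ".ck"     = "whois.nic.ck"
            ".cl"     = "nic.cl"
            ".coop"   = "whois.nic.coop"
            ".cx"     = "whois.nic.cx"
            ".cy"     = "whois.ripe.net"
            ".cz"     = "whois.nic.cz"
            ".dk"     = "whois.dk-hostmaster.dk"
            ".dm"     = "whois.nic.cx"
            ".dz"     = "whois.ripe.net"
            ".ee"     = "whois.eenet.ee"
            ".eg"     = "whois.ripe.net"
            ".es"     = "whois.ripe.net"
            ".fi"     = "whois.ficora.fi"
            ".fo"     = "whois.ripe.net"
            ".gb"     = "whois.ripe.net"
            ".ge"     = "whois.ripe.net"
            ".gl"     = "whois.ripe.net"
            ".gm"     = "whois.ripe.net"
            ".gov"    = "whois.nic.gov"
            ".gr"     = "whois.ripe.net"
            ".gs"     = "whois.adamsnames.tc"
            ".hm"     = "whois.registry.hm"
            ".hn"     = "whois2.afilias-grs.net"
            ".hr"     = "whois.ripe.net"
            ".hu"     = "whois.ripe.net"
            ".il"     = "whois.isoc.org.il"
            ".int"    = "whois.isi.edu"
            ".iq"     = "vrx.net"
            ".ir"     = "whois.nic.ir"
            ".is"     = "whois.isnic.is"
            ".je"     = "whois.je"
            ".jp"     = "whois.jprs.jp"
            ".kg"     = "whois.domain.kg"
            ".kr"     = "whois.nic.or.kr"
            ".la"     = "whois2.afilias-grs.net"
            ".lt"     = "whois.domreg.lt"
            ".lu"     = "whois.restena.lu"
            ".lv"     = "whois.nic.lv"
            ".ly"     = "whois.lydomains.com"
            ".ma"     = "whois.iam.net.ma"
            ".mc"     = "whois.ripe.net"
            ".md"     = "whois.nic.md"
            ".mil"    = "whois.nic.mil"
            ".mk"     = "whois.ripe.net"
            ".ms"     = "whois.nic.ms"
            ".mt"     = "whois.ripe.net"
            ".mu"     = "whois.nic.mu"
            ".my"     = "whois.mynic.net.my"
            ".nf"     = "whois.nic.cx"
            ".pl"     = "whois.dns.pl"
            ".pr"     = "whois.nic.pr"
            ".pt"     = "whois.dns.pt"
            ".sa"     = "saudinic.net.sa"
            ".sb"     = "whois.nic.net.sb"
            ".sg"     = "whois.nic.net.sg"
            ".sh"     = "whois.nic.sh"
            ".si"     = "whois.arnes.si"
            ".sk"     = "whois.sk-nic.sk"
            ".sm"     = "whois.ripe.net"
            ".st"     = "whois.nic.st"
            ".su"     = "whois.ripn.net"
            ".tc"     = "whois.adamsnames.tc"
            ".tf"     = "whois.nic.tf"
            ".th"     = "whois.thnic.net"
            ".tj"     = "whois.nic.tj"
            ".tk"     = "whois.nic.tk"
            ".tl"     = "whois.domains.tl"
            ".tm"     = "whois.nic.tm"
            ".tn"     = "whois.ripe.net"
            ".to"     = "whois.tonic.to"
            ".tp"     = "whois.domains.tl"
            ".tr"     = "whois.nic.tr"
            ".ua"     = "whois.ripe.net"
            ".uy"     = "nic.uy"
            ".uz"     = "whois.cctld.uz"
            ".va"     = "whois.ripe.net"
            ".vc"     = "whois2.afilias-grs.net"
            ".ve"     = "whois.nic.ve"
            ".vg"     = "whois.adamsnames.tc"
            ".yu"     = "whois.ripe.net"
        }

        $savedEap = $ErrorActionPreference
        $ErrorActionPreference = 'Stop'
        try {
            $Query = $Query.Trim()
            if (-not $Query) {
                throw 'get-whois: a query (domain name or "n <ip>") is required.'
            }

            if ($Query -match '(?:\d{1,3}\.){3}\d{1,3}') {
                Write-Verbose 'ip lookup!'
                # ARIN expects the "n" (network) keyword in front of a bare address.
                if ($Query -notmatch ' ') { $Query = "n $Query" }
                if (-not $Server) { $Server = 'whois.arin.net' }
            } elseif (-not $Server) {
                # Prefer the most specific suffix (".edu.cn" over ".cn", ".br.com" over ".com");
                # picking randomly across every matching suffix sent such names to the wrong registry.
                $suffix = $tlds.Keys |
                    Where-Object { $Query -like ('*' + $_) } |
                    Sort-Object -Property Length -Descending |
                    Select-Object -First 1
                if ($suffix) {
                    $Server = $tlds[$suffix] | Get-Random
                }
            }
            if (-not $Server) { $Server = 'whois.arin.net' }

            # Hop limit for following "Whois Server:" referrals.
            $maxRequery = 3
            $cachedResult = $null
            $cachedServer = $null
            $result = $null

            do {
                Write-Verbose "connecting to $Server"
                $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $Server, 43
                $stream = $null
                $reader = $null
                try {
                    # ReadToEnd() returns only when the server closes the connection; without a
                    # receive timeout a server that keeps the socket open would hang the call.
                    $client.ReceiveTimeout = 30000
                    $stream = $client.GetStream()

                    Write-Verbose "sending query: $Query"
                    $data = [System.Text.Encoding]::ASCII.GetBytes($Query + "`r`n")
                    $stream.Write($data, 0, $data.Length)

                    Write-Verbose 'reading response:'
                    $reader = New-Object System.IO.StreamReader -ArgumentList $stream, ([System.Text.Encoding]::ASCII)
                    $result = $reader.ReadToEnd()

                    $followReferral = $false
                    # "(\S+)" - a non-space run - is the server name; the page's "(\s+)" captured
                    # whitespace, so every forwarded lookup then tried to connect to a blank host.
                    if ($result -match 'whois server:\s*(\S+)') {
                        $referral = $Matches[1]
                        # Report the server the response points to, not the one just queried.
                        Write-Warning "recommended whois server: ${referral}"
                        if ($NoForward) {
                            # Caller asked for the partial result only.
                        } elseif ($referral -notmatch '^[A-Za-z0-9.-]+$') {
                            # The referral is data from the remote response; only plain host names are followed.
                            Write-Warning "not following referral that is not a host name: ${referral}"
                        } else {
                            Write-Verbose "non-authoritative results:`n${result}"
                            # Cache the first answer in case the forwarder gives nothing useful.
                            if (-not $cachedResult) {
                                $cachedResult = $result
                                $cachedServer = $Server
                            }
                            $Server = $referral
                            # Drop any leading keyword (e.g. "n") before asking the registrar.
                            $Query = ($Query -split ' ')[-1]
                            $followReferral = $true
                        }
                    }
                    if ($followReferral) { $maxRequery-- } else { $maxRequery = 0 }
                } finally {
                    # Release the reader, the stream and the socket even when the read throws.
                    if ($reader) { $reader.Dispose() }
                    if ($stream) { $stream.Dispose() }
                    $client.Close()
                }
            } while ($maxRequery -gt 0)

            $result
            # A referral that answered with almost nothing: fall back to the cached first answer.
            if ($cachedResult -and ($result -split "`n").Count -lt 5) {
                Write-Warning "original result from ${cachedServer}:"
                $cachedResult
            }
        } finally {
            $ErrorActionPreference = $savedEap
        }
    }
}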
函数里定义了三个参数,两个[string]类型,一个[switch]类型,分别用于接收要进行whois查询的域名,指定whois服务器,以及是否禁止将查询请求转发到响应中推荐的其他whois服务器。随后创建了一个哈希表,目的是用于存储不同域名后缀和whois服务器的对应关系,因为不同的域名后缀对应的域名信息是存储在不同的服务器上的。需要强调的是像.com、.net、.org、.info这几个注册量特别大的域名后缀指定了多个whois服务器,避免查询量过大无法有效返回结果的问题。
接下来通过new-object创建一个system.net.sockets.tcpclient的tcp对象,连接上面指定的whois服务器的43端口用于查询whois信息,再通过一个system.io.streamreader对象接收whois服务器返回的数据,并对数据进行解析。除此之外再加上try{}finally{}进行容错处理,保证出错时连接也能被关闭;在数据解析时也用到了正则表达式用于匹配目标字符串。
程序的运行方法有如下四种:
get-whois dnspod.com
先看看dnspod在被腾讯收购后有没有更改whois信息,貌似鹅厂没有改过
get-whois jd.com -noforward
get-whois n 128.11.5.98 -server whois.arin.net