Years ago I was reading through the whois information for an IP and started to wonder what all the fields were that I couldn’t recognise. The whois data for an IP is very different from what you might be used to for a domain, and it is handled by a different type of organisation. But first, check out part of my current IP’s whois data.

```
inetnum:        93.192.0.0 - 93.223.255.255
netname:        DTAG-DIAL25
descr:          Deutsche Telekom AG
org:            ORG-DTAG1-RIPE
country:        DE
admin-c:        DTIP
tech-c:         DTST
status:         ASSIGNED PA
mnt-by:         DTAG-NIC
created:        2008-02-14T08:46:03Z
last-modified:  2014-06-18T06:29:34Z
source:         RIPE
```

Because I’m in Europe, this information is supplied by RIPE NCC, the ‘Regional Internet Registry’ for the region (see the last line, source: RIPE). If you’re not familiar with them, here is Wikipedia’s definition.

The Réseaux IP Européens Network Coordination Centre (RIPE NCC) is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia. It is headquartered in Amsterdam. An RIR oversees the allocation and registration of Internet number resources (IPv4 addresses, IPv6 addresses and autonomous system numbers) in a specific region. ... The Internet Assigned Numbers Authority (IANA) delegates Internet resources to the RIRs who, in turn, follow their regional policies to delegate resources to their customers, which include Internet service providers and end-user organizations.

Cool.

You can tell from my whois data that I’m with Deutsche Telekom and that their assigned IP range is maintained by (mnt-by) DTAG-NIC. We can find more info about this mnt-by object by querying the RIPE database for it directly:

```
# whois -h whois.ripe.net DTAG-NIC
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to 'DTAG-NIC'

mntner:         DTAG-NIC
descr:          Deutsche Telekom Internet Services NIC
admin-c:        DTAG1-RIPE
tech-c:         DTAG1-RIPE
auth:           MD5-PW # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           MD5-PW # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
mnt-by:         DTAG-NIC
created:        2001-10-25T13:35:49Z
last-modified:  2017-03-08T12:11:49Z
source:         RIPE # Filtered

role:           DTAG Internet Routing Registry
address:        Deutsche Telekom Technischer Service GmbH Zentraler Service Ammerlaender Heerstrasse 138 DE 26129 Oldenburg Germany
admin-c:        HI56-RIPE
admin-c:        ES4155-RIPE
admin-c:        VZ56-RIPE
tech-c:         HI56-RIPE
tech-c:         ES4155-RIPE
tech-c:         VZ56-RIPE
nic-hdl:        DTAG1-RIPE
mnt-by:         DTAG-RR
created:        2008-11-03T12:08:34Z
last-modified:  2009-02-20T09:04:06Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.89.2 (HEREFORD)
```

I hope that, like me, you were immediately drawn to the ‘auth’ fields. As the name implies, this field holds the authentication information that controls who may update this object in the RIPE database. RIPE supports a couple of different auth types, such as Single Sign On (SSO), public key cryptography, and of course MD5 password hashes.

Now the fields are filtered, but this is a reasonably recent change. Prior to July 2015 the hashed passwords were shown to anyone who whois’d a maintainer object that used MD5 passwords, which was nearly all of them in my experience.
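As an added example (not code from the original post), here is a small RPSL parser that walks filtered whois output like the one above and reports which maintainer objects still carry an MD5-PW auth entry, the scheme a defender would want to retire in favour of SSO or keys; the sample output and maintainer names are constructed.

```python
"""Audit RPSL maintainer (mntner) objects for password-based auth."""
from collections import Counter
# Constructed sample modelled on RIPE's filtered whois output (not a real
# query result): one mntner mixing MD5-PW and SSO, one using SSO only.
SAMPLE = """\
% This is the RIPE Database query service.
% Note: this output has been filtered.

mntner:         EXAMPLE-MNT
auth:           MD5-PW # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
source:         RIPE # Filtered

mntner:         OTHER-MNT
auth:           SSO # Filtered
source:         RIPE # Filtered
"""

def parse_objects(text):
    """Split whois output into RPSL objects, each a list of (attr, value)."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):          # server comment, not object data
            continue
        if not line.strip():              # blank line ends the current object
            if current:
                objects.append(current)
                current = []
            continue
        attr, _, value = line.partition(":")
        # Drop the trailing "# Filtered" marker the server appends.
        current.append((attr.strip(), value.split("#", 1)[0].strip()))
    if current:
        objects.append(current)
    return objects

def audit_maintainers(text):
    """Map each mntner name to a Counter of its auth schemes. The scheme is
    the first token, so an unfiltered 'MD5-PW $1$...' still counts as MD5-PW."""
    report = {}
    for obj in parse_objects(text):
        if obj and obj[0][0] == "mntner":
            report[obj[0][1]] = Counter(v.split()[0] for a, v in obj if a == "auth")
    return report

def password_maintainers(text):
    """Maintainers still carrying MD5-PW, i.e. a secret that can be cracked."""
    return sorted(n for n, c in audit_maintainers(text).items() if c["MD5-PW"])
```

Feeding it the real `whois -h whois.ripe.net <MNT>` output for your own maintainers gives a quick inventory of where password auth is still enabled.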

Naturally I pulled down all the hashes I could and started cracking them. I stopped pretty quickly because it had immediately cracked a fair few of them - the passwords were the name of the MNT or a variation of that, or the organisation’s name. There were also a few superhero passwords (superman, batman, spiderman, all lower case).

But in today’s super secure world we’d never just give out the password hashes like that, right?