Whois Plugin

phil_pearce · February 10, 2021, 9:40am

Hi,

I added the whois plugin into a workflow and tested with the following:

rapid7/WHOIS:3.0.1. Step name: domain
Getting whois information for [“bbc.co.uk”]
Error occurred: Unknown TLD: uk"]

Is there a way to sort this?

joey_mcadams · February 10, 2021, 2:20pm

Yes. This usually comes down to the firewall blocking the whois calls. If you ssh into your orcha and try a whois call does it work?

EDIT: You may have to install it. You can follow the directions here:

phil_pearce · February 10, 2021, 2:40pm

whois www.bbc.co.uk
This domain cannot be registered because it contravenes the Nominet UK naming rules.
The reason is: the domain name contains too many parts.

Are you sure the plugin can handle .co.uk domains?

tyler_terenzoni · February 10, 2021, 2:57pm

@phil_pearce from your first post, it looks like you are passing input to the plugin as an array rather than the string it is expecting. You may need to loop over your array and do the lookup in the loop.

When I pass the same domain in as a string, I get results on my end.

phil_pearce · February 10, 2021, 3:03pm

Hi,
yeah its in the loop, in the WHOis domain field, Im adding {{[“URL_Loop”].[$item]}}

I think its my extraction of the domain using extractit

tyler_terenzoni · February 10, 2021, 3:15pm

Ahh that might make sense, is this a Slack or Teams triggered workflow or something else?

phil_pearce · February 10, 2021, 3:22pm

Slack trigger

tyler_terenzoni · February 10, 2021, 3:28pm

The good news is you should not need an extractit step here.

After your Slack trigger, you can loop over {{[“Slack Trigger”].[message].[indicators].[domains]}} and then just pass your {{[“Loop Step”].[$item]}} right as input to WHOIS.

phil_pearce · February 10, 2021, 3:43pm

Literally just tried that and it errored, probably going to be parent domain?

[“Slack_Trigger”].[message].[indicators].[domains]

Input: domain:[“www.bbc.co.uk”]

Initial Message: {"$step_id":"4d20f226-c7f2-4ff3-afd3-4a932718c676","channel_id":"CFR1P2MAL","timestamp":"1612971643.011200"}
message text: <@U01A1QN37NF> url [http://www.bbc.co.uk|www.bbc.co.uk](http://www.bbc.co.uk%7Cwww.bbc.co.uk/)
indicators: {"domains":["www.bbc.co.uk"],"email_addresses":[],"hashes":{"md5_hashes":[],"sha1_hashes":[],"sha256_hashes":[]},"ip_addresses":{"ipv4_addresses":[],"ipv6_addresses":[]},"mac_addresses":[],"parent_domains":["bbc.co.uk"],"urls":["http://www.bbc.co.uk"]}

Still didnt work with parent domain, using the whois and using the cloud orchestrator

tyler_terenzoni · February 10, 2021, 3:56pm

If your input still has the [""] around it then it means that it is still an array being passed in so it will continue to fail.

Your loop input should look like this Screen Shot 2021-02-10 at 10.54.10 AM

and your WHOIS step should look like this
Screen Shot 2021-02-10 at 10.54.41 AM