Years ago I was reading through the whois information for an IP and started to wonder what all the fields where that I couldn’t recognise. The whois data for an IP is very different than what you might be used to for a domain and is handled by a different type of organisation. But first, check out part my current IP’s whois data.

inetnum: -
netname:        DTAG-DIAL25
descr:          Deutsche Telekom AG
org:            ORG-DTAG1-RIPE
country:        DE
admin-c:        DTIP
tech-c:         DTST
status:         ASSIGNED PA
mnt-by:         DTAG-NIC
created:        2008-02-14T08:46:03Z
last-modified:  2014-06-18T06:29:34Z
source:         RIPE

Because I’m in Europe this information is supplied by RIPE NNC, the ‘Regional Internet Registry’ (see the last line, source: RIPE). If you’re not familiar with them, here is wikipedias definition.

The Réseaux IP Européens Network Coordination Centre (RIPE NCC) is the Regional Internet Registry (RIR) for Europe, the Middle East and parts of Central Asia. It is headquartered in Amsterdam.

An RIR oversees the allocation and registration of Internet number resources  (IPv4 addresses, IPv6 addresses and autonomous system numbers) in a specific region.


The Internet Assigned Numbers Authority (IANA) delegates Internet resources to the RIRs who, in turn, follow their regional policies to delegate resources to their customers, which include Internet service providers and end-user organizations


You can tell from my whois data that I’m with Detusche Telekom and their assigned IP range is maintained by (mnt-by) DTAG-NIC. We can find more info about this mnt-by object

# whois -h DTAG-NIC
% This is the RIPE Database query service.
% The objects are in RPSL format.
% The RIPE Database is subject to Terms and Conditions.
% See

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to 'DTAG-NIC'

mntner:         DTAG-NIC
descr:          Deutsche Telekom Internet Services NIC
admin-c:        DTAG1-RIPE
tech-c:         DTAG1-RIPE
auth:           MD5-PW # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           MD5-PW # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
auth:           SSO # Filtered
mnt-by:         DTAG-NIC
created:        2001-10-25T13:35:49Z
last-modified:  2017-03-08T12:11:49Z
source:         RIPE # Filtered

role:           DTAG Internet Routing Registry
address:        Deutsche Telekom Technischer Service GmbH
                Zentraler Service
                Ammerlaender Heerstrasse 138
                DE 26129 Oldenburg
admin-c:        HI56-RIPE
admin-c:        ES4155-RIPE
admin-c:        VZ56-RIPE
tech-c:         HI56-RIPE
tech-c:         ES4155-RIPE
tech-c:         VZ56-RIPE
nic-hdl:        DTAG1-RIPE
mnt-by:         DTAG-RR
created:        2008-11-03T12:08:34Z
last-modified:  2009-02-20T09:04:06Z
source:         RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.89.2 (HEREFORD)

I hope like me you were immediately drawn to the ‘auth’ fields. As the name implies this field contains authentication information for controlling this object in the RIPE database. RIPE supports a couple of different auth types like Single Sign On (SSO), public key cryptography, and of course md5.

Now the fields are filtered but this is a reasonably recent change. Prior to July 2015 the hashed passwords were shown to anyone who whois’d the maintainer object and used md5 passwords. Which was nearly all of them in my experience.

Naturally I pulled down all the hashes I could and started cracking them. I stopped pretty quickly because it had immediately cracked a fair few of them - the passwords were the name of the MNT or a variation of that or the organisations name. There was also a few superhero passwords (superman, batman, spiderman, all lower case).

But in todays super secure world we’d never just give out the password hashes like that right?

Mntner:         DTAG-NIC
Descr:          Deutsche Telekom Internet Services NIC
Admin-c:        KK281-RIPE
Tech-c:         HI56-RIPE
Auth:           MD5-PW $1$KQ3NSRfS$/bcvLAz2BKyf5HF4VkPMh/
Mnt-by:         DTAG-NIC
Referral-by:    RIPE-DBM-MNT