From b6c26f1d184237aa11070f0de822af27dc07ea27 Mon Sep 17 00:00:00 2001
From: Carlos Perez
Date: Sun, 19 May 2013 11:36:52 -0400
Subject: [PATCH] Improved parsing of Whois Records for ARIN, RIPE and APNIC. Added missing file save messages.
---
 dnsrecon.py | 20 ++++++++++++++++----
 lib/whois.py | 9 ++++++++-
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/dnsrecon.py b/dnsrecon.py
index 0556f002..96386610 100755
--- a/dnsrecon.py
+++ b/dnsrecon.py
@@ -578,10 +578,22 @@ def get_whois_nets_iplist(ip_list):
 # If we get a Whois server Process get the whois and process.
 if whois_server:
 whois_data = whois(ip, whois_server)
- net = get_whois_nets(whois_data)
- if net:
- org = get_whois_orgname(whois_data)
- found_nets.append({'start': net[0][0], 'end': net[0][1], 'orgname': "".join(org)})
+ arin_style = re.search('NetRange', whois_data)
+ ripe_apic_style = re.search('netname', whois_data)
+ if (arin_style or ripe_apic_style):
+ net = get_whois_nets(whois_data)
+ if net:
+ for network in net:
+ org = get_whois_orgname(whois_data)
+ found_nets.append({'start': network[0], 'end': network[1], 'orgname': "".join(org)})
+ else:
+ for line in whois_data.splitlines():
+ recordentrie = re.match('^(.*)\s\S*-\w*\s\S*\s(\S*\s-\s\S*)', line)
+ if recordentrie:
+ org = recordentrie.group(1)
+ net = get_whois_nets(recordentrie.group(2))
+ for network in net:
+ found_nets.append({'start': network[0], 'end': network[1], 'orgname': "".join(org)})
 #Remove Duplicates
 return [seen.setdefault(idfun(e), e) for e in found_nets if idfun(e) not in seen]
diff --git a/lib/whois.py b/lib/whois.py
index 07252bd5..e60fc3b3 100644
--- a/lib/whois.py
+++ b/lib/whois.py
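Review bot: In `get_whois_nets_iplist` (dnsrecon.py), every range in `net` on the ARIN/RIPE path receives the same organisation string, because `get_whois_orgname(whois_data)` searches the whole response and `"".join(org)` glues all matches together without a separator; a response carrying several records would attribute every range to one run-together name. Resolving the name once before the loop and taking a single value, e.g. `org = get_whois_orgname(whois_data)[0]`, keeps the attribution readable (the helper always returns at least `"Not Found"`). In the fallback branch the `re.match` pattern runs on text supplied by the remote whois server, so it should be written as a raw string (`r'...'`) and the captured `group(1)` treated as untrusted wherever it is later written to output. The function starts and ends outside the hunk and indentation is not recoverable on this page, so the pairing of the `else` with the style check is inferred.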
@@ -54,7 +54,10 @@ def whois(target, whois_srv):
 try:
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((whois_srv, WHOIS_PORT_NUMBER))
- s.send(("n " + target + "\r\n").encode("utf-8"))
+ if whois_srv == "whois.arin.net":
+ s.send(("n " + target + "\r\n").encode("utf-8"))
+ else:
+ s.send((target + "\r\n").encode("utf-8"))
 response = ''
 while True:
 d = s.recv(WHOIS_RECEIVE_BUFFER_SIZE)
@@ -84,6 +87,10 @@ def get_whois_nets(data):
 def get_whois_orgname(data):
 org_pattern = "OrgName\:\s*(.*)\n"
 result = re.findall(org_pattern, data)
+ # Lets try RIPENET Format
+ if not result :
+ org_pattern = "netname\:\s*(.*)\n"
+ result = re.findall(org_pattern, data)
 if not result:
 result.append("Not Found")
 return result
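Review bot: In `whois()`, both new branches write the query with `s.send(...)` and ignore its return value, so a partial write would go unnoticed; `s.sendall((target + "\r\n").encode("utf-8"))` is the safer call. The server test `whois_srv == "whois.arin.net"` is an exact, case-sensitive match, so a value in different case or with a trailing dot would silently take the plain-query branch; comparing `whois_srv.lower().rstrip(".")` avoids that. `target` is concatenated straight into the protocol line, so it is worth confirming that callers pass only validated IP addresses. The body of `whois()` continues outside the hunk.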
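Review bot: In `get_whois_orgname`, the new `netname` fallback keeps whatever `(.*)` captures up to `\n`, so a response with CRLF line endings would leave a trailing `\r` in the name unless `whois()` normalises line endings, which this page does not show. The text comes straight from the remote whois server, so stripping each value, e.g. `result = [r.strip() for r in re.findall(org_pattern, data)]`, makes what is stored and later joined by the caller predictable. The pattern is also better written as a raw string without the redundant `\:` escape, `org_pattern = r"netname:\s*(.*)\n"`. A one-line docstring stating that the function returns a list of names, or `["Not Found"]`, would help callers.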