dnstwist v20200521 releases: Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
See what sort of trouble users can get in trying to type your domain name. Find similar-looking domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud, and corporate espionage. Useful as an additional source of targeted threat intelligence.
The idea is quite straightforward: dnstwist takes in your domain name as a seed, generates a list of potential phishing domains and then checks to see if they are registered. Additionally, it can test whether the mail server from the MX record can be used to intercept misdirected corporate e-mails, and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.
- A wide range of efficient domain fuzzing algorithms
- Unicode domain names (IDN)
- Multithreaded job distribution
- Queries A, AAAA, NS and MX records
- Evaluates web page similarity with fuzzy hashes to find live phishing sites
- Tests if MX host (mail server) can be used to intercept misdirected e-mails
- Additional domain variants using dictionary files
- GeoIP location information
- Grabs HTTP and SMTP service banners
- WHOIS lookups for creation and modification date
- Output in CSV and JSON format
Ubuntu Linux is the primary development platform. If running Ubuntu 15.04 or newer, you can install dependencies like this:
Alternatively, you can use Python tooling. This can be done within a virtual environment to avoid conflicts with other installations. However, you will still need a couple of libraries installed at the system level.
If you’re on a Mac, you can install dnstwist via Homebrew like so:
This installs dnstwist.py under the name dnstwist, along with all the requirements mentioned above. The usage is the same; you just omit the file extension, and the binary will be added to PATH.
If you use Docker, you can pull an official image from Docker Hub and run it:
How to use
To start, it’s a good idea to enter only the domain name as an argument. The tool will run it through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS, and MX.
The generated list of domains usually has more than a hundred rows, especially for longer domain names. In such cases, it may be practical to display only the registered (resolvable) ones using the --registered argument.
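To make the seed-to-candidates step and the effect of --registered concrete, here is an added sketch that is not dnstwist's own code: a few simplified fuzzers for watching your own domain, followed by a filter that keeps only resolving names. The function names, the partial keyboard map and the stand-in zone are assumptions made for this example, and the seed is assumed to be a single label plus TLD.

```python
import socket

# Partial QWERTY adjacency map, constructed for this example only.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "e": "wrd", "i": "uok", "l": "kop", "m": "nk",
    "o": "ipl", "p": "ol", "x": "zsc",
}

def permutations(domain):
    """Return {candidate_domain: fuzzer_name} for a seed such as 'example.com'."""
    name, _, tld = domain.partition(".")
    out = {}

    def add(label, fuzzer):
        # Skip the seed itself, empty labels and labels with a leading/trailing hyphen.
        if label and label != name and label == label.strip("-"):
            out.setdefault(f"{label}.{tld}", fuzzer)  # first fuzzer to hit wins

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")
        add(name[:i] + ch + name[i:], "repetition")
        for c in QWERTY_NEIGHBOURS.get(ch, ""):
            add(name[:i] + c + name[i + 1:], "replacement")
        for bit in range(8):  # single bit flips that still yield a hostname character
            c = chr(ord(ch) ^ (1 << bit))
            if c.isascii() and (c.islower() or c.isdigit() or c == "-"):
                add(name[:i] + c + name[i + 1:], "bitsquatting")
    for i in range(len(name) - 1):
        add(name[:i] + name[i + 1] + name[i] + name[i + 2:], "transposition")
    return out

def dns_resolves(host):
    """Default registration check: does the name resolve? (needs network access)"""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def registered_only(candidates, resolves=dns_resolves):
    """Keep only candidates that resolve, mirroring what --registered displays."""
    return {d: f for d, f in candidates.items() if resolves(d)}

if __name__ == "__main__":
    cands = permutations("example.com")
    # Constructed stand-in for DNS so the demo runs offline.
    fake_zone = {"exmaple.com", "examplle.com"}
    print(len(cands), "candidates generated")
    print(registered_only(cands, fake_zone.__contains__))
```
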
Manually checking whether each domain name serves a phishing site can be time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with the --ssdeep argument. For each generated domain, dnstwist will fetch content from the responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage. Please keep in mind that it's rather unlikely to get a 100% match for a dynamically generated web page, but each notification should be inspected carefully regardless of the percentage level.