Forum Thread: DNSTwist - Search for Potential Domains for Phishing by Mohamed

DNSTwist generates domain names similar to the one we enter, then checks whether they are registered, and optionally looks for similarities in the HTML content by fuzzy-hashing each page and comparing the hashes. In addition, it can check whether the mail servers of those domains are misconfigured in a way that would allow interception of misdirected mail.

As the length of the domain grows, the number of variants generated by the algorithms increases considerably, and with it the number of DNS queries needed to verify them. For example, to check all variants of google.com you would have to send more than 300k queries. For facebook.com the number rises to more than 5 million. This translates into a lot of resources and time; for longer domains, checking all options is not feasible. For this reason the tool generates and checks only domains very close to the original, i.e. with a Levenshtein distance of at most 2. In theory these are the most attractive domains from the attacker's point of view, but keep in mind that an attacker's imagination is unlimited.
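As an added illustration of that distance bound (example code written for this post, not dnstwist's own implementation, which has many more fuzzers), the following Python generates four of the candidate classes dnstwist uses and confirms every candidate stays within two edits of the original. The helper names are hypothetical.

```python
# Added example, not dnstwist's code. Generates a few classes of lookalike
# domains and filters them by Levenshtein distance, as the post describes.
import string


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def fuzz(domain: str) -> dict:
    """Return {candidate: fuzzer_name} for four dnstwist-style fuzzers."""
    name, _, tld = domain.partition(".")
    out = {}
    # omission: drop one character
    for i in range(len(name)):
        out.setdefault(f"{name[:i]}{name[i + 1:]}.{tld}", "omission")
    # transposition: swap two adjacent (different) characters
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            s = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            out.setdefault(f"{s}.{tld}", "transposition")
    # repetition: double one character
    for i in range(len(name)):
        out.setdefault(f"{name[:i]}{name[i]}{name[i:]}.{tld}", "repetition")
    # replacement: substitute one character with another letter or digit
    for i, c in enumerate(name):
        for r in string.ascii_lowercase + string.digits:
            if r != c:
                out.setdefault(f"{name[:i]}{r}{name[i + 1:]}.{tld}", "replacement")
    return out


def close_variants(domain: str, max_distance: int = 2) -> dict:
    """Keep only candidates within max_distance edits of the original."""
    return {d: f for d, f in fuzz(domain).items()
            if levenshtein(d, domain) <= max_distance}


if __name__ == "__main__":
    for cand, how in sorted(close_variants("example.com").items()):
        print(f"{cand:16} {how}")
```

Feeding such a list to a resolver (which is what dnstwist does next) is where the query count in the paragraph above comes from.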

  • Characteristics:

1-Wide range of domain fuzzing algorithms
2-Unicode domain names (IDN)
3-Multithreaded job distribution
4-Queries A, AAAA, NS and MX records
5-Evaluates the similarity of web pages with fuzzy hashes (ssdeep algorithm) to find live phishing sites
6-Tests whether the MX host (mail server) can be used to intercept misdirected emails
7-Allows the use of a dictionary
8-Location information with GeoIP
9-WHOIS lookups for creation and modification dates
10-Records HTTP and SMTP service banners
11-Output in CSV and JSON format

Installation:

The tool can be obtained from its GitHub repository: https://github.com/elceef/dnstwist

The tool can be installed on Linux, OSX and Docker. In this tutorial I will show only the installation on Linux systems.

First we have to install the prerequisites, which can be done in two ways. I recommend the first one, since it will not cause compatibility problems with other installed packages:

Code: Bash
  sudo apt-get install python-dnspython python-geoip python-whois python-requests python-ssdeep python-cffi

Code: Bash
  # run from the cloned repository directory, where requirements.txt lives
  sudo apt-get install libgeoip-dev libffi-dev
  BUILD_LIB=1 pip install -r requirements.txt

  • Use:

The simplest use of the tool is to run it with no arguments other than the domain. A list of possible phishing domains will be generated, together with their A, AAAA, NS and MX DNS records.

Code: Bash

  dnstwist.py example.com

Normally this gives a fairly long list, and checking by hand whether each of those domains is registered would be a waste of time; for that we have the --registered option, which shows only the registered domains.

Code: Bash

  dnstwist.py --registered example.com

To make the task even easier, DNSTwist lets you search for active phishing pages using the ssdeep algorithm. ssdeep sequentially divides a file into groups of bytes and calculates a hash over each group; from these a new hash is calculated that represents the file as a whole. For each generated domain, dnstwist fetches the content served by the HTTP server that responds (following any redirects) and compares its fuzzy hash with that of the original (initial) domain. The level of similarity is expressed as a percentage. Note that you are unlikely to get a 100% match for a dynamically generated web page.

Code: Bash

  dnstwist.py --ssdeep example.com
  dnstwist.py --ssdeep example.com/crm/login

Very often attackers set up email honeypots on phishing domains and wait for misaddressed (mistyped) emails to arrive. DNSTwist lets you check whether the MX servers of the generated domains could be used for such interception.

Code: Bash

  dnstwist.py --mxcheck example.com

If we prefer to use our own dictionary instead of the DNSTwist algorithms, we have that option too.

Code: Bash

  dnstwist.py --dictionary dictionaries/english.dict example.com

The tool is integrated with the GeoIP database. Use the --geoip argument to display the geographic location (country name) for each IPv4 address.

Code: Bash

  dnstwist.py --geoip example.com

Apart from the console output, we can export the results in CSV or JSON format.

Code: Bash

  dnstwist.py --csv example.com > out.csv
  dnstwist.py --json example.com > out.json

see u
mr.mohamed ahmed
