How to Easily Generate Hundreds of Phishing Domains

Apr 20, 2018 07:02 PM
Nov 16, 2018 11:23 PM
636598220651239592.jpg

A convincing domain name is critical to the success of any phishing attack. With a single Python script, it's possible to find hundreds of available phishing domains and even identify phishing websites deployed by other hackers for purposes such as stealing user credentials.

Dnstwist, created by @elceef, is a domain name permutation search tool which detects phishing domains, bitsquatting, typosquatting, and fraudulent websites which share similar-looking domain names. Dnstwist takes the given target domain name and generates a list of potential phishing domains. The generated domain names are then queried. If a discovered domain redirects to a web server, Dnstwist will record the domain's IP address.

Like most tools designed for penetration testing, Dnstwist is a double-edged sword. It can be used by attackers to find ideal candidate domains for phishing attacks where they could clone the original website and get users to input their credentials into a fake website, or it can be used by cybersecurity professionals and sysadmins to quickly locate and identify domains created by adversaries and attackers.

Supported Naming Schemes

Dsntwist supports a variety of phishing domain schemes and types which are used to generate a vast selection of potential phishing domains. I'll cover each below before jumping right into the how-to.

1. Addition

Letters are appended to the end of the given domain name. Below is an example of Bank of America, one of the largest banks in the United States. Unlike some of the other options below, a simple addition is easy enough to spot by an end user if he or she just glances at the URL.

636595900495484489.jpg

2. Bitsquatting

Bitsquatting refers to the registration of a domain names 1-bit different from a legitimate domain. Below is an example for Wikipedia, the largest and most popular general reference website on the internet. This is a little trickier on the eyes than the "additions" above since a lot of people read words based on the first and last letter and don't look at every letter individually.

636595900697047313.jpg

3. Homoglyph

Phishing campaigns using homoglyphs are referred to as homograph attacks, even though the alternative characters are referred to as homoglyphs and not homographs. These type of attacks still affect Firefox and most Android devices, and were recently made famous by Xudong Zheng, who created the first homoglyph phishing address for apple.com. Using Facebook as an example, I found there were many homoglyph phishing domains still available for as little as $11.

636595900871421990.jpg

To check the discovered domain name against a domain registrar, copy and paste the domain from the Dnstwist terminal into the registrar's search bar.

636595901050484231.jpg

4. Omission

Letters are simply removed from the domain name. To my surprise, all of the Instagram domain names were listed as available. While someone will probably notice if the first or last letter in the domain name is missing, they might not notice one in the middle gone.

636595901239859716.jpg

5. Subdomain

A period inserted at varying positions in the given domain name. Using Gizmodo as an example, we can see the domains "odo.com" and "zmodo.com" are available. It's just a matter of creating convincing subdomains to make an effective phishing domain. Like "additions," this might be more obvious than the other tricks here.

636595901418296900.jpg

6. Vowel-Swap

Vowels found in the given domain are swapped for different vowels. At a glance, many of these domains will likely fool most victims into clicking on fraudulent links. Again, this works since most people scan words using the first and last letter, not necessarily every letter in the middle. If a replaced vowel is the first or last letter, it probably won't work as well.

636595901591421772.jpg

Now that you know all of the tricks Dnstwist can use to find used and available phishing domains, let's see how to actually use the tool.

Step 1: Set Up Dnstwist

Dnstwist relies on several Python dependencies which can be installed in Kali Linux by typing the below command into a terminal.

apt-get install python-dnspython python-geoip python-whois python-requests python-ssdeep python-cffi

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libfuzzy2 python-certifi python-openssl-python-ply python-pycparser python-simplejson python-urllib3 whois
Suggested packages:
  python-openssl-doc python-openssl-dbg python-ply-doc python-socks python-ntlm
The following NEW packages will be installed:
  libfuzzy2 python-certifi python-cffi python-dnspython python-geoip python-openssl python-ply python-pycparser python-requests python-simplejson python-ssdeep python-urllib3 python-whois whois
0 upgraded, 14 newly installed, 0 to remove and 164 not upgraded
Need to get 778 kB/893 kB of archives
After this operation, 3,842 kB of additional disk space will be used.
Do you want to continue [Y/n] y

Next, clone the Dnstwist GitHub repository.

git clone https://github.com/elceef/dnstwist

Cloning into 'dnstwist'...
remote: Counting objects: 670, done.
remote: Total 670 (delta 0), reused 1 (deltaa 0), pack-reused 669
Receieving objects: 100% (670/670), 3.18 MiB | 89.00 KiB/s, done.
Resolving deltas: 100% (352/352), done.

Finally, use the cd command to change into the newly create "dnstwist" directory and use the command underneath it to view the available options.

cd dnstwist/
./dnstwist.py --help

usage: ./dnstwist.py [OPTION]... DOMAIN

Find similar-looking domain names that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

positional arguments:
  domain                domain name or URL to check

optional arguments:
  -h, --help                  show this help message and exit
  -a, --all                   show all DNS records
  -b, -banners                determine HTTP and SMTP service banners
  -c, --csv                   print output in CSV format
  -d FILE, --dictionary FILE  generate additional domains using dictionary FILE
  -g, --geoip                 perform lookup for GeoIP location
  -j, --json                  print output in JSON format
  -m, --mxcheck               check if MX host can be used to intercept e-mails
  -r, --registered            show only registered domain names
  -s, --ssdeep                fetch web pages and compare their fuzzy hashes to evaluate similarity
  -t NUMBER, --threads NUMBER start specified NUMBER of threads (default: 10)
  -w, --whois                 perform lookup for WHOIS creation/update time (slow)

Step 2: Generate Phishing Domains with Dnstwist

To start generating phishing domains with Dnstwist, use the below command. There are several arguments being utilized in my example command, and in this case, since we're saving the results to a file, we won't see any results on the screen.

./dnstwist.py --ssdeep --json --threads 40 website.com > website.com.json
  • The --ssdeep argument instructs Dnstwist to analyze the HTML found on each domain and compare it to the HTML of the given (real) website. The level of similarity will be expressed as a percentage. However, each website should be inspected manually regardless of the percentage level issued by Dnstwist. These percentages are merely there to aid security professionals in identifying which domains are most likely to be phishing domains.
  • Dnstwist supports two output formats which can be used with other applications. The --json output format was used in my above example but there's also support for CSV outputs which can be enabled using the --cvs argument instead of the JSON format. To save either format to a file, the > filename redirect can be used to write the data to a given filename.
  • By default, Dnstwist will make only 10 requests at a time when enumerating available phishing domains. This number can be increased or decreased using the --threads argument and specifying a value.

If you want to see results on the screen and not write them to a file, you can use the below command, swapping out "facebook.com" with the domain you want. A progress bar will print at the bottom of the Dnstwist terminal. Depending on network speed and number of threads, this can take several minutes to complete.

./dnstwist.py --ssdeep --threads 40 facebook.com
     _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.04b}

Fetching content from: http://facebook.com ... 200 OK (541.4 Kbytes)
Processing 284 domain variants ...22%..42%...63%...88%. 210 hits (73%)

Always Pay Close Attention the Domain Names

As an attacker preparing to perform a phishing campaign during a red team engagement or a sysadmin preparing to defend against such attacks, Dnstwist is a fantastic tool which can be used to enumerate viable domains likely to be used for nefarious purposes. Dnstwist offers several key advantages over similar tools such as the ability to analyze and compare HTML of potential phishing domains, support for different output formats, and a wide variety of generated phishing domains.

If you're just a regular end user visiting a website, pay extra close attention to the URL when you get there. While homoglyphs might be impossible to spot, the rest of these can be easily noticed if you spend more than a glance looking at them.

Hope you enjoyed this article on generating and detecting phishing domains with Dnstwist. Leave questions and comments below or message me on Twitter @tokyoneon_ if you need further explanation on any of this.

Cover image and screenshots by tokyoneon/Null Byte

Comments

No Comments Exist

Be the first, drop a comment!