DNSTWIST(1)                      User Commands                     DNSTWIST(1)

NAME
       dnstwist - domain name permutation engine

SYNOPSIS
       dnstwist [-a|--all] [-b|--banners] [-d|--dictionary FILE]
                [-f|--format FORMAT] [-g|--geoip] [-m|--mxcheck]
                [-r|--registered] [-s|--ssdeep] [-t|--threads NUMBER]
                [-w|--whois] [--nameservers LIST] [--port NUMBER] [--tld FILE]
                [--useragent STRING] DOMAIN

DESCRIPTION
       Find similar-looking domain names that adversaries can use to attack
       you. Detect typosquatters, phishing attacks, fraud and corporate
       espionage. Useful as an additional source of targeted threat
       intelligence.

OPTIONS
       -a, --all
              Show all DNS records.

       -b, --banners
              Determine HTTP and SMTP service banners.

       -d, --dictionary FILE
              Generate additional domains using a dictionary read from FILE.

       -f, --format FORMAT
              Select the output format. Supported values are: cli (default),
              csv, idle, json.

       -g, --geoip
              Perform lookup for GeoIP location.

       -h, --help
              Display a help message and exit.

       -m, --mxcheck
              Check if MX host can be used to intercept e-mails.

       -r, --registered
              Show only registered domain names.

       -s, --ssdeep
              Fetch web pages and compare their fuzzy hashes to evaluate
              similarity.

       -t, --threads NUMBER
              Start specified NUMBER of threads (default: 10).

       -w, --whois
              Perform lookup for WHOIS creation/update time (slow).

       --nameservers LIST
              DNS servers to query (comma-separated LIST).

       --port NUMBER
              DNS server port number (default: 53).

       --tld FILE
              Generate additional domains by swapping TLD as read from FILE.

       --useragent STRING
              User-Agent to send with HTTP requests (default: Mozilla/5.0
              dnstwist/version).

NOTES
       The program will run the provided domain through its fuzzing algorithms
       and generate a list of potential phishing domains with the following
       DNS records: A, AAAA, NS and MX. Usually thousands of domain
       permutations are generated - especially for longer input domains. In
       such cases, it may be practical to display only registered (resolvable)
       ones using --registered argument. Ensure your local DNS server can
       handle thousands of requests within a short period of time. Otherwise,
       you can specify an external DNS server with --nameservers argument.

   Fuzzy hashing
       Manually checking each domain name in terms of serving a phishing site
       might be time-consuming. To address this, dnstwist makes use of so-
       called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing
       is a concept which involves the ability to compare two inputs (in this
       case HTML code) and determine a fundamental level of similarity. This
       unique feature of dnstwist can be enabled with --ssdeep argument. For
       each generated domain, dnstwist will fetch content from responding HTTP
       server (following possible redirects) and compare its fuzzy hash with
       the one for the original (initial) domain. The level of similarity will
       be expressed as a percentage.

       Please keep in mind it's rather unlikely to get 100% match for a
       dynamically generated web page. However, each notification should be
       inspected carefully regardless of the score.
       In some cases, phishing sites are served from a specific URL. If you
       provide a full or partial URL address as an argument, dnstwist will
       parse it and apply it to each generated domain name variant. This is
       of use only together with the fuzzy hashing feature.
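       The following is an added example, not dnstwist's own code (the
       --ssdeep option uses the real ssdeep algorithm; this is a reduced model
       of the same idea): a simplified context-triggered piecewise hash and a
       percentage score, run over two constructed HTML pages, showing why a
       lookalike page that differs in only a few places still scores high
       while an unrelated page scores low. The block size, the signature
       alphabet and the sample pages are assumptions made for the
       demonstration.

```python
# Added example (not dnstwist's own ssdeep-based code): a simplified
# context-triggered piecewise hash (CTPH) and a percentage similarity score.
# The sample pages below are constructed HTML, not real sites.
import hashlib
from difflib import SequenceMatcher

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes of local context that decide where a piece ends


def piecewise_hash(data: bytes, block_size: int = 32) -> str:
    """One signature character per piece. A piece ends wherever a rolling
    value over the last WINDOW bytes hits a trigger, so boundaries depend only
    on local content: editing one spot reshuffles only the pieces around it.
    (Real ssdeep scales block_size with the input length; fixed here.)"""
    signature, start = [], 0
    for i in range(len(data)):
        rolling = sum(data[max(0, i - WINDOW + 1):i + 1])
        if rolling % block_size == block_size - 1:
            signature.append(ALPHABET[hashlib.sha1(data[start:i + 1]).digest()[0] % 64])
            start = i + 1
    if start < len(data):  # trailing piece without a trigger
        signature.append(ALPHABET[hashlib.sha1(data[start:]).digest()[0] % 64])
    return "".join(signature)


def similarity(sig_a: str, sig_b: str) -> int:
    """Edit-distance style similarity of two signatures as a whole percentage."""
    return round(100 * SequenceMatcher(None, sig_a, sig_b).ratio())


def page_similarity(html_a: bytes, html_b: bytes) -> int:
    """Score two fetched pages the way the --ssdeep comparison reports them."""
    return similarity(piecewise_hash(html_a), piecewise_hash(html_b))


# Constructed sample: the "original" sign-in page of a made-up bank.
ORIGINAL = b"""<!DOCTYPE html>
<html><head><title>Example Bank - Sign in to online banking</title>
<link rel="stylesheet" href="/static/main.css"></head>
<body><div class="header"><img src="/static/logo.png" alt="Example Bank"></div>
<nav><a href="/personal">Personal</a> <a href="/business">Business</a>
<a href="/about">About us</a> <a href="/help">Help &amp; support</a></nav>
<main><h1>Sign in</h1>
<form method="post" action="https://login.example-bank.test/session">
<label>Customer number <input name="customer" type="text" autocomplete="off"></label>
<label>Passcode <input name="passcode" type="password"></label>
<button type="submit">Continue</button></form>
<p>Never share your passcode. We will never ask for it by e-mail or phone.</p>
<p>Forgotten your details? <a href="/recover">Recover access</a>.</p></main>
<footer>&copy; Example Bank plc. Registered in Exampleland.
<a href="/privacy">Privacy</a> <a href="/terms">Terms</a> <a href="/security">Security centre</a></footer>
</body></html>
"""

# Constructed lookalike: the same page with two small edits (form target and footer).
CLONE = (ORIGINAL
         .replace(b"login.example-bank.test", b"login.examp1e-bank.test")
         .replace(b"Registered in Exampleland", b"Registered in Examp1eland"))

# Constructed unrelated page served from some other permutation.
UNRELATED = b"""<!DOCTYPE html>
<html><head><title>Riverside Allotment Society</title></head>
<body><h1>Welcome to the Riverside allotments</h1>
<p>We are a group of volunteers who look after forty plots on the east bank.
New members are always welcome; plots are let on a yearly basis and the
waiting list is short at the moment.</p>
<h2>This month</h2>
<ul><li>Seed swap on the first Saturday, 10am in the shed.</li>
<li>Water butts will be emptied before the first frost.</li>
<li>Bring your own tools; the shared wheelbarrows need new tyres.</li></ul>
<h2>Contact</h2>
<p>Write to the secretary via the notice board by the main gate, or leave a
message in the green box. Please do not telephone after 8pm.</p>
<p>Photographs of last year's harvest show are in the gallery.</p>
</body></html>
"""

if __name__ == "__main__":
    print("original vs itself :", page_similarity(ORIGINAL, ORIGINAL))
    print("original vs clone  :", page_similarity(ORIGINAL, CLONE))
    print("original vs unrelated:", page_similarity(ORIGINAL, UNRELATED))
```

       Running the script prints three scores: 100 for the page against
       itself, a high score for the clone, and a low one for the unrelated
       page. As with the real tool, the number is a triage hint, not a
       verdict; a dynamically generated page will rarely score 100 even
       against itself on a second fetch.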


   MX checking
       Very often attackers set up e-mail honey pots on phishing domains and
       wait for mistyped e-mails to arrive. In this scenario, attackers would
       configure their server to vacuum up all e-mail addressed to that
       domain, regardless of the user it was sent towards. Another dnstwist
       feature allows performing a simple test on each mail server (advertised
       through DNS MX record) in order to check which one can be used for such
       hostile intent. Suspicious servers will be marked with the SPYING-MX
       string.

       Please be aware of possible false positives. Some mail servers only
       pretend to accept incorrectly addressed e-mails but then discard those
       messages. This technique is used to prevent "directory harvesting
       attack".
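       As an added example, not dnstwist's own code, the exchange below shows
       the test described here against a toy SMTP server on localhost, so both
       sides of the conversation are visible and it runs offline: the client
       asks RCPT TO for a random mailbox that cannot exist and reads the reply
       code; one server answers 250 to everything (the catch-all behaviour),
       the other 550 for unknown users. Host names, the domain and the mailbox
       are constructed placeholders, and the SPYING-MX label is returned for
       a 250 with the false-positive caveat above in mind.

```python
# Added example (not dnstwist's own code): the RCPT-based catch-all test
# behind the MX check, run against a toy SMTP server on 127.0.0.1.
# All host names, domains and mailboxes are constructed placeholders.
import secrets
import socket
import threading


def serve_fake_mx(catch_all, known=("postmaster",)):
    """Start a one-shot toy MX on 127.0.0.1 and return its port.
    catch_all=True accepts every RCPT (the honeypot behaviour the manual
    describes); otherwise only the listed local parts are accepted."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 mx.example.test ESMTP toy\r\n")
            for raw in rd:
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
                if verb == "RCPT":
                    local = line.partition("<")[2].partition("@")[0]
                    ok = catch_all or local in known
                    conn.sendall(b"250 2.1.5 OK\r\n" if ok else b"550 5.1.1 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                else:  # HELO, MAIL FROM, RSET ...
                    conn.sendall(b"250 OK\r\n")

    threading.Thread(target=handle, daemon=True).start()
    return port


def mx_accepts_any_recipient(host, port, domain, timeout=5.0):
    """Return True if the MX replies 250 to RCPT TO for a random mailbox that
    cannot exist. The session stops before DATA, so no message is delivered."""
    probe = f"{secrets.token_hex(6)}@{domain}"
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rd:
        def step(command):
            if command:
                s.sendall(command + b"\r\n")
            return rd.readline().decode("ascii", "replace").rstrip()

        # greeting, HELO and a null sender must all succeed before the probe means anything
        for cmd, want in ((b"", "220"), (b"HELO probe.invalid", "250"), (b"MAIL FROM:<>", "250")):
            reply = step(cmd)
            if not reply.startswith(want):
                raise RuntimeError(f"unexpected reply to {cmd!r}: {reply}")
        accepted = step(f"RCPT TO:<{probe}>".encode()).startswith("250")
        step(b"QUIT")
    return accepted


def classify_mx(host, port, domain):
    """dnstwist-style label. A 250 only shows the server *accepts* unknown
    recipients; some MTAs accept and silently discard to defeat directory
    harvesting, so SPYING-MX is a lead to inspect, not proof of a honeypot."""
    return "SPYING-MX" if mx_accepts_any_recipient(host, port, domain) else "-"


if __name__ == "__main__":
    for mode in (True, False):
        port = serve_fake_mx(catch_all=mode)
        print(f"catch_all={mode}: {classify_mx('127.0.0.1', port, 'example.test')}")
```

       The random local part is what makes the test meaningful: a 250 for a
       mailbox nobody could have created means the server is accepting mail
       for the whole domain, which is exactly what the caveat above says may
       still be a harmless accept-then-discard policy.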


   Dictionaries
       If domain permutations generated by the fuzzing algorithms are
       insufficient, please use --dictionary option with a file to generate
       more domain variants. If you need to check whether domains with
       different TLDs exist, you can use --tld argument.


   Coverage
       Along with the length of the domain, the number of variants generated
       by the algorithms increases considerably, and therefore the number of
       DNS queries needed to verify them. For example, to check all variants
       for google.com, you would have to send over 300k queries. For the
       domain facebook.com the number increases to over 5 million. It is easy
       to guess it takes a lot of resources and, most importantly, even more
       time. For longer domains, checking all options is simply not feasible.

       For this reason, dnstwist generates and checks domains very close to
       the original one. Theoretically, these are the most attractive domains
       from the attacker's point of view. However, be aware that the
       imagination of the aggressors is unlimited.
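       The following added example (not dnstwist's own code) is a reduced
       permutation engine in the spirit of the Dictionaries and Coverage notes
       above: it shows how a handful of fuzzing algorithms, a TLD list and a
       dictionary each contribute candidates, how the original domain is kept
       out of the result, and how the candidate count grows with the length of
       the name. The homoglyph table, the keyboard map, the algorithm names and
       the sample domains are constructed for the demonstration, and DNS
       resolution is left out so that it runs offline.

```python
# Added example (not dnstwist's own code): a reduced domain-permutation
# engine. The homoglyph table, keyboard map and sample inputs are constructed.
HOMOGLYPHS = {"o": "0", "l": "1i", "i": "1l", "e": "3", "a": "4", "s": "5"}
KEYBOARD = {"g": "fhty", "o": "ipkl", "e": "wrds", "l": "kop"}  # partial QWERTY neighbours
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def split_domain(domain):
    """Split 'name.tld' at the last dot (multi-label suffixes such as co.uk
    are not handled in this demo)."""
    name, _, tld = domain.lower().rpartition(".")
    if not name or not tld:
        raise ValueError("expected a domain of the form name.tld")
    return name, tld


def fuzz(domain, tlds=(), dictionary=()):
    """Return {algorithm: set of candidate domains}. The original domain is
    never a candidate, and an algorithm that only reproduces it yields nothing."""
    name, tld = split_domain(domain)

    def finish(names):
        # re-attach the TLD and drop empty names and the original itself
        return {n + "." + tld for n in names if n and n != name}

    return {
        # drop one character: gogle.com
        "omission": finish(name[:i] + name[i + 1:] for i in range(len(name))),
        # swap two adjacent characters: googel.com
        "transposition": finish(name[:i] + name[i + 1] + name[i] + name[i + 2:]
                                for i in range(len(name) - 1)),
        # double one character: gooogle.com
        "repetition": finish(name[:i] + name[i] + name[i:] for i in range(len(name))),
        # hit a neighbouring key: goofle.com
        "replacement": finish(name[:i] + c + name[i + 1:]
                              for i, ch in enumerate(name) for c in KEYBOARD.get(ch, "")),
        # visually similar character: g0ogle.com
        "homoglyph": finish(name[:i] + g + name[i + 1:]
                            for i, ch in enumerate(name) for g in HOMOGLYPHS.get(ch, "")),
        # one extra trailing letter: googlea.com
        "addition": finish(name + c for c in LETTERS),
        # same name under another TLD (--tld FILE): google.net
        "tld-swap": {name + "." + t for t in tlds if t != tld},
        # dictionary words glued on either side (--dictionary FILE): login-google.com
        "dictionary": finish(v for w in dictionary
                             for v in (w + name, w + "-" + name, name + w, name + "-" + w)),
    }


def permutations(domain, tlds=(), dictionary=()):
    """All candidates across algorithms, de-duplicated and sorted; this is the
    list that would then be resolved (A, AAAA, NS, MX) to keep the registered ones."""
    return sorted(set().union(*fuzz(domain, tlds, dictionary).values()))


if __name__ == "__main__":
    for d in ("abc.com", "abcdefghij.com", "abcdefghijklmnopqrst.com"):
        print(f"{d}: {len(permutations(d))} candidates")
    for algo, cands in fuzz("google.com", tlds=("net", "org"), dictionary=("login",)).items():
        print(f"{algo:13s} {len(cands):3d}  e.g. {sorted(cands)[:3]}")
```

       Even with this handful of algorithms the count rises steadily with the
       length of the name; the real tool applies many more, which is why the
       --registered filter and an external resolver via --nameservers matter
       for long domains.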



2020-02-29                                                         DNSTWIST(1)