DNSTWIST(1) User Commands DNSTWIST(1)

dnstwist - domain name permutation engine

dnstwist [-a|--all] [-b|--banners] [-d|--dictionary FILE]
[-f|--format FORMAT] [-g|--geoip] [-m|--mxcheck]
[-o|--output FILE] [-r|--registered] [-s|--ssdeep]
[--ssdeep-url URL] [-t|--threads NUMBER] [-w|--whois]
[--nameservers LIST] [--tld FILE] [--useragent STRING] DOMAIN

Find similar-looking domain names that adversaries can use to attack you.

Detect typosquatters, phishing attacks, fraud and brand impersonation.

Useful as an additional source of targeted threat intelligence.

-a, --all
       Show all DNS records.

-b, --banners
       Determine HTTP and SMTP service banners.

-d, --dictionary FILE
       Generate additional domains using a dictionary read from FILE.

-f, --format FORMAT
       Select the output format. Supported values are: cli (default),
       csv, list, json.

-g, --geoip
       Perform lookup for GeoIP location.

-h, --help
       Display a help message and exit.

-m, --mxcheck
       Check if MX host can be used to intercept e-mails.

-o, --output FILE
       Save output to FILE.

-r, --registered
       Show only registered domain names.

-s, --ssdeep
       Fetch web pages and compare their fuzzy hashes to evaluate
       similarity.

--ssdeep-url URL
       Override URL to fetch the original web page from.

-t, --threads NUMBER
       Start specified NUMBER of threads (default: 10).

-w, --whois
       Perform lookup for WHOIS creation date.

--nameservers LIST
       DNS servers to query (comma-separated LIST).

--tld FILE
       Generate additional domains by swapping TLD as read from FILE.

--useragent STRING
       User-Agent to send with HTTP requests (default: Mozilla/5.0
       dnstwist).

The program will run the provided domain through its fuzzing algorithms
and generate a list of potential phishing domains with the following
DNS records: A, AAAA, NS and MX. Usually thousands of domain
permutations are generated, especially for longer input domains. In such
cases, it may be practical to display only registered (resolvable) ones
using the --registered argument. Ensure your local DNS server can handle
thousands of requests within a short period of time. Otherwise, you
can specify an external DNS server with the --nameservers argument.

Fuzzy hashing
Manually checking whether each domain name serves a phishing site
might be time-consuming. To address this, dnstwist makes use of
so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy
hashing is a concept which involves the ability to compare two inputs (in
this case HTML code) and determine a fundamental level of similarity.
This unique feature of dnstwist can be enabled with the --ssdeep argument.
For each generated domain, dnstwist will fetch content from the responding
HTTP server (following possible redirects) and compare its fuzzy hash
with the one for the original (initial) domain. The level of similarity
will be expressed as a percentage.

Please keep in mind it's rather unlikely to get a 100% match for a
dynamically generated web page. However, each notification should be
inspected carefully regardless of the score.

In some cases, phishing sites are served from a specific URL. If you
provide a full or partial URL address as an argument, dnstwist will
parse it and apply it to each generated domain name variant. This is
obviously useful only with the fuzzy hashing feature.

MX checking
Very often attackers set up e-mail honey pots on phishing domains and
wait for mistyped e-mails to arrive. In this scenario, attackers would
configure their server to vacuum up all e-mail addressed to that
domain, regardless of the user it was addressed to. Another dnstwist
feature allows performing a simple test on each mail server (advertised
through a DNS MX record) in order to check which one can be used for such
hostile intent. Suspicious servers will be marked with the SPYING-MX
string.

Please be aware of possible false positives. Some mail servers only
pretend to accept incorrectly addressed e-mails but then discard those
messages. This technique is used to prevent "directory harvesting
attacks".

Dictionaries
If the domain permutations generated by the fuzzing algorithms are
insufficient, use the --dictionary option with a file to generate more
domain variants. If you need to check whether domains with different
TLDs exist, you can use the --tld argument.

Coverage
As the length of the domain grows, the number of variants generated
by the algorithms increases considerably, and so does the number of
DNS queries needed to verify them. It's mathematically impossible to
check all domain permutations, especially for longer input domains.

For this reason, dnstwist generates and checks domains very close to
the original one. Theoretically, these are the most attractive domains
from the attacker's point of view. However, be aware that the
imagination of the aggressors is unlimited.
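
The growth described above, as an added example (not dnstwist's code and not its fuzzing algorithms): it counts every valid label within one and two single-character edits of the original, and the DNS queries a monitoring run would need to verify them. The function names, the four edit classes and the one-query-per-record-type cost are assumptions made for illustration; example.com and examplebank.com are constructed inputs.

```python
import string

# Characters permitted in a hostname label (letters, digits, hyphen).
ALPHABET = string.ascii_lowercase + string.digits + "-"
# Record types the page says are looked up for each generated domain.
RECORD_TYPES = ("A", "AAAA", "NS", "MX")

def valid_label(label):
    """True if the label is 1-63 LDH characters with no leading or trailing hyphen."""
    return (0 < len(label) <= 63 and label[0] != "-" and label[-1] != "-"
            and all(c in ALPHABET for c in label))

def edits1(label):
    """Valid labels one single-character edit away from `label`."""
    out = set()
    for i in range(len(label) + 1):
        head, tail = label[:i], label[i:]
        if tail:
            out.add(head + tail[1:])                           # omission
            out.update(head + c + tail[1:] for c in ALPHABET)  # replacement
        if len(tail) > 1:
            out.add(head + tail[1] + tail[0] + tail[2:])       # transposition
        out.update(head + c + tail for c in ALPHABET)          # insertion
    out.discard(label)
    return {l for l in out if valid_label(l)}

def coverage(domain):
    """Count candidates at edit distance 1 and 2 from the first label of `domain`."""
    label = domain.partition(".")[0]
    one = edits1(label)
    two = set()
    for candidate in one:
        two |= edits1(candidate)
    two -= one            # keep only labels that need a second edit
    two.discard(label)
    # Assumption: one DNS query per record type per candidate.
    return {"domain": domain, "label_len": len(label),
            "distance_1": len(one), "distance_2": len(two),
            "queries_d1": len(one) * len(RECORD_TYPES),
            "queries_d2": len(two) * len(RECORD_TYPES)}

if __name__ == "__main__":
    for sample in ("example.com", "examplebank.com"):  # constructed inputs
        print(coverage(sample))
```

Going from one edit to two multiplies the candidate set by roughly two orders of magnitude, which is why verification stays close to the original name and why --dictionary and --tld exist for the cases that fall outside it.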

2020-07-05 DNSTWIST(1)