DNSTWIST(1)                      User Commands                     DNSTWIST(1)

NAME

       dnstwist - domain name permutation engine

SYNOPSIS

       dnstwist [-a|--all] [-b|--banners] [-d|--dictionary FILE]
                [-f|--format FORMAT] [-g|--geoip] [-m|--mxcheck]
                [-o|--output FILE] [-r|--registered] [-s|--ssdeep]
                [--ssdeep-url URL] [-t|--threads NUMBER] [-w|--whois]
                [--nameservers LIST] [--tld FILE] [--useragent STRING] DOMAIN

DESCRIPTION

       Find similar-looking domain names that adversaries can use to attack
       you.

       Detect typosquatters, phishing attacks, fraud and brand impersonation.

       Useful as an additional source of targeted threat intelligence.

OPTIONS

       -a, --all
              Show all DNS records.

       -b, --banners
              Determine HTTP and SMTP service banners.

       -d, --dictionary FILE
              Generate additional domains using a dictionary read from FILE.

       -f, --format FORMAT
              Select the output format. Supported values are: cli (default),
              csv, list, json.

       -g, --geoip
              Perform lookup for GeoIP location.

       -h, --help
              Display a help message and exit.

       -m, --mxcheck
              Check if MX host can be used to intercept e-mails.

       -o, --output FILE
              Save output to FILE.

       -r, --registered
              Show only registered domain names.

       -s, --ssdeep
              Fetch web pages and compare their fuzzy hashes to evaluate
              similarity.

       --ssdeep-url URL
              Override URL to fetch the original web page from.

       -t, --threads NUMBER
              Start specified NUMBER of threads (default: 10).

       -w, --whois
              Perform lookup for WHOIS creation date.

       --nameservers LIST
              DNS servers to query (comma-separated LIST).

       --tld FILE
              Generate additional domains by swapping TLD as read from FILE.

       --useragent STRING
              User-Agent to send with HTTP requests (default: Mozilla/5.0
              dnstwist).

NOTES

       The program will run the provided domain through its fuzzing algorithms
       and generate a list of potential phishing domains with the following
       DNS records: A, AAAA, NS and MX.  Usually thousands of domain
       permutations are generated - especially for longer input domains.  In
       such cases, it may be practical to display only registered (resolvable)
       ones using the --registered argument.  Ensure your local DNS server can
       handle thousands of requests within a short period of time.  Otherwise,
       you can specify an external DNS server with the --nameservers argument.

   Fuzzy hashing
       Manually checking whether each domain name serves a phishing site
       might be time-consuming.  To address this, dnstwist makes use of
       so-called fuzzy hashes (context triggered piecewise hashes).  Fuzzy
       hashing is a concept which involves the ability to compare two inputs
       (in this case HTML code) and determine a fundamental level of
       similarity.  This unique feature of dnstwist can be enabled with the
       --ssdeep argument.  For each generated domain, dnstwist will fetch
       content from the responding HTTP server (following possible redirects)
       and compare its fuzzy hash with the one for the original (initial)
       domain.  The level of similarity will be expressed as a percentage.

       Please keep in mind it's rather unlikely to get a 100% match for a
       dynamically generated web page.  However, each notification should be
       inspected carefully regardless of the score.

       In some cases, phishing sites are served from a specific URL.  If you
       provide a full or partial URL address as an argument, dnstwist will
       parse it and apply it to each generated domain name variant.  This is
       obviously useful only with the fuzzy hashing feature.

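
       The idea behind the similarity score, as an added example that is
       not dnstwist's or ssdeep's code: a simplified context triggered
       piecewise hash (its signatures are not ssdeep-compatible) applied to
       constructed sample pages.  All names, the window and block sizes and
       the sample HTML are assumptions made for the illustration.

```python
import hashlib
from difflib import SequenceMatcher

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7  # bytes of trailing context that decide where a piece ends

def piecewise_signature(data: bytes, block_size: int = 16) -> str:
    """Return one character per piece of `data` (simplified CTPH)."""
    signature, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        at_end = i == len(data) - 1
        # Boundaries depend only on nearby bytes, so an edit early in the
        # page does not move the boundaries of the unchanged text after it.
        if sum(window) % block_size == block_size - 1 or at_end:
            digest = hashlib.sha256(data[start:i + 1]).digest()
            signature.append(ALPHABET[digest[0] % 64])
            start = i + 1
    return "".join(signature)

def similarity(a: bytes, b: bytes) -> int:
    """Similarity of two inputs as a percentage, from their signatures only."""
    matcher = SequenceMatcher(None, piecewise_signature(a),
                              piecewise_signature(b), autojunk=False)
    return round(100 * matcher.ratio())

# Constructed sample pages (fictional site); only the CSRF token and the
# timestamp differ between two fetches of the same dynamic page.
TEMPLATE = (
    "<html><head><title>Example Bank - Sign in</title></head><body>"
    "<h1>Welcome back</h1><p>Sign in to view accounts and statements.</p>"
    "<form method='post' action='/login'>"
    "<input type='hidden' name='csrf' value='{csrf}'>"
    "<label>User ID <input name='user'></label>"
    "<label>Password <input type='password' name='pass'></label>"
    "<button>Sign in</button></form>"
    "<p>Forgot your password? Use the reset link on this page.</p>"
    "<footer>Generated at {ts}. Example Bank is fictional.</footer>"
    "</body></html>"
)
FIRST_FETCH = TEMPLATE.format(csrf="9f2c41d07ab38e55", ts="10:14:02").encode()
SECOND_FETCH = TEMPLATE.format(csrf="e07b55c1a9d4402f", ts="18:47:39").encode()
PARKED = ("<html><body><h2>Domain parked</h2><p>This name is registered. "
          "Contact the registrar about availability and pricing.</p>"
          "<ul><li>Hosting</li><li>Mail</li></ul></body></html>").encode()

if __name__ == "__main__":
    print(similarity(FIRST_FETCH, SECOND_FETCH), similarity(FIRST_FETCH, PARKED))
```

       Two fetches of the same dynamic page score below 100 but above the
       unrelated parked page, which is why the score is read as a degree of
       similarity rather than as an exact-match test.
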
   MX checking
       Very often attackers set up e-mail honey pots on phishing domains and
       wait for mistyped e-mails to arrive.  In this scenario, attackers would
       configure their server to vacuum up all e-mail addressed to that
       domain, regardless of the user it was sent to.  Another dnstwist
       feature performs a simple test on each mail server (advertised through
       a DNS MX record) to check which ones can be used for such hostile
       intent.  Suspicious servers will be marked with the SPYING-MX string.

       Please be aware of possible false positives.  Some mail servers only
       pretend to accept incorrectly addressed e-mails but then discard those
       messages.  This technique is used to prevent "directory harvesting
       attacks".

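
       One way to run the kind of test described above, as an added example
       (not dnstwist's own code; its actual check may differ): ask the MX
       host whether it accepts RCPT TO for random mailboxes and stop before
       DATA.  PROBE_SENDER, the function names and the two-probe default are
       assumptions.

```python
import secrets
import smtplib

PROBE_SENDER = "postmaster@probe.example"  # assumed; use a domain you control

def random_mailbox(domain: str) -> str:
    """An address no real user is expected to have at `domain`."""
    return f"{secrets.token_hex(8)}@{domain}"

def accepts_any_recipient(mx_host: str, domain: str, probes: int = 2,
                          smtp_factory=smtplib.SMTP) -> bool:
    """True if `mx_host` answers 250 to RCPT TO for random mailboxes.

    The session stops before DATA, so no message is ever delivered.
    A server that accepts everything and silently discards it later
    (the false positive noted above) looks the same at this stage.
    """
    try:
        smtp = smtp_factory(mx_host, 25, timeout=10)
    except (OSError, smtplib.SMTPException):
        return False  # unreachable or refusing connections: nothing to flag
    try:
        smtp.ehlo()
        if smtp.mail(PROBE_SENDER)[0] != 250:
            return False
        # Several random recipients lower the odds of hitting a real mailbox.
        return all(smtp.rcpt(random_mailbox(domain))[0] == 250
                   for _ in range(probes))
    except (OSError, smtplib.SMTPException):
        return False
    finally:
        try:
            smtp.quit()
        except (OSError, smtplib.SMTPException):
            pass

def label(mx_host: str, domain: str, **kwargs) -> str:
    """Return the marker the man page names for suspicious servers."""
    hit = accepts_any_recipient(mx_host, domain, **kwargs)
    return "SPYING-MX" if hit else ""
```
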
   Dictionaries
       If domain permutations generated by the fuzzing algorithms are
       insufficient, use the --dictionary option with a file to generate more
       domain variants.  If you need to check whether domains with different
       TLDs exist, you can use the --tld argument.

   Coverage
       As the length of the domain grows, the number of variants generated by
       the algorithms increases considerably, and with it the number of DNS
       queries needed to verify them.  It's mathematically impossible to
       check all domain permutations - especially for longer input domains.

       For this reason, dnstwist generates and checks domains very close to
       the original one.  Theoretically, these are the most attractive domains
       from the attacker's point of view.  However, be aware that the
       imagination of the aggressors is unlimited.

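
       The growth described above, as an added example (not dnstwist's
       code): four single-edit generators (character omission, repetition,
       adjacent swap, single bit flip; chosen here for illustration, not
       dnstwist's own fuzzers) are counted against the size of the whole
       same-length label space.  The sample labels are constructed.

```python
import string

ALLOWED = set(string.ascii_lowercase + string.digits + "-")

def omission(label):
    """Drop one character."""
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def repetition(label):
    """Double one character."""
    return {label[:i] + c + label[i:] for i, c in enumerate(label)}

def transposition(label):
    """Swap two adjacent characters."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def bit_flips(label):
    """Flip one bit of one character, keeping only valid hostname characters."""
    out = set()
    for i, c in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(c) ^ (1 << bit))
            if flipped in ALLOWED:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def close_variants(label):
    """Labels one small edit away from `label` that are valid DNS labels."""
    found = set().union(*(gen(label) for gen in
                          (omission, repetition, transposition, bit_flips)))
    found.discard(label)
    return {v for v in found if v and v[0] != "-" and v[-1] != "-"}

def full_space(length):
    """Upper bound on all labels of this length over the 37 allowed characters."""
    return len(ALLOWED) ** length

def coverage_table(labels):
    """(label, close variants generated, size of the same-length space)."""
    return [(name, len(close_variants(name)), full_space(len(name)))
            for name in labels]

if __name__ == "__main__":
    for row in coverage_table(["bank", "examplebank", "example-bank-online"]):
        print(row)
```
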
                                  2020-07-05                       DNSTWIST(1)