1DNSTWIST(1)                      User Commands                     DNSTWIST(1)
2
3
4

NAME

6       dnstwist - domain name permutation engine
7
8

SYNOPSIS

10       dnstwist [OPTION...] DOMAIN
11
12

DESCRIPTION

14       Find  similar-looking  domain  names that adversaries can use to attack
15       you. Detect typosquatters, phishing attacks, fraud and brand  imperson‐
16       ation.
17
18

COMMAND-LINE OPTIONS

20       -a, --all
21              Print all DNS records instead of the first ones.
22
23       -b, --banners
24              Determine HTTP and SMTP service banners.
25
26       -d, --dictionary FILE
27              Generate additional domains using a dictionary read from FILE.
28
29       -f, --format FORMAT
30              Select  the  output format. Supported values are: cli (default),
31              csv, list, json.
32
33       --fuzzers LIST
34              Use only selected fuzzing algorithms (separated with commas).
35
36       -g, --geoip
37              Perform lookup for GeoIP location.
38
39       -h, --help
40              Display help message and exit.
41
42       -m, --mxcheck
43              Check if MX host can be used to intercept e-mails.
44
45       -o, --output FILE
46              Save output to FILE.
47
48       -r, --registered
49              Show only registered domain names.
50
51       -u, --unregistered
52              Show only unregistered domain names.
53
54       -p, --phash
55              Render web pages and compare their perceptual hashes to evaluate
56              visual similarity.
57
58       --phash-url URL
59              Override URL to render the original web page from.
60
61       --screenshots DIR
62              Save web page screenshots into DIR.
63
64       -s, --ssdeep
65              Fetch web pages and compare their fuzzy hashes to evaluate simi‐
66              larity.
67
68       --ssdeep-url URL
69              Override URL to fetch the original web page from.
70
71       -t, --threads NUM
72              Start specified NUM of threads.
73
74       -w, --whois
75              Lookup WHOIS database for creation date and registrar.
76
77       --nameservers LIST
78              DNS or DNS-over-HTTPS servers to query (comma-separated LIST).
79
80       --tld FILE
81              Generate additional domains by swapping TLD as read from FILE.
82
83       --useragent STRING
84              Set User-Agent  STRING  (default:  Mozilla/5.0  (platform  arch)
85              dnstwist/version).
86
87

NOTES

89       DNS  fuzzing is an automated workflow for discovering potentially mali‐
90       cious domain names.
91
92       The tool will run the provided domain name through  its  fuzzing  algo‐
93       rithms and generate a list of potential phishing domains along with DNS
94       records.  Usually thousands of domain permutations are generated -  es‐
95       pecially  for  longer input domains. In such cases, it may be practical
96       to display only registered (resolvable) ones using  --registered  argu‐
97       ment.
98
99       Ensure  your local DNS server can handle thousands of requests within a
100       short period of time. Otherwise, you can specify  an  external  DNS  or
101       DNS-over-HTTPS server with --nameservers argument.
102
103
104   Fuzzy hashing
105       Manually  checking each domain name in terms of serving a phishing site
106       might be time-consuming. To address this, dnstwist  makes  use  of  so-
107       called  fuzzy  hashes (context triggered piecewise hashes, often called
108       ssdeep) and perceptual hashes (pHash). Fuzzy hashing is a concept  that
109       involves  the ability to compare two inputs (HTML code) and determine a
110       fundamental level of similarity, while perceptual hash is a fingerprint
111       derived  from visual features of an image (web browser screenshot). The
112       level of similarity is be expressed as a percentage.
113
114       Keep in mind it's rather unlikely to get 100% match for  a  dynamically
115       generated  web  page.  However, each notification is a strong indicator
116       and should be inspected carefully regardless of the score.
117
118
119   Dictionaries
120       If domain permutations generated by the fuzzing algorithms are insuffi‐
121       cient,  please use --dictionary option with a file to generate more do‐
122       main variants.  If you need to check  whether  domains  with  different
123       TLDs exist, you can use --tld argument.
124
125
126   Coverage
127       Along  with  the length of the domain, the number of variants generated
128       by the algorithms increases considerably, and therefore  the  time  and
129       resources  needed  to  verify  them.  It's mathematically impossible to
130       check all domain permutations - especially  for  longer  input  domains
131       which would require millions of DNS lookups. For this reason, this tool
132       generates and checks domains very close to the original one.  Theoreti‐
133       cally,  these are the most attractive domains from the attacker's point
134       of view. However, be aware that the imagination of  the  aggressors  is
135       unlimited.
136
137       Unicode  tables  consist  of  thousands of characters with many of them
138       visually similar to each other. However, despite the fact certain char‐
139       acters  are  encodable using punycode, most TLD authorities will reject
140       them during domain registration process. In  general,  TLD  authorities
141       disallow  mixing of characters coming from different Unicode scripts or
142       maintain their own sets of acceptable characters. With that being said,
143       the  homoglyph fuzzer was build on top of carefully researched range of
144       Unicode characters (homoglyphs) to ensure that generated domains can be
145       registered in practice.
146
147

AUTHOR

149       Marcin Ulikowski <marcin@ulikowski.pl>
150
151
152
153                                 December 2022                     DNSTWIST(1)
Impressum