DNSTWIST(1) User Commands DNSTWIST(1)

dnstwist - domain name permutation engine

dnstwist [OPTION...] DOMAIN

Find similar-looking domain names that adversaries can use to attack
you. Detect typosquatters, phishing attacks, fraud and brand
impersonation.

-a, --all
    Print all DNS records instead of the first ones.

-b, --banners
    Determine HTTP and SMTP service banners.

-d, --dictionary FILE
    Generate additional domains using a dictionary read from FILE.

-f, --format FORMAT
    Select the output format. Supported values are: cli (default),
    csv, list, json.

--fuzzers LIST
    Use only selected fuzzing algorithms (separated with commas).

-g, --geoip
    Perform lookup for GeoIP location.

-h, --help
    Display help message and exit.

-m, --mxcheck
    Check if MX host can be used to intercept e-mails.

-o, --output FILE
    Save output to FILE.

-r, --registered
    Show only registered domain names.

-u, --unregistered
    Show only unregistered domain names.

-p, --phash
    Render web pages and compare their perceptual hashes to evaluate
    visual similarity.

--phash-url URL
    Override URL to render the original web page from.

--screenshots DIR
    Save web page screenshots into DIR.

-s, --ssdeep
    Fetch web pages and compare their fuzzy hashes to evaluate
    similarity.

--ssdeep-url URL
    Override URL to fetch the original web page from.

-t, --threads NUM
    Start specified NUM of threads.

-w, --whois
    Lookup WHOIS database for creation date and registrar.

--nameservers LIST
    DNS or DNS-over-HTTPS servers to query (comma-separated LIST).

--tld FILE
    Generate additional domains by swapping TLD as read from FILE.

--useragent STRING
    Set User-Agent STRING (default: Mozilla/5.0 (platform arch)
    dnstwist/version).

DNS fuzzing is an automated workflow for discovering potentially
malicious domain names.

The tool will run the provided domain name through its fuzzing
algorithms and generate a list of potential phishing domains along with
DNS records. Usually thousands of domain permutations are generated -
especially for longer input domains. In such cases, it may be practical
to display only registered (resolvable) ones using the --registered
argument.

Ensure your local DNS server can handle thousands of requests within a
short period of time. Otherwise, you can specify an external DNS or
DNS-over-HTTPS server with the --nameservers argument.

Fuzzy hashing
Manually checking whether each domain name serves a phishing site
might be time-consuming. To address this, dnstwist makes use of
so-called fuzzy hashes (context triggered piecewise hashes, often called
ssdeep) and perceptual hashes (pHash). Fuzzy hashing is a concept that
involves the ability to compare two inputs (HTML code) and determine a
fundamental level of similarity, while a perceptual hash is a
fingerprint derived from visual features of an image (web browser
screenshot). The level of similarity is expressed as a percentage.

Keep in mind it's rather unlikely to get a 100% match for a dynamically
generated web page. However, each notification is a strong indicator
and should be inspected carefully regardless of the score.

Dictionaries
If domain permutations generated by the fuzzing algorithms are
insufficient, please use the --dictionary option with a file to generate
more domain variants. If you need to check whether domains with
different TLDs exist, you can use the --tld argument.

Coverage
Along with the length of the domain, the number of variants generated
by the algorithms increases considerably, and therefore the time and
resources needed to verify them. It's mathematically impossible to
check all domain permutations - especially for longer input domains
which would require millions of DNS lookups. For this reason, this tool
generates and checks domains very close to the original one.
Theoretically, these are the most attractive domains from the
attacker's point of view. However, be aware that the imagination of the
aggressors is unlimited.
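
To make the growth in lookup volume concrete, the following added example (not dnstwist's own code) counts the variants produced by simplified versions of four typo classes and multiplies them by an assumed set of record types. The function names and the record-type list are illustrative assumptions.

```python
# Added illustration: simplified fuzzers, not dnstwist's implementation.
import string

ALLOWED = set(string.ascii_lowercase + string.digits + "-")

def omission(label):
    # Drop one character at each position.
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def transposition(label):
    # Swap each pair of adjacent characters.
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)}

def repetition(label):
    # Double one character at each position.
    return {label[:i] + label[i] + label[i:] for i in range(len(label))}

def bitsquatting(label):
    # Flip each bit of each character; keep results valid in a hostname.
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALLOWED:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

FUZZERS = (omission, transposition, repetition, bitsquatting)

def variants(label):
    found = set()
    for fuzz in FUZZERS:
        found |= fuzz(label)
    found.discard(label)  # the original is not a variant of itself
    # Hostname labels must be non-empty and not start or end with "-".
    return {v for v in found
            if v and not v.startswith("-") and not v.endswith("-")}

def lookup_budget(label, record_types=("A", "AAAA", "NS", "MX")):
    # Assumed: one query per variant per record type.
    return len(variants(label)) * len(record_types)

if __name__ == "__main__":
    # Constructed sample labels of increasing length.
    for sample in ("ab", "example", "examplecompany"):
        print(sample, len(variants(sample)), lookup_budget(sample))
```

Even these four classes scale with label length, which is the reason to pace lookups with --threads or point them at a resolver that can absorb the load with --nameservers.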

Unicode tables consist of thousands of characters with many of them
visually similar to each other. However, despite the fact that certain
characters are encodable using punycode, most TLD authorities will
reject them during the domain registration process. In general, TLD
authorities disallow mixing of characters coming from different Unicode
scripts or maintain their own sets of acceptable characters. With that
being said, the homoglyph fuzzer was built on top of a carefully
researched range of Unicode characters (homoglyphs) to ensure that
generated domains can be registered in practice.
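
The mixed-script rule described above can be checked on domains seen in logs or in dnstwist output. This added example (not part of dnstwist) decodes punycode labels and reports which scripts each label uses; the script name is approximated from the first word of the Unicode character name, and all function names are assumptions.

```python
# Added illustration: heuristic mixed-script audit, not a registry policy.
import unicodedata

def char_script(ch):
    # Approximate the script by the first word of the character name,
    # e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC".
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits, hyphen
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def label_scripts(label):
    return {char_script(c) for c in label} - {"COMMON"}

def decode_label(label):
    # IDN labels travel as "xn--" followed by a punycode string.
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def audit_domain(domain):
    report = []
    for raw in domain.split("."):
        label = decode_label(raw)
        scripts = sorted(label_scripts(label))
        report.append({"label": label, "scripts": scripts,
                       "mixed": len(scripts) > 1})
    return report

if __name__ == "__main__":
    # Constructed samples: Latin "example" with a Cyrillic U+0430, an
    # all-Cyrillic label, and a plain ASCII name.
    mixed = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii")
    for name in (mixed + ".com", "\u0440\u0430\u0443.com", "example.com"):
        for entry in audit_domain(name):
            print(name, entry)
```

A label written entirely in one non-Latin script is not flagged by this check, which is why single-script lookalikes still need the similarity comparison from --ssdeep or --phash.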

Marcin Ulikowski <marcin@ulikowski.pl>

December 2022 DNSTWIST(1)