dnstwist(1)

1DNSTWIST(1)                      User Commands                     DNSTWIST(1)
2
3
4

NAME

6       dnstwist - domain name permutation engine
7
8

SYNOPSIS

10       dnstwist [OPTION...] DOMAIN
11
12

DESCRIPTION

14       Find  similar-looking  domain  names that adversaries can use to attack
15       you. Detect typosquatters, phishing attacks, fraud and brand  imperson‐
16       ation.
17
18

COMMAND-LINE OPTIONS

20       -a, --all
21              Print all DNS records instead of the first ones.
22
23       -b, --banners
24              Determine HTTP and SMTP service banners.
25
26       -d, --dictionary FILE
27              Generate additional domains using a dictionary read from FILE.
28
29       -f, --format FORMAT
30              Select  the  output format. Supported values are: cli (default),
31              csv, list, json.
32
33       --fuzzers LIST
34              Use only selected fuzzing algorithms (separated with commas).
35
36       -g, --geoip
37              Perform lookup for GeoIP location.
38
39       --lsh [LSH]
40              Evaluate web page similarity with  LSH  algorithm:  ssdeep  (de‐
41              fault), tlsh
42
43       --lsh-url URL
44              Override URL to fetch the original web page from.
45
46       -h, --help
47              Display help message and exit.
48
49       -m, --mxcheck
50              Check if MX host can be used to intercept e-mails.
51
52       -o, --output FILE
53              Save output to FILE.
54
55       -r, --registered
56              Show only registered domain names.
57
58       -u, --unregistered
59              Show only unregistered domain names.
60
61       -p, --phash
62              Render web pages and compare their perceptual hashes to evaluate
63              visual similarity.
64
65       --phash-url URL
66              Override URL to render the original web page from.
67
68       --screenshots DIR
69              Save web page screenshots into DIR.
70
71       -t, --threads NUM
72              Start specified NUM of threads.
73
74       -w, --whois
75              Lookup WHOIS database for creation date and registrar.
76
77       --nameservers LIST
78              DNS or DNS-over-HTTPS servers to query (comma-separated LIST).
79
80       --tld FILE
81              Generate additional domains by swapping TLD as read from FILE.
82
83       --useragent STRING
84              Set User-Agent  STRING  (default:  Mozilla/5.0  (platform  arch)
85              dnstwist/version).
86
87

NOTES

89       DNS  fuzzing is an automated workflow for discovering potentially mali‐
90       cious domain names.
91
92       The tool will run the provided domain name through  its  fuzzing  algo‐
93       rithms and generate a list of potential phishing domains along with DNS
94       records.  Usually thousands of domain permutations are generated -  es‐
95       pecially  for  longer input domains. In such cases, it may be practical
96       to display only registered (resolvable) ones using  --registered  argu‐
97       ment.
98
99       Ensure  your local DNS server can handle thousands of requests within a
100       short period of time. Otherwise, you can specify  an  external  DNS  or
101       DNS-over-HTTPS server with --nameservers argument.
102
103
104   Fuzzy hashing
105       Manually  checking each domain name in terms of serving a phishing site
106       might be time-consuming. To address this, dnstwist  makes  use  of  so-
107       called  fuzzy  hashes  (locality-sensitive  hash,  LSH)  and perceptual
108       hashes (pHash). Fuzzy hashing is a concept that involves the ability to
109       compare  two  inputs  (HTML  code) and determine a fundamental level of
110       similarity, while perceptual hash is a fingerprint derived from  visual
111       features  of an image (web browser screenshot). The level of similarity
112       is expressed as a percentage.
113
114       Keep in mind it's rather unlikely to get 100% match for  a  dynamically
115       generated  web  page.  However, each notification is a strong indicator
116       and should be inspected carefully regardless of the score.
117
118
119   Dictionaries
120       If domain permutations generated by the fuzzing algorithms are insuffi‐
121       cient,  please use --dictionary option with a file to generate more do‐
122       main variants.  If you need to check  whether  domains  with  different
123       TLDs exist, you can use --tld argument.
124
125
126   Coverage
127       Along  with  the length of the domain, the number of variants generated
128       by the algorithms increases considerably, and therefore  the  time  and
129       resources  needed  to  verify  them.  It's mathematically impossible to
130       check all domain permutations - especially  for  longer  input  domains
131       which would require millions of DNS lookups. For this reason, this tool
132       generates and checks domains very close to the original one.  Theoreti‐
133       cally,  these are the most attractive domains from the attacker's point
134       of view. However, be aware that the imagination of  the  aggressors  is
135       unlimited.
136
137       Unicode  tables  consist  of  thousands of characters with many of them
138       visually similar to each other. However, despite the fact certain char‐
139       acters  are  encodable using punycode, most TLD authorities will reject
140       them during domain registration process. In  general,  TLD  authorities
141       disallow  mixing of characters coming from different Unicode scripts or
142       maintain their own sets of acceptable characters. With that being said,
143       the  homoglyph fuzzer was build on top of carefully researched range of
144       Unicode characters (homoglyphs) to ensure that generated domains can be
145       registered in practice.
146
147

AUTHOR

149       Marcin Ulikowski <marcin@ulikowski.pl>
150
151
152
153                                 December 2022                     DNSTWIST(1)