Scroll to navigation

DNSTWIST(1) User Commands DNSTWIST(1)

NAME

dnstwist - domain name permutation engine

SYNOPSIS

dnstwist [-a|--all] [-b|--banners] [-d|--dictionary FILE] [-f|--format FORMAT] [-g|--geoip] [-m|--mxcheck] [-o|--output FILE] [-r|--registered] [-s|--ssdeep] [--ssdeep-url URL] [-t|--threads NUMBER] [-w|--whois] [--nameservers LIST] [--tld FILE] [--useragent STRING] DOMAIN

DESCRIPTION

Find similar-looking domain names that adversaries can use to attack you.

Detect typosquatters, phishing attacks, fraud and brand impersonation.

Useful as an additional source of targeted threat intelligence.

OPTIONS

Show all DNS records.
Determine HTTP and SMTP service banners.
Generate additional domains using a dictionary read from FILE.
Select the output format. Supported values are: cli (default), csv, list, json.
Perform lookup for GeoIP location.
Display a help message and exit.
Check if MX host can be used to intercept e-mails.
Save output to FILE.
Show only registered domain names.
Fetch web pages and compare their fuzzy hashes to evaluate similarity.
Override URL to fetch the original web page from.
Start specified NUMBER of threads (default: 10).
Perform lookup for WHOIS creation date.
DNS servers to query (comma-separated LIST).
Generate additional domains by swapping TLD as read from FILE.
User-Agent to send with HTTP requests (default: Mozilla/5.0 dnstwist).

NOTES

The program will run the provided domain through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX. Usually thousands of domain permutations are generated - especially for longer input domains. In such cases, it may be practical to display only registered (resolvable) ones using --registered argument. Ensure your local DNS server can handle thousands of requests within a short period of time. Otherwise, you can specify an external DNS server with --nameservers argument.

Fuzzy hashing

Manually checking each domain name in terms of serving a phishing site might be time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with --ssdeep argument. For each generated domain, dnstwist will fetch content from responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage.

Please keep in mind it's rather unlikely to get 100% match for a dynamically generated web page. However, each notification should be inspected carefully regardless of the score.

In some cases, phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply for each generated domain name variant. This is obviously useful only with the fuzzy hashing feature.

MX checking

Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent towards. Another dnstwist feature allows performing a simple test on each mail server (advertised through DNS MX record) in order to check which one can be used for such hostile intent. Suspicious servers will be marked with the SPYING-MX string.

Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent "directory harvesting attack".

Dictionaries

If domain permutations generated by the fuzzing algorithms are insufficient, please use --dictionary option with a file to generate more domain variants. If you need to check whether domains with different TLDs exist, you can use --tld argument.

Coverage

Along with the length of the domain, the number of variants generated by the algorithms increases considerably, and therefore the number of DNS queries needed to verify them. It's mathematically impossible to check all domain permutations - especially for longer input domains.

For this reason, dnstwist generates and checks domains very close to the original one. Theoretically, these are the most attractive domains from the attacker's point of view. However, be aware that the imagination of the aggressors is unlimited.

2020-07-05