
How to easily generate hundreds of phishing domains « Null Byte :: WonderHowTo



A persuasive domain name is crucial to the success of any phishing attack. With a single Python script, it is possible to find hundreds of available phishing domains and also identify phishing sites used by other hackers to collect user information.

Dnstwist, created by @elceef, is a domain name permutation search tool that detects phishing domains, bitsquatting, typosquatting and fraudulent websites that share similar domain names. Dnstwist takes the specified target domain name and generates a list of potential phishing domains. The generated domain names are then queried. If a detected domain points to a web server, Dnstwist records the domain's IP address.

Like most tools designed for penetration testing, Dnstwist is a double-edged sword. It can be used by attackers to find ideal candidate domains for phishing attacks, where they could clone the original site and get users to type their data into a fake site, or it can be used by cybersecurity professionals and sysadmins to quickly find and identify such domains created by adversaries and attackers.

Supported Naming Systems

Dnstwist supports a variety of phishing domain schemes and types, which it uses to generate a large selection of potential phishing domains. I cover each below before jumping into how to use the tool.

1. Addition

A letter is appended to the end of the given domain name. Below is an example of Bank of America, one of the largest banks in the United States. Unlike the other options below, a simple addition is easy for an end user to detect if he or she just looks at the URL.

2. Bitsquatting

Bitsquatting refers to the registration of a domain name that differs by 1 bit from a legitimate domain. Below is an example of Wikipedia, the largest and most popular public reference website on the internet. This is a bit trickier than the "addition" above because many people read words based on the first and last letters and do not look at each letter individually.

3. Homoglyph

Phishing campaigns using homoglyphs are called homograph attacks, although the alternative characters are called homoglyphs and not homographs. These types of attacks still affect Firefox and most Android devices and were recently brought to attention by Xudong Zheng, who created the first homoglyph phishing address for apple.com. Using Facebook as an example, I saw that there were many homoglyph phishing domains that are still available for as little as $11.

To check a detected domain name against a domain registrar, copy and paste the domain from the Dnstwist terminal into the registrar's search field.

4. Omission

A letter is simply removed from the domain name. To my surprise, all Instagram domain names were listed as available. While someone will probably notice if the first or last letter of the domain name is missing, they may not notice one missing in the middle.

5. Subdomain

A period is inserted at different positions in the given domain name. Using Gizmodo as an example, we can see the domains "odo.com" and "zmodo.com" are available. It's just a matter of creating convincing subdomains to make an effective phishing domain. Like "addition", this may be more obvious than the other tricks here.

6. Vowel-Swap

Vowels present in the given domain are exchanged for different vowels. At a glance, many of these domains will probably fool most victims into clicking on fraudulent links. Again, this works because most people scan words by the first and last letters, not necessarily every letter in the middle. If the replaced vowel is the first or last letter, it probably will not work.
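
The six schemes above can also be applied in the defensive direction: given a domain seen in proxy or mail logs, work out which permutation of a protected domain it is. This is an added example, not code from Dnstwist or the original article; `classify`, `flag`, the small `HOMOGLYPHS` table and the sample domains are hypothetical, and a single-label TLD is assumed.

```python
import string

VOWELS = set("aeiou")
# Constructed, deliberately small lookalike table (assumption); real tools use larger ones.
HOMOGLYPHS = {"o": ["0", "\u043e"], "l": ["1", "i"], "i": ["1", "l"],
              "a": ["\u0430"], "e": ["\u0435"], "m": ["rn"], "w": ["vv"]}

def _split(domain):
    """Return (name, tld), splitting on the last dot (assumes a single-label TLD)."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(candidate, protected):
    """Return the sorted list of schemes that turn `protected` into `candidate`."""
    name, tld = _split(protected)
    cand, cand_tld = _split(candidate)
    if cand_tld != tld or cand == name:
        return []
    hits = set()
    # 1. Addition: one letter appended to the name.
    if cand[:-1] == name and cand[-1] in string.ascii_lowercase:
        hits.add("addition")
    # 4. Omission: one letter removed.
    if any(name[:i] + name[i + 1:] == cand for i in range(len(name))):
        hits.add("omission")
    # 5. Subdomain: dots inserted inside the name.
    if "." in cand and cand.replace(".", "") == name:
        hits.add("subdomain")
    # 3. Homoglyph: one character replaced by a lookalike (may change length).
    for i, ch in enumerate(name):
        if any(name[:i] + g + name[i + 1:] == cand for g in HOMOGLYPHS.get(ch, [])):
            hits.add("homoglyph")
    # 2 and 6. A single same-length substitution can be a bit flip, a vowel swap, or both.
    diff = [(a, b) for a, b in zip(name, cand) if a != b]
    if len(cand) == len(name) and len(diff) == 1:
        a, b = diff[0]
        if a in VOWELS and b in VOWELS:
            hits.add("vowel-swap")
        flipped = ord(a) ^ ord(b)
        if flipped < 128 and flipped & (flipped - 1) == 0:
            hits.add("bitsquatting")
    return sorted(hits)

# Constructed sample of domains as they might appear in proxy or mail logs.
OBSERVED = ["fecebook.com", "facebo0k.com", "facebok.com", "face.book.com", "example.com"]

def flag(observed, protected):
    """Map each lookalike in `observed` to the schemes it matches."""
    return {d: classify(d, protected) for d in observed if classify(d, protected)}
```

Note that "fecebook.com" matches two schemes at once, because "a" and "e" differ by a single bit as well as both being vowels.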

Now that you know all the tricks that Dnstwist can use to find used and available phishing domains, let's see how to actually use the tool.

Step 1: Configure Dnstwist

Dnstwist relies on several Python dependencies that can be installed in Kali Linux by typing the command below into a terminal.

  apt-get install python-dnspython python-geoip python-whois python-requests python-ssdeep python-cffi

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libfuzzy2 python-certifi python-openssl python-ply python-pycparser python-simplejson python-urllib3 whois
Suggested packages:
python-openssl-doc python-openssl-dbg python-ply-doc python-trunk python-ntlm
The following NEW packages will be installed:
libfuzzy2 python-certifi python-cffi python-dnspython python-geoip python-openssl python-ply python-pycparser python-requests python-simplejson python-ssdeep python-urllib3 python-whois whois
0 upgraded, 14 newly installed, 0 to remove and 164 not upgraded.
Need to get 778 kB/893 kB of archives.
After this operation, 3,842 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Then you clone the Dnstwist GitHub repository.

  git clone https://github.com/elceef/dnstwist

Cloning into 'dnstwist'...
remote: Counting objects: 670, done.
remote: Total 670 (delta 0), reused 1 (delta 0), pack-reused 669
Receiving objects: 100% (670/670), 3.18 MiB | 89.00 KiB/s, done.
Resolving deltas: 100% (352/352), done.

Finally, use the cd command to switch to the newly created "dnstwist" directory and use the command below to display the available options.

  cd dnstwist/
  ./dnstwist.py --help

usage: ./dnstwist.py [OPTION]... DOMAIN

Find similar-looking domain names that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

positional arguments:
domain domain name or URL to check

optional arguments:
-h, --help show this help message and exit
-a, --all show all DNS records
-b, --banners determine HTTP and SMTP service banners
-c, --csv print output in CSV format
-d FILE, --dictionary FILE generate additional domains using dictionary FILE
-g, --geoip perform lookup for GeoIP location
-j, --json print output in JSON format
-m, --mxcheck check if MX host can be used to intercept e-mails
-r, --registered show only registered domain names
-s, --ssdeep fetch web pages and compare their fuzzy hashes to evaluate similarity
-t NUMBER, --threads NUMBER start specified NUMBER of threads (default: 10)
-w, --whois perform lookup for WHOIS creation/update time (slow)

Step 2: Generating Phishing Domains with Dnstwist

To start generating phishing domains with Dnstwist, use the command below. There are several arguments used in my example command, and in this case, as we save the results to a file, we do not see any results on the screen.

  ./dnstwist.py --ssdeep --json --threads 40 website.com > website.com.json

  • The --ssdeep argument instructs Dnstwist to analyze the HTML found on each domain and compare it with the HTML of the specified real site. The level of similarity is expressed as a percentage. However, each site should be manually inspected regardless of the percentage reported by Dnstwist. These percentages are only there to help security personnel identify which domains are likely to be phishing domains.
  • Dnstwist supports two output formats that can be used with other applications. The --json output format was used in my example above, but there is also support for CSV output, which can be enabled with the --csv argument instead. To save the output to a file, a > filename redirect can be used to write the data to a particular file name.
  • By default, Dnstwist makes only 10 requests at a time when enumerating available phishing domains. This number can be increased or decreased by passing a value to the --threads argument.
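
A saved JSON report can be sorted into a review queue so that the manual inspection recommended above starts with the most suspicious lookalikes. This is an added example, not part of the original article or of Dnstwist; the function name `review_queue`, the sample data, and the key names ("fuzzer", "domain-name", "dns-a", "dns-mx", "ssdeep-score") are assumptions to check against your own output file.

```python
import json

# Constructed sample report. The key names are assumptions (see above); the
# addresses come from the documentation-only IP ranges.
SAMPLE = json.dumps([
    {"fuzzer": "Original*", "domain-name": "website.com", "dns-a": ["192.0.2.10"], "ssdeep-score": 100},
    {"fuzzer": "Omission", "domain-name": "websit.com", "dns-a": ["198.51.100.7"],
     "dns-mx": ["mail.websit.com"], "ssdeep-score": 87},
    {"fuzzer": "Addition", "domain-name": "websitea.com"},
    {"fuzzer": "Vowel-swap", "domain-name": "wobsite.com", "dns-a": ["203.0.113.5"], "ssdeep-score": 0},
    {"fuzzer": "Bitsquatting", "domain-name": "wgbsite.com", "dns-a": ["203.0.113.9"]},
    {"fuzzer": "Homoglyph", "domain-name": "vvebsite.com", "dns-mx": ["mx.vvebsite.com"]},
])

def review_queue(report_json, own_domain, threshold=50):
    """Return (ranked lookalikes that resolve, names with no A or MX records)."""
    resolving, unresolved = [], []
    for entry in json.loads(report_json):
        name = entry.get("domain-name", "")
        if not name or name == own_domain:
            continue
        if not (entry.get("dns-a") or entry.get("dns-mx")):
            unresolved.append(name)  # nothing to inspect yet; worth re-checking later
            continue
        score = int(entry.get("ssdeep-score") or 0)
        if score >= threshold:
            priority = "high"    # served HTML resembles the real site
        elif entry.get("dns-mx"):
            priority = "medium"  # can receive mail even without a cloned page
        else:
            priority = "low"     # still needs a manual look, whatever the score
        resolving.append({"domain": name, "fuzzer": entry.get("fuzzer"),
                          "score": score, "priority": priority})
    order = {"high": 0, "medium": 1, "low": 2}
    resolving.sort(key=lambda r: (order[r["priority"]], -r["score"], r["domain"]))
    return resolving, unresolved
```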

If you want to see results on screen and not write them to a file, you can use the command below, replacing "facebook.com" with the domain you want. A status bar is printed at the bottom of the Dnstwist terminal. Depending on network speed and number of threads, this may take several minutes to complete.

  ./dnstwist.py --ssdeep --threads 40 facebook.com
     _           _            _     _
  __| |_ __  ___| |___      _(_)___| |_
 / _` | '_ \/ __| __\ \ /\ / / / __| __|
| (_| | | | \__ \ |_ \ V  V /| \__ \ |_
 \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.04b}

Retrieving content from: https://facebook.com ... 200 OK (541.4 Kbytes)
Processing 284 domain variations ... 22% .. 42% ... 63% ... 88%. 210 Hits (73%) 

Always Pay Close Attention to Domain Names

Whether you are an attacker preparing to perform a phishing campaign or a sysadmin preparing to defend against such attacks, Dnstwist is an amazing tool that can be used to enumerate domains that are likely to be used for hostile purposes. Dnstwist offers several important advantages over similar tools, such as the ability to analyze and compare HTML with potential phishing domains, support for different output formats, and a variety of generated phishing domains.

If you're just a regular end user visiting a website, pay particular attention to the URL when you get there. Although homoglyphs may be impossible to detect, the rest of these can easily be spotted if you give them more than one look.

I hope you enjoyed this article on generating and discovering phishing domains with Dnstwist. Leave questions and comments below or notify me on Twitter @tokyoneon_ if you need further explanation about any of these.

Cover image and screenshots by tokyoneon/Null Byte