|Project Name||Stars||Downloads||Repos Using This||Packages Using This||Most Recent Commit||Total Releases||Latest Release||Open Issues||License||Language|
|Hackingtool||30,485||3 days ago||16||mit||Python|
|ALL IN ONE Hacking Tool For Hackers|
|Wifiphisher||11,709||2||3 months ago||3||January 13, 2018||272||gpl-3.0||Python|
|The Rogue Access Point Framework|
|Evilginx2||7,410||23 days ago||13||February 08, 2021||64||bsd-3-clause||Go|
|Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication|
|Dnstwist||3,955||2||16 days ago||13||January 31, 2022||16||apache-2.0||Python|
|Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation|
|Evilginx||938||a year ago||40||mit||Python|
|PLEASE USE NEW VERSION: https://github.com/kgretzky/evilginx2|
|Evilurl||871||a year ago||10||bsd-3-clause||Python|
|Generate unicode domains for IDN Homograph Attack and detect them.|
|Thephish||653||7 months ago||17||agpl-3.0||Python|
|ThePhish: an automated phishing email analysis tool|
|O365 Attack Toolkit||563||3 years ago||10||Go|
|A toolkit to attack Office365|
|Opensquat||485||4 days ago||10||gpl-3.0||Python|
|The openSquat project is an open-source solution for detecting phishing domains and domain squatting. It searches for newly registered domains that impersonate legitimate domains on a daily basis. This project aims to help protect individuals and organizations from cyber threats by identifying and alerting them to potentially malicious domains.|
|Awesome Windows Red Team||340||3 years ago||mit|
|A curated list of awesome Windows frameworks, libraries, software and resources for Red Teams|
See what sort of trouble users can get in trying to type your domain name. Find lookalike domains that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud, and brand impersonation. Useful as an additional source of targeted threat intelligence.
DNS fuzzing is an automated workflow that aims to uncover potentially malicious domains that target your organization. This tool generates a comprehensive list of permutations based on a provided domain name, and subsequently verifies whether any of these permutations are in use. Additionally, it can generate fuzzy hashes of web pages to detect ongoing phishing attacks or brand impersonation, and much more!
In a hurry? Try it in your web browser: dnstwist.it
$ pip install dnstwist[full]
Alternatively install the bare minimum and add other requirements manually depending on your needs:
$ pip install dnstwist
If you want to run the latest version of the code, you can install it from Git:
$ git clone https://github.com/elceef/dnstwist.git $ cd dnstwist $ pip install .
Invoke the following command to install the tool with all extra packages:
$ sudo apt install dnstwist
$ sudo dnf install dnstwist
This will install
dnstwist along with all dependencies, and the binary will
be added to
$ brew install dnstwist
Pull and run official image from the Docker Hub:
$ docker run -it elceef/dnstwist
Alternatively you can build your local images:
$ docker build -t dnstwist . $ docker build -t dnstwist:phash --build-arg phash=1 .
The tool will run the provided domain name through its fuzzing algorithms and generate a list of potential phishing domains along with DNS records.
Usually thousands of domain permutations are generated - especially for longer input domains. In such cases, it may be practical to display only the ones that are registered:
$ dnstwist --registered domain.name
Ensure your DNS server can handle thousands of requests within a short period
of time. Otherwise, you can specify an external DNS or DNS-over-HTTPS server
If domain permutations generated by the fuzzing algorithms are insufficient,
dnstwist with a dictionary file. Some dictionary samples with
a list of the most common words used in phishing campaigns are included.
$ dnstwist --dictionary dictionaries/english.dict domain.name
If you need to check whether domains with different TLD exist, just supply a dictionary file with the list of TLD.
$ dnstwist --tld dictionaries/common_tlds.dict domain.name
On the other hand, if only selected algorithms need to be used,
argument is available, which takes a comma-separated list.
Note: non-existent algorithm names will be silently ignored.
$ dnstwist --fuzzers homoglyph,hyphenation domain.name
Apart from the colorful terminal output, the tool allows exporting results to CSV and JSON:
$ dnstwist --format csv domain.name | column -t -s, $ dnstwist --format json domain.name | jq
In case you need just the bare permutations without making any DNS lookups, use
--format list argument:
$ dnstwist --format list domain.name
The tool can perform real-time lookups to return geographical location (approximated to the country) of IPv4 addresses.
$ dnstwist --geoip domain.name
The GeoIP2 library is used by default. Country database location has to be
$GEOLITE2_MMDB environment variable. If the library or the
database are not present, the tool will fall-back to the older GeoIP Legacy.
To display all available options with brief descriptions simply execute the tool without any arguments.
Manually checking each domain name in terms of serving a phishing site might be
time-consuming. To address this,
dnstwist makes use of so-called fuzzy hashes
(locality-sensitive hash, LSH) and perceptual hashes (pHash). Fuzzy hashing is
a concept that involves the ability to compare two inputs (HTML code) and
determine a fundamental level of similarity, while perceptual hash is
a fingerprint derived from visual features of an image (web page screenshot).
The unique feature of detecting similar HTML source code can be enabled with
--lsh argument. For each generated domain,
dnstwist will fetch content
from responding HTTP server (following possible redirects), normalize HTML code
and compare its fuzzy hash with the one for the original (initial) domain. The
level of similarity is expressed as a percentage.
In cases when the effective URL is the same as for the original domain, the fuzzy hash is not calculated at all in order to reject false positive indications.
Note: Keep in mind it's rather unlikely to get 100% match, even for MITM attack frameworks, and that a phishing site can have a completely different HTML source code.
$ dnstwist --lsh domain.name
In some cases, phishing sites are served from a specific URL. If you provide a
full or partial URL address as an argument,
dnstwist will parse it and apply
for each generated domain name variant. Use
--lsh-url to override URL to
fetch the original web page from.
$ dnstwist --lsh https://domain.name/owa/ $ dnstwist --lsh --lsh-url https://different.domain/owa/ domain.name
By default, ssdeep is used as LSH algorithm, but TLSH is also available and can be enabled like so:
$ dnstwist --lsh tlsh domain.name
If Chromium browser is installed,
dnstwist can utilize its headless mode,
which operates without a graphical user interface, to capture web page
screenshots, render them, and calculate pHash values. These pHash values are
then compared to evaluate the visual similarity, expressed as a percentage.
$ dnstwist --phash domain.name
Moreover, it is possible to save the captured screenshots in the PNG format to a location of choice:
$ dnstwist --phash --screenshots /tmp/domain domain.name
Note: Due to the multi-threaded use of a fully functional web browser, an appropriate amount of free resources (mainly memory) should be provided.
In case you need to consume the data produced by the tool within your code, the most convenient and efficient way is to pass the input as follows.
>>> import dnstwist >>> data = dnstwist.run(domain='domain.name', registered=True, format='null')
The arguments for
dnstwist.run() are translated internally, so the usage is
very similar to the command line. The returned data structure is an
easy-to-process list of dictionaries. Keep in mind that
a number of daemon threads.
As the length of the input domain increases, the number of variants generated by the algorithms increases significantly, resulting in a substantial increase in the time and resources required to verify them. Checking every possible domain permutation is impractical, especially for longer input domains, which would require millions of DNS lookups. Thus, this tool generates and checks domains that are very similar to the original one. Theoretically, these domains are the most appealing from an attacker's point of view. However, it's essential to note that attackers' imagination is unlimited.
Unicode tables comprise thousands of characters with many of them visually similar to one another. However, despite the fact certain characters are encodable using punycode, most TLD authorities will reject them during domain registration process. In general, TLD authorities disallow mixing of characters coming from different Unicode scripts or maintain their own sets of acceptable characters. With that being said, the homoglyph fuzzer was build on top of carefully researched range of Unicode characters (homoglyphs) to ensure that generated domains can be registered in practice.
The scanner is utilized by tens of SOC and incident response teams around the globe, as well as independent information security analysts and researchers. On top of this, it's integrated into products and services of many security providers, in particular but not only:
Splunk ESCU, RecordedFuture, SpiderFoot, DigitalShadows, SecurityRisk, SmartFense, ThreatPipes, PaloAlto Cortex XSOAR, Rapid7 InsightConnect SOAR, Mimecast, Watcher, Intel Owl, PatrOwl, VDA Labs, Appsecco, Maltego, Conscia ThreatInsights, Fortinet FortiSOAR, ThreatConnect.
To send questions, thoughts or a bar of chocolate, just drop an e-mail at [email protected]. Any feedback is appreciated. If you have found some confirmed phishing domains or just like this tool, please don't hesitate and send a message. Thank you.