Find similar-looking domain names that adversaries can use to attack you.
Detect typosquatters, phishing attacks, fraud and brand impersonation.
Useful as an additional source of targeted threat intelligence.
- -a, --all
Show all DNS records.
- -b, --banners
Determine HTTP and SMTP service banners.
- -d, --dictionary FILE
Generate additional domains using a dictionary read from FILE.
- -f, --format FORMAT
Select the output format. Supported values are: cli (default), csv, list, json.
- -g, --geoip
Perform lookup for GeoIP location.
- -h, --help
Display a help message and exit.
- -m, --mxcheck
Check if MX host can be used to intercept e-mails.
- -o, --output FILE
Save output to FILE.
- -r, --registered
Show only registered domain names.
- -s, --ssdeep
Fetch web pages and compare their fuzzy hashes to evaluate similarity.
- --ssdeep-url URL
Override URL to fetch the original web page from.
- -t, --threads NUMBER
Start specified NUMBER of threads (default: 10).
- -w, --whois
Perform lookup for WHOIS creation date.
- --nameservers LIST
DNS servers to query (comma-separated LIST).
- --tld FILE
Generate additional domains by swapping TLD as read from FILE.
- --useragent STRING
User-Agent to send with HTTP requests (default: Mozilla/5.0 dnstwist).
The program will run the provided domain through its fuzzing algorithms and generate a list of potential phishing domains with the following DNS records: A, AAAA, NS and MX. Usually thousands of domain permutations are generated - especially for longer input domains. In such cases, it may be practical to display only registered (resolvable) ones using --registered argument. Ensure your local DNS server can handle thousands of requests within a short period of time. Otherwise, you can specify an external DNS server with --nameservers argument.
Manually checking each domain name in terms of serving a phishing site might be time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with --ssdeep argument. For each generated domain, dnstwist will fetch content from responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage.
Please keep in mind it's rather unlikely to get 100% match for a dynamically generated web page. However, each notification should be inspected carefully regardless of the score.
In some cases, phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply for each generated domain name variant. This is obviously useful only with the fuzzy hashing feature.
Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent towards. Another dnstwist feature allows performing a simple test on each mail server (advertised through DNS MX record) in order to check which one can be used for such hostile intent. Suspicious servers will be marked with the SPYING-MX string.
Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent "directory harvesting attack".
If domain permutations generated by the fuzzing algorithms are insufficient, please use --dictionary option with a file to generate more domain variants. If you need to check whether domains with different TLDs exist, you can use --tld argument.
Along with the length of the domain, the number of variants generated by the algorithms increases considerably, and therefore the number of DNS queries needed to verify them. It's mathematically impossible to check all domain permutations - especially for longer input domains.
For this reason, dnstwist generates and checks domains very close to the original one. Theoretically, these are the most attractive domains from the attacker's point of view. However, be aware that the imagination of the aggressors is unlimited.