
Generate Hundreds of Phishing Domains « Null Byte :: WonderHowTo



A compelling domain name is critical to the success of a phishing attack. With a single Python script, it is possible to find hundreds of available phishing domains and even identify phishing sites that other hackers are already using, for example, to steal user credentials.

Dnstwist, created by @elceef, is a domain name permutation search engine that detects phishing domains, bitsquatting, typosquatting, and fraudulent sites with similar-looking domain names. Dnstwist takes the specified target domain name and generates a list of potential phishing domains. The generated domain names are then queried. When a discovered domain resolves to a web server, Dnstwist records the IP address of the domain.

Like most tools developed for penetration testing, Dnstwist is a double-edged sword. Attackers can use it to find ideal candidate domains for phishing attacks, where they clone the original site and get users to enter their credentials into a fake website, and cybersecurity experts and system administrators can use it to quickly locate and identify domains set up by adversaries and attackers.

Supported Naming Schemes

Dnstwist supports a variety of phishing domain schemes and types, which together produce a wide range of potential phishing domains. I will go through each one before getting into the procedure.

1. Addition

Letters are appended to the end of the specified domain name. Below is an example of Bank of America, one of the largest banks in the United States. Unlike some other options, a simple addition is easy for an end user to spot just by looking at the URL.

2. Bitsquatting

Bitsquatting refers to the registration of domain names that differ by 1 bit from a legitimate domain. Below is an example of Wikipedia, the largest and most popular general reference website on the Internet. This is a bit trickier on the eyes than the "additions" above, as many people read words based on the first and last letters and do not look at each letter individually.

3. Homoglyph

Phishing campaigns using homoglyphs are called homograph attacks, although the alternative characters are called homoglyphs rather than homographs. This type of attack still affects Firefox and most Android devices, and was recently highlighted by Xudong Zheng, who created the first homoglyph phishing address for apple.com. Using the example of Facebook, I found that many homoglyph phishing domains are still available for only $11.

To check a discovered domain name against a domain registrar, copy the domain from the Dnstwist terminal and paste it into the registrar's search bar.

4. Omission

Letters are simply removed from the domain name. To my surprise, all Instagram domain names were listed as available. Someone will probably notice that the first or last letter of the domain name is missing, but a letter missing from the middle may go unnoticed.

5. Subdomain

A period is inserted at various locations in the specified domain name. Using the example of Gizmodo, we can see the domains "odo.com" and "zmodo.com". It's just a matter of creating compelling subdomains to make an effective phishing domain. Like "additions," this could be more obvious than the other tricks here.

6. Vowel Swap

Vowels found in the specified domain are exchanged for different vowels. At a glance, many of these domains will likely get most victims to click on fraudulent links. Again, this works because most people scan words by the first and last letters, not necessarily by each letter in the middle. If a replaced vowel is the first or last letter, it probably will not work so well.
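The six schemes above can also be turned into a detection check: given a domain you protect and a hostname seen in proxy or DNS logs, report which scheme or schemes the hostname matches. This is an added example, not code from Dnstwist or from the original article; the function names, the small confusables table and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed sample of confusables (Cyrillic, digits); not dnstwist's own table.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "0": "o", "1": "l"})
# Constructed hostnames, as they might appear in proxy or DNS logs.
SEEN = ["facebookk.com", "facebok.com", "face.book.com", "fecebook.com",
        "f\u0430cebook.com", "example.org"]

def to_unicode(domain):
    """Decode punycode (xn--) labels so homoglyphs become comparable."""
    try:
        return domain.lower().encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or not valid punycode
        return domain.lower()

def fold(name):
    """Strip diacritics and map the sample confusables back to ASCII."""
    decomposed = unicodedata.normalize("NFKD", name)
    kept = "".join(c for c in decomposed if not unicodedata.combining(c))
    return kept.translate(CONFUSABLES)

def classify(protected, observed):
    """List the schemes by which `observed` imitates `protected` (TLD ignored)."""
    p = protected.lower().rpartition(".")[0]
    o = to_unicode(observed).rstrip(".").rpartition(".")[0]
    schemes = []
    if not p or not o or o == p:
        return schemes
    if "." in o and o.replace(".", "") == p:
        schemes.append("subdomain")
    if fold(o) == p:
        schemes.append("homoglyph")
    if len(o) == len(p) + 1 and o.startswith(p):
        schemes.append("addition")
    if len(o) == len(p) - 1 and any(p[:i] + p[i + 1:] == o for i in range(len(p))):
        schemes.append("omission")
    diffs = [(a, b) for a, b in zip(p, o) if a != b] if len(o) == len(p) else []
    if len(diffs) == 1:  # same length, exactly one character changed
        a, b = diffs[0]
        if a in "aeiou" and b in "aeiou":
            schemes.append("vowel-swap")
        flipped = ord(a) ^ ord(b)  # a single set bit means a one-bit flip
        if b.isascii() and (b.isalnum() or b == "-") and (flipped & (flipped - 1)) == 0:
            schemes.append("bitsquatting")
    return schemes

def triage(protected, seen=SEEN):
    """Map each lookalike hostname in `seen` to the schemes it matches."""
    return {d: s for d in seen if (s := classify(protected, d))}
```

A hostname can match more than one scheme: swapping "a" for "e" is both a vowel swap and a one-bit flip, so the result is a list rather than a single label.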

Now that you know all the tricks Dnstwist can use to find available phishing domains, let's see how the tool can actually be used.

Step 1: Set Up Dnstwist

Dnstwist relies on several Python dependencies that can be installed in Kali Linux by typing the following command in a terminal.

  apt-get install python-dnspython python-geoip python-whois python-requests python-ssdeep python-cffi

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libfuzzy2 python-certifi python-openssl python-ply python-pycparser python-simplejson python-urllib3 whois
Suggested packages:
  python-openssl-doc python-openssl-dbg python-ply-doc python-socks python-ntlm
The following NEW packages will be installed:
  libfuzzy2 python-certifi python-cffi python-dnspython python-geoip python-openssl python-ply python-pycparser python-requests python-simplejson python-ssdeep python-urllib3 python-whois whois
0 upgraded, 14 newly installed, 0 to remove and 164 not upgraded.
Need to get 778 kB/893 kB of archives.
After this operation, 3,842 kB of additional disk space will be used.
Do you want to continue? [Y/n] y

Then clone the Dnstwist GitHub repository.

  git clone https://github.com/elceef/dnstwist

Cloning into 'dnstwist'...
remote: Counting objects: 670, done.
remote: Total 670 (delta 0), reused 1 (delta 0), pack-reused 669
Receiving objects: 100% (670/670), 3.18 MiB | 89.00 KiB/s, done.
Resolving deltas: 100% (352/352), done.

Finally, use the cd command to change to the newly created "dnstwist" directory and use the command below to display the available options.

  cd dnstwist/
  ./dnstwist.py --help

usage: ./dnstwist.py [OPTION]... DOMAIN

Find similar-looking domain names that adversaries can use to attack you. Can detect typosquatters, phishing attacks, fraud and corporate espionage. Useful as an additional source of targeted threat intelligence.

positional arguments:
  DOMAIN                      domain name or URL to check

optional arguments:
  -h, --help                  show this help message and exit
  -a, --all                   show all DNS records
  -b, --banners               determine HTTP and SMTP service banners
  -c, --csv                   print output in CSV format
  -d FILE, --dictionary FILE  generate additional domains using dictionary FILE
  -g, --geoip                 look up GeoIP location
  -j, --json                  print output in JSON format
  -m, --mxcheck               check if MX host can be used to intercept e-mails
  -r, --registered            show only registered domain names
  -s, --ssdeep                fetch web pages and compare their fuzzy hashes to evaluate similarity
  -t NUMBER, --threads NUMBER start specified NUMBER of threads (default: 10)
  -w, --whois                 look up WHOIS creation/update time (slow)

Step 2: Generate phishing domains with dnstwist

Use the following command to create phishing domains with dnstwist. My example command uses multiple arguments. Since we save the results in a file, no results will be displayed on the screen in this case.

  ./dnstwist.py --ssdeep --json --threads 40 website.com > website.com.json
  • The --ssdeep argument tells Dnstwist to fetch the HTML found at each domain and compare it with the HTML of the given website. The degree of similarity is expressed as a percentage. However, each site should be manually audited, regardless of the percentage reported by Dnstwist. These percentages are only intended to help security experts identify the domains that are most likely phishing domains.
  • Dnstwist supports two output formats that can be used with other applications. In my example above, the --json output format was used. However, it also supports CSV output, which can be enabled with the --csv argument instead of --json. To save either format to a file, you can use redirection (> filename) to write the data to a specific file name.
  • By default, Dnstwist makes only 10 requests at a time when enumerating available phishing domains. This number can be increased or decreased using the --threads argument and specifying a value.

If you want to display the results on screen rather than writing them to a file, you can use the following command, swapping "facebook.com" for the desired domain. At the bottom of the Dnstwist terminal, a progress bar is printed. Depending on the network speed and the number of threads, this may take several minutes.

  ./dnstwist.py --ssdeep --threads 40 facebook.com
[dnstwist ASCII-art banner, version 1.04b]

Fetching content from: https://facebook.com ... 200 OK (541.4 Kbytes)
Processing 284 domain variants ...22%..42%...63%...88%. 210 hits (73%)

Always be aware of domain names

Whether you are an attacker preparing for a phishing campaign during a red team engagement or a sysadmin preparing to defend against such attacks, Dnstwist is a fantastic tool that can be used to list viable domains that are likely to be used for nefarious purposes. Dnstwist offers several important advantages over similar tools, such as the ability to analyze and compare the HTML of potential phishing domains, support for various output formats, and a wide variety of generated phishing domains.

If you are just a regular end user, pay close attention to the URL of a website when you arrive there. While homoglyphs may not be recognizable, the rest can be easily noticed if you take more than one look.

I hope you liked this article about creating and detecting phishing domains with Dnstwist. Leave questions and comments or write me a message on Twitter @tokyoneon_ if you need more explanations.

Cover photo and screenshots by tokyoneon/Null Byte



