elceef / dnstwist

Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
https://dnstwist.it
Apache License 2.0

Working with a list of phishing domains #157

Closed JStyle21 closed 1 year ago

JStyle21 commented 2 years ago

Hi,

I was wondering if it's possible to work with a list of phishing domains. I've tried adding the list as a dictionary and TLD, but I think I need it for ssdeep. AFAIK it only takes 1 URL with --ssdeep-url. Is there a way to provide a list? Am I missing something? I couldn't manage to provide a list of variations it will consider apart from the original domain name.

elceef commented 2 years ago

The tool can only work with a single domain name at a time. Have you considered using a script with a simple loop?

JStyle21 commented 2 years ago

Actually no, I haven't. I was so sure I was doing something wrong and there was a better way that I didn't try anything else yet.

Now that I tried what you suggested, I can see it didn't produce the results I wanted, so I will describe my use case better:

  1. I'm looking for domain keywords that are different from the original name, i.e. word1.com - word2.com, but the content is the same or very similar. Is there a way to compare by content, or is that ssdeep?
  2. The original domain is a two-word hyphenated domain, i.e. word1-word2.com. I can see the tool only checks the first word. Is there a way to make it check the second one as well?

elceef commented 2 years ago

I'm not sure I follow. Can you provide a specific example of input domain and desired output?

JStyle21 commented 2 years ago

Sure,

Let's take:

fast-refund.org

What I'm looking for is a way to check both words, so I expected the results to provide something like:

fast-{words}.org

{words}-refund.org

{words}.org

{words}{words}.org

and with a different suffix as well.

What actually happens is only the first word and the suffix get searched.

The other case is when there is a different domain that is very similar / copied the original, so I want to find those too. For this example that would be

instant-refund.world

But because it uses different words it isn't covered in the search

I'm looking to cover or mitigate both cases

elceef commented 2 years ago

Please pull the most recent code. I just updated the dictionary fuzzer to (partially) cover your use case.

JStyle21 commented 2 years ago

Thank you!

I've tried again after pulling, but I haven't seen any differences in the results. Maybe I'm not using it properly? This only works when -d is passed with a list of words, correct?

Also, I'm wondering, why did you use 2 hyphens in the code? Wouldn't that create things like

{word}--{word}.com

-{word}-{word}.com

elceef commented 2 years ago

This obviously works only when the dictionary fuzzer is enabled with the -d <file> argument. If the input domain contains hyphens, the fuzzer splits it and replaces the first and last chunk with the provided dictionary words.

I did not use double hyphens in the code. I used .join() method of '-' string object.
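
The split-and-replace behaviour described in the last comment, sketched as an added example for building a monitoring watchlist (this is not dnstwist's own code; the function name `hyphen_dictionary_variants`, the label check and the sample words are assumptions). It also shows why `'-'.join()` does not produce `--` or a leading hyphen as long as the dictionary words are valid labels themselves.

```python
import re

# Hostname label rule: letters, digits, hyphens; no leading or trailing hyphen; 1-63 chars.
_LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def hyphen_dictionary_variants(domain, words):
    """Return sorted candidate domains for a hyphenated name.

    The first label is split on '-', and the first and the last chunk are
    each replaced by every dictionary word, then re-joined with '-'.
    Assumption: everything after the first dot is treated as the suffix.
    """
    label, _, suffix = domain.lower().partition(".")
    chunks = label.split("-")
    if len(chunks) < 2 or not suffix:
        return []  # nothing to split: this rule only applies to hyphenated names

    variants = set()
    for word in words:
        word = word.strip().lower()
        # Skip empty or malformed words (e.g. "-bad"), which are the only
        # way a join could yield "--" or a leading hyphen.
        if not _LABEL_RE.fullmatch(word):
            continue
        first_replaced = "-".join([word] + chunks[1:])
        last_replaced = "-".join(chunks[:-1] + [word])
        for candidate in (first_replaced, last_replaced):
            if candidate != label and _LABEL_RE.fullmatch(candidate):
                variants.add(candidate + "." + suffix)
    return sorted(variants)


if __name__ == "__main__":
    # Constructed sample dictionary; the domain is the one used in the thread.
    for name in hyphen_dictionary_variants("fast-refund.org", ["instant", "quick"]):
        print(name)
```
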