Provided by: dnstwist_0~20220131-1_all

NAME

       dnstwist - domain name permutation engine

SYNOPSIS

       dnstwist [-a|--all] [-b|--banners] [-d|--dictionary FILE] [-f|--format FORMAT]
                [-g|--geoip] [-m|--mxcheck] [-o|--output FILE] [-r|--registered] [-s|--ssdeep]
                [--ssdeep-url URL] [-t|--threads NUMBER] [-w|--whois] [--nameservers LIST]
                [--tld FILE] [--useragent STRING] DOMAIN

DESCRIPTION

       Find similar-looking domain names that adversaries can use to attack you.

       Detect typosquatters, phishing attacks, fraud and brand impersonation.

       Useful as an additional source of targeted threat intelligence.

OPTIONS

       -a, --all
              Show all DNS records.

       -b, --banners
              Determine HTTP and SMTP service banners.

       -d, --dictionary FILE
              Generate additional domains using a dictionary read from FILE.

       -f, --format FORMAT
              Select the output format. Supported values are: cli (default), csv, list, json.

       -g, --geoip
              Perform lookup for GeoIP location.

       -h, --help
              Display a help message and exit.

       -m, --mxcheck
              Check if MX host can be used to intercept e-mails.

       -o, --output FILE
              Save output to FILE.

       -r, --registered
              Show only registered domain names.

       -s, --ssdeep
              Fetch web pages and compare their fuzzy hashes to evaluate similarity.

       --ssdeep-url URL
              Override URL to fetch the original web page from.

       -t, --threads NUMBER
              Start specified NUMBER of threads (default: 10).

       -w, --whois
              Perform lookup for WHOIS creation date.

       --nameservers LIST
              DNS servers to query (comma-separated LIST).

       --tld FILE
              Generate additional domains by swapping TLD as read from FILE.

       --useragent STRING
              User-Agent to send with HTTP requests (default: Mozilla/5.0 dnstwist).

NOTES

       The program will run the provided domain through its fuzzing algorithms and generate a
       list of potential phishing domains with the following DNS records: A, AAAA, NS and MX.
       Usually thousands of domain permutations are generated, especially for longer input
       domains. In such cases, it may be practical to display only registered (resolvable) ones
       using the --registered argument. Ensure your local DNS server can handle thousands of
       requests within a short period of time. Otherwise, you can specify an external DNS server
       with the --nameservers argument.

   Fuzzy hashing
       Manually checking whether each domain name serves a phishing site might be
       time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context
       triggered piecewise hashes). Fuzzy hashing is a concept which involves the ability to
       compare two inputs (in this case HTML code) and determine a fundamental level of
       similarity. This unique feature of dnstwist can be enabled with the --ssdeep argument. For
       each generated domain, dnstwist will fetch content from the responding HTTP server
       (following possible redirects) and compare its fuzzy hash with the one for the original
       (initial) domain. The level of similarity will be expressed as a percentage.

       Please keep in mind it's rather unlikely to get a 100% match for a dynamically generated
       web page. However, each notification should be inspected carefully regardless of the score.

       In some cases, phishing sites are served from a specific URL. If you provide a full or
       partial URL address as an argument, dnstwist will parse it and apply it to each generated
       domain name variant. This is obviously useful only with the fuzzy hashing feature.

   MX checking
       Very often attackers set up e-mail honey pots on phishing domains and wait for mistyped
       e-mails to arrive. In this scenario, attackers would configure their server to vacuum up
       all e-mail addressed to that domain, regardless of the user it was sent to. Another
       dnstwist feature allows performing a simple test on each mail server (advertised through
       the DNS MX record) in order to check which one can be used for such hostile intent.
       Suspicious servers will be marked with the SPYING-MX string.

       Please be aware of possible false positives. Some mail servers only pretend to accept
       incorrectly addressed e-mails but then discard those messages. This technique is used to
       prevent "directory harvesting" attacks.

   Dictionaries
       If the domain permutations generated by the fuzzing algorithms are insufficient, use the
       --dictionary option with a file to generate more domain variants. If you need to check
       whether domains with different TLDs exist, you can use the --tld argument.

   Coverage
       The number of variants generated by the algorithms increases considerably with the length
       of the domain, and so does the number of DNS queries needed to verify them. It's
       mathematically impossible to check all domain permutations, especially for longer input
       domains.

       For this reason, dnstwist generates and checks domains very close to the original one.
       Theoretically, these are the most attractive domains from the attacker's point of view.
       However, be aware that the imagination of the aggressors is unlimited.
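
       Added example (not part of dnstwist or of this manual page): a Python program that counts
       the valid labels one and two single-character edits away from an input label, to show how
       the number of names to resolve grows with label length and edit distance. The four edit
       classes and the sample labels are assumptions chosen for illustration; dnstwist's own
       fuzzing algorithms are not reproduced here.

```python
import string

# Characters allowed in a hostname label (letters, digits, hyphen).
ALPHABET = string.ascii_lowercase + string.digits + "-"

def is_valid_label(label):
    """1-63 characters, no leading or trailing hyphen."""
    return 0 < len(label) <= 63 and label[0] != "-" and label[-1] != "-"

def one_edit(label):
    """Map each (assumed) edit class to the valid labels one edit away."""
    found = {"omission": set(), "transposition": set(),
             "replacement": set(), "insertion": set()}
    for i in range(len(label) + 1):
        for ch in ALPHABET:
            found["insertion"].add(label[:i] + ch + label[i:])
            if i < len(label):
                found["replacement"].add(label[:i] + ch + label[i + 1:])
        if i < len(label):
            found["omission"].add(label[:i] + label[i + 1:])
        if i + 1 < len(label):
            found["transposition"].add(
                label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # Drop the unchanged label and anything that is not a legal label.
    return {name: {v for v in labels if v != label and is_valid_label(v)}
            for name, labels in found.items()}

def neighbours(label, distance=1):
    """All valid labels reachable in at most `distance` edits."""
    seen, frontier = set(), {label}
    for _ in range(distance):
        frontier = {v for current in frontier
                    for group in one_edit(current).values() for v in group} - seen
        seen |= frontier
    seen.discard(label)
    return seen

if __name__ == "__main__":
    for label in ("bank", "example"):  # constructed sample labels
        counts = {name: len(group) for name, group in one_edit(label).items()}
        print(label, counts, "one edit:", len(neighbours(label)),
              "two edits:", len(neighbours(label, 2)))
```

       Each candidate name still has to be resolved, so the two-edit figure is the one to compare
       against what the resolver named with --nameservers can absorb.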

                                            2020-07-05                                DNSTWIST(1)