Provided by: dnstwist_0~20230509-1_all bug

NAME

       dnstwist - domain name permutation engine

SYNOPSIS

       dnstwist [OPTION...] DOMAIN

DESCRIPTION

       Find  similar-looking  domain  names  that  adversaries  can  use  to  attack  you. Detect
       typosquatters, phishing attacks, fraud and brand impersonation.

COMMAND-LINE OPTIONS

       -a, --all
              Print all DNS records instead of the first ones.

       -b, --banners
              Determine HTTP and SMTP service banners.

       -d, --dictionary FILE
              Generate additional domains using a dictionary read from FILE.

       -f, --format FORMAT
              Select the output format. Supported values are: cli (default), csv, list, json.

       --fuzzers LIST
              Use only selected fuzzing algorithms (separated with commas).

       -g, --geoip
              Perform lookup for GeoIP location.

       --lsh [LSH]
              Evaluate web page similarity with LSH algorithm: ssdeep (default), tlsh

       --lsh-url URL
              Override URL to fetch the original web page from.

       -h, --help
              Display help message and exit.

       -m, --mxcheck
              Check if MX host can be used to intercept e-mails.

       -o, --output FILE
              Save output to FILE.

       -r, --registered
              Show only registered domain names.

       -u, --unregistered
              Show only unregistered domain names.

       -p, --phash
              Render web pages and compare their perceptual hashes to evaluate visual similarity.

       --phash-url URL
              Override URL to render the original web page from.

       --screenshots DIR
              Save web page screenshots into DIR.

       -t, --threads NUM
              Start specified NUM of threads.

       -w, --whois
              Lookup WHOIS database for creation date and registrar.

       --nameservers LIST
              DNS or DNS-over-HTTPS servers to query (comma-separated LIST).

       --tld FILE
              Generate additional domains by swapping TLD as read from FILE.

       --useragent STRING
              Set User-Agent STRING (default: Mozilla/5.0 (platform arch) dnstwist/version).

NOTES

       DNS fuzzing is an automated workflow for discovering potentially malicious domain names.

       The tool will run the provided domain name through its fuzzing algorithms and  generate  a
       list  of  potential  phishing domains along with DNS records.  Usually thousands of domain
       permutations are generated - especially for longer input domains. In such cases, it may be
       practical to display only registered (resolvable) ones using --registered argument.

       Ensure  your  local  DNS  server can handle thousands of requests within a short period of
       time.  Otherwise,  you  can  specify  an  external  DNS  or  DNS-over-HTTPS  server   with
       --nameservers argument.

   Fuzzy hashing
       Manually  checking  each  domain  name  in terms of serving a phishing site might be time-
       consuming. To address this, dnstwist  makes  use  of  so-called  fuzzy  hashes  (locality-
       sensitive  hash,  LSH)  and  perceptual  hashes  (pHash).  Fuzzy hashing is a concept that
       involves the ability to compare two inputs (HTML code) and determine a  fundamental  level
       of  similarity,  while perceptual hash is a fingerprint derived from visual features of an
       image (web browser screenshot). The level of similarity is expressed as a percentage.

       Keep in mind it's rather unlikely to get 100% match for a dynamically generated web  page.
       However,  each  notification  is  a  strong  indicator  and  should be inspected carefully
       regardless of the score.

   Dictionaries
       If domain permutations generated by the fuzzing algorithms are  insufficient,  please  use
       --dictionary  option  with  a file to generate more domain variants.  If you need to check
       whether domains with different TLDs exist, you can use --tld argument.

   Coverage
       Along with the length of the domain, the number of variants generated  by  the  algorithms
       increases  considerably,  and therefore the time and resources needed to verify them. It's
       mathematically impossible to check all domain permutations - especially for  longer  input
       domains  which would require millions of DNS lookups. For this reason, this tool generates
       and checks domains very close to the original  one.  Theoretically,  these  are  the  most
       attractive  domains  from  the  attacker's  point  of  view.  However,  be  aware that the
       imagination of the aggressors is unlimited.

       Unicode tables consist of thousands of characters with many of them  visually  similar  to
       each  other.  However,  despite  the fact certain characters are encodable using punycode,
       most TLD authorities will reject them during domain registration process. In general,  TLD
       authorities  disallow  mixing  of  characters  coming  from  different  Unicode scripts or
       maintain their own sets of acceptable characters. With  that  being  said,  the  homoglyph
       fuzzer  was  build on top of carefully researched range of Unicode characters (homoglyphs)
       to ensure that generated domains can be registered in practice.

AUTHOR

       Marcin Ulikowski <marcin@ulikowski.pl>

                                          December 2022                               DNSTWIST(1)