Detecting phishing domains with dnstwist
Trappers
A user's browser can be redirected to a domain name other than the one they intended in many ways. For example, URLs with mixed-up letters or with similar names have proven to be an effective means of detouring a request.
Anyone responsible for the operation and maintenance of a company website is probably familiar with complaints and emergency calls from users saying that a website cannot be reached. Often users have simply made a typing error, which only becomes a problem if the incorrect address takes them to a page that actually harms the user's computer (e.g., by installing malware).
Things get even worse if, for example, customers arrive at what they think is the company's website, when it is in fact a malicious copy that, at best, only confuses the user or, in the worst case, installs malware or causes financial damage. Therefore, it makes sense for IT staff responsible for the company website to search for domains with similar names, check to see whether those domains distribute dangerous content, and warn users about them.
Automatic Name Finding
Although you could try out different domain name combinations by hand, this method is not only inconvenient, but also time-consuming and error-prone. Such a task can and should be automated. Marcin Ulikowski, who works as a security consultant at Sony, developed a Python script more than two years ago that handles this work very quickly and reliably. He explains on his website that a user who wants to check all variants of "google.com" manually would need more than 300,000 queries and that this number would then increase to more than 5 million queries for "facebook.com" – which is one good reason for assigning this task to Ulikowski's Python script dnstwist [1].
This script works quite simply: You pass in a domain name. The script then uses this input to generate domain names with plausible variations and changes (swapped, omitted, repeated, or lookalike characters, different top-level domains) that could be used for phishing attacks (Figure 1, right window). The script then checks whether these names are registered in the Domain Name System and shows the IPv4 or IPv6 address to which they refer.
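To make the generate-and-resolve idea concrete, here is a small, added example that is not dnstwist's own code: it builds a handful of the variant classes described above (omission, repetition, transposition, hyphenation, a tiny ASCII homoglyph table, appended characters, and alternative TLDs, all of them this example's own choices, not dnstwist's fuzzer list) and resolves each candidate through a pluggable resolver, so that the same scan can run against real DNS or against a constructed lookup table for testing.

```python
"""Generate lookalike variants of a domain and check which ones resolve.

Added example, not dnstwist's own code.  The fuzzer names, the homoglyph
table and the TLD list are this example's assumptions, chosen to be small.
"""
import socket
from typing import Callable, Optional

# ASCII-only confusables; real tools also use Unicode lookalikes.
HOMOGLYPHS = {"m": "rn", "l": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
TLDS = ("com", "net", "org", "co")
ADDITION_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789"


def fuzz(domain: str) -> list[tuple[str, str]]:
    """Return sorted (fuzzer, candidate-domain) pairs for lookalikes of domain.

    Only a single-label TLD is handled ("example.co.uk" would be split as
    "example.co" + "uk"), which is enough to show the technique.
    """
    name, _, tld = domain.lower().rpartition(".")
    out: set[tuple[str, str]] = set()
    n = len(name)
    for i in range(n):
        out.add(("omission", name[:i] + name[i + 1:]))          # exmple
        out.add(("repetition", name[:i] + name[i] + name[i:]))  # exaample
        if i + 1 < n and name[i] != name[i + 1]:
            out.add(("transposition", name[:i] + name[i + 1] + name[i] + name[i + 2:]))
        if i > 0:
            out.add(("hyphenation", name[:i] + "-" + name[i:]))  # ex-ample
        if name[i] in HOMOGLYPHS:
            out.add(("homoglyph", name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:]))
    for c in ADDITION_CHARS:
        out.add(("addition", name + c))                          # examplea
    candidates = [(f, f"{v}.{tld}") for f, v in out if v != name]
    candidates += [("tld-swap", f"{name}.{t}") for t in TLDS if t != tld]
    return sorted(candidates)


def dns_resolver(fqdn: str) -> Optional[str]:
    """Look up an A record; None when the name does not resolve (unregistered or parked without A)."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def scan(domain: str,
         resolver: Callable[[str], Optional[str]] = dns_resolver) -> list[dict]:
    """Resolve every candidate; the records are JSON-serialisable like a dnstwist report."""
    return [{"fuzzer": f, "domain": d, "dns_a": resolver(d)} for f, d in fuzz(domain)]


if __name__ == "__main__":
    import json
    # Constructed lookup table standing in for DNS, so this runs offline.
    fake_dns = {"exarnple.com": "192.0.2.10", "example.co": "192.0.2.20"}.get
    registered = [r for r in scan("example.com", fake_dns) if r["dns_a"]]
    print(json.dumps(registered, indent=2))
```

Swapping `fake_dns` for the default `dns_resolver` runs the same scan against real DNS; the records it returns can be written out with `json.dump` or the `csv` module, which is the shape of report the text later describes for the `--csv` and `--json` options.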
On an Ubuntu system (17.10, 64-bit) virtualized on a VMware workstation, we installed dnstwist. According to information on the GitHub page for this open source software, the script can be installed from Ubuntu version 15.04 on with:
$ sudo apt-get install python-dnspython python-geoip python-whois python-requests python-ssdeep python-cffi
This command worked without any problem on our platform. All the additional packages were also downloaded and installed on the system after confirming the prompt. The script worked without errors with Python v2.7.14, which was installed by default on the system. The developer explicitly points out that this script can only offer all of its feature set if the following Python modules are also installed (which was done automatically in our installation scenario):
- dnspython: A DNS toolkit for Python that supports almost all DNS record types and can be used for queries, zone transfers, and dynamic updates.
- GeoIP: Python GeoIP database by MaxMind.
- whois: Python WHOIS module/library that can be used to retrieve WHOIS information from domains.
- Requests: HTTP for Humans, an Apache2-licensed HTTP library, written in Python for simplifying work with HTTP/1.1 in Python.
- ssdeep: Python wrapper, which processes context-triggered piecewise hashes (CTPH), also known as fuzzy hashes.
Furthermore, the developer provides tips on installing the script on Mac OS with Homebrew (Figure 1, left window), a package manager for the Apple systems, or as an official Docker image directly from Docker Hub.
After installation on the Linux system, the dnstwist directory contains the dnstwist.py Python file, as well as directories with documentation and an additional shell script tool. The documentation is essentially limited to a README file and example scans of the google.com website in CSV and JSON format, which can be found in the examples subdirectory.
Tracking Down Phishers
Attackers that use a phishing attack to target a corporate site often try to lure users to a cloned version of the website and then infect their systems with malware. Of course, it would be very inconvenient and time-consuming to manually call up in a browser all the pages found by the script to determine whether a phishing page or a clone of your own company website has been set up and is being operated. To solve this problem, dnstwist uses fuzzy hashes. This strategy, and the ssdeep library used for this purpose, helps you compare two entries – in this case, HTML code – and determine a fundamental match.
If dnstwist is called with the --ssdeep (-s) argument, the script downloads content for each generated domain name from the responding HTTP server and follows any redirects. The fuzzy hash of this content is then compared with that of the original website, and the script outputs a match score as a percentage. Although it is difficult to impossible to achieve a 100% match for a dynamically created website, you can get a good idea as to which of the displayed websites with a high match score you should look at more closely.
Attackers also try to intercept email sent to a mistyped address: a mail server registered for the lookalike domain can then collect all the mail intended for the real one. dnstwist has a way to run a simple test on any mail server specified by the DNS MX record to determine whether it can be used for this purpose. The corresponding servers are then labeled Spying MX in the output. To do this, you need to call the script as follows:
$ dnstwist.py --mxcheck example.com
However, the developer points out that for security reasons, some mail servers are configured to accept incorrectly addressed email and then discard it immediately. All results of a script run can also be output directly to corresponding text files with the --csv or --json options.
Conclusions
All told, dnstwist is a very useful tool that any IT administrator responsible for a web domain or who wants to protect their company name against phishing attacks should have in their virtual toolbox. However, if you don't work with Linux (a brief attempt to launch dnstwist with Python on Windows failed) or if you don't have an employee in your company who is familiar with the command line, you might need some time to familiarize yourself with its use and handling, or you might have to invest the time and effort to set up and run a Linux system.
In these cases, the dnstwister website [2] is an alternative, although options such as --ssdeep or determining geographic location are not available. That said, the website does let you filter the results so that only registered domains are displayed. Exporting the results to a JSON or CSV file is also possible with the help of the website, making it an interesting alternative for users who do not want to set up the script themselves.
Infos
- dnstwist: https://github.com/elceef/dnstwist
- dnstwister: https://dnstwister.report