How to use DNSTwist? OSINT RECON
DNSTwist is a tool that searches for domain names similar to the one you enter and checks whether they are available to be registered or currently active. The most common use cases for this tool are to detect possible:
- typosquatters
- phishing attacks
- fraud
- brand impersonation
If hired for a penetration test, where social engineering is in scope, this tool can be handy to register similar domain names to conduct social engineering.
DNS fuzzing is an automated workflow for discovering potentially malicious domains targeting your organization. DNSTwist works by generating a large list of permutations based on a domain name you provide and then checking if any of those permutations are in use. Additionally, it can generate fuzzy hashes of the web pages to see if they are part of an ongoing phishing attack or brand impersonation, and much more!
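
The generate-then-check workflow described above, as an added Python sketch for monitoring your own domain (not dnstwist's code). The fuzzer names follow dnstwist's terminology, but the implementations are simplified, the input is assumed to be a two-label domain, and the resolver data is constructed.

```python
# Added illustration; not dnstwist's code. Fuzzer names follow dnstwist's
# terminology, but these implementations are simplified.

def omission(name):
    # drop one character: example -> exmple
    return {name[:i] + name[i + 1:] for i in range(len(name))}

def transposition(name):
    # swap two neighbouring characters: example -> exampel
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1)}

def repetition(name):
    # double one character: example -> exxample
    return {name[:i] + c + name[i:] for i, c in enumerate(name)}

def hyphenation(name):
    # insert a hyphen between two characters: example -> exam-ple
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}

FUZZERS = {"omission": omission, "transposition": transposition,
           "repetition": repetition, "hyphenation": hyphenation}

def permutations(domain):
    """Map each lookalike of a two-label `domain` to the fuzzer that made it."""
    name, _, tld = domain.partition(".")
    found = {}
    for fuzzer, generate in FUZZERS.items():
        for variant in generate(name):
            if variant and variant != name:
                found.setdefault(f"{variant}.{tld}", fuzzer)
    return found

def in_use(domain, resolve):
    """Return (lookalike, fuzzer, addresses) for permutations that resolve."""
    hits = []
    for candidate, fuzzer in sorted(permutations(domain).items()):
        addresses = resolve(candidate)
        if addresses:
            hits.append((candidate, fuzzer, addresses))
    return hits

# Constructed resolver data (documentation addresses); swap in a real DNS lookup.
SAMPLE_DNS = {"exmple.com": ["192.0.2.10"], "exampel.com": ["192.0.2.20"]}

if __name__ == "__main__":
    for hit in in_use("example.com", lambda d: SAMPLE_DNS.get(d, [])):
        print(*hit)
```
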
This tool can be used either from the command line or as a web application. Installation instructions for the command line tool can be found on the official GitHub repository (https://github.com/elceef/dnstwist).
Argument | Example | Description |
---|---|---|
--all | $ dnstwist --all facebook.com | Show all DNS records |
--banners | $ dnstwist --banners facebook.com | Determine HTTP and SMTP service banners |
--dictionary | $ dnstwist --dictionary file.dict facebook.com | Generate more domains using dictionary file |
--format | $ dnstwist --format list facebook.com | Output format (cli, csv, json, list) |
--geoip | $ dnstwist --geoip facebook.com | Lookup for GeoIP location |
--mxcheck | $ dnstwist --mxcheck facebook.com | Check if MX can be used to intercept emails |
--output | $ dnstwist --all facebook.com --output file1.txt | Save output to a file |
--registered | $ dnstwist --registered facebook.com | Show only registered domain names |
--ssdeep | $ dnstwist --ssdeep facebook.com | Fetch web pages and compare their fuzzy hashes to evaluate similarity |
--ssdeep-url | $ dnstwist --ssdeep --ssdeep-url https://different.domain/owa/ domain.name | Override URL to fetch the original web page from |
--threads | $ dnstwist --all facebook.com --threads 20 | Start specified number of threads (default is 10) |
--whois | $ dnstwist --whois facebook.com | Lookup WHOIS database for creation date |
--tld | $ dnstwist --tld dictionaries/common_tlds.dict example.com | Generate more domains by swapping TLD from file name |
--nameservers | $ dnstwist --registered example.com --nameservers ns1.example.com | DNS servers to query (separated by commas) |
--useragent | default: Mozilla/5.0 dnstwist/20201228 | User-Agent STRING to send with HTTP requests |
--debug | $ dnstwist --debug facebook.com | Display debug messages |
DNSTwist Cheat Sheet

DNSTwist --all Argument
$ dnstwist --all facebook.com
The dnstwist --all argument shows all DNS records.

DNSTwist --banners Argument
The dnstwist --banners argument determines HTTP and SMTP service banners.
$ dnstwist --banners facebook.com

DNSTwist --dictionary {FILE} Argument
If domain permutations generated by the fuzzing algorithms are insufficient, please supply dnstwist with a dictionary file. Some dictionary samples with a list of the most common words used in phishing campaigns are included.
$ dnstwist --dictionary file.dict facebook.com

DNSTwist --format {FORMAT} Argument
With the --format argument, the tool can export results to CSV and JSON. In case you need just the permutations without making any DNS lookups, use the --format list argument.
- column -t formats the input as a table
- column -s sets the separator character
$ dnstwist --format csv facebook.com | column -t -s,
$ dnstwist --format json facebook.com | jq
$ dnstwist --format list facebook.com

DNSTwist --geoip Argument
With --geoip, dnstwist can perform real-time lookups to return the geographical location (approximated to the country) of IPv4 addresses. The GeoIP2 library is used by default. The country database location has to be specified with the $GEOLITE2_MMDB environment variable. If the library or the database is not present, the tool will fall back to the older GeoIP Legacy. To display all available options with brief descriptions, simply execute the tool without any arguments.
$ dnstwist --geoip facebook.com

DNSTwist --mxcheck Argument
Sometimes attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent towards. Another dnstwist feature allows performing a simple test on each mail server (advertised through DNS MX record) to check which one can be used for such hostile intent. Suspicious servers will be flagged with SPYING-MX string.
$ dnstwist --mxcheck facebook.com
Note: Be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent “directory harvesting attack”.

DNSTwist --output {FILE} Argument
The dnstwist --output argument saves the output to a file with a specified name.
$ dnstwist --all facebook.com --output file1.txt

DNSTwist --registered Argument
Typically thousands of domain permutations are generated, especially for longer input domains. In such cases, it may be practical to display only the ones that are registered by using the --registered argument.
$ dnstwist --registered facebook.com

DNSTwist --ssdeep Argument
Manually checking each domain name in terms of serving a phishing site might be time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept that involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with the --ssdeep argument. For each generated domain, dnstwist will fetch content from the responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage.
$ dnstwist --ssdeep facebook.com
Note: Keep in mind it’s rather unlikely to get 100% match for a dynamically generated web page, and that a phishing site can have completely different HTML source code. However, each notification is a strong indicator and should be inspected carefully regardless of the score.
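
Why a context triggered piecewise hash still scores a lightly edited page as similar, as an added Python example (not part of the original article and not dnstwist's or ssdeep's code). It is a simplified stand-in for ssdeep: the block size is fixed, signatures are compared with difflib instead of ssdeep's weighted edit distance, and the three pages are constructed.

```python
import hashlib
from difflib import SequenceMatcher

# Added illustration of context-triggered piecewise hashing; a simplified
# stand-in for ssdeep, not the algorithm or code dnstwist ships with.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7   # bytes covered by the rolling hash
BLOCK = 16   # fixed trigger modulus (assumption; ssdeep derives it from input size)

def ctph(data: bytes) -> str:
    """One base64 character per content-defined chunk of `data`."""
    signature, start = [], 0
    for i in range(len(data)):
        window = data[max(0, i - WINDOW + 1):i + 1]
        rolling = sum((j + 1) * b for j, b in enumerate(window))
        # The boundary depends only on the last WINDOW bytes, so an edit
        # changes nearby chunks and boundaries re-align shortly after it.
        if rolling % BLOCK == BLOCK - 1 or i == len(data) - 1:
            chunk = hashlib.sha256(data[start:i + 1]).digest()
            signature.append(B64[chunk[0] % 64])
            start = i + 1
    return "".join(signature)

def similarity(a: bytes, b: bytes) -> int:
    """0-100 score from comparing signatures (difflib ratio, not ssdeep's
    weighted edit distance)."""
    return round(100 * SequenceMatcher(None, ctph(a), ctph(b)).ratio())

# Constructed pages: a login form, a copy whose form posts elsewhere, and
# an unrelated parking page.
ROWS = "".join(f"<div class='row{i}'><label>Field {i}</label>"
               f"<input name='f{i}'></div>" for i in range(12))
ORIGINAL = (f"<html><head><title>Example Corp Webmail</title></head><body>"
            f"<form action='https://mail.example.com/login' method='post'>"
            f"{ROWS}</form></body></html>").encode()
COPY = ORIGINAL.replace(b"mail.example.com/login", b"mail.exmple.com/collect")
PARKED = ("<html><body>" + "".join(
    f"<p>Notice {i * i}: this name is parked and may be for sale.</p>"
    for i in range(12)) + "</body></html>").encode()

if __name__ == "__main__":
    print("copy   :", similarity(ORIGINAL, COPY))
    print("parked :", similarity(ORIGINAL, PARKED))
```
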

DNSTwist --ssdeep-url {URL} Argument
In some cases, phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply it to each generated domain name variant. Additionally, you can use --ssdeep-url to override the URL to fetch the original web page from. This is obviously useful only with the fuzzy hashing feature.
$ dnstwist --ssdeep --ssdeep-url https://different.domain/owa/ domain.name

DNSTwist --threads {NUMBER} Argument
The dnstwist --threads argument sets the number of threads to use. The default number of threads for this tool is 10.
$ dnstwist --all facebook.com --threads 20

DNSTwist --whois Argument
The dnstwist --whois argument will look up the WHOIS database for the creation date.
$ dnstwist --whois facebook.com

The examples above use the facebook.com domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security research purposes. Although dnstwist does not actively scan the network, it is important to make sure no other commands are run against this domain if it is not in a public bounty program. Please visit this link to make sure the Facebook program is still open before attempting any other commands.