How to use DNSTwist. Cyber security training.

How to use DNSTwist? OSINT RECON

DNSTwist is a tool that is used to search and check for a list of similar domain names as the one entered, while verifying if they are available to be registered or currently active. The most common use cases for this tool is to detect possible:

  • typosquatters
  • phishing attacks
  • fraud
  • brand impersonation

If hired for a penetration test, where social engineering is in scope, this tool can be handy to register similar domain names to conduct social engineering.

DNS fuzzing is an automated workflow for discovering potentially malicious domains targeting your organization. DNSTwist works by generating a large list of permutations based on a domain name you provide and then checking if any of those permutations are in use. Additionally, it can generate fuzzy hashes of the web pages to see if they are part of an ongoing phishing attack or brand impersonation, and much more!

This tool can be used either by using the command line or a web application. Command line tool installation instructions can be found on the official GitHub repository (

–all$ dnstwist –all facebook.comShow all dns records
–banners$ dnstwist –banners facebook.comDetermine HTTP and SMTP service banners
–dictionary$ dnstwist –dictionary file.dict facebook.comGenerate more domains using dictionary file
–format$ dnstwist –format list facebook.comOutput format (cli, csv, json, list)
–geoip$ dnstwist –geoip facebook.comLookup for GeoIP location
–mxcheck$ dnstwist –mxcheck facebook.comCheck if MX can be used to intercept emails
–output$ dnstwist –all –output file1.txtSave output to a file
–registered$ dnstwist –registered facebook.comShow only registered domain names
–ssdeep$ dnstwist –ssdeep facebook.comFetch web pages and compare their fuzzy hashes to evaluate similarity
–ssdeep-url$ dnstwist –ssdeep –ssdeep-url https://different.domain/owa/ domain.nameOverride URL to fetch the original web page from
–threads$ dnstwist –all –threads 20Start specified number of threads (default is 10)
–whois$ dnstwist –whois facebook.comLookup WHOIS database for creation date
–tld$ dnstwist –tld dictionaries/common_tlds.dict example.comGenerate more domains by swapping TLD from file name
–nameservers$ dnstwist –registered –nameservers ns1.example.comDNS servers to query (separated by commas)
–useragentdefault: Mozilla/5.0 dnstwist/20201228User-Agent STRING to send with HTTP requests
–debug$ dnstwist –debug debug messages

DNSTwist Cheat Sheet

DNSTwist Cheat Sheet

DNSTwist –all Argument

$ dnstwist –all

The dnstwist –all shows all DNS records.

DNSTwist Tutorial --all

DNSTwist –banners Argument

The dnstwist -banners argument determines HTTP and SMTP service banners.

$ dnstwist --banners
DNSTwist Tutorial --banners

DNSTwist –dictionary {FILE} Argument

If domain permutations generated by the fuzzing algorithms are insufficient, please supply dnstwist with a dictionary file. Some dictionary samples with a list of the most common words used in phishing campaigns are included.

 dnstwist --dictionary file.dict
DNSTwist Tutorial --dictionary

DNSTwist –format {FILE} Argument

Dnstwist –format the tool allows exporting results to CSV and JSON. In case you need just the permutations without making any DNS lookups, use --format list argument.
– column -t is for table
– column -s is separator

$ dnstwist --format csv | column -t -s,
$ dnstwist --format json | jq
$ dnstwist --format list
DNSTwist Tutorial --format

DNSTwist –geoip Argument

Dnstwist –geoip can perform real-time lookups to return geographical location (approximated to the country) of IPv4 addresses. The GeoIP2 library is used by default. Country database location has to be specified with $GEOLITE2_MMDB environment variable. If the library or the database are not present, the tool will fall-back to the older GeoIP Legacy. To display all available options with brief descriptions simply execute the tool without any arguments.

$ dnstwist --geoip
DNSTwist Tutorial --geoip

DNSTwist –mxcheck Argument

Sometimes attackers set up e-mail honey pots on phishing domains and wait for mistyped e-mails to arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to that domain, regardless of the user it was sent towards. Another dnstwist feature allows performing a simple test on each mail server (advertised through DNS MX record) to check which one can be used for such hostile intent. Suspicious servers will be flagged with SPYING-MX string.

$ dnstwist --mxcheck

Note: Be aware of possible false positives. Some mail servers only pretend to accept incorrectly addressed e-mails but then discard those messages. This technique is used to prevent “directory harvesting attack”.

DNSTwist Tutorial --mxcheck

DNSTwist –output {FILE} Argument

The dnstwist –output argument saves the output to a file with a specified name.

$ dnstwist --all --output file1.txt
DNSTwist Tutorial --output

DNSTwist –registered Argument

Typically thousands of domain permutations are generated – especially for longer input domains. In such cases, it may be practical to display only the ones that are registered by using the –registered argument.

$ dnstwist --registered
DNSTwist Tutorial --registered

DNSTwist –ssdeep Argument

Manually checking each domain name in terms of serving a phishing site might be time-consuming. To address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy hashing is a concept that involves the ability to compare two inputs (in this case HTML code) and determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with --ssdeep argument. For each generated domain, dnstwist will fetch content from responding HTTP server (following possible redirects) and compare its fuzzy hash with the one for the original (initial) domain. The level of similarity will be expressed as a percentage.

$ dnstwist --ssdeep

Note: Keep in mind it’s rather unlikely to get 100% match for a dynamically generated web page, and that a phishing site can have completely different HTML source code. However, each notification is a strong indicator and should be inspected carefully regardless of the score.

DNSTwist Tutorial --ssdeep

DNSTwist –ssdeep-url {URL} Argument

In some cases, phishing sites are served from a specific URL. If you provide a full or partial URL address as an argument, dnstwist will parse it and apply for each generated domain name variant. Additionally you can use --ssdeep-url to override URL to fetch the original web page from. This is obviously useful only with the fuzzy hashing feature.

$ dnstwist --ssdeep --ssdeep-url https://different.domain/owa/

DNSTwist –threads {NUMBER} Argument

The dnstwist –threads argument is used to specify a specific number of threads to be used. The default threads used for this tool is 10.

$ dnstwist --all --threads 20
DNSTwist Tutorial --threads

DNSTwist –whois Argument

The dnstwist –whois argument will lookup WHOIS database for creation date.

$ dnstwist --whois
DNSTwist Tutorial --whois

The examples above use the domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security researching purposes. Although dnstwist does not actively scan the network, it is important to check to make sure no other commands are ran against this domain if not in a public bounty program. Please visit this link to make sure the Facebook program is still open before attempting any other commands.

Similar Posts