Provided by: dnstwist_0~20220131-1_all

NAME

       dnstwist - domain name permutation engine

SYNOPSIS

       dnstwist [-a|--all] [-b|--banners] [-d|--dictionary FILE] [-f|--format FORMAT] [-g|--geoip]
                [-m|--mxcheck] [-o|--output FILE] [-r|--registered] [-s|--ssdeep] [--ssdeep-url URL]
                [-t|--threads NUMBER] [-w|--whois] [--nameservers LIST] [--tld FILE] [--useragent STRING] DOMAIN

DESCRIPTION

       Find similar-looking domain names that adversaries can use to attack you.

       Detect typosquatters, phishing attacks, fraud and brand impersonation.

       Useful as an additional source of targeted threat intelligence.

OPTIONS

       -a, --all
              Show all DNS records.

       -b, --banners
              Determine HTTP and SMTP service banners.

       -d, --dictionary FILE
              Generate additional domains using a dictionary read from FILE.

       -f, --format FORMAT
              Select the output format. Supported values are: cli (default), csv, list, json.

       -g, --geoip
              Perform lookup for GeoIP location.

       -h, --help
              Display a help message and exit.

       -m, --mxcheck
              Check if MX host can be used to intercept e-mails.

       -o, --output FILE
              Save output to FILE.

       -r, --registered
              Show only registered domain names.

       -s, --ssdeep
              Fetch web pages and compare their fuzzy hashes to evaluate similarity.

       --ssdeep-url URL
              Override URL to fetch the original web page from.

       -t, --threads NUMBER
              Start specified NUMBER of threads (default: 10).

       -w, --whois
              Perform lookup for WHOIS creation date.

       --nameservers LIST
              DNS servers to query (comma-separated LIST).

       --tld FILE
              Generate additional domains by swapping TLD as read from FILE.

       --useragent STRING
              User-Agent to send with HTTP requests (default: Mozilla/5.0 dnstwist).

NOTES

       The program will run the provided domain through its fuzzing algorithms and generate a list of potential
       phishing domains with the following DNS records: A, AAAA, NS and MX. Usually thousands of domain
       permutations are generated, especially for longer input domains. In such cases, it may be practical to
       display only registered (resolvable) ones using the --registered argument. Ensure your local DNS server
       can handle thousands of requests within a short period of time. Otherwise, you can specify an external
       DNS server with the --nameservers argument.

   Fuzzy hashing
       Manually checking whether each domain name serves a phishing site might be time-consuming. To
       address this, dnstwist makes use of so-called fuzzy hashes (context triggered piecewise hashes). Fuzzy
       hashing is a concept which involves the ability to compare two inputs (in this case HTML code) and
       determine a fundamental level of similarity. This unique feature of dnstwist can be enabled with
       the --ssdeep argument. For each generated domain, dnstwist will fetch content from the responding HTTP
       server (following possible redirects) and compare its fuzzy hash with the one for the original (initial)
       domain. The level of similarity will be expressed as a percentage.

       Please keep in mind it's rather unlikely to get a 100% match for a dynamically generated web page.
       However, each notification should be inspected carefully regardless of the score.

       In some cases, phishing sites are served from a specific URL. If you provide a full or partial URL
       address as an argument, dnstwist will parse it and apply it to each generated domain name variant. This
       is obviously useful only with the fuzzy hashing feature.

   MX checking
       Very often attackers set up e-mail honeypots on phishing domains and wait for mistyped e-mails to
       arrive. In this scenario, attackers would configure their server to vacuum up all e-mail addressed to
       that domain, regardless of the user it was addressed to. Another dnstwist feature allows performing a
       simple test on each mail server (advertised through a DNS MX record) in order to check which one can be
       used for such hostile intent. Suspicious servers will be marked with the SPYING-MX string.

       Please be aware of possible false positives. Some mail servers only pretend to accept incorrectly
       addressed e-mails but then discard those messages. This technique is used to prevent "directory
       harvesting" attacks.

   Dictionaries
       If the domain permutations generated by the fuzzing algorithms are insufficient, use the --dictionary
       option with a file to generate more domain variants. If you need to check whether domains with different
       TLDs exist, you can use the --tld argument.

   Coverage
       The number of variants generated by the algorithms increases considerably with the length of the
       domain, and with it the number of DNS queries needed to verify them. It's mathematically
       impossible to check all domain permutations - especially for longer input domains.

       For this reason, dnstwist generates and checks domains very close to the  original  one.   Theoretically,
       these  are  the  most  attractive  domains from the attacker's point of view.  However, be aware that the
       imagination of the aggressors is unlimited.
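
       The growth described under Coverage, as an added Python sketch (not dnstwist's own code or
       algorithms): five simplified single-edit typo classes are applied to the first label of a
       domain you monitor, and the candidates and resulting DNS queries are counted. The function
       names, the reduced alphabet and the sample domains are assumptions made for this example.

```python
# Added illustration, not dnstwist's code: five simplified single-edit typo
# classes, applied to the first label only (a simplification).
import string

ALPHABET = string.ascii_lowercase + string.digits

def omission(s):
    return {s[:i] + s[i + 1:] for i in range(len(s))}

def transposition(s):
    return {s[:i] + s[i + 1] + s[i] + s[i + 2:] for i in range(len(s) - 1)}

def replacement(s):
    return {s[:i] + c + s[i + 1:] for i in range(len(s)) for c in ALPHABET}

def insertion(s):
    return {s[:i] + c + s[i:] for i in range(1, len(s)) for c in ALPHABET}

def bitsquatting(s):
    # Single bit flips that still yield a character legal in a hostname.
    out = set()
    for i, ch in enumerate(s):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in ALPHABET + "-":
                out.add(s[:i] + flipped + s[i + 1:])
    return out

FUZZERS = (omission, transposition, replacement, insertion, bitsquatting)

def candidates(domain):
    """Return sorted look-alike candidates for a domain to monitor."""
    label, _, rest = domain.partition(".")
    variants = set().union(*(f(label) for f in FUZZERS))
    variants.discard(label)  # swapping or replacing equal characters reproduces the input
    return sorted(f"{v}.{rest}" for v in variants
                  if v and v[0] != "-" and v[-1] != "-")

def dns_query_budget(domain, record_types=("A", "AAAA", "NS", "MX")):
    """Queries needed to check every candidate for the record types listed in NOTES."""
    return len(candidates(domain)) * len(record_types)

if __name__ == "__main__":
    for d in ("abc.example", "example.com", "example-corporation.com"):  # constructed inputs
        print(d, len(candidates(d)), "candidates,", dns_query_budget(d), "queries")
```

       Every candidate is one edit away from the input, which is the "very close to the original"
       set the section describes; the count still grows with each added character.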

                                                   2020-07-05                                        DNSTWIST(1)