  • Stars: 119
  • Rank: 296,207 (Top 6 %)
  • Language: Python
  • License: Apache License 2.0
  • Created: almost 9 years ago
  • Updated: 12 months ago


Repository Details

A dnstwist wrapper for monitoring for possible typosquatting/spear-phishing domains

DomainAware

Remain aware with DomainAware

A dnstwist and/or URLCrazy wrapper that emails security staff when possible typosquatting/spear-phishing domains have been registered

How it works

dnstwist and URLCrazy are domain name fuzzers. They generate lookalike and typo domains for a given domain (character omissions, transpositions, homoglyphs, alternate TLDs, and so on), then look up A, AAAA and MX records for each candidate to see whether it is live. DomainAware keeps track of the results of these tools between runs, so that newly appearing domains can be quickly identified.
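The following is an added example of the fuzzing step, written to show the kinds of permutations dnstwist and URLCrazy produce; it is not DomainAware's, dnstwist's or URLCrazy's own code. The substitution tables are a small illustrative subset, and the DNS lookups that the real tools perform are deliberately left out so it runs offline.

```python
"""Minimal lookalike-domain fuzzer in the style of dnstwist / URLCrazy.

Added example, not DomainAware's, dnstwist's or URLCrazy's code. It only
generates candidates; the A/AAAA/MX lookups the real tools do are omitted.
"""

# Illustrative subset of confusable characters (dnstwist's table is much larger).
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "m": "rn", "w": "vv"}

# Illustrative subset of adjacent keys on a QWERTY keyboard.
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "e": "wsdr", "i": "uojk", "l": "kop", "m": "njk",
    "n": "bhjm", "o": "ipkl", "p": "ol", "s": "wedxza", "x": "zsdc",
}

# Alternate TLDs to try for the same label.
EXTRA_TLDS = ("com", "net", "org", "co")


def split_domain(domain):
    """Return (label, tld) for a simple two-part domain such as example.com."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def fuzz(domain):
    """Return a list of (fuzzer, candidate) pairs, deduplicated and excluding the seed."""
    label, tld = split_domain(domain)
    seen = set()
    results = []

    def emit(kind, new_label, new_tld=tld):
        cand = f"{new_label}.{new_tld}"
        if new_label and cand != domain.lower() and cand not in seen:
            seen.add(cand)
            results.append((kind, cand))

    # omission: drop one character
    for i in range(len(label)):
        emit("omission", label[:i] + label[i + 1:])
    # transposition: swap two adjacent (different) characters
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            emit("transposition", label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # repetition: double one character
    for i in range(len(label)):
        emit("repetition", label[:i + 1] + label[i] + label[i + 1:])
    # replacement: substitute an adjacent keyboard key
    for i, ch in enumerate(label):
        for neighbour in KEYBOARD_NEIGHBOURS.get(ch, ""):
            emit("replacement", label[:i] + neighbour + label[i + 1:])
    # homoglyph: substitute a visually similar character or digraph
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            emit("homoglyph", label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    # hyphenation: insert a hyphen inside the label
    for i in range(1, len(label)):
        emit("hyphenation", label[:i] + "-" + label[i:])
    # tld-swap: same label under another TLD
    for other in EXTRA_TLDS:
        if other != tld:
            emit("tld-swap", label, other)
    return results


if __name__ == "__main__":
    for kind, candidate in fuzz("example.com"):
        print(f"{kind:14} {candidate}")
```

In the real tools each candidate is then resolved; a candidate with an A record and an MX record is the one worth an analyst's attention, since it can both host a page and receive mail.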

Dependencies

To install the dependencies on Debian/Ubuntu systems, run:

sudo apt-get install -y python-pip python-dev ruby libgeoip-dev \
 geoip-database python-ssdeep
sudo -H pip2 install requests dnspython GeoIP whois

Use

After installing the above dependencies, edit the settings.cfg file:

  • Set the path to dnstwist and URLCrazy
  • Configure the email settings

If you have a subscription to the DomainTools WHOIS APIs, you can add your credentials to include the registrar name, registrant name, creation date, updated date, and expiration date in the domainaware results. The plain WHOIS API and the parsed WHOIS API return the same basic information, but you might have access to one and not the other, and they use different URLs, so specify which one to use with the parsed setting.

Determine the critical domains that you would like to monitor, for example key brands, and add them to mydomains.csv, one per line. Include every legitimate TLD variant of those domains, even ones that are not actually in use, but do not include typo variants.

Add any other domains you or your organisation own under the Domain header in knowndomains.csv, including any typo domains you own defensively, with a Reason such as Valid for each. The Notes field is for humans and is not used by the script. The file simply lets the analyst keep track of every domain that has already been reviewed.

Run the script for the first time:

$ ./domainaware --email

Open output.csv. Add all of the domains to knowndomains.csv, then review each domain to decide whether it is valid or whether you should add alerts and/or blocks for it in your security controls. Domains are not added to knowndomains.csv automatically, so that human review is required. If the script detects that domains from its last run are still missing from knowndomains.csv, it sends an email notice of this and exits, so that analysts review all domains before alerts for new ones are issued.

It is recommended to run the script once a day, either manually, or via cron.
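The tracking logic behind the steps above, as an added example rather than DomainAware's own code: diff the fuzzer output against the analyst-maintained knowndomains.csv, and refuse to raise new alerts while the previous run's output is still unreviewed. The column names (Domain, Reason, Notes, Fuzzer) and the CSV contents are constructed for illustration and are not taken from the project.

```python
"""Result tracking as DomainAware's README describes it.

Added example, not DomainAware's code. Column names and sample rows are
constructed for illustration.
"""
import csv
import io

# Constructed knowndomains.csv: everything the analyst has already reviewed.
KNOWN_CSV = """Domain,Reason,Notes
example.com,Valid,Primary brand domain
example.net,Valid,Redirects to example.com
examp1e.com,Owned,Defensive registration
"""

# Constructed output.csv left behind by the previous run.
LAST_OUTPUT_CSV = """Domain,Fuzzer,A,MX
example.com,original,192.0.2.10,mail.example.com
examp1e.com,homoglyph,192.0.2.10,mail.example.com
exmaple.com,transposition,198.51.100.7,
"""

# Constructed results of today's fuzzer run.
CURRENT_RESULTS = [
    {"Domain": "example.com", "Fuzzer": "original"},
    {"Domain": "examp1e.com", "Fuzzer": "homoglyph"},
    {"Domain": "exmaple.com", "Fuzzer": "transposition"},
    {"Domain": "example-login.com", "Fuzzer": "hyphenation"},
]


def read_domains(csv_text):
    """Return the lowercased, stripped Domain column of a CSV as a set."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Domain"].strip().lower() for row in reader if row.get("Domain")}


def unreviewed_domains(last_output_csv, known_csv):
    """Domains reported last run that have not yet been added to knowndomains.csv."""
    return sorted(read_domains(last_output_csv) - read_domains(known_csv))


def new_domains(results, known_csv):
    """Rows from the current run whose domain is not in knowndomains.csv."""
    known = read_domains(known_csv)
    return [row for row in results if row["Domain"].strip().lower() not in known]


def run(results, last_output_csv, known_csv):
    """Decide what the daily run should do.

    Returns ("unreviewed", [domains]) when last run's output has not been
    reviewed yet, in which case the script should notify and exit, or
    ("new", [rows]) with the domains that are genuinely new this run.
    """
    pending = unreviewed_domains(last_output_csv, known_csv)
    if pending:
        return "unreviewed", pending
    return "new", new_domains(results, known_csv)


def notification_body(status, items):
    """Plain-text email body for either outcome."""
    if status == "unreviewed":
        lines = ["knowndomains.csv has not been updated since the last run.",
                 "Review these domains before new alerts will be sent:"] + pending_lines(items)
    else:
        lines = ["New lookalike domains detected:"] + [
            f"  {row['Domain']} ({row['Fuzzer']})" for row in items]
    return "\n".join(lines)


def pending_lines(domains):
    return [f"  {d}" for d in domains]


if __name__ == "__main__":
    status, items = run(CURRENT_RESULTS, LAST_OUTPUT_CSV, KNOWN_CSV)
    print(notification_body(status, items))
```

Running this with the constructed data reports exmaple.com as unreviewed and sends nothing about example-login.com; once the analyst adds exmaple.com to knowndomains.csv with a reason, the next run alerts on example-login.com only. That ordering is the point of the design: an alert queue that only grows is one nobody reads.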

For recording and tracking threat information, check out the CRITs project.

If you need reliable external SMTP service, Elastic Email provides low-cost service.

Check for and download new versions of dnstwist regularly.

Background

DomainAware was inspired by Mike Saunders' CrazyParser. It started as a fork, but by the time I had made all the changes I wanted, I realized that I had almost completely different code built on a similar concept. The main differences are:

  • Python coding standards are followed
  • Configuration in a file, rather than within the code
  • Email notification if knowndomains.csv has not been updated since the last run
  • NS, MX, A, and AAAA DNS records, and country and fuzzer information are included in the results
  • Domain information is stored in memory rather than temporary files
  • Integration with the DomainTools WHOIS APIs

More Repositories

  • phishforall: A USB phishing evaluation platform (Python, 41 stars)
  • graylog-fortigate-syslog: A Graylog Content Pack of dashboards for FortiGate syslog data (31 stars)
  • yaramail: A Python package and command line utility for scanning emails with YARA rules (Python, 18 stars)
  • Web4Radio: A web-based player for Icecast and SHOUTcast streams (15 stars)
  • graylog-fortigate-cef: A Graylog content pack containing a stream and dashboards for Fortinet FortiGate CEF logs (14 stars)
  • easyad: A simple Python module for running common queries on Active Directory (Python, 14 stars)
  • pyldfire: A Python module for Palo Alto Networks' WildFire API (Python, 11 stars)
  • etupdate: Updates the Emerging Threats open ruleset for Suricata (Python, 10 stars)
  • routetor: A socket server for routing specific source addresses through Tor (Python, 9 stars)
  • mailsuite: A Python package to make receiving, parsing, and sending email easier (Python, 7 stars)
  • mastodon-listmanager: Mastodon list management (Python, 7 stars)
  • mastodon-lists: My Mastodon lists (6 stars)
  • psduck: A PowerShell script for converting other PowerShell scripts to USB Rubber Ducky payloads (PowerShell, 6 stars)
  • cuckoo-modified-utils: Useful scripts for Brad Spengler's fork of Cuckoo (Python, 4 stars)
  • pd-html5: A proof of concept mobile web interface to a Pure Data patch (Python, 4 stars)
  • pywhoisxmlapi: An unofficial client for WhoisXMLAPI (Python, 3 stars)
  • simplegeoip2: A Python module and CLI tool that returns IP address ownership and location information based on MaxMind's GeoLite2 databases (Python, 3 stars)
  • mastodon-dmarc-survey: A survey of DMARC deployment across all domains hosting a public Mastodon instance (Python, 2 stars)
  • graylog-fortigate-syslog-pipeline: Converts FortiGate syslog fields to the correct data type and removes unnecessary fields (2 stars)
  • powertools: PowerShell scripts written by a Linux user. You have been warned. (PowerShell, 1 star)
  • dcnotify: Sends notifications about Dragon*Con via Twitter and email (Python, 1 star)
  • randomrestaurant: Returns random open restaurants or other locations from Google Maps (Python, 1 star)
  • pydol: A pythonic interface to the U.S. Department of Labor API (Python, 1 star)
  • misp-docker: A Docker Compose project for MISP (Dockerfile, 1 star)
  • wp2jekyll: A Python script that makes migrating from WordPress to Jekyll as painless as possible (Python, 1 star)