• Stars
    star
    1,418
  • Rank 33,186 (Top 0.7 %)
  • Language
    Python
  • License
    BSD 3-Clause "New...
  • Created over 7 years ago
  • Updated 12 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names

Domain Hunter

Authors Joe Vest (@joevest) & Andrew Chiles (@andrewchiles)

Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass reputation based web filters and network egress restrictions for phishing and C2 related tasks.

This Python based tool was written to quickly query the Expireddomains.net search engine for expired/available domains with a previous history of use. It then optionally queries for domain reputation against services like Symantec Site Review (BlueCoat), IBM X-Force, and Cisco Talos. The primary tool output is a timestamped HTML table style report.

See CHANGELOG for history of updates and release notes!

Features

  • Retrieve specified number of recently expired and deleted domains (.com, .net, .org) from ExpiredDomains.net
    • Note: You will need credentials from expireddomains.net for full functionality
  • Retrieve available domains based on keyword search from ExpiredDomains.net
  • Perform reputation checks against the Symantec WebPulse Site Review (BlueCoat), IBM x-Force, and Cisco Talos
  • Sort results by domain age (if known) and filter for reputation
  • Text-based table and HTML report output with links to reputation sources and Archive.org entry

Installation

Direct Installation

Install Python requirements

pip3 install -r requirements.txt

Optional - Install additional OCR support dependencies

  • Debian/Ubuntu: apt-get install tesseract-ocr python3-pil

  • MAC OSX: brew install tesseract

pipenv installation

pipenv --python 3.7
pipenv install

Optional - Install additional OCR support dependencies

  • Debian/Ubuntu: apt-get install tesseract-ocr python3-pil

Docker

  1. Build the image docker build -t domainhunter .

  2. Run it with your arguments docker run -it domainhunter [args]

Usage

usage: domainhunter.py [-h] [-a] [-k KEYWORD] [-c] [-f FILENAME] [--ocr]
                    [-r MAXRESULTS] [-s SINGLE] [-t {0,1,2,3,4,5}]
                    [-w MAXWIDTH] [-V]

Finds expired domains, domain categorization, and Archive.org history to determine good candidates for C2 and phishing domains

optional arguments:
-h, --help            show this help message and exit
-a, --alexa           Filter results to Alexa listings
-k KEYWORD, --keyword KEYWORD
                        Keyword used to refine search results
-c, --check           Perform domain reputation checks
-f FILENAME, --filename FILENAME
                        Specify input file of line delimited domain names to
                        check
--ocr                 Perform OCR on CAPTCHAs when challenged
-r MAXRESULTS, --maxresults MAXRESULTS
                        Number of results to return when querying latest
                        expired/deleted domains
-s SINGLE, --single SINGLE
                        Performs detailed reputation checks against a single
                        domain name/IP.
-t {0,1,2,3,4,5}, --timing {0,1,2,3,4,5}
                        Modifies request timing to avoid CAPTCHAs. Slowest(0)
                        = 90-120 seconds, Default(3) = 10-20 seconds,
                        Fastest(5) = no delay
-w MAXWIDTH, --maxwidth MAXWIDTH
                        Width of text table
-V, --version         show program's version number and exit

Examples:
./domainhunter.py -k apples -c --ocr -t5
./domainhunter.py --check --ocr -t3
./domainhunter.py --single mydomain.com
./domainhunter.py --keyword tech --check --ocr --timing 5 --alexa
./domaihunter.py --filename inputlist.txt --ocr --timing 5

Use defaults to check for most recent 100 domains and check reputation

python3 ./domainhunter.py

Search for 1000 most recently expired/deleted domains, but don't check reputation

python3 ./domainhunter.py -r 1000

Perform all reputation checks for a single domain

python3 ./domainhunter.py -s mydomain.com

[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains

[*] Fetching domain reputation for: mydomain.com
[*] BlueCoat: mydomain.com
[+] mydomain.com: Technology/Internet
[*] IBM xForce: mydomain.com
[+] mydomain.com: Communication Services, Software as a Service, Cloud, (Score: 1)
[*] Cisco Talos: mydomain.com
[+] mydomain.com: Web Hosting (Score: Neutral)

Perform all reputation checks for a list of domains at max speed with OCR of CAPTCHAs

python3 ./domainhunter.py -f <domainslist.txt> -t 5 --ocr

Search for available domains with keyword term of "dog", max results of 25, and check reputation

python3 ./domainhunter.py -k dog -r 25 -c

 ____   ___  __  __    _    ___ _   _   _   _ _   _ _   _ _____ _____ ____
|  _ \ / _ \|  \/  |  / \  |_ _| \ | | | | | | | | | \ | |_   _| ____|  _ \
| | | | | | | |\/| | / _ \  | ||  \| | | |_| | | | |  \| | | | |  _| | |_) |
| |_| | |_| | |  | |/ ___ \ | || |\  | |  _  | |_| | |\  | | | | |___|  _ <
|____/ \___/|_|  |_/_/   \_\___|_| \_| |_| |_|\___/|_| \_| |_| |_____|_| \_\

Expired Domains Reputation Checker
Authors: @joevest and @andrewchiles

DISCLAIMER: This is for educational purposes only!
It is designed to promote education and the improvement of computer/cyber security.
The authors or employers are not liable for any illegal act or misuse performed by any user of this tool.
If you plan to use this content for illegal purpose, don't.  Have a nice day :)

[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains

[*] Fetching expired or deleted domains containing "dog"
[*]  https://www.expireddomains.net/domain-name-search/?q=dog

[*] Performing domain reputation checks for 8 domains.
[*] BlueCoat: doginmysuitcase.com
[+] doginmysuitcase.com: Travel
[*] IBM xForce: doginmysuitcase.com
[+] doginmysuitcase.com: Not found.
[*] Cisco Talos: doginmysuitcase.com
[+] doginmysuitcase.com: Uncategorized

More Repositories

1

malleable-c2

Cobalt Strike Malleable C2 Design and Reference Guide
1,434
star
2

red-team-scripts

A collection of Red Team focused tools, scripts, and notes
PowerShell
1,092
star
3

random_c2_profile

Cobalt Strike random C2 Profile generator
Python
583
star
4

cs2modrewrite

Convert Cobalt Strike profiles to modrewrite scripts
Python
565
star
5

metatwin

The project is designed as a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another.
HTML
313
star
6

tinyshell

Python
161
star
7

aggressor-scripts

Cobalt Strike Aggressor Scripts
JavaScript
137
star
8

pasties

A collection of random bits of information common to many individual penetration tests, red teams, and other assessments
Shell
106
star
9

subshell

SubShell is a python command shell used to control and execute commands through HTTP requests to a webshell. SubShell acts as the interface to the remote webshells.
Python
73
star
10

threatbox

ThreatBox is a standard and controlled Linux based attack platform. I've used a version of this for years. It started as a collection of scripts, lived as a rolling virtual machine, existed as code to build a Linux ISO, and has now been converted to a set of ansible playbooks. Why Ansible? Why not? This seemed a natural evolution.
Smarty
69
star
11

invoke-pipeshell

SMB Named Pipe shell
PowerShell
62
star
12

portplow

PortPlow is a distributed port and system scanning & enumeration service. It enables the quick and automated enumeration of ports and services from multiple systems managed by a central console.
JavaScript
53
star
13

edc

Event Data Collector
Python
34
star
14

mythic2modrewrite

Generate Apache mod_rewrite rules for Mythic C2 profiles
Python
25
star
15

threat-mitigation

Threat Mitigation Strategies
22
star
16

procdot_sandbox

ProcDot Malware Sandbox
Python
19
star
17

cobaltstrike_payload_generator

Quickly generate every payload type for each listener and optionally host via HTTP.
13
star
18

threatexpress

HTML
11
star
19

redteamguide

Home of https://redteam.guide
JavaScript
9
star
20

tools

Tools
1
star