Skip to content

nccgroup/typofinder

Repository files navigation

Domain typo finder

Typofinder for domain typo discovery

Released as open source by NCC Group Plc - http://www.nccgroup.com/

Developed by:

  • Ollie Whitehouse, ollie dot whitehouse at nccgroup dot com
  • Stephen Tomkinson, @neonbunny9 on twitter
  • Matt Summers, matt dot summers at nccgroup dot com

https://github.com/nccgroup/typofinder

Released under AGPL see LICENSE for more information

Development Wiki

Some rough notes around the v2 architecture:

Features

  • Domain to IP
  • MX records
  • A and AAAA
  • www address records
  • webmail address records
  • m address records
  • A keyboard map template system (currently UK supplied)
  • Geographic IP to flag
  • Google safe browsing integration
  • Bit flipping / squatting - http://dinaburg.org/bitsquatting.html
  • Homoglyph attack identification
  • Whois

Dependencies - server

  • Python (3.3)
  • dnspython3 (1.11.1)
  • pygeoip (0.3.1)
  • publicsuffix (1.0.5)

Dependencies - client

  • Python (3.3)
  • simplejson
  • requests
  • BeautifulSoup (4)
  • html5lib

What it does

  • remove characters from the supplied domain
  • duplicate characters in the supplied domain
  • replace characters with adjacent keyboard characters depending on keyboard map supplied
  • swap the global TLD for each of the current valid TLDs list at - http://data.iana.org/TLD/tlds-alpha-by-domain.txt
  • flip bits in the legit domain to detect the bitsquatting attacks
  • swaps characters with similar looking characters to find homoglyph attacks
  • checks web sites against Google's Safe Browsing API1

Usage

Updating Data Sources

The included updatedatasources.py script can be used to ensure that the program is using the latest 3rd party data. Please be considerate of the data providers and use this script sparingly.

Google Safe Browsing API Key

To use the Google Safe Browsing API you must register for an API key. Obtain your API key here: https://developers.google.com/safe-browsing/key_signup

You can find further information on Google Safe Browsing API here: https://developers.google.com/safe-browsing/

If you have a Google Safe Browsing API you can enter this at the command line e.g. python TypoMagic.py -k

Alternately you can place you API in the KEY parameter in TypoMagic.py.

1 Google works to provide the most accurate and up-to-date phishing and malware information. However, it cannot guarantee that its information is comprehensive and error-free: some risky sites may not be identified, and some safe sites may be identified in error.