Domain abuse scanner covering domainsquatting and phishing keywords.

Related tags

Security related resources dns phishing scanning defense domainsquatting
Overview

🦷 monodon 🐋

Domain abuse scanner covering domainsquatting and phishing keywords.

Setup

Monodon is a Python 3.7+ programm. To setup on a Linux machine with Python 3.7 or later, take the following steps.

git clone https://github.com/c1ko/monodon.git
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Before usage

Monodon uses the SOA record of domains to check if is registered. The presence of this record definitly means it is registered. If the SOA flag is missing, the domain can still be registered!

Monodon will generate a DNS query for every domain to check. Public nameservers like 8.8.8.8, 8.8.4.4, and 9.9.9.9 can sustain 20 queries and more per second without throtteling. Set a nameserver using the --nameserver setting. Otherwise monodon will use your systems nameserver. You can control the rate of queries using the --rate argument. By default, --rate is set to 10 queries per second.

If you want to create more than 10 queries per second and thread, use the --unsafe keyword. This safeguard protects from unwanted DOS attacks on public DNS servers. To not generate any actual DNS queries, use the --simulate argument.

Usage

You can configure most settings using the command line and the config.ini file. Some options can only be set as an argument. To make use of monodon, you need to supply at least one scan mode and the scanword. The scanword usually is the name of your brand, or the host portion of the domain you want to find squats of.

(venv) $ ./monodon.py --tlds monodon
Loaded 9211 domains from publicsuffix.org
Scanning tlds
Scanning 1495 domains...
Found: monodon.cn on dns19.hichina.com.
Found: monodon.cz on mbox.netro.cz.
Found: monodon.co on ns53.domaincontrol.com.
Found: monodon.de on root-dns.netcup.net.
Found: monodon.com on ns1.namefind.com.
 
Running since 0.0h, about 0.06h left
Scanned 74 of 1495 (4.95%), found 5 domains
Current scanrate is 9 scans/sec, scan-delay is 0.45s

Result format

Monodon documents all results in an sqlite database called $SCANWORD.db in the monodon directory. You can dump the contents of the database using the dump_db.py script from the project folder.

Scan modes

Monodon supports various scan modes.

  --all                      Execute all scanning techniques
  --tlds                     Scan all TLDs
  --slds                     Scan all TLDs and known SLDs
  --homo                     Scan homoglyphs
  --chars                    Scan character replacements and additions
  --numbers                  Iterate numbers in the domain name
  --phishing                 Scan phishing wordlist
  --ccodes                   Scan two-letter country codes
  --wiki WIKI [WIKI ...]     Scan words from wikipedia lemmas (e.g. 'en:whale')
  --wordlist [WORDLIST]      Scan an additional wordlist file

--all Use all scanning techniques mentioned below. This can be a lengthy endeavor, depending on how many wikipedia terms will be scannend, which tlds are scanned, and how long the scanword ist. Monodon can easily generate 1 million or more domains to scan.

--tlds Scan all registered top-level domains. Monodon downloads a fresh list of tlds from https://publicsuffix.org/list every time the command is run. If you do not want to download a fresh list, you can supply the --tldfile flag to supply a custom tld file to use.

--slds Scan all registered top-level domains and all second level domains known to publicsuffix.org. Like for --tld you can override the list with the --tldfile option. Monodon will automatically check if the tld accepts any hostname, like many of the AWS domains do, and document the result in the database.

--homo Generate homoglyphic variants of the supplied scanword. Scanned hosts for "monodon" would be "m0nodon" or "monoton".

--chars Insert and remove chars from within the scanword. Scanned hosts for "monodon" would for example be "mondon" or "monodono".

--numbers Count numbers up and down in the domain name. Scanned hosts for "monodon24" would be "monodon42" or "monodon02".

--phishing Use the list of common phishing suffixes and prefixes to scan. Scanned hosts for "monodon" would be "monodon-online" or "wwwmonodon".

--ccodes Add ISO-3166 country codes to the host. Scanned hosts for "monodon" would be "monodon-us" or "usmonodon".

--wiki Use wikipedia to generate term-related wordlists to scan. Monodon downloads the wikipedia article for a the given term(s) and generates a list of the most common words. You can supply lemmas in the config file or via the command line. Include the wikipedia language shorthand (e.g. "en" or "de"), seperated by a colon. To configure the number of used terms, use the --wiki_count option.

(venv) $ ./monodon.py --wiki en:whale de:narwal monodon 
Loaded 9211 domains from publicsuffix.org
Scanning generated wikipedia wordlist
Scanning 15000 domains..

If you only want to check which words were generated (and what rating they have), use the --wiki_test flag. No wikipedia queries will be executed in this case.

(venv) $ ./monodon.py --wiki en:whale de:narwal --wiki_test --wiki_count 15  monodon
Loaded 9211 domains from publicsuffix.org
Generating wikipedia wordlist from lemmas en:whale, de:narwal
('the', 462), ('and', 240), ('whales', 114), ('are', 112), ('der', 107), ('die', 98), ('they', 91), ('und', 87), ('whale', 79), ('for', 67), ('their', 65), ('have', 59), ('which', 55), ('von', 51), ('that', 45)

--wordlist Scan an additional wordlist file, supplied as an argument or config.ini option.

For most scan modes the scanned tlds can be set in the config.ini file. These defaults can be overriden using the _tld option for each mode. You can either supply direct tlds like "de" or "com", or prefiltered lists: "top5", "top15", "abused", "all_tlds". You can also use --forcetlds to execute all scans on a specific set of tlds, no matter what the config says.

General settings

--rate Scans executed per second. This rate can be exceeded for short periods of time, but will auto-adjust.

--threads Number of scan threads to use. Especially with slow nameservers, a higher number of threads is adviced. The standard 5 threads is usually a good choice.

--simulate Simulate the DNS queries instead of actually executing them. Good for testing purposes.

--verbose Log each DNS query, giving greater detail on what is going on.

--nameserver Use another than the system's nameserver to scan.

--config Load a different config file than the standard config.ini.

--unsafe Allow more than 10 queries per scanning thread.

--unregistered Experimental feature: Search for unregistered domains instead of registered domains.

Examples

Scan all tlds for the exact hostname:

(venv) $ ./monodon.py --tlds monodon 
Loaded 9211 domains from publicsuffix.org
Scanning tlds
Scanning 1495 domains...

Scan for char replacements and homoglyphic replacements on the top 5 TLDs:

(venv) $ ./monodon.py --chars --chars_tlds top5 --homo_tlds top5 --homo monodon
Loaded 9211 domains from publicsuffix.org
Scanning simple char replacements
Scanning homoglyphs
Scanning 2890 domains...
Found: moodon.com on ns23.domaincontrol.com.
Found: mondon.com on ns1.cornut.fr.
...

Scan for number and phishing variants only on the ".de" domain, using a custom nameserver and a higher rate:

(venv) $ ./monodon.py --numbers --phishing --forcetlds de --rate 15 --nameserver 9.9.9.9 monodon24

Scan for the top 20 words from Wikipedia articles:

(venv) $ ./monodon.py --wiki en:whale de:narwal --wiki_count 20  monodon
Loaded 9211 domains from publicsuffix.org
Generating wikipedia wordlist from lemmas en:whale, de:narwal
You might also like...
WhPhisher: a Phishing tool With Python

WhPhisher Herramienta para hacer phishing con muchos métodos de túneling -----Como Instalarlo------- pkg install python3 pkg install git git clone htt

WhBeatZ 80 Jan 2, 2023
Client script for the fisherman phishing tool

Client script for the fisherman phishing tool

Pushkar Raj 1 Feb 23, 2022
Static Token And Credential Scanner
Static Token And Credential Scanner

Static Token And Credential Scanner What is it? STACS is a YARA powered static credential scanner which suports binary file formats, analysis of neste

STACS 81 Dec 27, 2022
a cool, easily usable and customisable subdomains scanner
a cool, easily usable and customisable subdomains scanner

Subdah 🔎 another subdomains scanner. Installation ⚠️ Python 3.10 required ⚠️ $ git clone https://github.com/traumatism/subdah $ cd subdah $ pip3 inst

toast 14 Oct 18, 2022
Complet and easy to run Port Scanner with Python

Port_Scanner Complet and easy to run Port Scanner with Python Installation 1- git clone https://github.com/s120000/Port_Scanner 2- cd Port_Scanner 3-

null 1 May 19, 2022
Fast subdomain scanner, Takes arguments from a Json file (
Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains.

Fast subdomain scanner, Takes arguments from a Json file ("args.json") and outputs the subdomains. File Structure core/ colors.py db/ wordlist.txt REA

whoami security 4 Jul 2, 2022
TCP/UDP port scanner on python, usong scapy and multiprocessin

Port Scanner TCP/UDP port scanner on python, usong scapy and multiprocessing. Usage python3 scanner.py [OPTIONS] IP_ADDRESS [{tcp|udp}[/[PORT|PORT-POR

Egor Krokhin 1 Dec 5, 2021
Log4j-Scanner with Bind-Receipt and custom hostnames
Log4j-Scanner with Bind-Receipt and custom hostnames

Hrafna - Log4j-Scanner for the masses Features Scanning-system designed to check your own infra for vulnerable log4j-installations start and stop scan

null 18 Jan 23, 2022
A scanner and a proof of sample exploit for log4j RCE CVE-2021-44228

1.Create a Sample Vulnerable Application . 2.Start a netcat listner . 3.Run the exploit . 5.Use jdk1.8.0_20 for better results . Exploit-db - https://

Isuru Umayanga 7 Aug 6, 2022
Owner
null
GitHub
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

null 122 Dec 12, 2022
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

Binary.club 2 Jan 24, 2022
MS-FSRVP coercion abuse PoC

ShadowCoerce MS-FSRVP coercion abuse PoC Credits: Gilles LIONEL (a.k.a. Topotam)

Shutdown 219 Dec 28, 2022
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Nano 5 Nov 23, 2021
Generates password lists/dictionaries based on keywords written in python3.

dicbyru Introduction Generates password lists/dictionaries based on keywords. It uses the keywords and adds capital letters, numbers and special chara

ru55o 2 Oct 31, 2022
Phishing Campaign Toolkit

King Phisher Phishing Campaign Toolkit Installation For instructions on how to install, please see the INSTALL.md file. After installing, for instruct

RSM US LLP 1.9k Jan 1, 2023
This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform.

MurMurHash This little tool is to calculate a MurmurHash value of a favicon to hunt phishing websites on the Shodan platform. What is MurMurHash? Murm

Viral Maniar 87 Dec 31, 2022
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

null 675 Jan 3, 2023
Phishing-Crack tools to punish friends

Phishing-Crack Phishing Tool Version 1.0.0 Created By temirovazat A Phishing Tool With PHP and Python3 Features Fake Instagram Phishing Page Fake Face

null 3 Oct 4, 2022
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

O365DevicePhish Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script t

Trewis [work] Scotch 4 Sep 23, 2022