Domain Hunter - Checks Expired Domains For Categorization/Reputation And Archive.Org History To Determine Good Candidates For Phishing And C2 Domain Names


Domain name selection is an important aspect of preparation for penetration tests and especially Red Team engagements. Commonly, domains that were used previously for benign purposes and were properly categorized can be purchased for only a few dollars. Such domains can allow a team to bypass reputation based web filters and network egress restrictions for phishing and C2 related tasks.
This Python based tool was written to quickly query the Expireddomains.net search engine for expired/available domains with a previous history of use. It then optionally queries for domain reputation against services like Symantec WebPulse (BlueCoat), IBM X-Force, and Cisco Talos. The primary tool output is a timestamped HTML table style report.

Changes
  • 5 Oct 2018
    • Fixed logic for filtering domains with desirable categorizations. Previously, some error conditions weren't filtered and would result in domains without a valid categorization making it into the final list.
  • 4 Oct 2018
    • Tweaked parsing logic
    • Fixed parsed column indexes that had changed
  • 17 September 2018
    • Fixed Symantec WebPulse Site Review parsing errors caused by service updates
  • 18 May 2018
    • Add --alexa switch to control Alexa ranked site filtering
  • 16 May 2018
    • Update queries to increase probability of quickly finding a domain available for instant purchase. Previously, many reported domains had an "In Auction" or "Make an Offer" status. New criteria: .com|.net|.org + Alexa Ranked + Available for Purchase
    • Improved logic to filter out uncategorized and some potentially undesirable domain categorizations in the final text table and HTML output
    • Removed unnecessary columns from HTML report
  • 6 May 2018
    • Fixed expired domains parsing when performing a keyword search
    • Minor HTML and text table output updates
    • Filtered reputation checks to only execute for .COM, .ORG, and .NET domains and removed the check for Archive.org records when performing a default or keyword search. Credit to @christruncer for the original PR and idea.
  • 11 Apr 2018
    • Added OCR support for CAPTCHA solving with tesseract. Thanks to t94j0 for the idea in AIRMASTER
    • Added support for input file list of potential domains (-f/--filename)
    • Changed -q/--query switch to -k/--keyword to better match its purpose
    • Added additional error checking for ExpiredDomains.net parsing
  • 9 Apr 2018
    • Added -t switch for timing control. -t <1-5>
    • Added Google SafeBrowsing and PhishTank reputation checks
    • Fixed bug in IBM X-Force response parsing
  • 7 Apr 2018
    • Fixed support for Symantec WebPulse Site Review (formerly Blue Coat WebFilter)
    • Added Cisco Talos Domain Reputation check
    • Added feature to perform a reputation check against a single non-expired domain. This is useful when monitoring reputation for domains used in ongoing campaigns and engagements.
  • 6 June 2017
    • Added Python 3 support
    • Code cleanup and bug fixes
    • Added Status column (Available, Make Offer, Price, Backorder, etc.)

Features
  • Retrieve a specified number of recently expired and deleted domains (.com, .net, .org) from ExpiredDomains.net
  • Retrieve available domains based on keyword search from ExpiredDomains.net
  • Perform reputation checks against the Symantec WebPulse Site Review (BlueCoat), IBM X-Force, Cisco Talos, Google SafeBrowsing, and PhishTank services
  • Sort results by domain age (if known) and filter for reputation
  • Text-based table and HTML report output with links to reputation sources and the Archive.org entry
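The triage the feature list describes (read an input list, keep only .com/.net/.org names that are available for purchase and carry a clean categorization from every service, sort by age taken from the first Archive.org capture) is shown below as an added example. This is not Domain Hunter's own code: the undesirable-category set, the sample records, the Wayback availability-API response and the domain names are all constructed here for illustration, and the project's real filtering rules may differ in detail.

```python
"""Added example: candidate-domain triage along the lines of the README.
Not the Domain Hunter project's code; all data below is constructed."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

ALLOWED_TLDS = (".com", ".net", ".org")
TODAY = date(2018, 10, 5)  # fixed reference date so ages are reproducible

# Assumption: categories a practitioner would reject for a phishing/C2 domain.
# Illustrative only; the tool's own denylist is not reproduced here.
UNDESIRABLE_CATEGORIES = {
    "uncategorized", "not found", "unknown", "malicious", "malware", "phishing",
    "spam", "suspicious", "adult", "gambling", "hacking", "proxy avoidance",
}


@dataclass
class Candidate:
    domain: str
    status: str                    # "Available", "Make Offer", "Backorder", ...
    categories: Dict[str, str]     # reputation service -> category string
    first_archive: Optional[date]  # earliest Archive.org capture, if any


def load_domain_list(text: str) -> List[str]:
    """-f style input: one domain per line; blanks and # comments skipped,
    scheme/path stripped, lower-cased, trailing dot removed, duplicates dropped."""
    seen, out = set(), []
    for line in text.splitlines():
        d = line.strip().lower()
        if not d or d.startswith("#"):
            continue
        if "://" in d:
            d = d.split("://", 1)[1]
        d = d.split("/", 1)[0].rstrip(".")
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def first_archive_date(availability: dict) -> Optional[date]:
    """Capture date from a Wayback availability-API shaped response
    ({"archived_snapshots": {"closest": {"available": .., "timestamp": "YYYYMMDD.."}}});
    None when nothing is archived. Response shape is an assumption."""
    closest = availability.get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available"):
        return None
    return datetime.strptime(closest["timestamp"][:8], "%Y%m%d").date()


def domain_age_years(first_archive: Optional[date], today: date) -> Optional[float]:
    return None if first_archive is None else (today - first_archive).days / 365.25


def is_desirable(c: Candidate) -> bool:
    """Allowed TLD, available for instant purchase (not auction/offer), and a
    valid non-undesirable category from every service. A missing or empty
    category fails, matching the 5 Oct 2018 fix for uncategorized domains."""
    if not c.domain.endswith(ALLOWED_TLDS) or c.status.strip().lower() != "available":
        return False
    if not c.categories:
        return False
    return all(cat and cat.strip().lower() not in UNDESIRABLE_CATEGORIES
               for cat in c.categories.values())


def triage(candidates: List[Candidate]) -> List[Candidate]:
    """Filter, then sort oldest first; domains with no archive history go last."""
    keep = [c for c in candidates if is_desirable(c)]
    return sorted(keep, key=lambda c: (c.first_archive is None, c.first_archive or date.max))


# Constructed sample input and records (not real scan output).
SAMPLE_INPUT = """# candidates
OldTravelBlog.com
https://newshop.com/index.html
oldtravelblog.com.
unknownsite.net
auctioned.org
something.io
noarchive.net
"""
SAMPLE_WAYBACK = {"url": "oldtravelblog.com", "archived_snapshots": {"closest": {
    "status": "200", "available": True, "timestamp": "20090415120000",
    "url": "http://web.archive.org/web/20090415120000/http://oldtravelblog.com/"}}}
SAMPLE_CANDIDATES = [
    Candidate("oldtravelblog.com", "Available", {"BlueCoat": "Travel", "xForce": "Travel", "Talos": "Travel"},
              first_archive_date(SAMPLE_WAYBACK)),
    Candidate("newshop.com", "Available", {"BlueCoat": "Shopping", "xForce": "Shopping", "Talos": "Shopping"},
              date(2016, 1, 1)),
    Candidate("unknownsite.net", "Available", {"BlueCoat": "Uncategorized", "xForce": "Not found", "Talos": "Uncategorized"},
              date(2012, 6, 1)),
    Candidate("auctioned.org", "Make Offer", {"BlueCoat": "Business", "xForce": "Business", "Talos": "Business"},
              date(2005, 3, 3)),
    Candidate("something.io", "Available", {"BlueCoat": "Technology", "xForce": "Technology", "Talos": "Technology"},
              date(2010, 1, 1)),
    Candidate("noarchive.net", "Available", {"BlueCoat": "Education", "xForce": "Education", "Talos": "Education"},
              None),
]

if __name__ == "__main__":
    for c in triage(SAMPLE_CANDIDATES):
        age = domain_age_years(c.first_archive, TODAY)
        print(f"{c.domain:20} age={'unknown' if age is None else round(age, 1)}")
```

Run as-is it prints the three surviving candidates, oldest first. The "all services must agree" rule is deliberately stricter than "any service says it is fine": a single Uncategorized verdict is often enough for a proxy to block or sandbox a first visit, so it is the safer default when picking a domain for an engagement.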

Installation
Install Python requirements
pip3 install -r requirements.txt
Optional - Install additional OCR support dependencies
  • Debian/Ubuntu: apt-get install tesseract-ocr python3-imaging
  • Mac OS X: brew install tesseract

Usage
usage: domainhunter.py [-h] [-a] [-k KEYWORD] [-c] [-f FILENAME] [--ocr]
                       [-r MAXRESULTS] [-s SINGLE] [-t {0,1,2,3,4,5}]
                       [-w MAXWIDTH] [-V]

Finds expired domains, domain categorization, and Archive.org history to determine good candidates for C2 and phishing domains

optional arguments:
  -h, --help            show this help message and exit
  -a, --alexa           Filter results to Alexa listings
  -k KEYWORD, --keyword KEYWORD
                        Keyword used to refine search results
  -c, --check           Perform domain reputation checks
  -f FILENAME, --filename FILENAME
                        Specify input file of line delimited domain names to check
  --ocr                 Perform OCR on CAPTCHAs when challenged
  -r MAXRESULTS, --maxresults MAXRESULTS
                        Number of results to return when querying latest expired/deleted domains
  -s SINGLE, --single SINGLE
                        Performs detailed reputation checks against a single domain name/IP.
  -t {0,1,2,3,4,5}, --timing {0,1,2,3,4,5}
                        Modifies request timing to avoid CAPTCHAs. Slowest(0) = 90-120 seconds,
                        Default(3) = 10-20 seconds, Fastest(5) = no delay
  -w MAXWIDTH, --maxwidth MAXWIDTH
                        Width of text table
  -V, --version         show program's version number and exit

Examples:
./domainhunter.py -k apples -c --ocr -t5
./domainhunter.py --check --ocr -t3
./domainhunter.py --single mydomain.com
./domainhunter.py --keyword tech --check --ocr --timing 5 --alexa
./domainhunter.py --filename inputlist.txt --ocr --timing 5

Use defaults to retrieve around the 100 most recent domains and check reputation
python3 ./domainhunter.py
Search for 1000 recently expired/deleted domains, but don't check reputation
python3 ./domainhunter.py -r 1000
Perform all reputation checks for a single domain
python3 ./domainhunter.py -s mydomain.com
[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains
[*] Fetching domain reputation for: mydomain.com
[*] Google SafeBrowsing and PhishTank: mydomain.com
[+] mydomain.com: No issues found
[*] BlueCoat: mydomain.com
[+] mydomain.com: Technology/Internet
[*] IBM xForce: mydomain.com
[+] mydomain.com: Communication Services, Software as a Service, Cloud, (Score: 1)
[*] Cisco Talos: mydomain.com
[+] mydomain.com: Web Hosting (Score: Neutral)
Perform all reputation checks for a list of domains at max speed with OCR of CAPTCHAs
python3 ./domainhunter.py -f <FILENAME> -t 5 --ocr
Search for available domains with keyword term of "dog", max results of 25, and check reputation
python3 ./domainhunter.py -k dog -r 25 -c
(ASCII art banner: DOMAINHUNTER)
Expired Domains Reputation Checker
Authors: @joevest and @andrewchiles

DISCLAIMER: This is for educational purposes only! It is designed to promote education and the improvement of computer/cyber security. The authors or employers are not liable for any illegal act or misuse performed by any user of this tool. If you plan to use this content for illegal purpose, don't. Have a nice day :)

[*] Downloading malware domain list from http://mirror1.malwaredomains.com/files/justdomains
[*] Fetching expired or deleted domains containing "dog"
[*]  https://www.expireddomains.net/domain-name-search/?q=dog
[*] Performing domain reputation checks for 8 domains.
[*] BlueCoat: doginmysuitcase.com
[+] doginmysuitcase.com: Travel
[*] IBM xForce: doginmysuitcase.com
[+] doginmysuitcase.com: Not found.
[*] Cisco Talos: doginmysuitcase.com
[+] doginmysuitcase.com: Uncategorized