JDogHerman / CrazyParser

Parse URLCrazy output and compare against previous runs to identify potentially new typosquatted domains.


CrazyParser

CrazyParser is a Python utility to automate the generation of potential typosquatted domain names using URLCrazy and/or dnstwist. CrazyParser takes an input file of domain names, a list of domains previously identified by URLCrazy and/or dnstwist, and generates an email notification indicating whether new typosquatted domains have been identified.

This was originally created to notify security analysts of potential new typosquatted domains that may be used in a phishing attack. Security analysts can use this information to enhance monitoring or place blocking in web proxies to prevent access to the phishing domain.

CrazyParser files

  • crazyParser.py - Python utility for automating URLCrazy queries
  • mydomains.csv - contains all domains you wish to query for typosquatting
  • knowndomains.csv - contains domains previously identified as valid or typosquatted

mydomains.csv format

mydomains.csv contains a list of one or more domains to monitor, one per line.

knowndomains.csv

knowndomains.csv contains domains previously identified as either typosquatters or valid domains. The format of this file is one entry per line in the form of: domain.tld,reason. knowndomains.csv must have a header row containing the text "Domain,Reason". The reason is not used by crazyParser. This field should be populated with your description of the domain.

To populate knowndomains.csv, clear the example entries from knowndomains.csv and use crazyParser to generate a list of domains to review. Review each domain to determine if it is a valid domain or a typosquatter. Record the domain name and whether the domain is valid or a typosquatter in this file.

Usage

python crazyParser.py

crazyParser takes each domain listed in mydomains.csv and uses URLCrazy and/or dnstwist to generate a list of typosquatted domains. Each registered domain is compared against knowndomains.csv. If there are no new domains discovered, crazyParser will generate an email containing an all clear message. If any new domains are discovered, the output will be placed in a csv file and attached to an email stating a review is necessary. This output should be reviewed and the knowndomains.csv file should be updated with the new entry.
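The comparison step described above, sketched as an added example (this is not crazyParser's own code). The function names, the name normalization, the subject lines, the single-column attachment layout and the example.com sample data are all assumptions made for illustration.

```python
import csv
import io

def normalize(domain):
    """Lowercase and strip whitespace and a trailing root dot so equal names compare equal."""
    return domain.strip().lower().rstrip(".")

def load_known(fileobj):
    """Read knowndomains.csv content; the header row must be Domain,Reason."""
    reader = csv.reader(fileobj)
    header = next(reader, None)
    if header is None or [h.strip() for h in header[:2]] != ["Domain", "Reason"]:
        raise ValueError('knowndomains.csv must start with the header "Domain,Reason"')
    # The Reason column is analyst free text and plays no part in the comparison.
    return {normalize(row[0]) for row in reader if row and row[0].strip()}

def new_domains(candidates, known):
    """Return candidates absent from the known set, de-duplicated and sorted."""
    return sorted({normalize(c) for c in candidates if c.strip()} - known)

def report(candidates, known_file):
    """Build an (assumed) subject line and CSV attachment body for the notification."""
    fresh = new_domains(candidates, load_known(known_file))
    if not fresh:
        return "All clear: no new typosquatted domains", ""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Domain"])
    writer.writerows([d] for d in fresh)
    return "Review needed: %d new domain(s)" % len(fresh), out.getvalue()

# Constructed sample data: a known-domains file and a list of registered candidates.
KNOWN_CSV = "Domain,Reason\nexample.com,valid - our primary domain\nexamp1e.com,typosquatter\n"
CANDIDATES = ["Examp1e.com", "exampel.com.", "example.com", "exampel.com", "exmaple.com"]

if __name__ == "__main__":
    subject, attachment = report(CANDIDATES, io.StringIO(KNOWN_CSV))
    print(subject)
    print(attachment, end="")
```

Without the normalization, a candidate that differs from a known entry only by letter case or a trailing dot would be reported as new on every run.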

To Do

  • sendMail() will break if too many recipients are specified
  • Make parser arguments global
  • Due to changes in dnstwist, using an older version of dnstwist will cause the first two lines of dnstwist output to be truncated.
  • If crazyParser is run as a scheduled job and the scheduling frequency is more frequent than the amount of time it takes for crazyParser to finish executing, the temporary files will be clobbered and crazyParser will hang. This becomes an issue when a large number of domains are entered in mydomains.csv and the interval between scheduled iterations is sufficiently small to prevent crazyParser from terminating before the next scheduled iteration.


License: MIT License


Languages

Language:Python 100.0%