Domain abuse scanner covering domainsquatting and phishing keywords.

Overview

🦷 monodon 🐋

Domain abuse scanner covering domainsquatting and phishing keywords.

Setup

Monodon is a Python 3.7+ programm. To setup on a Linux machine with Python 3.7 or later, take the following steps.

git clone https://github.com/c1ko/monodon.git
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Before usage

Monodon uses the SOA record of domains to check if is registered. The presence of this record definitly means it is registered. If the SOA flag is missing, the domain can still be registered!

Monodon will generate a DNS query for every domain to check. Public nameservers like 8.8.8.8, 8.8.4.4, and 9.9.9.9 can sustain 20 queries and more per second without throtteling. Set a nameserver using the --nameserver setting. Otherwise monodon will use your systems nameserver. You can control the rate of queries using the --rate argument. By default, --rate is set to 10 queries per second.

If you want to create more than 10 queries per second and thread, use the --unsafe keyword. This safeguard protects from unwanted DOS attacks on public DNS servers. To not generate any actual DNS queries, use the --simulate argument.

Usage

You can configure most settings using the command line and the config.ini file. Some options can only be set as an argument. To make use of monodon, you need to supply at least one scan mode and the scanword. The scanword usually is the name of your brand, or the host portion of the domain you want to find squats of.

(venv) $ ./monodon.py --tlds monodon
Loaded 9211 domains from publicsuffix.org
Scanning tlds
Scanning 1495 domains...
Found: monodon.cn on dns19.hichina.com.
Found: monodon.cz on mbox.netro.cz.
Found: monodon.co on ns53.domaincontrol.com.
Found: monodon.de on root-dns.netcup.net.
Found: monodon.com on ns1.namefind.com.
 
Running since 0.0h, about 0.06h left
Scanned 74 of 1495 (4.95%), found 5 domains
Current scanrate is 9 scans/sec, scan-delay is 0.45s

Result format

Monodon documents all results in an sqlite database called $SCANWORD.db in the monodon directory. You can dump the contents of the database using the dump_db.py script from the project folder.

Scan modes

Monodon supports various scan modes.

  --all                      Execute all scanning techniques
  --tlds                     Scan all TLDs
  --slds                     Scan all TLDs and known SLDs
  --homo                     Scan homoglyphs
  --chars                    Scan character replacements and additions
  --numbers                  Iterate numbers in the domain name
  --phishing                 Scan phishing wordlist
  --ccodes                   Scan two-letter country codes
  --wiki WIKI [WIKI ...]     Scan words from wikipedia lemmas (e.g. 'en:whale')
  --wordlist [WORDLIST]      Scan an additional wordlist file

--all Use all scanning techniques mentioned below. This can be a lengthy endeavor, depending on how many wikipedia terms will be scannend, which tlds are scanned, and how long the scanword ist. Monodon can easily generate 1 million or more domains to scan.

--tlds Scan all registered top-level domains. Monodon downloads a fresh list of tlds from https://publicsuffix.org/list every time the command is run. If you do not want to download a fresh list, you can supply the --tldfile flag to supply a custom tld file to use.

--slds Scan all registered top-level domains and all second level domains known to publicsuffix.org. Like for --tld you can override the list with the --tldfile option. Monodon will automatically check if the tld accepts any hostname, like many of the AWS domains do, and document the result in the database.

--homo Generate homoglyphic variants of the supplied scanword. Scanned hosts for "monodon" would be "m0nodon" or "monoton".

--chars Insert and remove chars from within the scanword. Scanned hosts for "monodon" would for example be "mondon" or "monodono".

--numbers Count numbers up and down in the domain name. Scanned hosts for "monodon24" would be "monodon42" or "monodon02".

--phishing Use the list of common phishing suffixes and prefixes to scan. Scanned hosts for "monodon" would be "monodon-online" or "wwwmonodon".

--ccodes Add ISO-3166 country codes to the host. Scanned hosts for "monodon" would be "monodon-us" or "usmonodon".

--wiki Use wikipedia to generate term-related wordlists to scan. Monodon downloads the wikipedia article for a the given term(s) and generates a list of the most common words. You can supply lemmas in the config file or via the command line. Include the wikipedia language shorthand (e.g. "en" or "de"), seperated by a colon. To configure the number of used terms, use the --wiki_count option.

(venv) $ ./monodon.py --wiki en:whale de:narwal monodon 
Loaded 9211 domains from publicsuffix.org
Scanning generated wikipedia wordlist
Scanning 15000 domains..

If you only want to check which words were generated (and what rating they have), use the --wiki_test flag. No wikipedia queries will be executed in this case.

(venv) $ ./monodon.py --wiki en:whale de:narwal --wiki_test --wiki_count 15  monodon
Loaded 9211 domains from publicsuffix.org
Generating wikipedia wordlist from lemmas en:whale, de:narwal
('the', 462), ('and', 240), ('whales', 114), ('are', 112), ('der', 107), ('die', 98), ('they', 91), ('und', 87), ('whale', 79), ('for', 67), ('their', 65), ('have', 59), ('which', 55), ('von', 51), ('that', 45)

--wordlist Scan an additional wordlist file, supplied as an argument or config.ini option.

For most scan modes the scanned tlds can be set in the config.ini file. These defaults can be overriden using the _tld option for each mode. You can either supply direct tlds like "de" or "com", or prefiltered lists: "top5", "top15", "abused", "all_tlds". You can also use --forcetlds to execute all scans on a specific set of tlds, no matter what the config says.

General settings

--rate Scans executed per second. This rate can be exceeded for short periods of time, but will auto-adjust.

--threads Number of scan threads to use. Especially with slow nameservers, a higher number of threads is adviced. The standard 5 threads is usually a good choice.

--simulate Simulate the DNS queries instead of actually executing them. Good for testing purposes.

--verbose Log each DNS query, giving greater detail on what is going on.

--nameserver Use another than the system's nameserver to scan.

--config Load a different config file than the standard config.ini.

--unsafe Allow more than 10 queries per scanning thread.

--unregistered Experimental feature: Search for unregistered domains instead of registered domains.

Examples

Scan all tlds for the exact hostname:

(venv) $ ./monodon.py --tlds monodon 
Loaded 9211 domains from publicsuffix.org
Scanning tlds
Scanning 1495 domains...

Scan for char replacements and homoglyphic replacements on the top 5 TLDs:

(venv) $ ./monodon.py --chars --chars_tlds top5 --homo_tlds top5 --homo monodon
Loaded 9211 domains from publicsuffix.org
Scanning simple char replacements
Scanning homoglyphs
Scanning 2890 domains...
Found: moodon.com on ns23.domaincontrol.com.
Found: mondon.com on ns1.cornut.fr.
...

Scan for number and phishing variants only on the ".de" domain, using a custom nameserver and a higher rate:

(venv) $ ./monodon.py --numbers --phishing --forcetlds de --rate 15 --nameserver 9.9.9.9 monodon24

Scan for the top 20 words from Wikipedia articles:

(venv) $ ./monodon.py --wiki en:whale de:narwal --wiki_count 20  monodon
Loaded 9211 domains from publicsuffix.org
Generating wikipedia wordlist from lemmas en:whale, de:narwal
Automatic SQL injection and database takeover tool

sqlmap sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of

sqlmapproject 25.7k Jan 08, 2023
Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Axel Souchet 220 Dec 14, 2022
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the conte

hashlookup 96 Dec 20, 2022
Um script simples de Port Scan + DNS by Hostname

🖥 PortScan-DNS Esta é uma ferramenta simples de Port Scan + DNS by Hostname... 💻 | DNS Resolver / by Hostname: HOST IP EXTERNO IP INTERNO 💻 | Port

AlbâniaSecurity-RT 7 Dec 08, 2022
Spring-0day/CVE-2022-22965

CVE-2022-22965 Spring Framework/CVE-2022-22965 Vulnerability ID: CVE-2022-22965/CNVD-2022-23942/QVD-2022-1691 Reproduce the vulnerability docker pull

iak 4 Apr 05, 2022
Lite version of my Gatekeeper backdoor for public use.

MayorSec Backdoor Fully functioning bind-type backdoor This backdoor is a fully functioning bind shell and lite version of my full functioning Gatekee

Joe Helle 56 Mar 25, 2022
A windows post exploitation tool that contains a lot of features for information gathering and more.

Crowbar - A windows post exploitation tool Status - ✔️ This project is now considered finished. Any updates from now on will most likely be new script

29 Nov 20, 2022
A brute force tool for password-protected zip file

Bzip A brute force tool for password-protected zip file/folder(s). Note that this tool can only crack .zip files. Please DO not misuse. Installation g

3 Nov 13, 2021
Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

Statistical Random Number Generator Attack Against The Kirchhoff-law-johnson-noise (Kljn) Secure Key Exchange Protocol

zeze 1 Jan 13, 2022
Log4j exploit catcher, detect Log4Shell exploits and try to get payloads.

log4j_catcher Log4j exploit catcher, detect Log4Shell exploits and try to get payloads. This is a basic python server that listen on a port and logs i

EntropyQueen 17 Dec 20, 2021
PKUAutoElective for 2021 spring semester

PKUAutoElective 2021 Spring Version Update at Mar 7 15:28 (UTC+8): 修改了 get_supplement 的 API 参数,已经可以实现课程列表页面的正常跳转,请更新至最新 commit 版本 本项目基于 PKUAutoElectiv

Zihan Mao 84 Sep 09, 2022
Phoenix Framework is an environment for writing, testing and using exploit code.

Phoenix-Framework Phoenix Framework is an environment for writing, testing and using exploit code. 🖼 Screenshots 🎪 Community PwnWiki Forums 🔑 Licen

Felix 42 Aug 09, 2022
WpDisect is a wordpress hacking tool that finds vulnerabilities in wordpress.

wpdisect WpDisect is a wordpress hacking tool that finds misconfigurations in wordpress. Prerequisites You need to download wordpress in the wpdisect

3 Feb 20, 2022
Linus-png.github.io - Versionsverwaltung & Open Source Hausaufgabe

Let's Git - Versionsverwaltung & Open Source Hausaufgabe Herzlich Willkommen zu

1 Jan 24, 2022
Übersicht remote command execution 0day exploit

Übersicht RCE 0day Unauthenticated remote command execution 0day exploit for Übersicht. Description Übersicht is a desktop widget application for m

BoofGang 10 Dec 21, 2021
Automatic ProxyShell Exploit

proxyshell-auto usage: proxyshell.py [-h] -t T Automatic Exploit ProxyShell optional arguments: -h, --help show this help message and exit -t T

lulz 93 Jan 05, 2023
Visius Heimdall is a tool that checks for risks on your cloud infrastructure

Heimdall Cloud Checker 🇧🇷 About Visius is a Brazilian cybersecurity startup that follows the signs of the crimson thunder ;) 🎸 ! As we value open s

visius 48 Jun 20, 2022
Script Crack Facebook Yang Kaya Akan Teh Hijau 🚶‍♂

r-mbf Script Crack Facebook 🚶‍♂ Bukti Recode [•] Install Script $ pkg update && pkg upgrade $ pkg install python $ pkg install git $ pip install requ

O'Hayo Smrn 3 Apr 02, 2022
List of S3 Hacks

s3-leaks List of AWS S3 Leaks Feel free to send in a PR if you know of other leaks Date Description Notes Aug2020 S3 bucket mess up exposed 182GB of s

Nag 291 Dec 28, 2022