Domain abuse scanner covering domainsquatting and phishing keywords.

Overview

🦷 monodon 🐋

Domain abuse scanner covering domainsquatting and phishing keywords.

Setup

Monodon is a Python 3.7+ programm. To setup on a Linux machine with Python 3.7 or later, take the following steps.

git clone https://github.com/c1ko/monodon.git
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Before usage

Monodon uses the SOA record of domains to check if is registered. The presence of this record definitly means it is registered. If the SOA flag is missing, the domain can still be registered!

Monodon will generate a DNS query for every domain to check. Public nameservers like 8.8.8.8, 8.8.4.4, and 9.9.9.9 can sustain 20 queries and more per second without throtteling. Set a nameserver using the --nameserver setting. Otherwise monodon will use your systems nameserver. You can control the rate of queries using the --rate argument. By default, --rate is set to 10 queries per second.

If you want to create more than 10 queries per second and thread, use the --unsafe keyword. This safeguard protects from unwanted DOS attacks on public DNS servers. To not generate any actual DNS queries, use the --simulate argument.

Usage

You can configure most settings using the command line and the config.ini file. Some options can only be set as an argument. To make use of monodon, you need to supply at least one scan mode and the scanword. The scanword usually is the name of your brand, or the host portion of the domain you want to find squats of.

(venv) $ ./monodon.py --tlds monodon
Loaded 9211 domains from publicsuffix.org
Scanning tlds
Scanning 1495 domains...
Found: monodon.cn on dns19.hichina.com.
Found: monodon.cz on mbox.netro.cz.
Found: monodon.co on ns53.domaincontrol.com.
Found: monodon.de on root-dns.netcup.net.
Found: monodon.com on ns1.namefind.com.
 
Running since 0.0h, about 0.06h left
Scanned 74 of 1495 (4.95%), found 5 domains
Current scanrate is 9 scans/sec, scan-delay is 0.45s

Result format

Monodon documents all results in an sqlite database called $SCANWORD.db in the monodon directory. You can dump the contents of the database using the dump_db.py script from the project folder.

Scan modes

Monodon supports various scan modes.

  --all                      Execute all scanning techniques
  --tlds                     Scan all TLDs
  --slds                     Scan all TLDs and known SLDs
  --homo                     Scan homoglyphs
  --chars                    Scan character replacements and additions
  --numbers                  Iterate numbers in the domain name
  --phishing                 Scan phishing wordlist
  --ccodes                   Scan two-letter country codes
  --wiki WIKI [WIKI ...]     Scan words from wikipedia lemmas (e.g. 'en:whale')
  --wordlist [WORDLIST]      Scan an additional wordlist file

--all Use all scanning techniques mentioned below. This can be a lengthy endeavor, depending on how many wikipedia terms will be scannend, which tlds are scanned, and how long the scanword ist. Monodon can easily generate 1 million or more domains to scan.

--tlds Scan all registered top-level domains. Monodon downloads a fresh list of tlds from https://publicsuffix.org/list every time the command is run. If you do not want to download a fresh list, you can supply the --tldfile flag to supply a custom tld file to use.

--slds Scan all registered top-level domains and all second level domains known to publicsuffix.org. Like for --tld you can override the list with the --tldfile option. Monodon will automatically check if the tld accepts any hostname, like many of the AWS domains do, and document the result in the database.

--homo Generate homoglyphic variants of the supplied scanword. Scanned hosts for "monodon" would be "m0nodon" or "monoton".

--chars Insert and remove chars from within the scanword. Scanned hosts for "monodon" would for example be "mondon" or "monodono".

--numbers Count numbers up and down in the domain name. Scanned hosts for "monodon24" would be "monodon42" or "monodon02".

--phishing Use the list of common phishing suffixes and prefixes to scan. Scanned hosts for "monodon" would be "monodon-online" or "wwwmonodon".

--ccodes Add ISO-3166 country codes to the host. Scanned hosts for "monodon" would be "monodon-us" or "usmonodon".

--wiki Use wikipedia to generate term-related wordlists to scan. Monodon downloads the wikipedia article for a the given term(s) and generates a list of the most common words. You can supply lemmas in the config file or via the command line. Include the wikipedia language shorthand (e.g. "en" or "de"), seperated by a colon. To configure the number of used terms, use the --wiki_count option.

(venv) $ ./monodon.py --wiki en:whale de:narwal monodon 
Loaded 9211 domains from publicsuffix.org
Scanning generated wikipedia wordlist
Scanning 15000 domains..

If you only want to check which words were generated (and what rating they have), use the --wiki_test flag. No wikipedia queries will be executed in this case.

(venv) $ ./monodon.py --wiki en:whale de:narwal --wiki_test --wiki_count 15  monodon
Loaded 9211 domains from publicsuffix.org
Generating wikipedia wordlist from lemmas en:whale, de:narwal
('the', 462), ('and', 240), ('whales', 114), ('are', 112), ('der', 107), ('die', 98), ('they', 91), ('und', 87), ('whale', 79), ('for', 67), ('their', 65), ('have', 59), ('which', 55), ('von', 51), ('that', 45)

--wordlist Scan an additional wordlist file, supplied as an argument or config.ini option.

For most scan modes the scanned tlds can be set in the config.ini file. These defaults can be overriden using the _tld option for each mode. You can either supply direct tlds like "de" or "com", or prefiltered lists: "top5", "top15", "abused", "all_tlds". You can also use --forcetlds to execute all scans on a specific set of tlds, no matter what the config says.

General settings

--rate Scans executed per second. This rate can be exceeded for short periods of time, but will auto-adjust.

--threads Number of scan threads to use. Especially with slow nameservers, a higher number of threads is adviced. The standard 5 threads is usually a good choice.

--simulate Simulate the DNS queries instead of actually executing them. Good for testing purposes.

--verbose Log each DNS query, giving greater detail on what is going on.

--nameserver Use another than the system's nameserver to scan.

--config Load a different config file than the standard config.ini.

--unsafe Allow more than 10 queries per scanning thread.

--unregistered Experimental feature: Search for unregistered domains instead of registered domains.

Examples

Scan all tlds for the exact hostname:

(venv) $ ./monodon.py --tlds monodon 
Loaded 9211 domains from publicsuffix.org
Scanning tlds
Scanning 1495 domains...

Scan for char replacements and homoglyphic replacements on the top 5 TLDs:

(venv) $ ./monodon.py --chars --chars_tlds top5 --homo_tlds top5 --homo monodon
Loaded 9211 domains from publicsuffix.org
Scanning simple char replacements
Scanning homoglyphs
Scanning 2890 domains...
Found: moodon.com on ns23.domaincontrol.com.
Found: mondon.com on ns1.cornut.fr.
...

Scan for number and phishing variants only on the ".de" domain, using a custom nameserver and a higher rate:

(venv) $ ./monodon.py --numbers --phishing --forcetlds de --rate 15 --nameserver 9.9.9.9 monodon24

Scan for the top 20 words from Wikipedia articles:

(venv) $ ./monodon.py --wiki en:whale de:narwal --wiki_count 20  monodon
Loaded 9211 domains from publicsuffix.org
Generating wikipedia wordlist from lemmas en:whale, de:narwal
AmiEviL - This program uses the Virus Total API to determine if your suspicious file is malicious or not

AmiEviL - This program uses the Virus Total API to determine if your suspicious file is malicious or not. The program requests the hash of the file and outputs information (if any). This version will

Kirk 1 Jan 03, 2022
Python directory buster, multiple threads, gobuster-like CLI, web server brute-forcer, URL replace pattern feature.

pybuster v1.1 pybuster is a tool that is used to brute-force URLs of web servers. Features Directory busting (URI) URL replace patterns (put PYBUSTER

Glaukio 1 Jan 05, 2022
PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github

CVE-2021-26855 PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github Why does github remove this exploit because

The Hacker's Choice 58 Nov 15, 2022
This tool ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information that allows them to know in advance if this library complies with processes.

This tool gives developers, researchers and companies the ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information

Telefónica 66 Nov 08, 2022
Brute smb share - Brute force a SMB share

brute_smb_share I wrote this small PoC after bumping into SMB servers where Hydr

devloop 3 Feb 21, 2022
A python module for retrieving and parsing WHOIS data

pythonwhois A WHOIS retrieval and parsing library for Python. Dependencies None! All you need is the Python standard library. Instructions The manual

Sven Slootweg 384 Dec 23, 2022
Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Pyth

js-on 17 Dec 11, 2022
A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF.

TProxer A Burp Suite extension made to automate the process of finding reverse proxy path based SSRF. How • Install • Todo • Join Discord How it works

Krypt0mux 162 Nov 25, 2022
LaxrFar Python Obfuscator

LaxrFar Python Obfuscator Usage First do the things from "Upload to Webserver" o

LaxrFar 5 Jul 19, 2022
The disassembler parses evm bytecode from the command line or from a file.

EVM Bytecode Disassembler The disassembler parses evm bytecode from the command line or from a file. It does not matter whether the bytecode is prefix

alpharush 22 Dec 27, 2022
Consolidating and extending hosts files from several well-curated sources. You can optionally pick extensions to block pornography, social media, and other categories.

Take Note! With the exception of issues and PRs regarding changes to hosts/data/StevenBlack/hosts, all other issues regarding the content of the produ

Steven Black 22.1k Jan 02, 2023
Mr.Holmes is a information gathering tool (OSINT)

🔍 Mr.Holmes Mr.Holmes is a information gathering tool (OSINT). Is main purpose is to gain information about domains,username and phone numbers with t

534 Jan 08, 2023
Patching - Interactive Binary Patching for IDA Pro

Patching - Interactive Binary Patching for IDA Pro Overview Patching assembly code to change the behavior of an existing program is not uncommon in ma

589 Dec 30, 2022
PySharpSphere - Inspired by SharpSphere, just another python version

PySharpSphere Inspired by SharpSphere, just another python version. Installation python3 setup.py install Features Support control both Linux and Wind

Ricter Zheng 191 Dec 22, 2022
PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests.

PyPasser is a Python library for bypassing reCaptchaV3 only by sending 2 requests. In 1st request, gets token of captcha and in 2nd request,

253 Jan 05, 2023
Website OSINT untuk mencari informasi dari email dan nomor telepon. Dibuat dengan React dan Flask.

Inspektur Cari informasi mengenai email dan nomor telepon dengan mudah. Inspektur adalah aplikasi OSINT yang berguna untuk mencari informasi berdasark

Bagas Wastu 36 Dec 04, 2022
A hashtag check python module

A hashtag check python module

Fayas Noushad 3 Aug 10, 2022
Profil3r is an OSINT tool that allows you to find potential profiles of a person on social networks, as well as their email addresses 🕵️

Profil3r is an OSINT tool that allows you to find potential profiles of a person on social networks, as well as their email addresses. This program also alerts you to the presence of a data leak for

1.1k Aug 24, 2021
This tool help you to check if your Windows machine has hidden miner.

Hidden Miner Detector This tool help you to check if your Windows machine has hidden miner. Miners track when you open antivirus software or task mana

Николай Борщёв 2 Oct 05, 2022
A deobfuscator for multiple python obfuscators

PY4COC A deobfuscator for multiple python obfuscators, supports exe's packed with pyinstaller too. How to use python3 py4coc.py exe file or py file o

svenskithesource 16 Dec 03, 2022