
CATPHISH is a tool that generates similar-looking (lookalike) domains for phishing engagements. It also searches for expired domains and checks whether they are already categorized by the web gateways and proxies used in office networks: a domain that is already categorized (or whitelisted) is far more likely to pass through proxy filtering than a freshly registered one. Attackers routinely register such pre-categorized domains for their C2 servers, and a penetration tester can use the same approach to evade proxy categorization during an engagement.
The algorithms supported by the tool are:
- SingularOrPluralise
- prependOrAppend
- doubleExtensions
- mirrorization
- homoglyphs
- dashOmission
- Punycode
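The list above is easiest to understand by running a small version of it. The following Ruby script is an added example written for this page, not CATPHISH's own source: it implements one plausible reading of six of the listed algorithms (mirrorization is left out because its exact definition is specific to the tool), using a prefix/suffix word list, a homoglyph table and an extra-TLD list chosen for illustration, plus an RFC 3492 Punycode encoder so that the homoglyph candidates can be shown in the xn-- form a registrar and the DNS actually see. The sample target ring0labs.com is the one used in the Docker example further down; my-bank.com is a constructed input.

```ruby
# Added example for this page, not CATPHISH's own source: one reading of six of the
# algorithms listed above. Word lists, homoglyph table and extra TLDs are illustrative.
# Confusable substitutions: Cyrillic/Latin lookalikes plus ASCII tricks (rn for m).
HOMOGLYPHS = {
  'a' => ["\u0430", "\u00e0"], 'c' => ["\u0441"], 'e' => ["\u0435"],
  'i' => ["\u0456", 'l'], 'l' => ['1'], 'm' => ['rn'],
  'o' => ["\u043e", '0'], 'p' => ["\u0440"], 's' => ["\u0455"], 'w' => ['vv']
}.freeze
PREFIXES   = %w[my secure login mail].freeze
SUFFIXES   = %w[login secure support online].freeze
EXTRA_TLDS = %w[co net org info].freeze

def singular_or_pluralise(name, tld)
  alt = name.end_with?('s') ? name.chomp('s') : "#{name}s"
  ["#{alt}.#{tld}"]
end

def prepend_or_append(name, tld)
  PREFIXES.map { |p| "#{p}-#{name}.#{tld}" } + SUFFIXES.map { |s| "#{name}-#{s}.#{tld}" }
end

def double_extensions(name, tld)
  EXTRA_TLDS.reject { |x| x == tld }.map { |x| "#{name}.#{tld}.#{x}" }
end

def dash_omission(name, tld)
  name.include?('-') ? ["#{name.delete('-')}.#{tld}"] : []
end

# One substitution per candidate, so each result differs from the target in one place.
def homoglyphs(name, tld)
  name.each_char.with_index.flat_map do |ch, i|
    (HOMOGLYPHS[ch] || []).map { |sub| "#{name[0...i]}#{sub}#{name[(i + 1)..-1]}.#{tld}" }
  end.uniq
end

# RFC 3492 Punycode encoder (written for this example) so IDN candidates can be shown
# as the xn-- labels that registrars and DNS actually see. ASCII labels pass through.
PC_BASE, PC_TMIN, PC_TMAX, PC_SKEW, PC_DAMP = 36, 1, 26, 38, 700

def pc_digit(d)
  (d < 26 ? 97 + d : 22 + d).chr # 0..25 -> a..z, 26..35 -> 0..9
end

def pc_adapt(delta, numpoints, first)
  delta = first ? delta / PC_DAMP : delta / 2
  delta += delta / numpoints
  k = 0
  while delta > ((PC_BASE - PC_TMIN) * PC_TMAX) / 2
    delta /= PC_BASE - PC_TMIN
    k += PC_BASE
  end
  k + ((PC_BASE - PC_TMIN + 1) * delta) / (delta + PC_SKEW)
end

def punycode_label(label)
  return label if label.ascii_only?
  cps = label.codepoints
  out = cps.select { |c| c < 128 }.map(&:chr) # basic code points are copied first
  b = h = out.size
  out << '-' if b > 0
  n, delta, bias = 128, 0, 72
  while h < cps.size
    m = cps.select { |c| c >= n }.min # next code point to encode
    delta += (m - n) * (h + 1)
    n = m
    cps.each do |c|
      delta += 1 if c < n
      next unless c == n
      q, k = delta, PC_BASE
      loop do # generalized variable-length integer, RFC 3492 section 3.3
        t = k <= bias ? PC_TMIN : (k >= bias + PC_TMAX ? PC_TMAX : k - bias)
        break if q < t
        out << pc_digit(t + (q - t) % (PC_BASE - t))
        q = (q - t) / (PC_BASE - t)
        k += PC_BASE
      end
      out << pc_digit(q)
      bias = pc_adapt(delta, h + 1, h == b)
      delta, h = 0, h + 1
    end
    delta, n = delta + 1, n + 1
  end
  "xn--#{out.join}"
end

def punycode(domain)
  domain.split('.').map { |l| punycode_label(l) }.join('.')
end

def generate(domain)
  name, tld = domain.downcase.split('.', 2)
  idn = homoglyphs(name, tld)
  {
    'SingularOrPluralise' => singular_or_pluralise(name, tld),
    'prependOrAppend'     => prepend_or_append(name, tld),
    'doubleExtensions'    => double_extensions(name, tld),
    'dashOmission'        => dash_omission(name, tld),
    'homoglyphs'          => idn,
    # only candidates that are genuine IDNs get an xn-- form; ASCII tricks never do
    'Punycode'            => idn.map { |d| punycode(d) }.select { |d| d.start_with?('xn--') }
  }
end
```

Running `generate('ring0labs.com')` and printing each list makes two things obvious. Most homoglyph candidates only exist on the wire as xn-- labels (ring0lаbs.com with a Cyrillic а becomes xn--ring0lbs-66g.com), so a defender hunting for lookalikes of their own brand in certificate-transparency or registration feeds has to compare the Punycode form, not the display form. At the same time, several substitutions (rn for m, l for i, 1 for l) stay pure ASCII and never appear in an IDN-only check, which is why the tool treats homoglyphs and Punycode as separate algorithms.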
During a red-team engagement the tool automates the online search for expired domains through expireddomains.net and the categorization lookup against BlueCoat; a penetration tester can add further sources and features as the engagement requires.
It complements DomainHunter, which performs reputation checks against Symantec WebPulse Site Review (BlueCoat), IBM X-Force, Cisco Talos, Google Safe Browsing and PhishTank. Running several such tools side by side gives different views of the same candidate domains, which helps automate the search for gaps in an organization's categorization and reputation filtering.
Usage

Running the tool:

  catphish.rb [global options] COMMAND [command options]

COMMANDS
  generate    Generate domains
  expired     Find available expired domains (experimental)

Additional help:
  catphish.rb COMMAND -h

Global Options:
  -l, --logo, --no-logo                      ASCII art banner (default: true)
  -c, --column-header, --no-column-header    Header for each column of the output (default: true)
  -D, --Domain=<s>                           Target domain to analyze
  -V, --Verbose                              Show all domains, including non-available ones
  -h, --help                                 Show this message

Generate all types:
  catphish.rb -D DOMAIN generate -A

Check available expired domains:
  catphish.rb -D DOMAIN expired

Check a specific domain for categorization status:
  catphish.rb -D DOMAIN expired -c

Check all available expired domains against a specific vendor:
  catphish.rb -D DOMAIN expired -p PROXY_TYPE
Docker
You can also run the tool with Docker. This lets you try it out without installing any of the required dependencies (Ruby) beyond Docker itself. It presumes that you have the Docker daemon installed; if not, see Docker's documentation.
First, build the container
$ cd path/to/repository
# Generate a tag so we know how to find the container later to run it. You can use anything (latest is common); here the git hash is used.
$ TAG=$(git rev-parse --short HEAD)
# Run the build
$ docker build --tag "catphish:${TAG}" .
# Eventually docker will print something like:
#
# Successfully built 8f0b8bfe0c41
# Successfully tagged catphish:f947517
Perfect! Now, you can execute catphish via Docker:
$ docker run \
--rm=true \
"catphish:${TAG}" \
--Domain ring0labs.com \
--All
In Action
You can read more and download this tool over here: https://github.com/ring0lab/catphish