My DokuWiki

User Tools

Site Tools

Trace:
domain_database_search

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
domain_database_search [2022/06/25 22:51]
kaduuwikiadmin 		domain_database_search [2024/03/11 15:06] (current)
kaduuwikiadmin
Line 1: Line 1:
- 
 ====== Domain Database Search ====== ====== Domain Database Search ======
  
-You find the domain database serach in expert mode:+===== What is the threat? ===== 
 +When cyber criminals conduct attacks like phishing or business email compromise (BEC) against employees, they usually spoof (replicate with variation) the domain of the target organization. The idea is to build trust and lure the employees into providing credentials or downloading malware. As the original domain is already taken, the hacker reserves domains with slight variations of the original domain name. As an example, the original domain “industryservices.com” could be turned into “indusrtyservices.com” (letter swap), “industryserv1ces.com” (letter replacement), “industry–services.com” (additional characters), “industry.services” (different TLD), etc.
  
-{{::domain_database_search.png?200|}}+===== How can Kaduu assist in mitigating this threat===== 
 +We monitor all new domain registrations (ccTLDs, gTLDs, uTLD, sTLD). In doing so, we also record typical typo squatting techniques as mentioned above. A newly registered domain that has some similarities to the client’s domain will create an alert in Kaduu. Additionally, we monitor all [[certificate_monitoring|SSL certificate logs]] since many phishing websites are secured with SSL certificates to spoof the legitimate client’s name. By monitoring the certificate transparency logs that are available online, you can detect if your organization’s name gets spoofed on SSL certificates – even in the subdomain part of the domain.
  
-You can search in Kaduu database similar domain names. You can investigate the results with various tools. +You can now search via dashboard or [[api|API]] in Kaduu'database for similar domain names and setup [[creating_alerts_based_on_your_search|alerts]]With the various built-in tools   (Screenshot creation, Portscan, Geolocation etc.) you can investigate the findings in Kaduu. 
-The database is updated daily using domain registration feeds.+ 
 +===== How up to date is the data? ===== 
 +The database is **updated daily** using domain registration feeds. Not all domain types are processed in real time in the feeds, as there is no obligation for the domain providers to report TLD's registration to a central authority. Especially the country top level domains (ccTLD) are only recorded with a time delay (sometimes up to 2 weeks) and it can happen that domains are not included in the alerting in real-time. 
 + 
 +===== How can you access the domain search? ===== 
 + 
 +You find the domain database search in expert mode: 
 + 
 +^ Menu      ^ Screenshot     | 
 +| Domains / Database Search | {{::domain_database_search.png?200|}} 
 + 
 + 
 + 
 +===== What are the search operators? =====
  
 Available main search operators: Available main search operators:
Line 27: Line 41:
 | name:micro~1 AND tld:com  | Search for domains matching micro with Levenshtein distance of 1 (up to 1 typo) in .com domain zone.    | | name:micro~1 AND tld:com  | Search for domains matching micro with Levenshtein distance of 1 (up to 1 typo) in .com domain zone.    |
 | name:micro AND NOT tld:com | Search for domains matching micro in any domain zone, except .com.    | | name:micro AND NOT tld:com | Search for domains matching micro in any domain zone, except .com.    |
-| microsoft~2  | Search for microsoft domain with Levenshtein distance of 2 (up to 2 typos) in any domain zone.   |+| microsoft~2  | Search for microsoft domain with Levenshtein distance of 2 (up to 2 typos) in any domain zone. Please note that the distance of 2 is the the maximum allowed  |
 | *microsoft*  | Search for domains containing microsoft. The following domains will match: update-microsoft.com, buy-microsoft-windows.com, microsoft-update.com, etc.   | | *microsoft*  | Search for domains containing microsoft. The following domains will match: update-microsoft.com, buy-microsoft-windows.com, microsoft-update.com, etc.   |
 | software*update   | Search for domains containing software in the beginning and update in the end, in any domain zone. The following domains will match: softwareupdate.com, software-super-update.com.    | | software*update   | Search for domains containing software in the beginning and update in the end, in any domain zone. The following domains will match: softwareupdate.com, software-super-update.com.    |
Line 34: Line 48:
 | registrationDate:[* TO 2020-01-01]  | Search domains registered til 1st of January 2020.  | | registrationDate:[* TO 2020-01-01]  | Search domains registered til 1st of January 2020.  |
 | name:superbank AND (tld:net OR tld:org) AND registrationDate:[* TO 2020-08-08]   | Search domains in net or org domain zones, that are equal to superbank and that were registered before August 8th 2020  | | name:superbank AND (tld:net OR tld:org) AND registrationDate:[* TO 2020-08-08]   | Search domains in net or org domain zones, that are equal to superbank and that were registered before August 8th 2020  |
 +
 +===== Example search results =====
 +
 +^ Search      ^ Screenshot     |
 +| Domain is "kaduu.ch": Creates only 1 result | {{::search_exact_domain.png?400|}} |
 +| Similar domains to "kaduu": Creates +5000 results | {{::searc_only_name.png?400|}} |
 +| Domain contains "kaduu": Creates +40 results | {{::search_that_contains_domain.png?400|}} |
 +| Domain is similar to "kaduu.ch": Creates only 7 results | {{::search_with_distance2.png?400|}} |
 +| Domain contains "kad" and "uu" in this order: Creates 202 results | {{::domain_n.png?400|}} |
 +| Domain contains "kad" and "uu" and must be .com: Creates 87 results | {{::domain_n2.png?400|}} |
 +
 +
 +
 +Kaduu allows you also to search for multiple words in the main domain. If both words are mandatory, the search would be *word1*word2*. But you can also search for *word2*word1*. Please note that the order of the word matters!
 +
 +
 +^ Search      ^ Screenshot     |
 +| *best*service* | {{::domain-s-1.png?800|}} |
 +| *service*best* |  {{::domain-s-2.png?800|}}|
 +
 +===== Domain Alerts =====
 +
 +  * Track new results for the search: Use your exact search type to find new DB entries
 +  * Track changes: Tracks changes in the WHOIS, Ports & DNS Changes for the specific domain
 +  * Track similar domains: Uses ~1 domains with a Levenshtein distance of 1 (up to 1 typo) to your domain
 +
 +===== How can you analyze the results? =====
 +
 +You can select one or multiple search results and then analyze the different data sources like ports, WHOIS etc.
 +
 +{{::domain_getdata1.png?900|}}
 +
 +The analysis can take severeal minutes for a few domains. If you select more than 10 domains at ones, you might get a timeout. The results can then be exported or reviewed on the dashboard. Here an example how the analysis can be reviewed on the dashboard by clicking on the according domain name:
 +
 +{{::domain_analyisis_results.png?900|}}
 +
 +If you create an export, you will have the same information in the format you selected under the navigation item "my  exports":
 +
 +{{::exports.png?900|}}
 +
 +Here an example of a word file export:
 +
 +{{::export_word.png?900|}}
 +
 +===== Special Search: Typo-squatted domains =====
 +
 +Typo-squatting is a kind of hack that targets  users who incorrectly type an adress into their web browsers instead of using a search engine. Typically, users are tricked into visiting rogue websites with URLs that are common misspellings of legitimate websites. Users may be tricked into entering sensitive data on these spoofed websites.
 +
 +You can search for a spoofed domain when you click on a domain in the search and then select "get new data" in the "typos" menu. Please not that this search takes a while since we are doing a live query. 
 +
 +
 +{{::typocheck.png?900|}}
 +
 +
 +
 +
 +
  
  
  
domain_database_search.1656190268.txt.gz · Last modified: 2023/05/22 20:40 (external edit)

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki