OpenSec Atlas

opensquat: An Open Source Tool for Threat Intelligence | OpenSec Atlas

Threat Intelligence

Tool

opensquat

openSquat is an open-source OSINT tool designed to detect domain look-alikes and cyber squatting threats by monitoring newly registered domains that may impersonate legitimate brands.

Visit Website View on GitHub

About This Tool

The openSquat is an open-source tool for detecting domain look-alikes by searching for newly registered domains that might be impersonating legit domains and brands.

Primary Use Case

This tool is primarily used by security analysts, threat intelligence teams, and brand protection specialists to identify and mitigate phishing campaigns, domain squatting, and other brand/domain impersonation attacks. It helps organizations proactively detect malicious domains that could harm their reputation or deceive their users.

Key Features

Automatic daily updates of newly registered domains
Levenshtein distance calculation for word similarity detection
Detection of phishing domains using Phishing Database integration
IDN homograph attack detection
Integration with VirusTotal and Quad9 DNS service
Configurable confidence thresholds to reduce false positives
Output support in multiple formats: TXT, JSON, CSV
Capability to integrate with other threat intelligence tools and DNS sinkholes

Insights & Recommendations

When updating openSquat, especially for major releases, re-run 'pip install -r requirements.txt' to ensure all dependencies are up to date. The tool requires Python 3.6+ and pip3. Users should customize the keywords.txt file to tailor domain hunting to their specific needs. Lowering confidence thresholds can increase false positives, so adjust carefully based on use case.

Installation

git clone https://github.com/atenreiro/opensquat
pip install -r requirements.txt
Ensure Python 3.6+ and pip3 are installed in your environment

Usage

python opensquat.py

Run openSquat with default options for a quick scan

python opensquat.py -h

Display all available command line options and usage help

python opensquat.py -k generic.txt

Search for generic phishing-related keywords (may increase false positives)

python opensquat.py --dns

Enable DNS validation using Quad9 service

python opensquat.py --subdomains

Search for look-alike subdomains

python opensquat.py --portcheck

Check if detected domains have open ports 80 or 443

python opensquat.py --phishing phish_results.txt

Validate detected domains against known phishing domains

python opensquat.py -o example.json -t json

Save scan output in JSON format

python opensquat.py -o example.csv -t csv

Save scan output in CSV format

python opensquat.py --ct

Conduct a certificate transparency log search

python opensquat.py -p month

Search domains registered in the last month instead of the default day

python opensquat.py -c 2

Set confidence threshold to medium (lower values increase false positives)

Smart Usage Notes

Integrate openSquat with SIEM platforms to automate alerts on suspicious domain registrations.Use openSquat data feeds to enrich phishing detection rules in email security gateways.Leverage openSquat's API for continuous monitoring of brand-related domain threats in threat intelligence platforms.Combine openSquat with DNS sinkholes to proactively block access to malicious look-alike domains.Incorporate openSquat findings into security awareness training to educate users about phishing and domain impersonation risks.