make;
make install;

some notes to myself

Leveraging dnstwist to identify suspicious ENS names

Written on December 26, 2021

Following up on my previous post, which had the example of homoglyphic attacks on ENS (Ethereum Name Service) names, I wanted to see if this sort of attack scenario existed in the wild. To generate lots of homoglyphs for a given name, I turned to dnstwist.

dnstwist is a freely available permutation engine focused on detecting homograph attacks, typosquatting, and brand impersonation, and it has been integrated with offerings from large companies like Palo Alto and Splunk. A simple example of an attack is registering a domain name similar to google.com (e.g., goögle.com), hosting malicious content there, and getting a user to carelessly make a request to the site. dnstwist can also tell you if each domain name permutation is registered, and what its A, AAAA, and MX records point to.

I have forked dnstwist as enstwist and added the ability, with the -e/--ens argument, to look up the address and owner of each ENS name permutation, the ability to use a larger set of glyphs, the ability to perform a reverse lookup (for regular dnstwist usage this does a PTR lookup), and the ability to toggle IDNA encoding. enstwist is backwards compatible: all the normal dnstwist usage is the same.

Let’s take a look at some examples…

Here we can see the homoglyph name that was created in November and is NOT registered to the same owner or address as sassal.eth. I had to add a different set of homoglyphs (based off of https://www.irongeek.com/homoglyph-attack-generator.php) for this to work - the default set targets ranges “of Unicode characters to ensure that generated domains can be registered in practice.” Unlike domain name registrars, ENS has few (if any) restrictions on mixing character sets.

$ ./dnstwist.py --registered --reverse-lookup --ens sassal.eth
                 _            _     _
  ___  _ __  ___| |___      _(_)___| |_
 / _ \| '_ \/ __| __\ \ /\ / / / __| __|
| /__/| | | \__ \ |_ \ V  V /| \__ \ |_
 \___||_| |_|___/\__| \_/\_/ |_|___/\__| {20211226-dev}

Permutations: 100.00% of 799, Found: 4, ETA: 00:00 [ 30 qps]

*original     sassal.eth  0x648aA14e4424e0825A5cE739C8C68610e143FB79 ENS-OWNER:0x648aA14e4424e0825A5cE739C8C68610e143FB79 REVERSE-LOOKUP:sassal.eth
bitsquatting  sassan.eth  0x7f57A212ad9972A5A0A34338d6cA61BCd5E5b085 ENS-OWNER:0x7f57A212ad9972A5A0A34338d6cA61BCd5E5b085
homoglyph     sasѕal.eth  0x24dAf7547d8D7893BA54611A29fb37E0cB93C2f0 ENS-OWNER:0x24dAf7547d8D7893BA54611A29fb37E0cB93C2f0
omission      assal.eth   0x3D1d8D71D48094a0A2804A29237DA7eef2c6B80b ENS-OWNER:0x3D1d8D71D48094a0A2804A29237DA7eef2c6B80b REVERSE-LOOKUP:assal.eth

Here we can see that there are several permutations of coinbase.eth that have the same owner (0x81b287c0992B110ADEB5903Bf7E2d9350C80581a). This is good. More interestingly, by passing in the --toggle-idna argument we can see that xn--coinbas-ehg.eth, which renders as coinbasе.eth (uses a small Cyrillic ie) does NOT point to coinbase.eth.

$ ./dnstwist.py --registered --reverse-lookup --toggle-idna --ens coinbase.eth
                 _            _     _
  ___  _ __  ___| |___      _(_)___| |_
 / _ \| '_ \/ __| __\ \ /\ / / / __| __|
| /__/| | | \__ \ |_ \ V  V /| \__ \ |_
 \___||_| |_|___/\__| \_/\_/ |_|___/\__| {20211226-dev}

Permutations: 100.00% of 777, Found: 31, ETA: 00:00 [ 28 qps]

*original      coinbase.eth         0x81b287c0992B110ADEB5903Bf7E2d9350C80581a ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a REVERSE-LOOKUP:coinbase.eth
addition       coinbase1.eth        0xE214aEB9d49326Ae8efD9F39FDcdeC47Cf5e7200 ENS-OWNER:0xE214aEB9d49326Ae8efD9F39FDcdeC47Cf5e7200 REVERSE-LOOKUP:determination.eth
addition       coinbased.eth        0xE74d5B2758a415Bb425ebC692afd3bda69f8226a ENS-OWNER:0xE74d5B2758a415Bb425ebC692afd3bda69f8226a
addition       coinbaseo.eth        ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
addition       coinbases.eth        ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
addition       coinbasex.eth        ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
bitsquatting   coinbace.eth         0x53DEF510314eb9Bd32f6062397cd555D61822612 ENS-OWNER:0x53DEF510314eb9Bd32f6062397cd555D61822612
bitsquatting   coinbese.eth         0x8b07180f8915376A97b4225DCa0DB925435793eC ENS-OWNER:0x8b07180f8915376A97b4225DCa0DB925435793eC REVERSE-LOOKUP:coinbese.eth
bitsquatting   coincase.eth         0x9BD1b25b40d6268A36eeB1B2ad93E770f6ff0FD0 ENS-OWNER:0x9BD1b25b40d6268A36eeB1B2ad93E770f6ff0FD0
bitsquatting   comnbase.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
bitsquatting   coynbase.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
bitsquatting   koinbase.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
homoglyph      colnbase.eth         0xE13880E7F42603f7387C59A02D12DC9a152f7bf7 ENS-OWNER:0xE13880E7F42603f7387C59A02D12DC9a152f7bf7
homoglyph      xn--cinbase-9ig.eth  0x06e8779d7BE5dD323389AD8fB84eb53326AA9E13 ENS-OWNER:0x06e8779d7BE5dD323389AD8fB84eb53326AA9E13 REVERSE-LOOKUP:coina.eth
homoglyph      xn--coinbas-ehg.eth  0xF3f0df2C7533ECad900F2A733eAB8A3Fe033250D ENS-OWNER:0xF3f0df2C7533ECad900F2A733eAB8A3Fe033250D REVERSE-LOOKUP:xn--coinbas-ehg.eth
homoglyph      xn--coinbse-6fg.eth  0x2A050072C686724e73dACA2A0F7358b5199C16EB ENS-OWNER:0x2A050072C686724e73dACA2A0F7358b5199C16EB REVERSE-LOOKUP:xmachina.eth
homoglyph      xn--conbase-sog.eth  ENS-OWNER:0x1f9aA698b3781EA29878036773a0dF87f5325D98
hyphenation    coin-base.eth        0x3CdD3b386EFFae149587cEF14e863b6130b38e10 ENS-OWNER:0x3CdD3b386EFFae149587cEF14e863b6130b38e10 REVERSE-LOOKUP:0xniko.eth
hyphenation    coinbas-e.eth        0x84eEcF976760484810daE22c8e68A8cc5627EFc9 ENS-OWNER:0xeA32BF2135888c46157320f9fE3539211945cbAE REVERSE-LOOKUP:sucashop.eth
insertion      cooinbase.eth        ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
omission       coinbae.eth          0xC4ED92Ab80C3ada4a77649B8Cc1359911875D1F8 ENS-OWNER:0xC4ED92Ab80C3ada4a77649B8Cc1359911875D1F8
omission       coinbas.eth          0x7ceb03dC8b72f2Ee7f4fd6Ca18Ea4d065E03B343 ENS-OWNER:0x7ceb03dC8b72f2Ee7f4fd6Ca18Ea4d065E03B343 REVERSE-LOOKUP:coinbas.eth
omission       conbase.eth          0x83f7cC3e94E1D0C92EeF85336826F4C0a758Bb37 ENS-OWNER:0x83f7cC3e94E1D0C92EeF85336826F4C0a758Bb37
omission       oinbase.eth          ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
replacement    c0inbase.eth         0xA8C194cC43E7B0930b3fc182001661Af6Be1407F ENS-OWNER:0xA8C194cC43E7B0930b3fc182001661Af6Be1407F
replacement    coimbase.eth         0xa9412edfb91C598C30f5df52670DBc368d2fc237 ENS-OWNER:0xa9412edfb91C598C30f5df52670DBc368d2fc237
replacement    coinbass.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
replacement    coinvase.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
replacement    coonbase.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
transposition  conibase.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
vowel-swap     coinbaso.eth         ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
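
A triage pass over output like the above, as an added example (not part of enstwist or dnstwist): it drops permutations held by the original's owner, decodes `xn--` labels to the form a user would see, and flags names that use non-Latin letters and collapse to the target name. The helper names and the small `CONFUSABLES` table are constructed for this sketch and cover only the Cyrillic letters mentioned in this post.

```python
import unicodedata

# Rows copied from the coinbase.eth output shown above.
SAMPLE = """\
*original      coinbase.eth         0x81b287c0992B110ADEB5903Bf7E2d9350C80581a ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a REVERSE-LOOKUP:coinbase.eth
addition       coinbaseo.eth        ENS-OWNER:0x81b287c0992B110ADEB5903Bf7E2d9350C80581a
homoglyph      colnbase.eth         0xE13880E7F42603f7387C59A02D12DC9a152f7bf7 ENS-OWNER:0xE13880E7F42603f7387C59A02D12DC9a152f7bf7
homoglyph      xn--coinbas-ehg.eth  0xF3f0df2C7533ECad900F2A733eAB8A3Fe033250D ENS-OWNER:0xF3f0df2C7533ECad900F2A733eAB8A3Fe033250D REVERSE-LOOKUP:xn--coinbas-ehg.eth
"""

# Constructed lookalike map (assumption): Cyrillic ie, i, a, o, dze -> Latin.
# A production check would use the full Unicode confusables data instead.
CONFUSABLES = {"\u0435": "e", "\u0456": "i", "\u0430": "a", "\u043e": "o", "\u0455": "s"}

def to_unicode(name):
    """Decode xn-- (punycode) labels to the Unicode form a user would see rendered."""
    return ".".join(
        label[4:].encode("ascii").decode("punycode") if label.startswith("xn--") else label
        for label in name.split("."))

def scripts(name):
    """Scripts used by the letters in name (first word of each Unicode character name)."""
    return {unicodedata.name(c).split()[0] for c in name if c.isalpha()}

def skeleton(name):
    """Replace known lookalike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in name)

def triage(output):
    """Return permutations NOT held by the original's owner, with homoglyph indicators."""
    rows = []
    for line in output.strip().splitlines():
        kind, name, *rest = line.split()
        owner = next((f.split(":", 1)[1] for f in rest if f.startswith("ENS-OWNER:")), "")
        rows.append((kind, name, owner))
    _, target, target_owner = next(r for r in rows if r[0] == "*original")
    findings = []
    for kind, name, owner in rows:
        if kind == "*original" or owner.lower() == target_owner.lower():
            continue  # same owner as the original: treated as a defensive registration
        shown = to_unicode(name)
        findings.append({"name": name, "rendered": shown, "owner": owner,
                         "non_latin": sorted(scripts(shown) - {"LATIN"}),
                         "renders_as_target": skeleton(shown) == target})
    return findings
```

Entries with a non-empty `non_latin` list and `renders_as_target` set are the ones that display identically to the original while belonging to a different owner.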

Here we can see that the homoglyph name xn--bnance-pvf.eth, which renders as bіnance.eth, has a reverse lookup to lendcapital.eth.

$ ./dnstwist.py --registered --reverse-lookup --toggle-idna --ens binance.eth
                 _            _     _
  ___  _ __  ___| |___      _(_)___| |_
 / _ \| '_ \/ __| __\ \ /\ / / / __| __|
| /__/| | | \__ \ |_ \ V  V /| \__ \ |_
 \___||_| |_|___/\__| \_/\_/ |_|___/\__| {20211226-dev}

Permutations: 100.00% of 678, Found: 23, ETA: 00:00 [ 24 qps]

*original     binance.eth         ENS-OWNER:0xcAdD48a7639e9aDd851450330fAeCD8848b7a752
addition      binance1.eth        0x104252d77c7B3C4E2e8BA18F4997D9B6399fAD82 ENS-OWNER:0x104252d77c7B3C4E2e8BA18F4997D9B6399fAD82
addition      binance2.eth        0x7C4f22B5B6C3b540C4A323Cb4BA2939d375967A1 ENS-OWNER:0x7C4f22B5B6C3b540C4A323Cb4BA2939d375967A1
addition      binance3.eth        0x9C45456d0Eb7A755Eff9960035f3d0B0945f82B0 ENS-OWNER:0x9C45456d0Eb7A755Eff9960035f3d0B0945f82B0 REVERSE-LOOKUP:binance3.eth
addition      binance4.eth        ENS-OWNER:0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE
addition      binance5.eth        0x5eF520c33f27ED75c4a91Ffa582618891a021801 ENS-OWNER:0x5eF520c33f27ED75c4a91Ffa582618891a021801 REVERSE-LOOKUP:binance5.eth
addition      binance6.eth        0x32b2f69b2D2C27973FC28CAbd153314f77AD8CdD ENS-OWNER:0x32b2f69b2D2C27973FC28CAbd153314f77AD8CdD REVERSE-LOOKUP:underpressure.eth
addition      binance7.eth        0xF06654188cDf5b6a41cE623367e38699ED41ddd0 ENS-OWNER:0xF06654188cDf5b6a41cE623367e38699ED41ddd0 REVERSE-LOOKUP:binance7.eth
addition      binance8.eth        ENS-OWNER:0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE
addition      binance9.eth        ENS-OWNER:0x3f5CE5FBFe3E9af3971dD833D26bA9b5C936f0bE
addition      binancer.eth        0x46ab52fe8e884fD3684d0d05F67B7569FD54B432 ENS-OWNER:0x46ab52fe8e884fD3684d0d05F67B7569FD54B432 REVERSE-LOOKUP:binancer.eth
addition      binances.eth        0xE4301fB7545daE866E3E65166269CB7Cdfcee626 ENS-OWNER:0xE4301fB7545daE866E3E65166269CB7Cdfcee626 REVERSE-LOOKUP:wish.eth
addition      binancex.eth        ENS-OWNER:0xB4837C3507C5C19125ec14FE2FF9Bf7b16eeb806
bitsquatting  binanca.eth         0xCCBF7444c7fa31d08EEa8Df53275902ef812CA09 ENS-OWNER:0xCCBF7444c7fa31d08EEa8Df53275902ef812CA09
bitsquatting  finance.eth         ENS-OWNER:0x14E318c09Eb7cF77826B359BD8695D040F72eC10
bitsquatting  jinance.eth         0xAaa5D4fb03ed4B6d68f3BB614F23DF13094E3f92 ENS-OWNER:0xAaa5D4fb03ed4B6d68f3BB614F23DF13094E3f92 REVERSE-LOOKUP:jinance.eth
homoglyph     blnance.eth         0xAd5b1dC1F4fb668F476b22E8525c4583bc499F3E ENS-OWNER:0xAd5b1dC1F4fb668F476b22E8525c4583bc499F3E
homoglyph     xn--binanc-8of.eth  ENS-OWNER:0x49653F12f66B2c391a3F87445CDf09f135D8797c
homoglyph     xn--bnance-pvf.eth  0x000000FE532a821196A4664208Ae7B61513B243E ENS-OWNER:0x000000FE532a821196A4664208Ae7B61513B243E REVERSE-LOOKUP:lendcapital.eth
hyphenation   binanc-e.eth        0x84eEcF976760484810daE22c8e68A8cc5627EFc9 ENS-OWNER:0xeA32BF2135888c46157320f9fE3539211945cbAE REVERSE-LOOKUP:sucashop.eth
omission      biance.eth          0xCf1EB0DabD59BAcB75b21956e7fe30472BeFB9A2 ENS-OWNER:0xCf1EB0DabD59BAcB75b21956e7fe30472BeFB9A2 REVERSE-LOOKUP:biance.eth
omission      binanc.eth          0x6e96C1614511866af235D391E7a55b2acce0445C ENS-OWNER:0xb48E03398AD718AfD16152686Dd9818deac28EbC
omission      bnance.eth          ENS-OWNER:0x42237Be48a9F4B16343dfE64221C67f94fF9Ada6
various       binanceeth.eth      0x3F4Be1B1c3403d19388E31634AC1029254D6a000 ENS-OWNER:0x3F4Be1B1c3403d19388E31634AC1029254D6a000 REVERSE-LOOKUP:binanceeth.eth

Here we can see that opensea.eth has a couple of registered homoglyph name permutations. xn--opense-8nf.eth renders as openseа.eth, which uses the small Cyrillic A. xn--pensea-vqf.eth renders as оpensea.eth, which uses the small Cyrillic O.

$ ./dnstwist.py --registered --reverse-lookup --toggle-idna --ens opensea.eth
                 _            _     _
  ___  _ __  ___| |___      _(_)___| |_
 / _ \| '_ \/ __| __\ \ /\ / / / __| __|
| /__/| | | \__ \ |_ \ V  V /| \__ \ |_
 \___||_| |_|___/\__| \_/\_/ |_|___/\__| {20211226-dev}

Permutations: 100.00% of 905, Found: 11, ETA: 00:00 [ 23 qps]

*original     opensea.eth         ENS-OWNER:0xCDbCf91e870dB5EAaF62bA29c8c7a91Cf27369F6
addition      openseal.eth        0x9A50bE42840871EC4344F69db3FFBf880941F991 ENS-OWNER:0x9A50bE42840871EC4344F69db3FFBf880941F991 REVERSE-LOOKUP:openseal.eth
addition      openseas.eth        0xC11b7a5E8B1f3e4b1842C3b15b552F0fe7Fed31B ENS-OWNER:0xC11b7a5E8B1f3e4b1842C3b15b552F0fe7Fed31B REVERSE-LOOKUP:weirdflower.eth
addition      openseat.eth        0x1B275FeDda915BaA21722afc259fa3F93d9B7134 ENS-OWNER:0x1B275FeDda915BaA21722afc259fa3F93d9B7134 REVERSE-LOOKUP:jobdone.eth
bitsquatting  opensee.eth         0x0c88f0F125c59cad35c704B8044107F2E51D28Fe ENS-OWNER:0x0c88f0F125c59cad35c704B8044107F2E51D28Fe REVERSE-LOOKUP:robix.eth
homoglyph     xn--opense-8nf.eth  0x133706577AF554a74384A8dC35e25AfD8EeEa946 ENS-OWNER:0x133706577AF554a74384A8dC35e25AfD8EeEa946
homoglyph     xn--pensea-vqf.eth  0x0929935653064aEFec9FfbfB5Ca7D8709006D3Bc ENS-OWNER:0x0929935653064aEFec9FfbfB5Ca7D8709006D3Bc
hyphenation   open-sea.eth        0x335ba5d6ac581A17b6C9f7961d7DC5012C188c06 ENS-OWNER:0x335ba5d6ac581A17b6C9f7961d7DC5012C188c06 REVERSE-LOOKUP:pyramus.eth
omission      opense.eth          0x15B9C63f704525C2AfA332979Dd58D67C14b3157 ENS-OWNER:0x15B9C63f704525C2AfA332979Dd58D67C14b3157 REVERSE-LOOKUP:ksquared.eth
omission      opnsea.eth          ENS-OWNER:0xbD6BBE64Bf841b81FC5A6e2b760029e316F2783B
replacement   0pensea.eth         0x28500F456a47F2cc03c9cB4005F140d33562a041 ENS-OWNER:0x28500F456a47F2cc03c9cB4005F140d33562a041