Malware AnalysisSecurityWeb Application Security

openSquat – Phishing and domain squatting watchdog


openSquat is an opensource Intelligence (OSINT) security tool to identify cyber squatting threats to specific companies or domains, such as:

  • Phishing campaigns
  • Domain squatting
  • Typo squatting
  • Bitsquatting
  • IDN homograph attacks
  • Doppenganger domains
  • Other brand/domain related scams

It does support some key features such as:

  • Automatic newly registered domain updating (once a day)
  • Levenshtein distance to calculate word similarity
  • Fetches active and known phishing domains (Phishing Database project)
  • IDN homograph attack detection
  • Integration with VirusTotal
  • Integration with Quad9 DNS service
  • Use different levels of confidence threshold to fine tune
  • Save output into different formats (txt, JSON and CSV)
  • Can be integrated with other threat intelligence tools and DNS sinkholes

This is an opensource project so everyone’s welcomed to contribute.

Web Demo

Please check Phishy Domains for a simple version of the openSquat.

How to Install

    git clone
    pip install -r requirements.txt

Make sure you have Python 3.6+ and pip3 in your environment

How to Update

To update your current version, just type the following commands inside the openSquat directory:

    git pull
    pip install -r requirements.txt

The “pip install” is just to make sure no new libs were added with the new upgrade.

Usage Examples

Demo Video

Edit the “keywords.txt” with your customised keywords to hunt.

    # Lazy run with default options

    # for all the options
    python -h
    # Search for generic terms used in phishing campaigns (can lead to false positives)
    python -k generic.txt

    # With DNS validation (quad9)
    python --dns
    # Subdomain search
    python --subdomains
    # Check for domains with open ports 80/443
    python --portcheck

    # With Phishing validation (Phishing Database)
    python --phishing phish_results.txt

    # Save output as JSON
    python -o example.json -t json

    # Save output as CSV
    python -o example.csv -t csv

    # Conduct a certificate transparency (ct) hunt
    python --ct

    # Period search - registrations from the last month (default: day)
    python -p month

    # Tweak confidence level. The lower values bring more false positives
    # (0: very high, 1: high (default), 2: medium, 3: low, 4: very low
    python -c 2

    # All validations options
    python --phishing phishing_domains.txt --dns --ct --subdomains --portcheck

To Do / Roadmap

  • Integration with VirusTotal (VT) for subdomains validation
  • Integratration with VirusTotal (VT) for malware detection
  • Use certificate transparency
  • Homograph detection done
  • Improve code quality from B to A grade (codacy)
  • PEP8 compliance
  • Add documentation

Feature Request

To request for a new feature, create a “new issue” and describe the feature and potential use cases. If something similar already exists, you can upvote the “issue” and contribute to the discussions.


MalwareSourceCode – Collection Of Malware Source Code For A Variety Of Platforms In An Array Of Different Programming Languages

Previous article

iSH – Linux Shell For iOS

Next article

You may also like


Leave a reply

Your email address will not be published. Required fields are marked *