URLcrazy (BSWR)

Time
4 minutes
Difficulty
Intermediate
Video Transcription
00:05
Hello and welcome to another episode of Breaking Stuff with Robert. Today we're going over URLcrazy. Now, URLcrazy is great for helping you to check and see what domains are out there that could be close to your domain in name and things of that nature. It's also very helpful in identifying domains that could be used
00:25
for phishing attacks and social engineering
00:29
and things like that. So really easy to use. Again, it does some things like typo combinations, character omissions, character repeats, etcetera. And so we're going to show you how this tool works. And it's real quick and really easy.
00:42
Now, really gearing this tool towards website administrators looking to identify potential URLs that could be used for the site that you could purchase for the business, whatever the case may be, and then penetration testers would really like this tool. If you're planning on doing some phishing or social engineering and you want a domain name that's really, really close to the target domain,
01:02
maybe you do some LinkedIn research, find some high profile folks and then try to impersonate them during the test. So
01:08
that's about as far as we'll go with that. So some prerequisites to this: it would be good to have some knowledge on URL hijacking and phishing and a fundamental knowledge of the Kali Linux command line and how it's utilized. So with that in mind, let's go ahead and jump into our demo environment.
01:23
So we're in our handy dandy SEC machine, and we're getting ready to look over URLcrazy. So with URLcrazy, as we were saying, you can do, um, like high level manipulation of various URL possibilities, and so what you'll do, you'll take your domain, run it through URLcrazy,
01:42
and it gives you some variants where it switches some vowels. It does some things
01:47
as far as the lettering and whether it's a dot you are dot com. Whatever the case may be, it's essentially a great tool if you're a business trying to make sure you purchase maybe a high variation of the domain names for your particular domain. If you're trying to
02:05
do some phishing and you want to get a domain that's maybe very close to the one that our business is using,
02:10
you can definitely do that with this tool. So as you can see here, we've got our command prompt open, and we could just real quickly type urlcrazy
02:19
and hit Enter, and that gives us some syntax and some additional information here. Just explains some of the things we were just talking about. So in this case, what we're going to do is we're going to try Cybrary. So we'll take cybrary.it, we'll do urlcrazy.
02:37
And then we'll do -r to not resolve DNS. So we'll do that.
02:44
And it's really, really quick in the output that it gives us.
02:46
But as you can see here we get about
02:51
103 hostnames that, you know, is working the process there, and so it does some character omission where maybe we forget to enter something, some repeats, swaps and replacement. So some of these, if you were trying to do a phish test or something of that nature and you weren't paying attention or, you know, you're really quick to just kind of glance in an email
03:10
and it's,
03:12
uh, you know, it looks like it's from someone internal. Maybe somebody does some LinkedIn research and maybe some research on the site and figures out some legit users of Cybrary as far as like instructors or things of that nature. They can use these to potentially send, you know, emails impersonating those folks. And if you're not paying attention to the domain,
03:31
it could catch you off guard.
03:34
So just as another example of this, we'll do urlcrazy.
03:38
And then we'll do that show again and we'll do example.com.
03:43
You can see here again very quick
03:46
and provides a similar output. Where does seem different tests, but we got 96 here instead of 100 some change, so results may vary depending on the domain.
03:54
So there's some really good use cases for this. Let's go ahead and jump back over to our slides.
04:00
As we said, that was a real quick demo, real easy to use tool. Again, take a domain, put it into the tool, get various combinations of domain names and misspellings and types out of that. So really good if you're trying to find
04:15
a high number of variations for your domain name that you want to use in case someone makes a mistake when entering it.
04:21
Or if you're trying to do social engineering phishing, it's great to use. And then if you're a web defender and you're trying to figure out a way to maybe guess what domains an attacker might use, this is a really great tool to throw your domain through. And then maybe you can blacklist the froms from those domains that are not
04:41
valid. So
04:42
great tool. And with that in mind, I want to thank you for your time today, and I look forward to seeing you again.
How to Use URLcrazy (BSWR)

This tool generates and tests domain typos and domain variations for the specified domain for detecting and performing typo squatting, URL hijacking and phishing. The tool also checks if the typo generated domain names are in use, valid and can estimate the popularity of a domain variant using Google.
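The defender-side use mentioned in the video, checking mail sender domains against your own domain for the typo classes the tool covers (omission, repeat, swap, replacement), is sketched below as an added example; it is not part of the original page or of URLcrazy. The function names, class labels and sample addresses are assumptions made for illustration, and domains are assumed to have the simple form name.suffix.

```python
# Added example: function names, labels and sample addresses are constructed.
def name_typo(cand, prot):
    """Classify how the label `cand` differs from `prot` by a single typo."""
    if len(cand) == len(prot) - 1:
        if any(prot[:i] + prot[i + 1:] == cand for i in range(len(prot))):
            return "character-omission"
    elif len(cand) == len(prot) + 1:
        if any(prot[:i] + prot[i] + prot[i:] == cand for i in range(len(prot))):
            return "character-repeat"
        if any(cand[:i] + cand[i + 1:] == prot for i in range(len(cand))):
            return "character-insertion"
    elif len(cand) == len(prot):
        diff = [i for i in range(len(prot)) if cand[i] != prot[i]]
        if len(diff) == 1:
            return "character-replacement"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and cand[diff[0]] == prot[diff[1]]
                and cand[diff[1]] == prot[diff[0]]):
            return "character-swap"
    return None

def classify_domain(candidate, protected):
    """Return the typo class of `candidate` relative to `protected`, or None."""
    cand = candidate.lower().rstrip(".")
    prot = protected.lower().rstrip(".")
    if cand == prot:
        return None
    c_name, _, c_suffix = cand.partition(".")
    p_name, _, p_suffix = prot.partition(".")
    if c_name == p_name:
        return "suffix-change"  # same name under a different suffix
    return name_typo(c_name, p_name) if c_suffix == p_suffix else None

def flag_senders(addresses, protected):
    """Map each lookalike sender address to its typo class."""
    hits = {}
    for addr in addresses:
        kind = classify_domain(addr.rsplit("@", 1)[-1], protected)
        if kind:
            hits[addr] = kind
    return hits

SAMPLE_SENDERS = [  # constructed sample input
    "alice@example.com", "bob@exmple.com", "carol@exaample.com",
    "dave@exmaple.com", "erin@examp1e.com", "frank@example.net", "g@other.org",
]
if __name__ == "__main__":
    for addr, kind in flag_senders(SAMPLE_SENDERS, "example.com").items():
        print(f"{kind:22} {addr}")
```
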
