# GoCatchPhish
The image above is taken from: ashleymcnamara/gophers and this project is heavily inspired by x0rz/phishing_catcher.
The main purpose of gocatchphish is to detect possible phishing domains by looking for suspicious keywords in the domains that appear in the Certificate Transparency logs, consumed through the CertStream API.
The resulting domains are considered more suspicious based on:

- suspicious keywords in the domain (e.g. `paypal.sec-login.com`). The Levenshtein distance from some keywords is also taken into account, so near-misses such as `paypa1.sec-login.com` are caught too
- suspicious TLDs

If the sum of these elements results in a suspiciousness level beyond a certain threshold (the default is 50, but it can be specified in the config file), the domain is printed to stdout.
## Usage

Build the executable with `go build gocphish.go`. Then:

```
$ gocphish -c config.json
```

- `-c`: path to the config file (JSON format)
## Config.json

An example config file is provided in `config.json`; you can create your own config and specify its path with `-c`.

The config file allows you to specify:

- `suspiciusthreshold`: an integer representing the suspiciousness value required for a domain to be reported.
- `toremove`: common strings added to many newly registered domains, such as `cpanel` and `webmail`. The strings in this list are removed when analyzing the domains, to avoid reporting duplicate cases.
- `keywords`: a list of pairs of strings and integers, where the string is the suspicious keyword and the integer is the corresponding suspiciousness value.
- `suspicioustldsval`: the suspiciousness value to add when the domain uses one of the TLDs listed in `suspicioustlds`.
- `suspicioustlds`: list of suspicious TLDs; if one is used, the suspiciousness value of the domain increases by the value specified in `suspicioustldsval`.
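The following is an added example, not the project's own code, that shows how the config keys described above combine into a score for one domain: it parses a constructed `config.json`-style document, strips the `toremove` tokens, adds `suspicioustldsval` for a matching TLD, adds each keyword's value on an exact match or on a single-edit Levenshtein near-miss, and reports the domain when the total reaches `suspiciusthreshold`. The `Config` struct, the `score`/`flagged` helpers, the edit-distance cutoff of 1 and the `>=` comparison are assumptions made for this example; the hard-coded domain list stands in for the CertStream feed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config mirrors the keys documented in the README. The struct itself is an
// assumption for this example, not the project's own type.
type Config struct {
	SuspiciousThreshold int            `json:"suspiciusthreshold"`
	ToRemove            []string       `json:"toremove"`
	Keywords            map[string]int `json:"keywords"`
	SuspiciousTLDsVal   int            `json:"suspicioustldsval"`
	SuspiciousTLDs      []string       `json:"suspicioustlds"`
}

// sampleConfig is a constructed config, not the project's config.json.
const sampleConfig = `{
  "suspiciusthreshold": 50,
  "toremove": ["cpanel", "webmail", "www"],
  "keywords": {"paypal": 40, "login": 20, "secure": 15, "account": 15},
  "suspicioustldsval": 20,
  "suspicioustlds": [".tk", ".ml", ".ga", ".cf", ".gq", ".top"]
}`

func loadConfig(raw string) (Config, error) {
	var c Config
	err := json.Unmarshal([]byte(raw), &c)
	return c, err
}

func min3(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// levenshtein returns the edit distance between a and b (two-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// score computes the suspiciousness of one domain under cfg.
func score(cfg Config, domain string) int {
	d := strings.TrimPrefix(strings.ToLower(domain), "*.") // wildcard certs
	// Drop the common tokens so cpanel.example.com and example.com score alike.
	for _, r := range cfg.ToRemove {
		d = strings.ReplaceAll(d, r, "")
	}
	total := 0
	for _, tld := range cfg.SuspiciousTLDs {
		if strings.HasSuffix(d, tld) {
			total += cfg.SuspiciousTLDsVal
			break
		}
	}
	// Labels split on '.' and '-' are compared by edit distance for typosquats.
	words := strings.FieldsFunc(d, func(r rune) bool { return r == '.' || r == '-' })
	for kw, val := range cfg.Keywords {
		if strings.Contains(d, kw) {
			total += val
			continue
		}
		for _, w := range words {
			// Assumption: one edit away (e.g. paypa1) counts as the keyword.
			if len(w) >= 4 && levenshtein(w, kw) == 1 {
				total += val
				break
			}
		}
	}
	return total
}

// flagged reports whether the domain reaches the configured threshold.
func flagged(cfg Config, domain string) bool {
	return score(cfg, domain) >= cfg.SuspiciousThreshold
}

func main() {
	cfg, err := loadConfig(sampleConfig)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for domains read from the CertStream feed.
	for _, d := range []string{"paypal.sec-login.com", "paypa1.sec-login.com", "webmail.example.com", "secure-account-login.tk"} {
		if flagged(cfg, d) {
			fmt.Printf("%d\t%s\n", score(cfg, d), d)
		}
	}
}
```

Only the first, second and fourth constructed domains reach the threshold of 50; `webmail.example.com` scores 0 because `webmail` is stripped before the keyword pass.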