A comprehensive domain name fuzzing tool written in Rust for generating typosquatting variations used in cybersecurity research and defensive purposes.
DomFuzz generates domain name variations using advanced typosquatting techniques commonly employed in phishing campaigns and cybersquatting transformations. The tool implements transformations from leading domain fuzzing tools like URLCrazy, dnstwist, URLInsane, and DomainFuzz, providing comprehensive coverage of domain manipulation techniques.
- 15+ fuzzing transformations organized into logical groups
- Smart defaults using the
lookalikebundle (15 character-level visual similarity transformations) - Network status checking for domain availability
- Customizable output with variation limits
- Dictionary-based combosquatting with custom wordlists
- Unicode and international character support
- High performance Rust implementation with true streaming
git clone https://github.com/yourusername/domfuzz
cd domfuzz
cargo build --releasecargo run -- [OPTIONS] <DOMAIN>DomFuzz organizes its transformations into logical groups for easier usage:
For convenience, DomFuzz provides pre-configured bundles that group related transformations:
Character-level transformations that create visually similar domains
The lookalike bundle is the default transformation set, specifically designed to generate domains that can fool users through visual deception. This bundle combines the four most effective transformation types that attackers commonly use in phishing campaigns and typosquatting attacks.
The lookalike bundle includes:
Replaces letters with visually similar numbers and symbols using internet culture conventions:
- Core mappings: o→0 (most common), l→1, e→3, a→4, s→5, g→9, b→6, t→7, z→2
- Intelligence applied: Maximum 40% substitution, respects domain length, prioritizes high-impact changes
- Real examples: google.com → g00gle.com, g0ogle.com, goog1e.com, 9oogle.com
Comprehensive typing error simulation modeling natural user mistakes:
- Error types: Character deletion, insertion, transposition, substitution, vowel swapping
- Keyboard awareness: QWERTY-based adjacent key errors, frequency-weighted placement
- Real examples: google.com → googlle.com (insertion), gogle.com (deletion), googel.com (transposition)
Models accidental keypresses from imprecise typing or mobile input:
- Mechanisms: Character doubling, adjacent key insertion, multiple finger errors
- QWERTY modeling: Horizontal, vertical, and diagonal key adjacency
- Real examples: google.com → gooogle.com (doubling), googke.com (adjacent l→k)
Advanced Unicode homoglyph attacks using visually identical characters from different scripts. Enhanced with comprehensive character mappings based on IronGeek's homoglyph generator research:
- Extensive character coverage: 60+ Unicode characters per letter with mappings from Cyrillic, Greek, Latin Extended, Armenian, Cherokee, and other scripts
- Attack vectors: Single, double, and triple character substitutions with intelligent positioning
- Script mixing: Cyrillic (а, е, о, р), Greek (α, β, γ, δ), Fullwidth (a, b, c), Accented Latin (À, É, ü)
- Dangerous examples:
- google.com → gооgle.com (Cyrillic 'о' characters)
- amazon.com → аmazon.com (Cyrillic 'а')
- paypal.com → раypal.com (Cyrillic 'р')
- microsoft.com → microsοft.com (Greek 'ο')
- Technical sophistication: Punycode encoding creates valid IDN domains that appear identical in browsers
- Enhanced detection resistance: Multiple substitution combinations with realistic character distribution
- Real-world impact: Domains appear completely identical but resolve to attacker-controlled IPs
Usage:
# Use the complete lookalike bundle
cargo run -- -t lookalike google.com
# Combine bundle with individual transformations
cargo run -- -t lookalike,tld-variations example.com
# Lookalike bundle in single-transformation mode
cargo run -- -t lookalike -1 paypal.comThis bundle is particularly effective for:
- 🎯 Phishing detection - Identifies domains designed to fool users
- 🛡️ Brand protection - Comprehensive visual similarity coverage
- 🔍 Threat intelligence - Character-level domain mutations
- 📱 Mobile security - Targets small-screen typos and rendering issues
Hardware and system error transformations
The system-fault bundle includes transformations that simulate errors caused by hardware failures, memory corruption, or transmission errors:
Hardware/System Errors:
bitsquatting- Single bit-flip transformations
Usage:
# Use the system-fault bundle
cargo run -- -t system-fault google.com
# Combine with other bundles
cargo run -- -t lookalike,system-fault example.comThis bundle is particularly effective for:
- 🔧 Infrastructure testing - Identifies domains that could result from hardware errors
- 🛡️ DNS security - Tests resilience against bit-flip attacks
- 🔍 Attack simulation - Models sophisticated bitsquatting campaigns
- 📡 Network security - Simulates transmission corruption scenarios
Beyond the lookalike bundle, additional character-level techniques:
Simulates single bit-flip errors from hardware failures, memory corruption, or cosmic ray strikes:
- Mechanism: Flips individual bits in ASCII characters (8-bit representation)
- Examples: 'o' (0x6F) → 'g' (0x67), 'e' (0x65) → 'a' (0x61)
- Attack scenarios: Memory corruption, hardware failures, electromagnetic interference
- Real examples: google.com → gmogle.com, foogle.com (various bit-flips)
cargo run -- -t bitsquatting example.comSound and meaning-based transformations that exploit language patterns:
Replaces words with sound-alike alternatives having different spellings:
- Categories: Direct homophones (to/two), phonetic spelling (phone→fone), silent letters (know→no)
- Examples: paypal.com → paypall.com, security.com → sekurity.com
- Effectiveness: Targets non-native speakers, voice-to-text systems
Exploits semantic associations and business terminology confusion:
- Substitution types: Synonyms (secure→safe), industry terms (login→signin), concept overlap (mail→email)
- Psychology: Leverages mental associations, "close enough" feeling
- Examples: paypal.com → payfriend.com, microsoft.com → microsoftware.com
Converts between grammatical forms exploiting naming convention uncertainty:
- Patterns: Regular plurals (file→files), irregular (child→children), compound words
- Business impact: Many legitimate sites exist in both forms
- Examples: amazon.com → amazone-products.com, microsoft.com → microsoftservices.com
cargo run -- -t homophones,cognitive,singular-plural facebook.comExploits variations in numeric representation:
Converts between digits and written numbers:
- Bidirectional: 1↔one, 2↔two, 4↔four (including homophone 'for')
- Special contexts: Versioning (v1→vone), ranking (top5→topfive), quantities (buy2→buytwo)
- Examples: 1password.com → onepassword.com, 4chan.org → fourchan.org
Converts between numeric and written ordinal forms:
- Patterns: 1st↔first, 2nd↔second, 3rd↔third
- Business use: Priority services (1stchoice→firstchoice), sequences (2ndround→secondround)
- Examples: 21stcentury.com → twentyfirstcentury.com, 3rdpartysoftware.com → thirdpartysoftware.com
cargo run -- -t cardinal-substitution,ordinal-substitution first1.comDomain structure and format modifications:
Reorders components in compound domain names while maintaining brand elements:
- Patterns: Two-word reversal (mybank→bankmy), multi-word rotation, action-object swaps
- Psychology: Users focus on familiar words, not exact order
- Examples: paypalcredit.com → creditpaypal.com, microsoftoffice.com → officemicrosoft.com
Manipulates hyphen usage through insertion, removal, and substitution:
- Techniques: Hyphen insertion (google→goo-gle), removal (my-bank→mybank), character substitution (_→-)
- Effectiveness: Many legitimate sites exist with/without hyphens
- Examples: paypal.com → pay-pal.com, facebook.com → face-book.com
Strategic subdomain manipulation and dot placement:
- Dot insertion: g.oogle.com, goo.gle.com
- Dot omission: mail.google.com → mailgoogle.com
- Dot-hyphen substitution: sub.domain.com → sub-domain.com
cargo run -- -t word-swap,hyphenation,dot-insertion google.comHardware and system error transformations:
- Bitsquatting: Single bit-flip transformations simulating hardware memory errors, cosmic ray hits, or transmission corruption
cargo run -- -t system-fault example.comTLD manipulation and brand-based deception:
Alternative top-level domain substitutions:
- Common swaps: .com→.net/.org/.co/.io, country codes (.co.uk, .de, .fr)
- Examples: google.com → google.net, google.org, google.co
Combines target domains with common dictionary words for enhanced legitimacy:
- Word categories: Security (secure-, safe-), services (-support, -help), authority (official-, real-)
- Psychology: Creates perception of enhanced security or official relationship
- Examples: google.com → securegoogle.com, paypal.com → paypallogin.com
Adds brand-related terms to exploit trust in established names:
- Techniques: Authority prefixes (official-, verified-), service extensions (-support, -center)
- Examples: microsoft.com → officialmicrosoft.com, amazon.com → amazon-support.com
Common prefix and suffix additions:
- Prefixes: my-, the-, secure-, get-
- Suffixes: -app, -online, -secure, -official
- Examples: google.com → mygoogle.com, google-secure.com
cargo run -- -t tld-variations,combosquatting,brand-confusion amazon.com# Generate lookalike variations (default behavior - uses lookalike bundle)
cargo run -- example.com
# Explicitly specify lookalike bundle
cargo run -- -t lookalike example.com
# Use all transformations
cargo run -- -t all example.com
# Use specific transformations
cargo run -- -t char-sub,keyboard example.com
# Limit output and check status
cargo run -- --max-variations 50 --check-status example.com# Custom dictionary for combosquatting
cargo run -- --combosquatting --dictionary /path/to/wordlist.txt target.com
# Focus on international transformations
cargo run -- --cyrillic-comprehensive --idn-homograph --intl-tld example.com
# Phonetic and semantic transformations only
cargo run -- --homophones --cognitive --singular-plural rightmove.comComprehensive Visual Similarity Analysis:
# Use lookalike bundle for complete character-level coverage
cargo run -- -t lookalike --max-variations 100 --check-status google.comBanking/Finance Focus:
cargo run -- --brand-confusion --cognitive --homoglyphs paypal.comSocial Media Focus:
cargo run -- --cognitive --homophones --hyphenation facebook.comTechnology Company Focus:
cargo run -- --cyrillic-comprehensive --brand-confusion microsoft.comDomFuzz outputs generated domain variations in plain text format:
g0ogle.com
googel.com
google.net
secure-google.com
googlle.com
goоgle.com # Cyrillic 'о'
...
With status checking enabled:
g0ogle.com, available
googel.com, registered
google.net, parked
secure-google.com, available
...
o→0,l→1,i→1,e→3,a→@,s→$,g→9,b→6,t→7,z→2
Adjacent key mappings based on standard QWERTY layout for realistic typos.
Extensive Unicode character mappings including:
- Cyrillic:
а(U+0430) vsa(U+0061) - Greek:
α(U+03B1) vsa(U+0061) - Extended: Full Unicode homoglyph database
Common sound-alike word pairs:
right→write,ritesea→see,cwon→one,1to→two,too,2
DomFuzz is optimized for high performance:
- Fast generation: 1000s of variations per second
- Memory efficient: HashSet deduplication
- Concurrent network checks: Async domain status verification
- Scalable: Handles large domain lists efficiently
This tool is intended for:
- ✅ Defensive security research
- ✅ Domain monitoring and protection
- ✅ Threat intelligence analysis
- ✅ Educational purposes
Do not use for malicious activities. Users are responsible for compliance with applicable laws and ethical guidelines.
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License - see the LICENSE file for details.
- URLCrazy - Original Ruby implementation
- dnstwist - Python domain fuzzing tool
- URLInsane - Go domain fuzzing tool
- DomainFuzz - Python domain fuzzing tool
- IronGeek Homoglyph Attack Generator - Comprehensive homoglyph research and generator
- Unicode Homoglyph Research
See CHANGELOG.md for detailed version history and release notes.