URLCRAZY

Hey guys! Welcome to another tutorial! This tutorial will be on URLCrazy.

Overview
URLCrazy is a tool written by Andrew Horton. Its purpose is to generate and test domain typos, and variations to detect and perform typo squatting, URL Hijacking, phishing, and corporate espionage. What does that mean for us exactly?

There are two vantage points you can take when looking at the data URLCrazy provides:

1. Company’s point of view
URLCrazy will let you see if someone has registered a domain name that closely resembles your domain, and if these domains are in use, you can investigate how they’re being used. Some may be legitimate sites, while others may be scam sites. For example, say your company has an international presence, so one of your competitors in that country registers a domain using a typo for instance, and they use that domain name to maybe try and get email streams from your users. Maybe they target account executives, looking for pricing data that they then use against you during a bid on a project.

2. Attacker’s point of view
As a pentester, you could look at the domains generated, and if one isn’t in use, you could register that domain, and set up a phishing campaign to use against the target. An attacker could also set up a fake site that looks just like yours, and when a user visits the site, they get served some type of malware. Lots of possibilities here.

Now that we have an idea what we can use this tool for, let’s take a look at the options available, and get some hands on with it.

Options/Switches
First, to open URLCrazy in Kali, go to “Applications –> Information Gathering –> DNS Analysis –> urlcrazy”. When the terminal window opens, you’ll be presented with the list of options available to use.

urlc-help1

“-k” is used to change the keyboard layout. Using different layouts could give you a better view of typos that would occur in other countries, and how the bad guys may be generating domains there.

“-p”, or “popularity” option shows how often that particular domain spelling may show up in Google results, or how often someone searches for that specific spelling. You may want to verify this manually through Google.

“-r” causes urlcrazy to not resolve any domain names to IP addresses, therefore, only giving you a list of generated domains.

“-i” will show invalid domain names, such as invalid TLD’s

“-f” lets you specify the output type; there are 2 options here – human readable, and CSV; default is human readable

“-o” lets you create a file containing the results of your scan

Usage
Let’s go ahead, and start running through some scans.

1. Default Scan
Syntax: urlcrazy msn.com

urlc-defaultscan

You see that it uses the “qwerty” keyboard layout as the default, and it generated 51 domain names. It categorizes each type of typo that it checks for, shows the typo it generated, and shows if that domain name resolves to an IP address. If it does, it indicates that domain is in use, and should be investigated further.

2. Change Keyboard Layout
Syntax: urlcrazy -k azerty msn.com

urlc-keyboard1

Why would you use this option? The standard keyboard layout in the U.S. is “qwerty”. The other layouts are used in other countries, so the domain results may be a little different for each one.Looking through some of these results, it’s easy to see how someone might end up at one of these domains. Some of them could be the result of fat fingering the name while they’re typing. One example is here under the “Character Insertion” section – msnm.com. Notice that it resolves to an address in China. Could be a bit sketchy.

3. Don’t Resolve IP’s
Syntax: urlcrazy -r msn.com

urlc-noresolve

Now it doesn’t show any IP’s associated with the domain names. You should have also noticed how fast it returned the results. That’s because it wasn’t trying to resolve all these domain names.

4. Show Invalid Domains
Syntax: urlcrazy -i msn.com

urlc-invalidname

What makes these invalid is the TLD used.

5. Saving Results
Syntax: urlcrazy -o ~/Desktop/urlcrazy-human msn.com

urlc-output-human

Since “human readable” is the default output, we don’t need to specify it with the “-f” switch. We’ve set it to create a file called “urlcrazy-human”, and save it to the Desktop. Opening that file, you see the results saved neatly.

urlc-output-human-txt

Now we’ll specify the CSV format using the “-f” switch.

urlc-output-csv

Viewing that file shows the results in comma separated format.

urlc-output-csv-txt

Conclusion
I showed how each of the switches works individually, but you can use them together, depending on what you’re trying to do.

So, now that we’ve looked at how the tool works, let’s talk about what we can do with the data presented, and how to use it during a pen-test.

Say you’re a pentester, and you’ve been hired to do a test for xyz.com. After you’ve done some other DNS recon, you fire up urlcrazy, and run it using the “-p”, and “-i” switches. You find a domain that doesn’t appear to be in use, but the popularity value is pretty high. You register that domain name, and maybe even buy an SSL certificate to make it look more legit, set up a fake site at your domain that looks almost identical to the original site, then send a phishing email to the users at the target company. Knowing how people are, you’re going to get some responses, so you get some usernames and passwords, and you’re able to log in to the legitimate site as a valid user, then go from there to see if you can elevate privileges, and gain access to confidential data.

That’s just one scenario. That’s why I stress the importance of getting as much information as possible before you ever throw an exploit or some other kind of attack at your target. The more information you have, the better your chances are of exploiting the target.

I hope you enjoyed this tutorial, and found it useful. There’s a video version also available on my YouTube channel at RWBNETSEC.

Have an awesome day!

-Jason