12 Attack Modules

PunyPwn

Typosquatting·IDN Homograph·Bitsquatting·Domain Spoofing

Attack Modules

Module      Technique                        Example (google.com)
idn         Cyrillic homograph (Punycode)    xn--ggle-55da.com
homoglyph   ASCII visual lookalikes          goog1e.com
omission    Character removed                gogle.com
repetition  Character doubled                googgle.com
swap        Adjacent transposition           googel.com
insertion   Extra character                  googale.com
replace     QWERTY adjacent key              goofle.com
bitsquat    Single bit flip                  googlg.com
tld         TLD typos                        google.cm, .co, .con
hyphen      Hyphen insertion                 goo-gle.com
subdomain   Dot insertion                    g.oogle.com
vowelswap   Vowel substitution               googla.com

Terminal Demo

punypwn
# Full attack surface enumeration
$ python3 PunyPwn.py -d paypal.com --attack all --count
[*] Target: paypal.com
[*] Attacks: idn, homoglyph, omission, repetition, swap, insertion, replace, bitsquat, tld, hyphen, subdomain, vowelswap
idn          84
homoglyph     8
omission      6
repetition    6
swap          5
insertion   252
replace      18
bitsquat     31
tld           9
hyphen        5
subdomain     5
vowelswap     8
TOTAL       437
red team examples
# Targeted typo modules for phishing campaign
$ python3 PunyPwn.py -d microsoft.com --attack omission,swap,replace -o results.csv

# IDN-only, highest fidelity, export JSON
$ python3 PunyPwn.py -d paypal.com --attack idn --style very-realistic -o idn.json

# Pipe into DNS resolution check
$ python3 PunyPwn.py -d example.com --attack omission,tld -q | xargs -I{} dig +short {}

# Batch mode: multiple targets
$ python3 PunyPwn.py --batch targets.txt --attack all -o campaign.json

MITRE ATT&CK

T1566.002

Spearphishing Link - Homograph/typo domains in phishing emails

T1036

Masquerading - Domain spoofing at DNS/TLS layer

T1583.001

Acquire Infrastructure - Registration of generated candidates

T1598

Phishing for Information - Credential harvesting via clone sites

Detection

detection signatures
# Suricata / Snort - flag IDN Punycode queries
alert dns any any -> any 53 (msg:"IDN Punycode domain query"; dns.query; content:"xn--"; nocase; sid:9000001; rev:1;)

# Splunk - hunt xn-- resolutions
index=dns query="xn--*" | stats count by query, src_ip | sort -count
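The xn-- signatures above only catch the idn module (and the dns.query sticky buffer is Suricata syntax, not Snort's); the added detector below, which is not part of PunyPwn, decodes Punycode labels, maps confusable characters to an ASCII skeleton and scores each queried name against a watch list so that homoglyph, typo and TLD variants from the table are flagged as well. The log format, watch list and confusable table are constructed assumptions for the example.

```python
WATCHLIST = ("google.com", "paypal.com")  # constructed: the defender's protected domains
# Small confusable table: Cyrillic/Greek lookalikes plus ASCII digit tricks -> ASCII skeleton
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
               "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u03bf": "o", "1": "l", "0": "o", "rn": "m", "vv": "w"}

def decode_label(label):
    # A-label (xn--...) back to Unicode via the stdlib punycode codec; plain labels pass through
    return label[4:].encode("ascii").decode("punycode") if label.startswith("xn--") else label

def skeleton(name):
    # collapse visually confusable characters into their ASCII counterparts
    for src, dst in CONFUSABLES.items():
        name = name.replace(src, dst)
    return name

def osa_distance(a, b):
    # optimal string alignment distance: edits plus adjacent transpositions (the swap module)
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain):
    # (kind, watched_domain) for a lookalike; None for the genuine domain or an unrelated one
    labels = [decode_label(l) for l in domain.lower().rstrip(".").split(".")]
    *_, name, tld = [""] + labels  # naive registrable part: second-level label + TLD (padded for 1-label input)
    sk = skeleton(name)
    for watched in WATCHLIST:
        wname, wtld = watched.split(".")
        if name == wname:  # genuine domain, or the real name under a typo TLD (tld module)
            return None if tld == wtld else ("tld-variant", watched)
        if sk == wname and tld == wtld:  # idn and homoglyph modules
            return ("idn-homograph" if not name.isascii() else "homoglyph", watched)
        if tld == wtld and osa_distance(sk, wname) == 1:  # omission/repetition/swap/insertion/replace/bitsquat
            return ("typo", watched)
    return None

def scan_dns_log(lines):
    # constructed log format '<timestamp> <src_ip> <query>' -> list of (src_ip, query, kind, target)
    rows = [line.split() for line in lines if len(line.split()) == 3]
    return [(src, query) + verdict for _, src, query in rows if (verdict := classify(query))]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-05-01T10:00:01Z 10.0.0.5 xn--ggle-55da.com", "2024-05-01T10:00:02Z 10.0.0.5 goog1e.com",
    "2024-05-01T10:00:03Z 10.0.0.7 googel.com", "2024-05-01T10:00:04Z 10.0.0.7 google.cm",
    "2024-05-01T10:00:05Z 10.0.0.9 google.com", "2024-05-01T10:00:06Z 10.0.0.9 github.com"]
```

Running scan_dns_log(SAMPLE_LOG) flags the first four queries and leaves the genuine google.com and the unrelated github.com alone; widening CONFUSABLES or the watch list is where tuning happens in practice.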