{"id":21584010,"url":"https://github.com/glaubermagal/evilurl","last_synced_at":"2025-07-16T23:30:40.330Z","repository":{"id":216331081,"uuid":"741052584","full_name":"glaubermagal/evilurl","owner":"glaubermagal","description":"EvilURL is a cybersecurity tool designed to safeguard against IDN Homograph Attacks","archived":false,"fork":false,"pushed_at":"2024-11-16T16:13:03.000Z","size":223,"stargazers_count":15,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-16T16:18:40.207Z","etag":null,"topics":["antimalware","information-security","malware","network-security","phishing-protection","security-tools"],"latest_commit_sha":null,"homepage":"https://pypi.org/project/evilurl/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/glaubermagal.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-01-09T15:49:47.000Z","updated_at":"2024-11-16T15:11:22.000Z","dependencies_parsed_at":"2024-11-08T23:20:12.471Z","dependency_job_id":"6bb91710-1f42-469e-b3b6-4be4c04af897","html_url":"https://github.com/glaubermagal/evilurl","commit_stats":null,"previous_names":["glaubermagal/evilurl"],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glaubermagal%2Fevilurl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glaubermagal%2Fevilurl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glaubermagal%2Fevilurl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/glaubermagal%2Fevilurl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/glaubermagal","download_url":"https://codeload.github.com/glaubermagal/evilurl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226178438,"owners_count":17585959,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antimalware","information-security","malware","network-security","phishing-protection","security-tools"],"created_at":"2024-11-24T15:01:00.972Z","updated_at":"2024-11-24T15:01:52.925Z","avatar_url":"https://github.com/glaubermagal.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"# EvilURL\n\n```bash\nevilurl git:(main) ✗ evilurl github.com\n\n ██████████ █████   █████ █████ █████          █████  █████ ███████████   █████\n░░███░░░░░█░░███   ░░███ ░░███ ░░███          ░░███  ░░███ ░░███░░░░░███ ░░███\n ░███  █ ░  ░███    ░███  ░███  ░███           ░███   ░███  ░███    ░███  ░███\n ░██████    ░███    ░███  ░███  ░███           ░███   ░███  ░██████████   ░███\n ░███░░█    ░░███   ███   ░███  ░███           ░███   ░███  ░███░░░░░███  ░███\n ░███ ░   █  ░░░█████░    ░███  ░███      █    ░███   ░███  ░███    ░███  ░███      █\n ██████████    ░░███      █████ ███████████    ░░████████   █████   █████ ███████████\n░░░░░░░░░░      ░░░      ░░░░░ ░░░░░░░░░░░      ░░░░░░░░   ░░░░░   ░░░░░ ░░░░░░░░░░░\n\n[ by @glaubermagal – https://github.com/glaubermagal/evilurl]\n\n[*] Domain: github.com\n[*] Homograph characters used: ['һ', 'ƍ', 'ᴛ', 'ս', 'і', 'ᖯ', 'ɡ']\n+--------------------+-------------------+----------------+---------+---------------------------------+\n| homograph_domain   | punycode          | dns            | mixed   | combinations                    |\n+====================+===================+================+=========+=================================+\n| ɡithub.com         | xn--ithub-qmc.com | 107.189.22.234 | YES     | ɡ → LATIN SMALL LETTER SCRIPT G |\n+--------------------+-------------------+----------------+---------+---------------------------------+\n```\n\n## Overview\n\nEvilURL is a Python tool designed to analyze and identify potential Internationalized Domain Name (IDN) homograph attacks. These attacks exploit the visual similarity of characters from different Unicode scripts to create deceptive domain names for phishing and other malicious purposes. EvilURL helps assess the vulnerability of domains to these attacks.\n\n## Motivation\n\nThis project aims to raise awareness about the security risks of IDN homograph attacks. By identifying visually similar characters, EvilURL helps users and security professionals understand these vulnerabilities and improve protection against phishing and other cyber threats.\n\n## Installation\n\n1. Clone the repository: `git clone https://github.com/glaubermagal/evilurl.git`\n1. Navigate to the project directory: `cd evilurl`\n1. Create a virtual environment: python3 -m venv .venv\n1. Activate the virtual environment: `source .venv/bin/activate` (Linux/macOS) or `.venv\\Scripts\\activate` (Windows)\n1. Install dependencies: `pip install -r requirements.txt`\n1. Install EvilURL: `pip install .` (for local development) or `pip install evilurl` (once published on PyPI)\n\n## Unit Tests\n\nRun unit tests with:\n\n```bash\npython -m unittest tests/tests.py\n```\n\n## Usage\n\n```\nevilurl [OPTIONS] DOMAIN|FILE\n\nOptions:\n  -f, --file FILE       Path to a file containing a list of domains.\n  --domains-only        Output only the generated homograph domains.\n  --log-full           Output all generated domains, including unregistered ones.\n  --json               Output results in JSON format.\n  --mixed-only         Output only mixed-script domains (those using characters from multiple scripts).\n  --help                Show this message and exit.\n```\n\n**Examples:**\n```\nevilurl github.com                # Analyze github.com\nevilurl example.com --domains-only # Show only homograph domains for example.com\nevilurl example.org --log-full      # Show all generated domains for example.org, including unregistered\nevilurl -f domains.txt             # Analyze domains from a file\nevilurl example.net --json          # Output results in JSON format\nevilurl microsoft.com --mixed-only   # Show only mixed-script domains for microsoft.com\nevilurl apple.com                 # Analyze apple.com, showing DNS resolution results and character mapping\n```\n\n## Unicode Combinations\n\nThe tool considers various Unicode combinations for visually similar characters, including Cyrillic, Greek, and Armenian characters. The combinations are defined in the tool to assist in the identification of potential homograph attacks.\n\nIn the output, \"MIXED NO\" indicates that the domain uses a single character family and is typically eligible for registration with most registrars.\n\n## Disclaimer\n\nThis tool is intended for ethical hacking purposes only.\n\n## How It Works\n\n1. Extracting the domain parts.\n2. Generating variations using visually similar Unicode characters (defined in `unicode_combinations.json`).\n3. Constructing potential homograph domains and checking DNS records.\n4. Presenting results with punycode, DNS status, mixed-script indicators, and character mappings.\n\n\n## Identifying and Blocking Malicious Domains\n\nEvilURL helps you proactively identify potentially malicious domains that leverage IDN homograph attacks.  You can generate a list of possible homograph variations for a given domain using the `--domains-only` option:\n\n```bash\nevilurl example.com --domains-only\n```\n\nCarefully examine the output. Research each generated domain (e.g., using WHOIS lookups, DNS analysis) to determine if it's being used for malicious purposes (phishing, malware distribution, etc.).\n\nIf you discover malicious homograph domains, you can compile them into a blocklist file. For example, to create a blocklist for `example.com`, redirect the output of evilurl to a file:\n\n```\nevilurl example.com --domains-only \u003e blocklist/example.com\n```\n\nThis will create (or overwrite) a file named `example.com` within the `blocklist` directory, containing the list of generated homograph domains. You can then use this blocklist with other security tools or systems to prevent access to these potentially harmful domains. (Note: You may need to create the `blocklist` directory if it doesn't already exist).\n\nWhile EvilURL doesn't have built-in blocklist functionality, generating these lists can be a valuable first step in mitigating homograph attack risks. You can share identified malicious domains with other security researchers or contribute to community-maintained blocklists such as:\n\n- https://github.com/mypdns/matrix\n- https://github.com/mitchellkrogza/phishing\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fglaubermagal%2Fevilurl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fglaubermagal%2Fevilurl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fglaubermagal%2Fevilurl/lists"}