CATPHISH – Phishing and Corporate Espionage

CATPHISH is a tool to generate similar-looking domains for phishing attacks. The program will check expired domains and if they are categorized by office gateway and proxy which may allow penetration tester to evade proxy categorization. Normally attacker will register and use whitelisted domains for C2 servers.

Supported algorithms with this tool are:

  • SingularOrPluralise
  • prependOrAppend
  • doubleExtensions
  • mirrorization
  • homoglyphs
  • dashOmission
  • Punycode

This tool will be useful during a redteam engagement to automate online search for expired domains using and BlueCoat. penetration tester may add more features and sources according to his need and requirements.

This can be one tool in the penetration testing toolkit together with DomainHunter which Perform reputation checks against the Symantec WebPulse Site Review (BlueCoat), IBM x-Force, Cisco Talos, Google SafeBrowsing, and PhishTank services. Running several tools and programs will allow to get different information that will automate detecting gaps and security vulnerabilities.


Running the tool:

catphish.rb [global options] COMMAND [command options]


  generate                    Generate domains
  expired                     Find available expired domains

Additional help
  catphish.rb COMMAND -h

Global Options
  -l, --logo, --no-logo                      ASCII art banner
                                             (default: true)
  -c, --column-header, --no-column-header    Header for each column
                                             of the output (default:
  -D, --Domain=<s>                           Target domain to analyze
  -V, --Verbose                              Show all domains,
                                             including non-available
  -h, --help                                 Show this message

Generate all type:

catphish.rb -D DOMAIN generate -A

Check available expired domains:

catphish.rb -D DOMAIN expired

Check against a specific domain for categorization status:

catphish.rb -D DOMAIN expired -c

Check all available expired domains against a specific vendor

catphish.rb -D DOMAIN expired -p PROXY_TYPE


You can also run the tool with Docker! This lets you try it out without any of the required dependencies (ruby), except Docker itself. This presumes that you have the docker daemon installed. If not, see Docker’s documentation.

First, build the container

$ cd path/to/repository

# Generate a tag so we know how to find the container later to run it. You can use anything (latest is common);
# here the git hash is used.
$ TAG=$(git rev-parse --short HEAD)

# Run the build
$ docker build --tag "catphish:${TAG}" .

# Eventually docker will print something like:
#   Successfully built 8f0b8bfe0c41
#   Successfully tagged catphish:f947517

Perfect! Now, you can execute catphish via Docker:

$ docker run 
Hidden Eye – Modern Phishing Tool With Advanced Functionality 

In Action

You can read more and download this tool over here:

You may also like...