Matthew McCorkle

Day 19 - URLcrazy - 100 tools in 100 days!

1 . Introduction
2 . My Setup
3 . What is URLcrazy?
4 . Why use URLcrazy?
5 . How to use URLcrazy?
6 . Summary


This post is designed to introduce you to the tool URLcrazy.

Disclaimer: Please only use URLcrazy for professional and educational reasons. Do not use this tool for nefarious or malicious reasons.


1. Introduction

Welcome to the nineteenth blog post of 100 tools in 100 days.

Find URLcrazy here.


2. My Setup

For running the URLcrazy tool, I used Kali Linux in a VMware Workstation 16 Player virtualized environment.


3. What is URLcrazy?

Have you ever mistyped a URL and ended up at a totally different address? or perhaps, the mistype redirected you to the correct URL? Mistyped URLs are a common vector of attack that malicious actors use to target innocent users.

URLcrazy is a tool that allows the generation of typos on a set domain to test for typo squatting (what I described above), URL hijacking, phishing, and espionage.


4. Why use URLcrazy?

A penetration tester may use URLcrazy to create a domain that closely resembles the correct URL to attempt phishing attacks against the target.

An organization may purchase mistyped domains to ensure hijackers and malicious actors do not buy that URL for future attacks.


5. How to use URLcrazy?

Step 1:
To access the URLcrazy help menu type:

urlcrazy --help


Step 2:
Using URLcrazy is easy, I used example.com to find closely typed websites. I used the following command:

urlcrazy example.com


The results found show that many of the closely related examples are already registered and owned.


6. Summary

URLcrazy allows a user to search for mistyped URLs and determines if they are registered or not.

This is effective for many reasons such as protecting corporate domains from domain hijackers by registering the mistyped options before attackers do.

Additionally, a penetration tester may use URLcrazy to attempt phishing attacks against targets.

I hope you enjoyed learning about URLcrazy and can use it to find some mistyped domains that are important to you. Next time you type googl.com be thankful Google also owns that domain and not some malicious actors!

Thanks for reading!

If you have suggestions for what tool to cover next, contact me!