// the find
evilsocket/ditto
A tool for IDN homograph attacks and detection.
Ditto generates Unicode homograph variants of a domain name — think 'pаypal.com' with a Cyrillic 'а' — and checks which variants are registered or resolving. It's a defensive security tool for brand protection teams and penetration testers who need to audit what squatted lookalike domains already exist against their domain.
Concurrent WHOIS checking with configurable worker count is practical for scanning large variant sets without writing your own threading. The monitor mode with -trigger hooks is the most useful feature here — you can wire it straight into alerting and get notified when a new homograph domain goes live. CSV output with full WHOIS data makes it easy to feed results into a spreadsheet or SIEM without post-processing. The TLD sweep mode is a nice addition that the README buries — checking facebook.io, facebook.co, etc. alongside unicode variants covers the non-unicode squatting case too.
Last commit was February 2021, five years ago — Unicode homograph tables and WHOIS server behavior both drift over time, and there's no sign anyone is maintaining the character substitution dictionary. The WHOIS approach is inherently fragile: rate limiting bans are a documented risk in the README itself, and many registrars have moved to RDAP, which this tool doesn't use. No test coverage visible in the tree — for a security tool where false negatives (missing a registered homograph) matter, that's a problem. The character substitution dictionary in dict.go is a static list; there's no way to extend or customize it without forking, which limits usefulness for non-Latin scripts beyond what the author originally mapped.