Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

lookalike-domain

Sterne4.445

Forks878

Aktualisiert8. Juni 2026 um 07:58

Register and provision a lookalike / Punycode phishing domain with DNS and TLS so GoPhish and evilginx2 lures resolve and pass modern mail + browser checks.

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

PurpleAILAB

PurpleAILAB/Decepticon

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

Verwandte BerufeSOC

Basierend auf der SOC-Berufsklassifikation

InformationssicherheitsanalystenInformatik- und Mathematikberufe·SOC 15-1212

SKILL.md

readonly

name	lookalike-domain
description	Register and provision a lookalike / Punycode phishing domain with DNS and TLS so GoPhish and evilginx2 lures resolve and pass modern mail + browser checks.
metadata	{"subdomain":"phishing","when_to_use":"lookalike domain, punycode, typosquat domain, idn homograph, phishing infrastructure, dns spf dkim dmarc, tls acme for lure","mitre_attack":["T1583.001","T1566","T1656"],"tags":["phishing","infrastructure","domain","dns"]}

Lookalike Domain

The lure link's domain must look plausible and pass SPF/DKIM/DMARC or modern inboxes drop the mail and browsers flag the page. This skill stands up the domain that gophish-campaign and evilginx2-proxy sit behind.

Choose the name

Combosquat / lookalike: acme-portal.example, login-acme.example, acme-sso.example (a real word the victim associates with the brand). Prefer this over raw typos.
IDN homograph (Punycode): visually-similar Unicode characters (аcme.example with a Cyrillic а → xn--cme-8cd.example). Use only when the RoE allows and the mail path won't strip it.

python3 - <<'PY'
import idna
print(idna.encode("аcme.example").decode())   # punycode (xn--...)
PY

NEVER pick a name confusable with a DIFFERENT customer's brand (plan/roe.json scope only).

DNS

A     @            <sandbox-ip>
A     login        <sandbox-ip>
MX    @            10 mail.<lookalike>.
TXT   @            "v=spf1 a mx ip4:<sandbox-ip> -all"
TXT   default._domainkey  "v=DKIM1; k=rsa; p=<pubkey>"
TXT   _dmarc       "v=DMARC1; p=none; rua=mailto:dmarc@<lookalike>"

For evilginx2, delegate NS to the sandbox so it can answer ACME challenges itself.

TLS

acme.sh --issue --standalone -d login.acme-portal.example
# or let evilginx2 manage Let's Encrypt automatically

Verify before sending

dig +short login.acme-portal.example
# check SPF/DKIM/DMARC alignment with a test send to a controlled box
swaks --to test@controlled.example --from it@acme-portal.example --server localhost

Evidence

Record the domain, registration date, and DNS records in plan/phisher/infrastructure.md; this feeds the mandatory lure-deconfliction handshake payload (the blue team needs the lure domain + registration date). Create an Infrastructure node in the knowledge graph.

Failsafe

On stop, dns_failover_to_safe: repoint the domain to a static "authorized security test — contact your security team" page within 5 minutes.

Mehr aus diesem Repository

gleiches Repository

decepticon

PurpleAILAB/Decepticon

Drive Decepticon — an autonomous multi-agent red-team framework — over MCP to run authorized penetration tests and bug-bounty engagements end to end, then watch and steer them live from chat. Launch an engagement against a target, poll its transcript to narrate progress, send messages to refocus it, and pull findings as SARIF. Use when the user asks to run a pentest/red-team engagement, hunt a bug bounty, do recon, exploit/scan a host, web app, API, network, cloud, Active Directory, mobile app, or smart contract WITH Decepticon — or to check/resume a running engagement or report what Decepticon found. Triggers: run a decepticon engagement, pentest this with decepticon, bug bounty, recon this target, red team this, scan this host, resume the engagement, what did decepticon find, decepticon status. Do NOT use for ad-hoc local tool runs (running nmap/sqlmap/ffuf directly) when no Decepticon server is involved — this drives the Decepticon orchestrator, not raw tools.

2026-06-164.4k

iot-security

PurpleAILAB/Decepticon

IoT device security reconnaissance — firmware extraction, embedded analysis, protocol identification, default credential checking, vulnerability scanning, device fingerprinting.

2026-06-154.4k

mobile-security

PurpleAILAB/Decepticon

Mobile application security reconnaissance — APK/IPA analysis, permission enumeration, certificate validation, hardcoded secret detection, insecure storage identification, network security analysis.

2026-06-154.4k

wireless-security

PurpleAILAB/Decepticon

Wireless network security reconnaissance — WiFi analysis, Bluetooth assessment, RFID/NFC evaluation, signal capture, protocol analysis, encryption testing, rogue device detection.

2026-06-154.4k

finding-protocol

PurpleAILAB/Decepticon

Operational-tier finding template — minimal fields for sub-agent decision support. Heavyweight deliverable promotion lives in skills/decepticon/final-report.

2026-06-124.4k

engagement-lifecycle

PurpleAILAB/Decepticon

Red team engagement lifecycle management — initiation, phase transitions, go/no-go gates, deconfliction, emergency procedures, completion.

2026-06-124.4k

Lookalike Domain

Choose the name

Combosquat / lookalike: acme-portal.example, login-acme.example, acme-sso.example (a real word the victim associates with the brand). Prefer this over raw typos.

IDN homograph (Punycode): visually-similar Unicode characters (аcme.example with a Cyrillic а → xn--cme-8cd.example). Use only when the RoE allows and the mail path won't strip it.

python3 - <<'PY' import idna print(idna.encode("аcme.example").decode()) # punycode (xn--...) PY

NEVER pick a name confusable with a DIFFERENT customer's brand (plan/roe.json scope only).

DNS

A @ <sandbox-ip> A login <sandbox-ip> MX @ 10 mail.<lookalike>. TXT @ "v=spf1 a mx ip4:<sandbox-ip> -all" TXT default._domainkey "v=DKIM1; k=rsa; p=<pubkey>" TXT _dmarc "v=DMARC1; p=none; rua=mailto:dmarc@<lookalike>"

For evilginx2, delegate NS to the sandbox so it can answer ACME challenges itself.

TLS

acme.sh --issue --standalone -d login.acme-portal.example # or let evilginx2 manage Let's Encrypt automatically

Verify before sending

dig +short login.acme-portal.example # check SPF/DKIM/DMARC alignment with a test send to a controlled box swaks --to test@controlled.example --from it@acme-portal.example --server localhost

Evidence

Failsafe

On stop, dns_failover_to_safe: repoint the domain to a static "authorized security test — contact your security team" page within 5 minutes.