JSON export
The following contains explanations of each field in the JSON output generated by the Lookup and NXDOMAIN tools, as well as some examples of how this output can be used in practice.
Schema
The output contains detailed information on analyzed domains, including typosquatted permutations, IP data, classifications, and more.
domain
type: string
Required
The typosquatted or analyzed domain
Example
exaample.com
permutation
type: string
Required
Describes the method used to generate the domain permutation.
Permutation | Description | Example |
---|---|---|
Addition | Adds an extra character to the end of a domain name | examplez.com |
Bitsquatting | Exploits binary similarities between characters | examp1e.com |
DoubleVowelInsertion | Adds characters between vowel pairs | exaample.com |
Homoglyph | Substitutes visually similar characters | еxample.com (Cyrillic е) |
Hyphenation | Inserts hyphens into the domain | exam-ple.com |
Insertion | Adds a character at the start of the domain | zexample.com |
Keyword | Adds commonly associated keywords | secureexample.com |
Mapped | Maps certain letters to predefined substitutions | exannple.com |
Omission | Removes a character from the domain | examle.com |
Repetition | Duplicates characters in the domain | exampplle.com |
Replacement | Substitutes characters in the domain | exemple.com |
Subdomain | Uses subdomains to mimic legitimate domains | login.example.com |
Tld | Replaces the top-level domain (TLD) | example.org |
Transposition | Swaps character positions | eaxmple.com |
VowelSwap | Swaps vowels in the domain name | ixample.com |
distance
type: integer
Required
The Levenshtein distance between the original domain and the typosquatted domain, measuring the number of edits needed to transform one string into the other.
Example
7
ips
type: object
Optional
An object containing a map of IP addresses to associated IP address data.
ips.<ip>.ip
type: string
Optional
The IP address associated with the domain.
Example
3.33.130.190
ips.<ip>.asn
type: object
Optional
An object containing the following properties.
number
type: integer
The ASN (Autonomous System Number) for the IP.
Example: 10732
organization
type: string
The organization associated with the ASN.
Example: AMAZON-02
ips.<ip>.country
type: object
Optional
An object containing the following properties.
continent
type: string
The continent code of the IP’s location (ISO 3166-1 alpha-2).
Example: NA (North America)
iso_code
type: string
The country code of the IP’s location (ISO 3166-1 alpha-2).
Example: US (United States)
httpBanner
type: string
Optional
The HTTP banner grabbed from the domain, providing details about the web server or service running on it (if available).
Example
Apache/2.4.46 (Unix)
classification
type: object
Optional
An object containing the following properties.
legitimate
type: number
Optional
A value between 0.0 and 1.0 representing the likelihood the domain is legitimate.
Example
0.9 (95% likely to be legitimate)
parked
type: number
Optional
A value between 0.0 and 1.0 representing the likelihood the domain is parked.
Example
0.05 (5% likely to be parked)
phishing
type: number
Optional
A value between 0.0 and 1.0 representing the likelihood the domain is used for phishing.
Example
0.05 (5% likely to be a phishing domain)
whois
type: string|object
Optional
Contains RDAP JSON data (of type object) or WHOIS data (of type string) retrieved for the domain. This may include details such as registration status, expiration dates, and ownership information.
Example
```json
{
  "objectClassName": "domain",
  "handle": "2336799_DOMAIN_COM-VRSN",
  "ldhName": "EXAMPLE.COM",
  "links": [
    {
      "value": "https://rdap.verisign.com/com/v1/domain/EXAMPLE.COM",
      "rel": "self",
      "href": "https://rdap.verisign.com/com/v1/domain/EXAMPLE.COM",
      "type": "application/rdap+json"
    }
  ],
  "status": [
    "client delete prohibited",
    "client transfer prohibited",
    "client update prohibited"
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "376",
      "roles": ["registrar"],
      "publicIds": [
        { "type": "IANA Registrar ID", "identifier": "376" }
      ],
      "vcardArray": [
        "vcard",
        [
          ["version", {}, "text", "4.0"],
          ["fn", {}, "text", "RESERVED-Internet Assigned Numbers Authority"]
        ]
      ],
      "entities": [
        {
          "objectClassName": "entity",
          "roles": ["abuse"],
          "vcardArray": [
            "vcard",
            [
              ["version", {}, "text", "4.0"],
              ["fn", {}, "text", ""],
              ["tel", { "type": "voice" }, "uri", ""],
              ["email", {}, "text", ""]
            ]
          ]
        }
      ]
    }
  ],
  "events": [
    { "eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z" },
    { "eventAction": "expiration", "eventDate": "2025-08-13T04:00:00Z" },
    { "eventAction": "last changed", "eventDate": "2024-08-14T07:01:34Z" },
    { "eventAction": "last update of RDAP database", "eventDate": "2024-11-25T21:05:46Z" }
  ],
  "secureDNS": {
    "delegationSigned": true,
    "dsData": [
      {
        "keyTag": 370,
        "algorithm": 13,
        "digestType": 2,
        "digest": "BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A86764247C"
      }
    ]
  },
  "nameservers": [
    { "objectClassName": "nameserver", "ldhName": "A.IANA-SERVERS.NET" },
    { "objectClassName": "nameserver", "ldhName": "B.IANA-SERVERS.NET" }
  ],
  "rdapConformance": [
    "rdap_level_0",
    "icann_rdap_technical_implementation_guide_0",
    "icann_rdap_response_profile_0"
  ],
  "notices": [
    {
      "title": "Terms of Use",
      "description": ["Service subject to Terms of Use."],
      "links": [
        {
          "href": "https://www.verisign.com/domain-names/registration-data-access-protocol/terms-service/index.xhtml",
          "type": "text/html"
        }
      ]
    },
    {
      "title": "Status Codes",
      "description": ["For more information on domain status codes, please visit https://icann.org/epp"],
      "links": [{ "href": "https://icann.org/epp", "type": "text/html" }]
    },
    {
      "title": "RDDS Inaccuracy Complaint Form",
      "description": ["URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf"],
      "links": [{ "href": "https://icann.org/wicf", "type": "text/html" }]
    }
  ]
}
```
```text
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2024-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 370 13 2 BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A86764247C
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
```
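Because whois can arrive as either an RDAP object or a raw WHOIS string, a consumer has to normalize it before using registration age as a triage signal. The following is an added example, not code from the original page; the function names, the 30-day window and the sample records are assumptions, and the WHOIS branch relies on the "Creation Date:" label used in the example above (other registries may label it differently).

```python
from datetime import datetime, timezone
import re

# Constructed records shaped like the export: RDAP object, WHOIS string, no whois at all.
RECORDS = [
    {"domain": "exaample.com", "whois": {"events": [
        {"eventAction": "registration", "eventDate": "2024-11-20T04:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2025-11-20T04:00:00Z"}]}},
    {"domain": "examle.com",
     "whois": "Domain Name: EXAMLE.COM\nCreation Date: 1995-08-14T04:00:00Z\n"},
    {"domain": "exam-ple.com"},
]

def parse_ts(ts):
    """Parse an ISO 8601 timestamp, treating a missing offset as UTC; None if unparsable."""
    try:
        dt = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def registered_at(whois):
    """Registration time from the whois field: RDAP object, WHOIS string, or missing."""
    if isinstance(whois, dict):  # RDAP: take the "registration" event
        for ev in whois.get("events") or []:
            if ev.get("eventAction") == "registration":
                return parse_ts(ev.get("eventDate") or "")
    elif isinstance(whois, str):  # WHOIS text: "Creation Date:" line
        m = re.search(r"^\s*Creation Date:\s*(\S+)", whois, re.I | re.M)
        if m:
            return parse_ts(m.group(1))
    return None

def recently_registered(records, now, max_age_days=30):
    """Split domains into those registered within max_age_days and those with no usable date."""
    recent, unknown = [], []
    for rec in records:
        created = registered_at(rec.get("whois"))
        if created is None:
            unknown.append(rec["domain"])
        elif (now - created).days <= max_age_days:
            recent.append(rec["domain"])
    return recent, unknown

if __name__ == "__main__":
    print(recently_registered(RECORDS, datetime(2024, 12, 1, tzinfo=timezone.utc)))
```

Domains in the unknown list are worth reviewing separately rather than treating as old, since a missing date says nothing about age.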
JSON Schema
The following is a JSON schema representation of the JSON export produced by Have I Been Squatted.
```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "domain": { "type": "string" },
      "permutation": {
        "type": "string",
        "enum": [
          "Addition",
          "Bitsquatting",
          "DoubleVowelInsertion",
          "Homoglyph",
          "Hyphenation",
          "Insertion",
          "Keyword",
          "Mapped",
          "Omission",
          "Repetition",
          "Replacement",
          "Subdomain",
          "Tld",
          "Transposition",
          "VowelSwap"
        ]
      },
      "distance": { "type": "integer" },
      "ips": {
        "type": "object",
        "properties": {
          "ip": { "type": "string" },
          "asn": {
            "type": "object",
            "properties": {
              "number": { "type": "integer" },
              "organization": { "type": "string" }
            }
          },
          "country": {
            "type": "object",
            "properties": {
              "continent": { "type": "string", "minLength": 2, "maxLength": 2, "pattern": "^[A-Z]{2}$" },
              "iso_code": { "type": "string", "minLength": 2, "maxLength": 2, "pattern": "^[A-Z]{2}$" }
            }
          }
        }
      },
      "whois": { "oneOf": [ { "type": "string" }, { "type": "object" } ] },
      "classification": {
        "type": "object",
        "properties": {
          "legitimate": { "type": "number" },
          "parked": { "type": "number" },
          "phishing": { "type": "number" }
        },
        "required": ["legitimate", "parked", "phishing"]
      },
      "httpBanner": { "type": "string" },
      "screenshot": { "type": "string" },
      "simhashDistance": { "type": "integer" }
    },
    "required": ["domain", "permutation"]
  }
}
```
jq examples
The following are a few examples of how you can use the Have I Been Squatted JSON output data with jq.
Extract all domains
Extract a list of all domains.
jq '.[].domain' example.com-lookup.json
Extract IP addresses with ASN Numbers
Extract each IP address and its corresponding ASN number. Because ips is optional, the ? after .ips[] skips records that have none instead of failing.
jq '.[] | .ips[]? | {ip: .ip, asn: .asn.number}' example.com-lookup.json
Find domains classified as likely phishing
Filter domains with a phishing score above 0.6.
jq '.[] | select(.classification.phishing > 0.6) | .domain' example.com-lookup.json
Extract classification for each domain
Retrieve the classification scores for each domain, filtering out any results without classification information.
jq '.[] | select(.classification != null) | {domain: .domain, classification: .classification}' example.com-lookup.json
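Going one step beyond the jq filters above, the following added example (not part of the original page) turns an export into a watchlist for matching against DNS or proxy logs. It assumes the domain field may carry the Unicode form of a homoglyph domain, as in the permutation table, and converts it to the ASCII (punycode) form that resolvers log; the function names, the sample export and the 0.6 threshold reuse are assumptions.

```python
import json

# Constructed export: a Cyrillic "е" (U+0435) homoglyph, a record with only the
# required fields, and a low-scoring record.
EXPORT = json.dumps([
    {"domain": "\u0435xample.com", "permutation": "Homoglyph", "distance": 1,
     "ips": {"192.0.2.1": {"ip": "192.0.2.1",
                           "asn": {"number": 64500, "organization": "EXAMPLE-ORG"}}},
     "classification": {"legitimate": 0.1, "parked": 0.1, "phishing": 0.8}},
    {"domain": "examle.com", "permutation": "Omission", "distance": 1},
    {"domain": "example.org", "permutation": "Tld", "distance": 3,
     "classification": {"legitimate": 0.9, "parked": 0.05, "phishing": 0.05}},
])

def log_form(domain):
    """ASCII (punycode) name as it appears in DNS and proxy logs; None if not encodable."""
    try:
        return domain.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None

def watchlist(export_json, threshold=0.6):
    """Rows for domains with a phishing score above threshold, highest score first."""
    rows = []
    for rec in json.loads(export_json):
        score = (rec.get("classification") or {}).get("phishing")
        if score is None or score <= threshold:
            continue  # unclassified records drop out, as with the jq select()
        ips = rec.get("ips") or {}
        rows.append({
            "domain": rec["domain"],
            "log_form": log_form(rec["domain"]),
            "permutation": rec["permutation"],
            "phishing": score,
            "ips": sorted(ips),
            "asns": sorted({d["asn"]["number"] for d in ips.values() if d.get("asn")}),
        })
    return sorted(rows, key=lambda r: r["phishing"], reverse=True)

if __name__ == "__main__":
    for row in watchlist(EXPORT):
        print(row)
```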
Code examples
These code examples parse the Have I Been Squatted JSON output data describing typosquatted domain analysis results, convert the JSON string into structured data, and print the resulting data structure.
```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Union
import json


@dataclass
class ASN:
    number: int
    organization: str


@dataclass
class Country:
    continent: str
    iso_code: str


@dataclass
class IP:
    ip: str
    asn: Optional[ASN] = None          # optional in the schema
    country: Optional[Country] = None  # optional in the schema


@dataclass
class Classification:
    legitimate: float
    parked: float
    phishing: float


@dataclass
class Record:
    domain: str
    permutation: str
    distance: Optional[int] = None
    ips: Optional[Dict[str, IP]] = field(default_factory=dict)
    whois: Optional[Union[str, dict]] = None  # RDAP object or WHOIS string
    classification: Optional[Classification] = None
    httpBanner: Optional[str] = None
    screenshot: Optional[str] = None
    simhashDistance: Optional[int] = None


def main():
    output = """
    [
      {
        "domain": "example.com",
        "permutation": "Homoglyph",
        "distance": 1,
        "ips": {
          "192.0.2.1": {
            "ip": "192.0.2.1",
            "asn": { "number": 64500, "organization": "EXAMPLE-ORG" },
            "country": { "continent": "NA", "iso_code": "US" }
          }
        },
        "whois": { "rdapConformance": [ "rdap_level_0" ] },
        "classification": { "legitimate": 0.95, "parked": 0.05, "phishing": 0.0 },
        "httpBanner": "Apache/2.4.41 (Unix)",
        "screenshot": "https://screenshots.haveibeensquatted.com/1234567890",
        "simhashDistance": 42
      }
    ]
    """

    data = json.loads(output)
    records = [
        Record(
            domain=item["domain"],
            permutation=item["permutation"],
            distance=item.get("distance"),
            # ips maps each IP address to its data; nested objects may be absent
            ips={
                key: IP(
                    ip=value.get("ip", key),
                    asn=ASN(**value["asn"]) if "asn" in value else None,
                    country=Country(**value["country"]) if "country" in value else None,
                )
                for key, value in item.get("ips", {}).items()
            },
            whois=item.get("whois"),
            classification=(
                Classification(**item["classification"])
                if "classification" in item
                else None
            ),
            httpBanner=item.get("httpBanner"),
            screenshot=item.get("screenshot"),
            simhashDistance=item.get("simhashDistance"),
        )
        for item in data
    ]

    for record in records:
        print(record)


if __name__ == "__main__":
    main()
```
```javascript
// Record class representing a domain analysis result
class Record {
  constructor(data) {
    this.domain = data.domain;
    this.permutation = data.permutation;
    this.distance = data.distance;
    this.ips = data.ips;
    this.whois = data.whois;
    this.classification = data.classification;
    this.httpBanner = data.httpBanner;
    this.screenshot = data.screenshot;
    this.simhashDistance = data.simhashDistance;
  }
}

// Example usage
const output = `[
  {
    "domain": "example.com",
    "permutation": "Homoglyph",
    "distance": 1,
    "ips": {
      "192.0.2.1": {
        "ip": "192.0.2.1",
        "asn": { "number": 64500, "organization": "EXAMPLE-ORG" },
        "country": { "continent": "NA", "iso_code": "US" }
      }
    },
    "whois": { "rdapConformance": ["rdap_level_0"] },
    "classification": { "legitimate": 0.95, "parked": 0.05, "phishing": 0.0 },
    "httpBanner": "Apache/2.4.41 (Unix)",
    "screenshot": "https://screenshots.haveibeensquatted.com/1234567890",
    "simhashDistance": 42
  }
]`;

const data = JSON.parse(output);
const records = data.map(item => new Record(item));
console.log(records);
```
```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

type ASN struct {
	Number       int    `json:"number"`
	Organization string `json:"organization"`
}

type Country struct {
	Continent string `json:"continent"`
	IsoCode   string `json:"iso_code"`
}

type IP struct {
	IP      string  `json:"ip"`
	ASN     ASN     `json:"asn"`
	Country Country `json:"country"`
}

type Classification struct {
	Legitimate float64 `json:"legitimate"`
	Parked     float64 `json:"parked"`
	Phishing   float64 `json:"phishing"`
}

type Record struct {
	Domain      string        `json:"domain"`
	Permutation string        `json:"permutation"`
	Distance    int           `json:"distance,omitempty"`
	IPs         map[string]IP `json:"ips"`
	// whois is either an RDAP object or a WHOIS string, so it cannot be
	// decoded into a map alone; inspect the dynamic type before use.
	Whois           interface{}    `json:"whois,omitempty"`
	Classification  Classification `json:"classification"`
	HTTPBanner      string         `json:"httpBanner,omitempty"`
	Screenshot      string         `json:"screenshot,omitempty"`
	SimhashDistance int            `json:"simhashDistance,omitempty"`
}

func main() {
	data := `
	[
	  {
	    "domain": "example.com",
	    "permutation": "Homoglyph",
	    "distance": 1,
	    "ips": {
	      "192.0.2.1": {
	        "ip": "192.0.2.1",
	        "asn": { "number": 64500, "organization": "EXAMPLE-ORG" },
	        "country": { "continent": "NA", "iso_code": "US" }
	      }
	    },
	    "whois": { "rdapConformance": ["rdap_level_0"] },
	    "classification": { "legitimate": 0.95, "parked": 0.05, "phishing": 0.0 },
	    "httpBanner": "Apache/2.4.41 (Unix)",
	    "screenshot": "https://screenshots.haveibeensquatted.com/1234567890",
	    "simhashDistance": 42
	  }
	]`

	var records []Record
	err := json.Unmarshal([]byte(data), &records)
	if err != nil {
		log.Fatalf("Error parsing JSON: %v", err)
	}

	fmt.Println(records)
}
```