JSON export
The following contains explanations of each field in the JSON output generated by the Lookup and NXDOMAIN tools, as well as some examples of how this output can be used in practice.
Schema
The output contains detailed information on analyzed domains, including typosquatted permutations, IP data, classifications, and more.
domain
type: string
Required
The typosquatted or analyzed domain
Example
exaample.com
permutation
type: string
Required
Describes the method used to generate the domain permutation.
Permutation | Description | Example |
---|---|---|
Addition | Adds an extra character to the end of a domain name | examplez.com |
Bitsquatting | Exploits binary similarities between characters | examp1e.com |
DoubleVowelInsertion | Adds characters between vowel pairs | exaample.com |
Homoglyph | Substitutes visually similar characters | еxample.com (Cyrillic е) |
Hyphenation | Inserts hyphens into the domain | exam-ple.com |
Insertion | Adds a character at the start of the domain | zexample.com |
Keyword | Adds commonly associated keywords | secureexample.com |
Mapped | Maps certain letters to predefined substitutions | exannple.com |
Omission | Removes a character from the domain | examle.com |
Repetition | Duplicates characters in the domain | exampplle.com |
Replacement | Substitutes characters in the domain | exemple.com |
Subdomain | Uses subdomains to mimic legitimate domains | login.example.com |
Tld | Replaces the top-level domain (TLD) | example.org |
Transposition | Swaps character positions | eaxmple.com |
VowelSwap | Swaps vowels in the domain name | ixample.com |
VowelShuffle | Shuffles vowels in the domain name | axample.com |
distance
type: integer
Required
The Levenshtein distance between the original domain and the typosquatted domain, measuring the number of edits needed to transform one string into the other.
Example
7
ips
type: object
Optional
An object containing a map of IP addresses to associated IP address data.
ips.<ip>.ip
type: string
Optional
The IP address associated with the domain.
Example
3.33.130.190
ips.<ip>.asn
type: object
Optional
An object containing the following properties.
number
type: integer
The ASN (Autonomous System Number) for the IP.
Example: 10732
organization
type: string
The organization associated with the ASN.
Example: AMAZON-02
ips.<ip>.country
type: object
Optional
An object containing the following properties.
continent
type: string
The continent code of the IP’s location (ISO 3166-1 alpha-2).
Example: NA (North America)
iso_code
type: string
The country code of the IP’s location (ISO 3166-1 alpha-2).
Example: US (United States)
passiveDns
type: array<object>
Optional
Historical DNS observations collected from passive sources. Each object represents a single observation.
Properties:
rrtype (string): Record type, e.g., A, AAAA, NS, MX, TXT, CNAME
rrname (string): Observed value (for A/AAAA this is the IP; for NS/MX/TXT/CNAME the record value)
rdata (string): Queried domain
time_first (integer): First seen, in epoch seconds
time_last (integer): Last seen, in epoch seconds
count (integer): Number of observations
Example
```json
[
  {
    "rrtype": "A",
    "rrname": "142.250.186.110",
    "rdata": "google.com",
    "time_first": 1710538717,
    "time_last": 1758559359,
    "count": 3390
  },
  {
    "rrtype": "AAAA",
    "rrname": "2a00:1450:4001:810::200e",
    "rdata": "google.com",
    "time_first": 1697028644,
    "time_last": 1755038173,
    "count": 2067
  },
  {
    "rrtype": "CNAME",
    "rrname": "www.forwhenidle.com",
    "rdata": "google.com",
    "time_first": 1717877150,
    "time_last": 1746799577,
    "count": 5
  }
]
```
passiveTls
type: object
Optional
Passive TLS subjects and certificate hashes observed, keyed by IP address.
Properties per IP:
certificates (string[]): Certificate SHA-1/SHA-256 hashes
subjects (string[]): Certificate subjects (usually hostnames)
Example
```json
{
  "172.217.17.110": {
    "certificates": [
      "ef3d5b04f51d97a3cded293584af6221d5d0c262",
      "d99417c4d7aa394595afbe90ee515f4cd0106590"
    ],
    "subjects": ["google.com"]
  }
}
```
httpBanner
type: string
Optional
The HTTP banner grabbed from the domain, providing details about the web server or service running on it (if available).
Example
Apache/2.4.46 (Unix)
classification
type: object
Optional
An object containing the following properties.
legitimate
type: number
Optional
A value between 0.0 and 1.0 representing the likelihood the domain is legitimate.
Example
0.9 (95% likely to be legitimate)
parked
type: number
Optional
A value between 0.0 and 1.0 representing the likelihood the domain is parked.
Example
0.05 (5% likely to be parked)
phishing
type: number
Optional
A value between 0.0 and 1.0 representing the likelihood the domain is used for phishing.
Example
0.05 (5% likely to be a phishing domain)
whois
type: string|object
Optional
Contains RDAP JSON data (of type object) or WHOIS data (of type string) retrieved for the domain. This may include details such as registration status, expiration dates, and ownership information.
Example
```json
{
  "objectClassName": "domain",
  "handle": "2336799_DOMAIN_COM-VRSN",
  "ldhName": "EXAMPLE.COM",
  "links": [
    {
      "value": "https://rdap.verisign.com/com/v1/domain/EXAMPLE.COM",
      "rel": "self",
      "href": "https://rdap.verisign.com/com/v1/domain/EXAMPLE.COM",
      "type": "application/rdap+json"
    }
  ],
  "status": [
    "client delete prohibited",
    "client transfer prohibited",
    "client update prohibited"
  ],
  "entities": [
    {
      "objectClassName": "entity",
      "handle": "376",
      "roles": ["registrar"],
      "publicIds": [
        { "type": "IANA Registrar ID", "identifier": "376" }
      ],
      "vcardArray": [
        "vcard",
        [
          ["version", {}, "text", "4.0"],
          ["fn", {}, "text", "RESERVED-Internet Assigned Numbers Authority"]
        ]
      ],
      "entities": [
        {
          "objectClassName": "entity",
          "roles": ["abuse"],
          "vcardArray": [
            "vcard",
            [
              ["version", {}, "text", "4.0"],
              ["fn", {}, "text", ""],
              ["tel", { "type": "voice" }, "uri", ""],
              ["email", {}, "text", ""]
            ]
          ]
        }
      ]
    }
  ],
  "events": [
    { "eventAction": "registration", "eventDate": "1995-08-14T04:00:00Z" },
    { "eventAction": "expiration", "eventDate": "2025-08-13T04:00:00Z" },
    { "eventAction": "last changed", "eventDate": "2024-08-14T07:01:34Z" },
    { "eventAction": "last update of RDAP database", "eventDate": "2024-11-25T21:05:46Z" }
  ],
  "secureDNS": {
    "delegationSigned": true,
    "dsData": [
      {
        "keyTag": 370,
        "algorithm": 13,
        "digestType": 2,
        "digest": "BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A86764247C"
      }
    ]
  },
  "nameservers": [
    { "objectClassName": "nameserver", "ldhName": "A.IANA-SERVERS.NET" },
    { "objectClassName": "nameserver", "ldhName": "B.IANA-SERVERS.NET" }
  ],
  "rdapConformance": [
    "rdap_level_0",
    "icann_rdap_technical_implementation_guide_0",
    "icann_rdap_response_profile_0"
  ],
  "notices": [
    {
      "title": "Terms of Use",
      "description": ["Service subject to Terms of Use."],
      "links": [
        {
          "href": "https://www.verisign.com/domain-names/registration-data-access-protocol/terms-service/index.xhtml",
          "type": "text/html"
        }
      ]
    },
    {
      "title": "Status Codes",
      "description": ["For more information on domain status codes, please visit https://icann.org/epp"],
      "links": [{ "href": "https://icann.org/epp", "type": "text/html" }]
    },
    {
      "title": "RDDS Inaccuracy Complaint Form",
      "description": ["URL of the ICANN RDDS Inaccuracy Complaint Form: https://icann.org/wicf"],
      "links": [{ "href": "https://icann.org/wicf", "type": "text/html" }]
    }
  ]
}
```
```text
Domain Name: EXAMPLE.COM
Registry Domain ID: 2336799_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.iana.org
Registrar URL: http://res-dom.iana.org
Updated Date: 2024-08-14T07:01:34Z
Creation Date: 1995-08-14T04:00:00Z
Registry Expiry Date: 2025-08-13T04:00:00Z
Registrar: RESERVED-Internet Assigned Numbers Authority
Registrar IANA ID: 376
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: A.IANA-SERVERS.NET
Name Server: B.IANA-SERVERS.NET
DNSSEC: signedDelegation
DNSSEC DS Data: 370 13 2 BE74359954660069D5C63D200C39F5603827D7DD02B56F120EE9F3A86764247C
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
```
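One way to use the whois field for triage, as an added example that is not part of the original documentation: read the registration date from either representation (the RDAP `events` entry or the WHOIS `Creation Date:` line) and list recently registered lookalikes. The function names, the 30-day window and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# WHOIS label for the registration date, as in the WHOIS example above.
_CREATION_RE = re.compile(r"^[ \t]*Creation Date:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def _parse_ts(value):
    """Parse an ISO 8601 timestamp such as 1995-08-14T04:00:00Z; None if malformed."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def registration_date(whois):
    """Return the registration time from an RDAP object or WHOIS string, else None."""
    if isinstance(whois, dict):  # RDAP: events[] entry with eventAction "registration"
        for event in whois.get("events") or []:
            if isinstance(event, dict) and event.get("eventAction") == "registration":
                return _parse_ts(event.get("eventDate"))
        return None
    if isinstance(whois, str):  # WHOIS: "Creation Date: <timestamp>" line
        match = _CREATION_RE.search(whois)
        return _parse_ts(match.group(1)) if match else None
    return None  # field absent (it is optional)


def newly_registered(records, now, max_age_days=30):
    """Return (domain, registration date) for records registered within the window."""
    hits = []
    for rec in records:
        created = registration_date(rec.get("whois"))
        if created is not None and 0 <= (now - created).days <= max_age_days:
            hits.append((rec["domain"], created.date().isoformat()))
    return hits


# Constructed sample records (not real export data).
SAMPLE = [
    {"domain": "exaample.com", "permutation": "DoubleVowelInsertion",
     "whois": {"events": [{"eventAction": "registration",
                           "eventDate": "2024-11-20T10:00:00Z"}]}},
    {"domain": "examplez.com", "permutation": "Addition",
     "whois": "Domain Name: EXAMPLEZ.COM\nCreation Date: 2024-11-01T08:30:00Z\n"},
    {"domain": "example.org", "permutation": "Tld",
     "whois": "Domain Name: EXAMPLE.ORG\nCreation Date: 1995-08-14T04:00:00Z\n"},
    {"domain": "examle.com", "permutation": "Omission"},  # no whois data
]

if __name__ == "__main__":
    print(newly_registered(SAMPLE, datetime(2024, 11, 25, tzinfo=timezone.utc)))
```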
JSON Schema
The following is a JSON schema representation of the JSON export produced by Have I Been Squatted.
```json
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "domain": { "type": "string" },
      "permutation": {
        "type": "string",
        "enum": [
          "Addition",
          "Bitsquatting",
          "DoubleVowelInsertion",
          "Homoglyph",
          "Hyphenation",
          "Insertion",
          "Keyword",
          "Mapped",
          "Omission",
          "Repetition",
          "Replacement",
          "Subdomain",
          "Tld",
          "Transposition",
          "VowelSwap"
        ]
      },
      "distance": { "type": "integer" },
      "ips": {
        "type": "object",
        "properties": {
          "ip": { "type": "string" },
          "asn": {
            "type": "object",
            "properties": {
              "number": { "type": "integer" },
              "organization": { "type": "string" }
            }
          },
          "country": {
            "type": "object",
            "properties": {
              "continent": {
                "type": "string",
                "minLength": 2,
                "maxLength": 2,
                "pattern": "^[A-Z]{2}$"
              },
              "iso_code": {
                "type": "string",
                "minLength": 2,
                "maxLength": 2,
                "pattern": "^[A-Z]{2}$"
              }
            }
          }
        }
      },
      "whois": {
        "oneOf": [
          { "type": "string" },
          { "type": "object" }
        ]
      },
      "classification": {
        "type": "object",
        "properties": {
          "legitimate": { "type": "number" },
          "parked": { "type": "number" },
          "phishing": { "type": "number" }
        },
        "required": ["legitimate", "parked", "phishing"]
      },
      "httpBanner": { "type": "string" },
      "screenshot": { "type": "string" },
      "simhashDistance": { "type": "integer" }
    },
    "required": ["domain", "permutation"]
  }
}
```
jq examples
The following are a few examples of how you can use the Have I Been Squatted JSON output data with jq.
Extract all domains
Extract a list of all domains.
```bash
jq '.[].domain' example.com-lookup.json
```
Extract IP addresses with ASN Numbers
Extract each IP address and its corresponding ASN number. Because ips is optional, `.ips[]?` skips records that have no IP data instead of failing on them.
```bash
jq '.[] | .ips[]? | {ip: .ip, asn: .asn.number}' example.com-lookup.json
```
Find domains classified as likely phishing
Filter domains with a phishing score above 0.6.
```bash
jq '.[] | select(.classification.phishing > 0.6) | .domain' example.com-lookup.json
```
Extract classification for each domain
Retrieve the classification scores for each domain, filtering out any results without classification information.
```bash
jq '.[] | select(.classification != null) | {domain: .domain, classification: .classification}' example.com-lookup.json
```
Code examples
These code examples, in Python, JavaScript and Go, parse the Have I Been Squatted JSON output data describing typosquatted domain analysis results, convert the JSON string into structured data and print the resulting data structure.
```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Union
import json


@dataclass
class ASN:
    number: int
    organization: str


@dataclass
class Country:
    continent: str
    iso_code: str


@dataclass
class IP:
    ip: str
    # asn and country are optional in the export
    asn: Optional[ASN] = None
    country: Optional[Country] = None


@dataclass
class Classification:
    legitimate: float
    parked: float
    phishing: float


@dataclass
class Record:
    domain: str
    permutation: str
    distance: Optional[int] = None
    ips: Optional[Dict[str, IP]] = field(default_factory=dict)
    whois: Optional[Union[str, dict]] = None  # RDAP object or WHOIS text
    classification: Optional[Classification] = None
    httpBanner: Optional[str] = None
    screenshot: Optional[str] = None
    simhashDistance: Optional[int] = None


def main():
    output = """
    [
      {
        "domain": "example.com",
        "permutation": "Homoglyph",
        "distance": 1,
        "ips": {
          "192.0.2.1": {
            "ip": "192.0.2.1",
            "asn": { "number": 64500, "organization": "EXAMPLE-ORG" },
            "country": { "continent": "NA", "iso_code": "US" }
          }
        },
        "whois": { "rdapConformance": [ "rdap_level_0" ] },
        "classification": { "legitimate": 0.95, "parked": 0.05, "phishing": 0.0 },
        "httpBanner": "Apache/2.4.41 (Unix)",
        "screenshot": "https://screenshots.haveibeensquatted.com/1234567890",
        "simhashDistance": 42
      }
    ]
    """

    data = json.loads(output)
    records = [
        Record(
            domain=item["domain"],
            permutation=item["permutation"],
            distance=item.get("distance"),
            # ips is a map keyed by IP address; every nested field is optional
            ips={
                key: IP(
                    ip=value.get("ip", key),
                    asn=ASN(**value["asn"]) if "asn" in value else None,
                    country=Country(**value["country"]) if "country" in value else None,
                )
                for key, value in item.get("ips", {}).items()
            },
            whois=item.get("whois"),
            classification=(
                Classification(**item["classification"])
                if "classification" in item
                else None
            ),
            httpBanner=item.get("httpBanner"),
            screenshot=item.get("screenshot"),
            simhashDistance=item.get("simhashDistance"),
        )
        for item in data
    ]

    for record in records:
        print(record)


if __name__ == "__main__":
    main()
```
```javascript
// Record class representing a domain analysis result
class Record {
  constructor(data) {
    this.domain = data.domain;
    this.permutation = data.permutation;
    this.distance = data.distance;
    this.ips = data.ips;
    this.whois = data.whois;
    this.classification = data.classification;
    this.httpBanner = data.httpBanner;
    this.screenshot = data.screenshot;
    this.simhashDistance = data.simhashDistance;
  }
}

// Example usage
const output = `[
  {
    "domain": "example.com",
    "permutation": "Homoglyph",
    "distance": 1,
    "ips": {
      "192.0.2.1": {
        "ip": "192.0.2.1",
        "asn": { "number": 64500, "organization": "EXAMPLE-ORG" },
        "country": { "continent": "NA", "iso_code": "US" }
      }
    },
    "whois": { "rdapConformance": ["rdap_level_0"] },
    "classification": { "legitimate": 0.95, "parked": 0.05, "phishing": 0.0 },
    "httpBanner": "Apache/2.4.41 (Unix)",
    "screenshot": "https://screenshots.haveibeensquatted.com/1234567890",
    "simhashDistance": 42
  }
]`;

const data = JSON.parse(output);
const records = data.map((item) => new Record(item));
console.log(records);
```
```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

type ASN struct {
	Number       int    `json:"number"`
	Organization string `json:"organization"`
}

type Country struct {
	Continent string `json:"continent"`
	IsoCode   string `json:"iso_code"`
}

type IP struct {
	IP      string  `json:"ip"`
	ASN     ASN     `json:"asn"`
	Country Country `json:"country"`
}

type Classification struct {
	Legitimate float64 `json:"legitimate"`
	Parked     float64 `json:"parked"`
	Phishing   float64 `json:"phishing"`
}

type Record struct {
	Domain      string        `json:"domain"`
	Permutation string        `json:"permutation"`
	Distance    int           `json:"distance,omitempty"`
	IPs         map[string]IP `json:"ips"`
	// whois is either an RDAP object or a WHOIS string, so it is decoded
	// generically; a map type here would fail on the string form.
	Whois           interface{}    `json:"whois,omitempty"`
	Classification  Classification `json:"classification"`
	HTTPBanner      string         `json:"httpBanner,omitempty"`
	Screenshot      string         `json:"screenshot,omitempty"`
	SimhashDistance int            `json:"simhashDistance,omitempty"`
}

func main() {
	data := `
	[
		{
			"domain": "example.com",
			"permutation": "Homoglyph",
			"distance": 1,
			"ips": {
				"192.0.2.1": {
					"ip": "192.0.2.1",
					"asn": { "number": 64500, "organization": "EXAMPLE-ORG" },
					"country": { "continent": "NA", "iso_code": "US" }
				}
			},
			"whois": { "rdapConformance": ["rdap_level_0"] },
			"classification": { "legitimate": 0.95, "parked": 0.05, "phishing": 0.0 },
			"httpBanner": "Apache/2.4.41 (Unix)",
			"screenshot": "https://screenshots.haveibeensquatted.com/1234567890",
			"simhashDistance": 42
		}
	]`

	var records []Record
	err := json.Unmarshal([]byte(data), &records)
	if err != nil {
		log.Fatalf("Error parsing JSON: %v", err)
	}

	fmt.Println(records)
}
```
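Going one step beyond parsing, the following added example (not part of the original documentation) combines three optional fields into a triage list: the phishing score, recent passiveDns activity, and a passiveTls certificate subject that names the lookalike. The function name, the thresholds and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timezone


def triage(records, now, phishing_min=0.6, active_days=30):
    """Return [(domain, [reasons])], records with the most reasons first."""
    cutoff = now.timestamp() - active_days * 86400
    findings = []
    for rec in records:
        reasons = []
        # classification is optional; a missing score means "no signal".
        score = (rec.get("classification") or {}).get("phishing")
        if isinstance(score, (int, float)) and score > phishing_min:
            reasons.append(f"phishing score {score:.2f}")
        # passiveDns: any observation last seen inside the activity window.
        observations = rec.get("passiveDns") or []
        if any(obs.get("time_last", 0) >= cutoff for obs in observations):
            reasons.append("recent passive DNS activity")
        # passiveTls: a certificate subject naming the lookalike itself.
        domain = rec["domain"].lower()
        for ip, tls in (rec.get("passiveTls") or {}).items():
            subjects = [s.lower() for s in tls.get("subjects") or []]
            if any(s == domain or s.endswith("." + domain) for s in subjects):
                reasons.append(f"TLS certificate for domain on {ip}")
                break
        if reasons:
            findings.append((rec["domain"], reasons))
    return sorted(findings, key=lambda f: len(f[1]), reverse=True)


# Constructed sample records (not real export data).
SAMPLE = [
    {"domain": "examplez.com", "permutation": "Addition",
     "classification": {"legitimate": 0.2, "parked": 0.1, "phishing": 0.7}},
    {"domain": "exaample.com", "permutation": "DoubleVowelInsertion",
     "classification": {"legitimate": 0.1, "parked": 0.1, "phishing": 0.8},
     "passiveDns": [{"rrtype": "A", "rrname": "192.0.2.10", "rdata": "exaample.com",
                     "time_first": 1731400000, "time_last": 1732400000, "count": 12}],
     "passiveTls": {"192.0.2.10": {"certificates": ["<constructed>"],
                                   "subjects": ["exaample.com"]}}},
    {"domain": "examle.com", "permutation": "Omission",
     "classification": {"legitimate": 0.05, "parked": 0.9, "phishing": 0.05},
     "passiveDns": [{"rrtype": "A", "rrname": "192.0.2.20", "rdata": "examle.com",
                     "time_first": 1600000000, "time_last": 1650000000, "count": 3}]},
    {"domain": "example.org", "permutation": "Tld"},  # required fields only
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE, datetime(2024, 11, 25, tzinfo=timezone.utc)):
        print(name, "->", "; ".join(why))
```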