
Exposing IDN vulnerabilities, one domain at a time.
Generate homograph domain names with Cyrillic lookalikes and PunyCode for security research and phishing analysis.
PunyPwn: Exposing IDN Homograph Vulnerabilities, One Domain at a Time.
PunyPwn is a lightweight Python tool that generates IDN homograph variants of a domain name (Latin letters swapped for visually identical Cyrillic ones) together with their Punycode (xn--) encodings, so that lookalike-domain exposure can be assessed.
This project was originally built for my own needs, both for personal research and professional assessments related to domain name spoofing and phishing risks.
Over time, I decided to share this small piece of code openly, thinking it might save time for others or serve as a starting point for more advanced projects.
⚙️ PunyPwn is intentionally minimalistic and makes no claims of being a complete solution — but if it can help or inspire, feel free to use, adapt, or improve it!
- ✅ Automatic generation of homograph domains using Cyrillic characters visually similar to Latin letters (e.g., 'a', 'e', 'o', 'c', 'p', 'x'...).
- ✅ Punycode conversion of generated domains, ready for phishing risk analysis or security testing.
- ✅ Smart substitution system to avoid unrealistic or ugly substitutions — focusing only on credible and visually deceptive homographs.
- ✅ Full word and combinatorial substitutions: automatically explores all possible combinations based on available Cyrillic equivalents (no guesswork).
- ✅ Support for multiple TLDs (default: .com, .fr, .net, .org — easily extendable by user).
Before getting started, make sure you meet the following prerequisites.
- Python 3: Ensure Python 3 is installed on your system.
- Dependencies: PunyPwn requires only one external library, `idna` (used for Punycode conversion). Install it with `pip install idna` or `pip install -r requirements.txt`.
⚠️ Note: PunyPwn has been tested on Python 3.11.10 under Linux. While it might work on other versions or operating systems, compatibility is officially guaranteed only for this specific setup.
- Clone the repository via Git:
git clone https://github.com/franckferman/PunyPwn.git
- Direct download of the script (without Git): If you only need the script without cloning the entire repository:
curl -O https://raw.githubusercontent.com/franckferman/PunyPwn/stable/src/PunyPwn.py
Make sure to adjust the commands based on your local installation of PunyPwn.
To display the full help menu and explore available options:
python3 PunyPwn.py --help
| Task | Command |
|---|---|
| Generate all possible homographs with default settings (TLDs: .com, .fr, .net, .org) | python3 PunyPwn.py --domain example |
| Generate homographs with up to 2 substitutions | python3 PunyPwn.py --domain example --level 2 |
| Generate homographs using only highly realistic substitutions | python3 PunyPwn.py --domain example --style very-realistic |
| Generate homographs only for .com and .fr domains | python3 PunyPwn.py --domain example --tlds .com .fr |
| Add additional TLDs such as .io and .xyz | python3 PunyPwn.py --domain example --tlds .com .io .xyz |
| Generate realistic homographs with a maximum of 3 substitutions for .com and .net only | python3 PunyPwn.py --domain example --style realistic --level 3 --tlds .com .net |
| Aggressive homograph generation without substitution limit, using all available homoglyphs | python3 PunyPwn.py --domain example --style any |
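To make the feature list and the usage table above concrete, here is an added example (written for this page, not PunyPwn's own code) of the generation scheme they describe: pick the letters of a domain that have a Cyrillic lookalike, enumerate every combination of 1 to `level` substitutions, append each TLD, and emit the Punycode form. The homoglyph table is an illustrative subset (PunyPwn's real table and its realism styles are not reproduced), the `level` and `tlds` parameters mirror the CLI options only in spirit, and Punycode conversion uses the standard library's `idna` codec rather than the `idna` package the tool depends on. It also adds the check a tester usually wants next to each candidate: whether the label mixes scripts.

```python
import itertools
import unicodedata
from typing import Dict, List, Optional, Sequence, Tuple

# Latin -> Cyrillic lookalikes. Illustrative (hypothetical) subset only;
# PunyPwn's own substitution table is not reproduced here.
HOMOGLYPHS: Dict[str, str] = {
    "a": "\u0430",  # CYRILLIC SMALL LETTER A
    "c": "\u0441",  # CYRILLIC SMALL LETTER ES
    "e": "\u0435",  # CYRILLIC SMALL LETTER IE
    "o": "\u043e",  # CYRILLIC SMALL LETTER O
    "p": "\u0440",  # CYRILLIC SMALL LETTER ER
    "x": "\u0445",  # CYRILLIC SMALL LETTER HA
    "y": "\u0443",  # CYRILLIC SMALL LETTER U
}


def homographs(word: str, level: Optional[int] = None) -> List[str]:
    """Every variant of `word` with 1..level substitutable letters replaced by
    their Cyrillic lookalike; all combinations when level is None.
    Only Latin letters present in HOMOGLYPHS are candidates."""
    positions = [i for i, ch in enumerate(word) if ch in HOMOGLYPHS]
    max_subs = len(positions) if level is None else min(level, len(positions))
    variants: List[str] = []
    for k in range(1, max_subs + 1):
        for combo in itertools.combinations(positions, k):
            chars = list(word)
            for i in combo:
                chars[i] = HOMOGLYPHS[chars[i]]
            variants.append("".join(chars))
    return variants


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of an IDN via the standard library's IDNA codec.
    Pure-ASCII labels are returned unchanged."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Inverse of to_punycode: the Unicode name a client would render."""
    return domain.encode("ascii").decode("idna")


def is_mixed_script(label: str) -> bool:
    """True when a label contains letters from more than one script
    (e.g. Latin + Cyrillic); browser IDN display policies key on this."""
    scripts = {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def generate(
    domain: str,
    tlds: Sequence[str] = (".com", ".fr", ".net", ".org"),
    level: Optional[int] = None,
) -> List[Tuple[str, str, bool]]:
    """(unicode fqdn, punycode fqdn, mixed-script?) for every variant x TLD."""
    rows: List[Tuple[str, str, bool]] = []
    for variant in homographs(domain, level):
        for tld in tlds:
            fqdn = variant + tld
            rows.append((fqdn, to_punycode(fqdn), is_mixed_script(variant)))
    return rows


if __name__ == "__main__":
    # Same spirit as: python3 PunyPwn.py --domain example --level 1 --tlds .com
    for uni, puny, mixed in generate("example", tlds=(".com",), level=1):
        kind = "mixed-script" if mixed else "single-script"
        print(f"{uni}\t{puny}\t{kind}")
```

Two points worth keeping in mind when reading the output. First, the number of candidates grows combinatorially (for a word with n substitutable letters, 2^n - 1 variants per TLD), which is why a substitution limit such as `--level` matters on longer names. Second, mainstream browsers (Chrome, Firefox) render a label that mixes Latin and Cyrillic letters as its raw xn-- form in the address bar, so mixed-script variants are easy to spot; the variants where every letter has been replaced, leaving a single-script Cyrillic label, are the ones that can survive display as the original word and deserve the closest look when you register or monitor defensively.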
We truly appreciate and welcome community involvement. Your contributions, feedback, and suggestions play a crucial role in improving the project for everyone. If you're interested in contributing or have ideas for enhancements, please feel free to open an issue or submit a pull request on our GitHub repository. Every contribution, no matter how big or small, is highly valued and greatly appreciated!
PunyPwn is a security research and educational tool, created to demonstrate IDN (Internationalized Domain Name) homograph vulnerabilities and raise awareness about potential phishing risks associated with lookalike domains.
⚠️ Warning: This tool is provided for ethical, academic, and research purposes only. Do not use PunyPwn to impersonate, phish, harass, or defraud individuals, organizations, or entities. Misuse of this tool could violate local, national, or international laws. You are solely responsible for how you use this tool.
If you are unsure about the legality of your intended use of this tool, consult a qualified legal professional or competent authority before proceeding.
🔹 By using PunyPwn, you acknowledge that you have read, understood, and agreed to this disclaimer.
Explore the star history of this project and see how it has evolved over time. Your support is greatly appreciated. We're grateful for every star! Your backing fuels our passion. ✨
This project is licensed under the GNU Affero General Public License, Version 3.0. For more details, please refer to the LICENSE file in the repository: Read the license on GitHub