• Home »
  • »
  • Backtrack 4: Information Gathering: DNS: Fierce – locate non-contiguous IP space and hostnames against specified domains

Backtrack 4: Information Gathering: DNS: Fierce – locate non-contiguous IP space and hostnames against specified domains

The final tool in the DNS Section is called fierce. It is a perl script written by rsnake. Fierce tries multiple techniques to find all the IP addresses and hostnames used by a target. These include – trying to dump the SOA records, do a zone transfer, searching for commonly used domain names with a dictionary attack, adjacency scan and a few more. Fierce is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains using several tactics.

Lets look at the help output to see what our options are:


  1. root@666:/pentest/enumeration/fierce# ./fierce.pl -h
  2. fierce.pl (C) Copywrite 2006-2008 - By RSnake at http://ha.ckers.org/fierce/
  4.         Usage: perl fierce.pl [-dns example.com] [OPTIONS]
  6. Overview:
  7.         Fierce is a semi-lightweight scanner that helps locate non-contiguous
  8.         IP space and hostnames against specified domains.  It's really meant
  9.        as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
  10.        of those require that you already know what IP space you are looking
  11.        for.  This does not perform exploitation and does not scan the whole
  12.        internet indiscriminately.  It is meant specifically to locate likely
  13.        targets both inside and outside a corporate network.  Because it uses
  14.        DNS primarily you will often find mis-configured networks that leak
  15.        internal address space. That's especially useful in targeted malware.
  17. Options:
  18.         -connect        Attempt to make http connections to any non RFC1918
  19.                 (public) addresses.  This will output the return headers but
  20.                 be warned, this could take a long time against a company with
  21.                 many targets, depending on network/machine lag.  I wouldn't
  22.                recommend doing this unless it's a small company or you have a
  23.                 lot of free time on your hands (could take hours-days).
  24.                 Inside the file specified the text "Host:\n" will be replaced
  25.                 by the host specified. Usage:
  27.         perl fierce.pl -dns example.com -connect headers.txt
  29.         -delay          The number of seconds to wait between lookups.
  30.         -dns            The domain you would like scanned.
  31.         -dnsfile        Use DNS servers provided by a file (one per line) for
  32.                 reverse lookups (brute force).
  33.         -dnsserver      Use a particular DNS server for reverse lookups
  34.                 (probably should be the DNS server of the target).  Fierce
  35.                 uses your DNS server for the initial SOA query and then uses
  36.                 the target's DNS server for all additional queries by default.
  37.        -file           A file you would like to output to be logged to.
  38.        -fulloutput     When combined with -connect this will output everything
  39.                the webserver sends back, not just the HTTP headers.
  40.        -help           This screen.
  41.        -nopattern      Don't use a search pattern when looking for nearby
  42.                 hosts.  Instead dump everything.  This is really noisy but
  43.                 is useful for finding other domains that spammers might be
  44.                 using.  It will also give you lots of false positives,
  45.                 especially on large domains.
  46.         -range          Scan an internal IP range (must be combined with
  47.                 -dnsserver).  Note, that this does not support a pattern
  48.                 and will simply output anything it finds.  Usage:
  50.         perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
  52.         -search         Search list.  When fierce attempts to traverse up and
  53.                 down ipspace it may encounter other servers within other
  54.                 domains that may belong to the same company.  If you supply a
  55.                 comma delimited list to fierce it will report anything found.
  56.                 This is especially useful if the corporate servers are named
  57.                 different from the public facing website.  Usage:
  59.         perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
  61.                 Note that using search could also greatly expand the number of
  62.                 hosts found, as it will continue to traverse once it locates
  63.                 servers that you specified in your search list.  The more the
  64.                 better.
  65.         -stop           Stop scan if Zone Transfer works.
  66.         -suppress       Suppress all TTY output (when combined with -file).
  67.         -tcptimeout     Specify a different timeout (default 10 seconds).  You
  68.                 may want to increase this if the DNS server you are querying
  69.                 is slow or has a lot of network lag.
  70.         -threads  Specify how many threads to use while scanning (default
  71.           is single threaded).
  72.         -traverse       Specify a number of IPs above and below whatever IP you
  73.                 have found to look for nearby IPs.  Default is 5 above and
  74.                 below.  Traverse will not move into other C blocks.
  75.         -version        Output the version number.
  76.         -wide           Scan the entire class C after finding any matching
  77.                 hostnames in that class C.  This generates a lot more traffic
  78.                 but can uncover a lot more information.
  79.         -wordlist       Use a seperate wordlist (one word per line).  Usage:
  81.         perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

As you can see there are lots of options included in fierce.

lets try a regular query with the search flag:
(the search flag is useful if you are pretty sure of a subdomain name)


  1. root@666:/pentest/enumeration/fierce# ./fierce.pl -dns remote-exploit.org --search mail
  2. DNS Servers for remote-exploit.org:
  3.         ns2.icehosting.com
  4.         ns1.icehosting.com
  6. Trying zone transfer first...
  7.         Testing ns2.icehosting.com
  9. Whoah, it worked - misconfigured DNS server found:
  10. remote-exploit.org.     14400   IN      SOA     ns1.icehosting.com. root.remote-exploit.org. (
  11.                                         2010030203      ; Serial
  12.                                         14400   ; Refresh
  13.                                         3600    ; Retry
  14.                                         1209600 ; Expire
  15.                                         86400 ) ; Minimum TTL
  16. remote-exploit.org.     14400   IN      MX      10 mail2.remote-exploit.org.
  17. remote-exploit.org.     14400   IN      MX      20 mail.remote-exploit.org.
  18. remote-exploit.org.     14400   IN      A
  19. remote-exploit.org.     14400   IN      NS      ns1.icehosting.com.
  20. remote-exploit.org.     14400   IN      NS      ns2.icehosting.com.
  21. balkan.remote-exploit.org.      14400   IN      A
  22. beta.remote-exploit.org.        14400   IN      A
  23. de.remote-exploit.org.  14400   IN      A
  24. es.remote-exploit.org.  14400   IN      A
  25. foo.remote-exploit.org. 14400   IN      A
  26. forum.remote-exploit.org.       14400   IN      CNAME   forums.remote-exploit.org.
  27. forums.remote-exploit.org.      14400   IN      A
  28. fr.remote-exploit.org.  14400   IN      A
  29. ftp.remote-exploit.org. 14400   IN      A
  30. it.remote-exploit.org.  14400   IN      A
  31. localhost.remote-exploit.org.   14400   IN      A
  32. mail.remote-exploit.org.        14400   IN      A
  33. mail2.remote-exploit.org.       14400   IN      A
  34. new.remote-exploit.org. 14400   IN      A
  35. oldwiki.remote-exploit.org.     14400   IN      A
  36. pop.remote-exploit.org. 14400   IN      A
  37. smtp.remote-exploit.org.        14400   IN      A
  38. www.remote-exploit.org. 14400   IN      A
  39. Okay, trying the good old fashioned way... brute force
  41. Checking for wildcard DNS...
  42. Nope. Good.
  43. Now performing 1896 test(s)...
  44.  beta.remote-exploit.org
  45.  de.remote-exploit.org
  46.  es.remote-exploit.org
  47. forum.remote-exploit.org                alias           forums.remote-exploit.org
  48. forums.remote-exploit.org       address
  49.  forum.remote-exploit.org
  50.  forums.remote-exploit.org
  51.  fr.remote-exploit.org
  52.  ftp.remote-exploit.org
  53.  it.remote-exploit.org
  54.       localhost.remote-exploit.org
  55.   mail.remote-exploit.org
  56.   mail2.remote-exploit.org
  57.  new.remote-exploit.org
  58.  pop.remote-exploit.org
  59.  smtp.remote-exploit.org
  60.     www.remote-exploit.org
  62. Subnets found (may want to probe here using nmap or unicornscan):
  63. : 1 hostnames found.
  64. : 2 hostnames found.
  65. : 6 hostnames found.
  66. : 5 hostnames found.
  67. : 1 hostnames found.
  69. Done with Fierce scan: http://ha.ckers.org/fierce/
  70. Found 16 entries.
  72. Have a nice day.

This is a perfect example of a successful fierce session. We got a zone transfer and found a mis-configured nameserver. We also got a list of subdomains which we can compare against some of our other tools and we also got some subnets which we can do further checks on.

Fierce has many other options you can explore which can narrow down your results to only the relevant ones.

Penetration Tester’s Open Source Toolkit, Vol. 2 (Paperback)

List Price: $61.95
New From: $14.50 USD In Stock
Used from: $0.01 USD In Stock