The final tool in the DNS Section is called fierce. It is a perl script written by rsnake. Fierce tries multiple techniques to find all the IP addresses and hostnames used by a target. These include – trying to dump the SOA records, do a zone transfer, searching for commonly used domain names with a dictionary attack, adjacency scan and a few more. Fierce is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains using several tactics.
Lets look at the help output to see what our options are:
- root@666:/pentest/enumeration/fierce# ./fierce.pl -h
- fierce.pl (C) Copywrite 2006-2008 - By RSnake at http://ha.ckers.org/fierce/
- Usage: perl fierce.pl [-dns example.com] [OPTIONS]
- Overview:
- Fierce is a semi-lightweight scanner that helps locate non-contiguous
- IP space and hostnames against specified domains. It's really meant
- as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
- of those require that you already know what IP space you are looking
- for. This does not perform exploitation and does not scan the whole
- internet indiscriminately. It is meant specifically to locate likely
- targets both inside and outside a corporate network. Because it uses
- DNS primarily you will often find mis-configured networks that leak
- internal address space. That's especially useful in targeted malware.
- Options:
- -connect Attempt to make http connections to any non RFC1918
- (public) addresses. This will output the return headers but
- be warned, this could take a long time against a company with
- many targets, depending on network/machine lag. I wouldn't
- recommend doing this unless it's a small company or you have a
- lot of free time on your hands (could take hours-days).
- Inside the file specified the text "Host:\n" will be replaced
- by the host specified. Usage:
- perl fierce.pl -dns example.com -connect headers.txt
- -delay The number of seconds to wait between lookups.
- -dns The domain you would like scanned.
- -dnsfile Use DNS servers provided by a file (one per line) for
- reverse lookups (brute force).
- -dnsserver Use a particular DNS server for reverse lookups
- (probably should be the DNS server of the target). Fierce
- uses your DNS server for the initial SOA query and then uses
- the target's DNS server for all additional queries by default.
- -file A file you would like to output to be logged to.
- -fulloutput When combined with -connect this will output everything
- the webserver sends back, not just the HTTP headers.
- -help This screen.
- -nopattern Don't use a search pattern when looking for nearby
- hosts. Instead dump everything. This is really noisy but
- is useful for finding other domains that spammers might be
- using. It will also give you lots of false positives,
- especially on large domains.
- -range Scan an internal IP range (must be combined with
- -dnsserver). Note, that this does not support a pattern
- and will simply output anything it finds. Usage:
- perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
- -search Search list. When fierce attempts to traverse up and
- down ipspace it may encounter other servers within other
- domains that may belong to the same company. If you supply a
- comma delimited list to fierce it will report anything found.
- This is especially useful if the corporate servers are named
- different from the public facing website. Usage:
- perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
- Note that using search could also greatly expand the number of
- hosts found, as it will continue to traverse once it locates
- servers that you specified in your search list. The more the
- better.
- -stop Stop scan if Zone Transfer works.
- -suppress Suppress all TTY output (when combined with -file).
- -tcptimeout Specify a different timeout (default 10 seconds). You
- may want to increase this if the DNS server you are querying
- is slow or has a lot of network lag.
- -threads Specify how many threads to use while scanning (default
- is single threaded).
- -traverse Specify a number of IPs above and below whatever IP you
- have found to look for nearby IPs. Default is 5 above and
- below. Traverse will not move into other C blocks.
- -version Output the version number.
- -wide Scan the entire class C after finding any matching
- hostnames in that class C. This generates a lot more traffic
- but can uncover a lot more information.
- -wordlist Use a seperate wordlist (one word per line). Usage:
- perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
As you can see there are lots of options included in fierce.
lets try a regular query with the search flag:
(the search flag is useful if you are pretty sure of a subdomain name)
- root@666:/pentest/enumeration/fierce# ./fierce.pl -dns remote-exploit.org --search mail
- DNS Servers for remote-exploit.org:
- ns2.icehosting.com
- ns1.icehosting.com
- Trying zone transfer first...
- Testing ns2.icehosting.com
- Whoah, it worked - misconfigured DNS server found:
- remote-exploit.org. 14400 IN SOA ns1.icehosting.com. root.remote-exploit.org. (
- 2010030203 ; Serial
- 14400 ; Refresh
- 3600 ; Retry
- 1209600 ; Expire
- 86400 ) ; Minimum TTL
- remote-exploit.org. 14400 IN MX 10 mail2.remote-exploit.org.
- remote-exploit.org. 14400 IN MX 20 mail.remote-exploit.org.
- remote-exploit.org. 14400 IN A 97.74.188.5
- remote-exploit.org. 14400 IN NS ns1.icehosting.com.
- remote-exploit.org. 14400 IN NS ns2.icehosting.com.
- balkan.remote-exploit.org. 14400 IN A 208.68.234.113
- beta.remote-exploit.org. 14400 IN A 78.159.102.208
- de.remote-exploit.org. 14400 IN A 208.68.234.113
- es.remote-exploit.org. 14400 IN A 208.68.234.113
- foo.remote-exploit.org. 14400 IN A 208.68.234.113
- forum.remote-exploit.org. 14400 IN CNAME forums.remote-exploit.org.
- forums.remote-exploit.org. 14400 IN A 208.68.234.113
- fr.remote-exploit.org. 14400 IN A 208.68.234.113
- ftp.remote-exploit.org. 14400 IN A 78.159.102.208
- it.remote-exploit.org. 14400 IN A 208.68.234.113
- localhost.remote-exploit.org. 14400 IN A 127.0.0.1
- mail.remote-exploit.org. 14400 IN A 147.87.98.225
- mail2.remote-exploit.org. 14400 IN A 147.87.98.225
- new.remote-exploit.org. 14400 IN A 78.159.102.208
- oldwiki.remote-exploit.org. 14400 IN A 78.159.102.208
- pop.remote-exploit.org. 14400 IN A 78.159.102.208
- smtp.remote-exploit.org. 14400 IN A 78.159.102.208
- www.remote-exploit.org. 14400 IN A 97.74.188.5
- Okay, trying the good old fashioned way... brute force
- Checking for wildcard DNS...
- Nope. Good.
- Now performing 1896 test(s)...
- 78.159.102.208 beta.remote-exploit.org
- 208.68.234.113 de.remote-exploit.org
- 208.68.234.113 es.remote-exploit.org
- forum.remote-exploit.org alias forums.remote-exploit.org
- forums.remote-exploit.org address 208.68.234.113
- 208.68.234.113 forum.remote-exploit.org
- 208.68.234.113 forums.remote-exploit.org
- 208.68.234.113 fr.remote-exploit.org
- 78.159.102.208 ftp.remote-exploit.org
- 208.68.234.113 it.remote-exploit.org
- 127.0.0.1 localhost.remote-exploit.org
- 147.87.98.225 mail.remote-exploit.org
- 147.87.98.225 mail2.remote-exploit.org
- 78.159.102.208 new.remote-exploit.org
- 78.159.102.208 pop.remote-exploit.org
- 78.159.102.208 smtp.remote-exploit.org
- 97.74.188.5 www.remote-exploit.org
- Subnets found (may want to probe here using nmap or unicornscan):
- 127.0.0.0-255 : 1 hostnames found.
- 147.87.98.0-255 : 2 hostnames found.
- 208.68.234.0-255 : 6 hostnames found.
- 78.159.102.0-255 : 5 hostnames found.
- 97.74.188.0-255 : 1 hostnames found.
- Done with Fierce scan: http://ha.ckers.org/fierce/
- Found 16 entries.
- Have a nice day.
This is a perfect example of a successful fierce session. We got a zone transfer and found a mis-configured nameserver. We also got a list of subdomains which we can compare against some of our other tools and we also got some subnets which we can do further checks on.
Fierce has many other options you can explore which can narrow down your results to only the relevant ones.
I’ve Found a great DNS scanner that can locate any DNS server at your network (multi-subnet) it can also test if the DNS is answering anyones requests or not. The tool is called DNS Locator.
Hello sysAdmin,
We removed the link from the comment above since the tool you recommended costs money we consider this to be an ad. I did include the name though so if people are interested in paying $40 for such a tool they can search for it.
Thanks.
alex