Backtrack 4: Information Gathering: DNS: Fierce – locate non-contiguous IP space and hostnames against specified domains

The final tool in the DNS Section is called fierce. It is a perl script written by rsnake. Fierce tries multiple techniques to find all the IP addresses and hostnames used by a target. These include – trying to dump the SOA records, do a zone transfer, searching for commonly used domain names with a dictionary attack, adjacency scan and a few more. Fierce is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed (unless the -nopattern switch is used). No exploitation is performed (unless you do something intentionally malicious with the -connect switch). Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains using several tactics.

Lets look at the help output to see what our options are:

As you can see there are lots of options included in fierce.

lets try a regular query with the search flag:
(the search flag is useful if you are pretty sure of a subdomain name)

This is a perfect example of a successful fierce session. We got a zone transfer and found a mis-configured nameserver. We also got a list of subdomains which we can compare against some of our other tools and we also got some subnets which we can do further checks on.

Fierce has many other options you can explore which can narrow down your results to only the relevant ones.

See larger image Linux System Administration Black Book: The Definitive Guide to Deploying and Configuring the Leading Open Source Operating System (Paperback) List Price: $49.99 New From: $39.98 USD In Stock Used from: $5.60 USD In Stock

See larger image Penetration Tester’s Open Source Toolkit, Vol. 2 (Paperback) List Price: $61.95 USD New From: $14.50 USD In Stock Used from: $3.00 USD In Stock