Fierce
Description
Fierce is a semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for specified domains using sources such as DNS, Whois and ARIN. It is meant as a precursor to active testing tools such as nmap, unicornscan, nessus or nikto, since all of those require that you already know which IP space you are looking at. Fierce does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Since it relies primarily on DNS, it will often find misconfigured networks that leak internal address space.
Installation
Install dependencies
$ sudo cpan
cpan[1]> install Net::CIDR
cpan[2]> install Net::Whois::ARIN
cpan[3]> install Object::InsideOut
cpan[4]> install Template
cpan[5]> install Test::Class
cpan[6]> install Test::MockObject
cpan[7]> install Net::DNS
cpan[8]> install Net::hostent
cpan[0]> install WWW::Mechanize
Install Fierce2
$ cd /data/src/
$ svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
$ cd fierce2/
$ perl Makefile.PL
$ make
$ make test
$ sudo make install
Then optionally create a symbolic link to comply with the BackTrack directory structure:
$ mkdir -p /pentest/enumeration/fierce/
$ ln -s /usr/local/bin/fierce /pentest/enumeration/fierce/fierce
Install templates
$ mkdir ~/.fierce2/
$ cp -R tt ~/.fierce2/
Usage
Syntax
$ fierce {target options} [OPTIONS]
Options
Target options
- -dns [dns name(s) or file]
- The domain(s) you would like scanned. Single domain, multiple domains (comma separated). Also supports file input (one domain per line)
- -range [111.222.333.1-100]
- Scan an internal IP range (must be combined with -dnsservers). Note that this does not support a pattern and will simply output anything it finds. Single range, multiple ranges (comma separated). Also supports file input (one range per line)
General options
- -format [type]
- Output format [txt|xml|html|all]
- -output [file]
- Output file
- -template [dir]
- Template Directory
- -arin ["query"]
- ARIN Query (default uses domain, without extension)
- -prefix [prefix file|URL]
- Prefix file or URL for bruteforce attack
- -maxbruteforce [int]
- Maximum number appended to each prefix (default 5)
- -maxlookups [int]
- Maximum number of hostname lookups (default 10)
- -tld [file|URL]
- TLD file or URL for bruteforce
- -subdomain [file|URL]
- Subdomain file or URL for subdomains bruteforce
- -dnsservers [dns server or file]
- Use particular DNS server(s) for hostname lookups.
- (Single server, multiple servers (comma separated) or file list (one server per line))
- -ztstop
- Stop scan if Zone Transfer works
- -wildcstop
- Don't perform bruteforcing if a Wildcard is found
- -all
- Perform every test.
- -only [option(s)]
- Only perform the listed tests (comma separated)
- -no [option(s)]
- Do not perform the listed tests (comma separated)
- arin: ARIN lookup
- zt: Zone Transfer
- wildc: Check for Wild Card
- prebf: Prefix Brute Force
- subbf: Subdomain Brute Force (default off)
- tldbf: TLD Brute Force (default off)
- vhost: Virtual hosts (default off)
- findmx: Find MX Records
- whois: Whois Lookup
- hlookups: Hostname Lookups
- nearby: Find Nearby Hosts
- -threads [int]
- Number of threads (default 5 threads)
- -port [int]
- Port to use for testing
- -delay [int]
- Number of seconds to delay (default 3 secs)
- -tcptimeout [int]
- Specify a different TCP timeout (default 10 secs)
- -udptimeout [int]
- Specify a different UDP timeout (default 5 secs)
- -search [comma separated]
- Search list based on the PTR names when performing lookups.
- -traverse [int]
- Number of IPs to search at once, between 0 and 255 (default 10)
- -wide
- Scan the entire class C after finding any matching hostnames in that class C.
- -debug
- Debug option
- -verbose
- Verbose option
- -h, -help
- This help screen.
- -v, -version
- Output the version number.
Examples
Standard Fierce scan
fierce -dns company.com
Standard Fierce scan, additionally searching all class C ranges found for PTR names that match the domain
fierce -dns company.com -wide
Fierce scan that only checks for zone transfer
fierce -dns company.com -only zt
Fierce scan that does not perform bruteforcing if a zone transfer is found
fierce -dns company.com -ztstop
Fierce scan that does not perform bruteforcing if a wildcard is found
fierce -dns company.com -wildcstop
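The zt test behind -only zt and -ztstop simply asks each authoritative name server for an AXFR and sees whether it answers. The following is an added example, not code from Fierce, that performs the same check in Python with only the standard library so a zone owner can confirm their servers refuse transfers; the domain, server and transaction id in the test data are constructed.

```python
"""Check whether a name server answers an AXFR (zone transfer) request.
Added example, not part of Fierce: a stdlib-only version of Fierce's 'zt' test."""
import secrets
import socket
import struct


def build_axfr_query(domain: str, txid: int) -> bytes:
    """Build a raw DNS query: header (flags 0, QDCOUNT 1), QNAME, QTYPE AXFR (252), QCLASS IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 252, 1)


def response_allows_axfr(message: bytes, txid: int) -> bool:
    """True if the first AXFR response carries RCODE 0 and at least one answer RR.
    A server that refuses replies with RCODE REFUSED (5) or NOTAUTH (9) and ANCOUNT 0."""
    if len(message) < 12:
        return False
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return rid == txid and (flags & 0x000F) == 0 and ancount > 0


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def zone_transfer_allowed(domain: str, nameserver: str, timeout: float = 10.0) -> bool:
    """AXFR is TCP-only: each message is prefixed with a 2-byte length (RFC 1035 4.2.2).
    Sends one query to nameserver:53 and inspects only the first response message."""
    txid = secrets.randbelow(65536)
    query = build_axfr_query(domain, txid)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(sock, 2))[0]
        return response_allows_axfr(recv_exact(sock, length), txid)
```

Run zone_transfer_allowed("company.com", "<ns ip>") against each NS of your own zone; a hardened server returns False (REFUSED) for clients that are not on its allow-transfer list.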