Fierce

From aldeid
Jump to navigation Jump to search

Description

Fierce is a semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for a specified domains using things like DNS, Whois and ARIN. It's really meant as a pre-cursor to active testing tools via something like: nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. Fierce does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Since it uses DNS primarily you will often find mis-configured networks that leak internal address space.

Installation

Install dependencies

$ sudo cpan
cpan[1]> install Net::CIDR
cpan[2]> install Net::Whois::ARIN
cpan[3]> install Object::InsideOut
cpan[4]> install Template
cpan[5]> install Test::Class
cpan[6]> install Test::MockObject
cpan[7]> install Net::DNS
cpan[8]> install Net::hostent
cpan[0]> install WWW::Mechanize

Install Fierce2

$ cd /data/src/
$ svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
$ cd fierce2/
$ perl Makefile.PL
$ make
$ make test
Note
If sudo make test fails, run: sudo installdep.sh
$ sudo make install

Then optionally create a symbolic link to comply with backtrack directory structure:

$ mkdir -p /pentest/enumeration/fierce/
$ ln -s /usr/local/bin/fierce /pentest/enumeration/fierce/fierce

Install templates

$ mkdir ~/.fierce2/
$ cp -R tt ~/.fierce2/

Usage

Syntax

$ fierce {target options} [OPTIONS]

Options

Target options

-dns [dns name(s) or file]
The domain(s) you would like scanned. Single domain, Multiple domains (Comma seperated). Also, supports file input (one domain per line)
-range [111.222.333.1-100]
Scan an internal IP range (must be combined with -dnsservers). Note, that this does not support a pattern and will simply output anything it finds. Singe range, Multiple ranges (Comma separated). Also, supports file input (one range per line)

General options

-format [type]
Output format [txt|xml|html|all]
-output [file]
Output file
-template [dir]
Template Directory
-arin ["query"]
ARIN Query (default uses domain, without extension)
-prefix [prefix file|URL]
Prefix file or URL for bruteforce attack
-maxbruteforce [int]
Max number concatted onto prefix (default 5)
-maxlookups [int]
Max number hostname lookups (default 10)
-tld [file|URL]
TLD file or URL for bruteforce
-subdomain [file|URL]
Subdomain file or URL for subdomains bruteforce
-dnsservers [dns server or file]
Use particular DNS server(s) for hostname lookups.
(Single domain, Multiple domains (Comma seperated) or File list(one domain per line) )
-ztstop
Stop scan if Zone Transfer works
-wildcstop
Don't perform bruteforcing if a Wildcard is found
-all
Perform every test.
-only [option(s)]
Only perform (comma seperated)
-no [option(s)]
Do not perform (comma seperated)
  • arin: ARIN lookup
  • zt: Zone Transfer
  • wildc: Check for Wild Card
  • prebf: Prefix Brute Force
  • subbf: Subdomain Brute Force (default off)
  • tldbf: TLD Brute Force (default off)
  • vhost: Vhost Hosts (default off)
  • findmx: Find MX Records
  • whois: Whois Lookup
  • hlookups: Hostname Lookups
  • nearby: Find Nearby Hosts
-threads [int]
Number of threads (default 5 threads)
-port [int]
Port to use for testing
-delay [int]
Number of seconds to delay (default 3 secs)
-tcptimeout [int]
Specify a different TCP timeout (default 10 secs)
-udptimeout [int]
Specify a different UDP timeout (default 5 secs)
-search [comma seperated]
Search list based on the PTR names when performing lookups.
-traverse [int]
Number of IPs to search at once betwen 0 and 255 (default 10)
-wide
Scan the entire class C after finding any matching hostnames in that class C.
-debug
Debug option
-verbose
Verbose option
-h, -help
This help screen.
-v, -version
Output the version number.

Examples

Standard Fierce scan

fierce -dns company.com

Standard Fierce scan and search all class c ranges found for PTR names that match the domain

fierce -dns company.com -wide

Fierce scan that only checks for zone transfer

fierce -dns company.com -only zt

Fierce scan that does not perform bruteforcing if a zone transfer is found

fierce -dns company.com -ztstop

Fierce scan that does not perform bruteforcing if a wildcard is found

fierce -dns company.com -wildcstop

Comments