From aldeid


Fierce is a semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for specified domains using sources such as DNS, Whois and ARIN. It is meant as a precursor to active testing tools such as nmap, unicornscan, nessus or nikto, since all of those require that you already know which IP space you are looking at. Fierce does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Since it relies primarily on DNS, it often turns up misconfigured networks that leak internal address space.


Install dependencies

$ sudo cpan
cpan[1]> install Net::CIDR
cpan[2]> install Net::Whois::ARIN
cpan[3]> install Object::InsideOut
cpan[4]> install Template
cpan[5]> install Test::Class
cpan[6]> install Test::MockObject
cpan[7]> install Net::DNS
cpan[8]> install Net::hostent
cpan[9]> install WWW::Mechanize

Install Fierce2

$ cd /data/src/
$ svn co fierce2/
$ cd fierce2/
$ perl Makefile.PL
$ make
$ make test
If make test fails, run: sudo make test
$ sudo make install

Then optionally create a symbolic link to comply with the BackTrack directory structure:

$ mkdir -p /pentest/enumeration/fierce/
$ ln -s /usr/local/bin/fierce /pentest/enumeration/fierce/fierce

Install templates

$ mkdir ~/.fierce2/
$ cp -R tt ~/.fierce2/



$ fierce {target options} [OPTIONS]


Target options

-dns [dns name(s) or file]
The domain(s) you would like scanned. Single domain or multiple domains (comma separated). Also supports file input (one domain per line).
-range [111.222.333.1-100]
Scan an internal IP range (must be combined with -dnsservers). Note that this does not support a pattern and will simply output anything it finds. Single range or multiple ranges (comma separated). Also supports file input (one range per line).

General options

-format [type]
Output format [txt|xml|html|all]
-output [file]
Output file
-template [dir]
Template Directory
-arin ["query"]
ARIN Query (default uses domain, without extension)
-prefix [prefix file|URL]
Prefix file or URL for bruteforce attack
-maxbruteforce [int]
Maximum number concatenated onto the prefix (default 5)
-maxlookups [int]
Max number hostname lookups (default 10)
-tld [file|URL]
TLD file or URL for bruteforce
-subdomain [file|URL]
Subdomain file or URL for subdomains bruteforce
-dnsservers [dns server or file]
Use particular DNS server(s) for hostname lookups.
(Single domain, multiple domains (comma separated) or file list (one domain per line))
-ztstop
Stop scan if Zone Transfer works
-wildcstop
Don't perform bruteforcing if a Wildcard is found
Perform every test.
-only [option(s)]
Only perform (comma separated)
-no [option(s)]
Do not perform (comma separated)
  • arin: ARIN lookup
  • zt: Zone Transfer
  • wildc: Check for Wild Card
  • prebf: Prefix Brute Force
  • subbf: Subdomain Brute Force (default off)
  • tldbf: TLD Brute Force (default off)
  • vhost: Vhost Hosts (default off)
  • findmx: Find MX Records
  • whois: Whois Lookup
  • hlookups: Hostname Lookups
  • nearby: Find Nearby Hosts
-threads [int]
Number of threads (default 5 threads)
-port [int]
Port to use for testing
-delay [int]
Number of seconds to delay (default 3 secs)
-tcptimeout [int]
Specify a different TCP timeout (default 10 secs)
-udptimeout [int]
Specify a different UDP timeout (default 5 secs)
-search [comma separated]
Search list based on the PTR names when performing lookups.
-traverse [int]
Number of IPs to search at once, between 0 and 255 (default 10)
-wide
Scan the entire class C after finding any matching hostnames in that class C.
Debug option
Verbose option
-h, -help
This help screen.
-v, -version
Output the version number.


Standard Fierce scan

fierce -dns

Standard Fierce scan and search all class c ranges found for PTR names that match the domain

fierce -dns -wide

Fierce scan that only checks for zone transfer

fierce -dns -only zt

Fierce scan that does not perform bruteforcing if a zone transfer is found

fierce -dns -ztstop

Fierce scan that does not perform bruteforcing if a wildcard is found

fierce -dns -wildcstop
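The -wildcstop option exists because a wildcard DNS record answers for every label under a domain, so a prefix brute force would report every guessed name as a hit. The following Python is an added example (not part of Fierce2) that shows the logic behind the wildc and prebf checks: it probes random labels to learn the wildcard addresses, then discards brute-force results that resolve only to those addresses. The zone table, the fake_resolve function and all addresses are constructed so the example runs offline.

```python
"""Wildcard-aware prefix brute force, illustrating Fierce2's wildc/prebf checks.
Added example, not Fierce2 code.  The resolver is injected so the demo runs
offline against a constructed zone; a real A-record lookup could be swapped in."""
import secrets
import string
from typing import Callable, Dict, Iterable, List, Set, Tuple

# hostname -> set of A records (empty set means the name does not exist)
Resolver = Callable[[str], Set[str]]

# Constructed sample zone: a few explicit records plus a wildcard that answers
# for any other label under example.com with a parking address.
_ZONE: Dict[str, Set[str]] = {
    "www.example.com":  {"192.0.2.10"},
    "mail.example.com": {"192.0.2.20"},
    "dev.example.com":  {"192.0.2.30", "192.0.2.99"},  # shares the parking address
}
_WILDCARD_ADDRS: Set[str] = {"192.0.2.99"}


def fake_resolve(host: str) -> Set[str]:
    """Stand-in for a DNS A lookup over the constructed zone above."""
    if host in _ZONE:
        return set(_ZONE[host])
    if host.endswith(".example.com"):
        return set(_WILDCARD_ADDRS)  # the wildcard synthesises an answer
    return set()


def detect_wildcard(domain: str, resolve: Resolver, samples: int = 3) -> Set[str]:
    """Resolve random labels that should not exist; any addresses returned
    belong to a wildcard record and must be treated as noise."""
    alphabet = string.ascii_lowercase + string.digits
    noise: Set[str] = set()
    for _ in range(samples):
        label = "".join(secrets.choice(alphabet) for _ in range(24))
        noise |= resolve(f"{label}.{domain}")
    return noise


def prefix_bruteforce(domain: str, prefixes: Iterable[str], resolve: Resolver,
                      wildcstop: bool = False) -> Tuple[List[Tuple[str, Set[str]]], Set[str]]:
    """Return (hits, wildcard_addrs).  With wildcstop=True the brute force is
    skipped when a wildcard is present, as -wildcstop does; otherwise names
    whose only addresses are wildcard addresses are dropped as false positives."""
    noise = detect_wildcard(domain, resolve)
    hits: List[Tuple[str, Set[str]]] = []
    if noise and wildcstop:
        return hits, noise
    for prefix in prefixes:
        real_addrs = resolve(f"{prefix}.{domain}") - noise
        if real_addrs:
            hits.append((f"{prefix}.{domain}", real_addrs))
    return hits, noise
```

Note that dev.example.com is kept because it has an address of its own besides the wildcard one, while ftp.example.com, which answers only with the parking address, is filtered out.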

