Fierce
Overview
Fierce is a semi-lightweight DNS reconnaissance tool designed to locate non-contiguous IP space and hostnames against specified domains. Originally written in Perl, it’s now available as a Python-based tool. It’s effective for initial reconnaissance, identifying additional networks connected to your target, and discovering hosts that may be misconfigured or forgotten.
Installation
Pip (Recommended)
pip install fierce
Kali Linux
sudo apt update
sudo apt install fierce
From Source
git clone https://github.com/mschwager/fierce.git
cd fierce
pip install -e .
docker run -it mschwager/fierce:latest fierce --help
Basic Usage
Simple Domain Scan
fierce --domain example.com
Specify Output File
fierce --domain example.com --output results.txt
JSON Output
fierce --domain example.com --output results.json --format json
Zone Transfer Attempts
Fierce attempts zone transfers by default. If a nameserver is misconfigured to allow them, a transfer reveals every DNS record in the zone:
# Zone transfers are included in basic scan
fierce --domain example.com
# Zone transfers are tried against discovered nameservers
# Results show all A records if transfer succeeds
Subdomain Brute Forcing
Default Wordlist Brute Force
# Uses built-in default wordlist (140+ common subdomains)
fierce --domain example.com
Custom Wordlist
fierce --domain example.com --wordlist /path/to/wordlist.txt
Large Wordlist (SecLists)
fierce --domain example.com --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
DNS Wildcard Filtering
# Fierce automatically detects DNS wildcards to reduce false positives
fierce --domain example.com
DNS Server Specification
Query Specific Nameserver
fierce --domain example.com --nameserver 8.8.8.8
Use Multiple Nameservers
# Fierce queries all discovered nameservers by default
fierce --domain example.com
Public DNS Servers
# Google
fierce --domain example.com --nameserver 8.8.8.8
# Cloudflare
fierce --domain example.com --nameserver 1.1.1.1
# OpenDNS
fierce --domain example.com --nameserver 208.67.222.222
Reverse DNS Lookups
Reverse Lookup Range
# Find hostnames in IP range
fierce --domain example.com --range 192.168.1.0/24
Reverse Lookups After Finding IPs
# Fierce performs reverse lookups on discovered IPs automatically
fierce --domain example.com
Manual Reverse Range Scan
fierce --domain example.com --range 10.0.0.0/8
Wide Scanning
Find Nearby/Adjacent Networks
# Looks for nearby IP ranges connected to target
fierce --domain example.com
Extended IP Range Scanning
# Scan broader range to find non-contiguous space
fierce --domain example.com --range 192.168.0.0/16
Threading & Performance
Increase Threads (Faster Scanning)
# Default is 1 (slow), increase for faster results
fierce --domain example.com --threads 10
Balanced Performance
fierce --domain example.com --threads 5
Aggressive Threading (Resource Intensive)
fierce --domain example.com --threads 50
Output Options
Text Output (Default)
fierce --domain example.com --output results.txt
JSON Format
fierce --domain example.com --format json --output results.json
CSV Format
fierce --domain example.com --format csv --output results.csv
Standard Output (No File)
fierce --domain example.com
Advanced Options
Full Domain List With Records
fierce --domain example.com --full
Delay Between Requests
# Add delay to avoid detection/blocking (milliseconds)
fierce --domain example.com --delay 500
Timeout for Requests
fierce --domain example.com --timeout 5
Verbosity/Debug Mode
fierce --domain example.com --verbose
Common Recon Workflows
Initial Corporate Network Mapping
# Basic scan to identify primary infrastructure
fierce --domain example.com --output initial_recon.txt
# Then expand to adjacent ranges
fierce --domain example.com --range 10.0.0.0/8 --threads 5
Complete Subdomain Enumeration
# With custom wordlist for better coverage
fierce --domain example.com \
--wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
--threads 10 \
--format json \
--output subdomains.json
Network Boundary Discovery
# Find non-contiguous spaces
fierce --domain example.com \
--range 192.168.0.0/16 \
--threads 5 \
--delay 200
Integration With Other Tools
# Output to feed into other reconnaissance tools
fierce --domain example.com --format csv --output hosts.csv
# Extract IPs for further scanning
fierce --domain example.com | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort -u > ips.txt
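The grep pattern above also matches strings that are not addresses (octets above 255, version numbers). The following added example, which is not part of Fierce or of the original page, validates each candidate, groups the survivors by /24 to make non-contiguous ranges visible, and flags RFC 1918 addresses that a public zone should not expose. The sample output and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of scan output; not captured from a real run.
SAMPLE_OUTPUT = """\
Found: www.example.com. (203.0.113.10)
Found: mail.example.com. (203.0.113.25)
Found: vpn.example.com. (198.51.100.7)
Found: intranet.example.com. (10.20.30.40)
Version 1.2.3.400 of resolver (999.1.1.1)
"""

# Dotted quads not glued to further digits or dots on either side.
CANDIDATE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def extract_ips(text):
    """Return the unique, valid IPv4 addresses found in text, sorted."""
    found = set()
    for token in CANDIDATE.findall(text):
        try:
            found.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue  # matched the regex but is not a valid address
    return sorted(found)


def group_by_network(ips, prefix=24):
    """Map each /prefix network to the addresses seen inside it."""
    groups = defaultdict(list)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        groups[net].append(ip)
    return dict(groups)


def internal_leaks(ips):
    """Addresses in RFC 1918 space, i.e. internal hosts named in public DNS."""
    return [ip for ip in ips if any(ip in net for net in RFC1918)]
```
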
Comparison With Similar Tools
| Tool | Strengths | Use Case |
|---|---|---|
| Fierce | Fast, simple, zone transfers, adjacent IP finding | Quick recon, non-contiguous space discovery |
| DNSRecon | More options, DNSSEC checks, Google dorking | Comprehensive DNS analysis |
| DNSenum | Zone transfer, reverse lookups, subdomain enum | Detailed DNS mapping |
| Subfinder | Fast, passive sources, multiple APIs | Passive subdomain collection |
| Amass | Advanced, data aggregation, API integration | Enterprise-grade discovery |
DNS Zone Transfer Exploitation
Understand Zone Transfer Security
# If fierce returns full zone data, the target has misconfigured AXFR
# This reveals the entire DNS structure
fierce --domain example.com
# Check if nameservers allow transfers
nslookup -type=NS example.com
fierce --domain example.com --nameserver [nameserver-from-above]
Common Issues & Troubleshooting
Excessive False Positives (Wildcard DNS)
# Fierce detects wildcards, but verify manually
nslookup doesnotexist.example.com
# If it resolves, the domain uses wildcard DNS
# Fierce will filter these out automatically
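The manual check above, generalized into a filter, as an added example that is not Fierce's own implementation: resolve a few random labels that should not exist, treat any answers as wildcard addresses, and drop wordlist hits that resolve only to those addresses. The `resolve` callable, the `fake_resolve` stand-in and the zone data are hypothetical and constructed so the example runs offline.

```python
import secrets


def wildcard_addresses(domain, resolve, probes=3):
    """Resolve random labels that should not exist; any answers are wildcard IPs."""
    seen = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 hex chars, effectively never a real host
        seen.update(resolve(f"{label}.{domain}"))
    return seen


def filter_hits(domain, words, resolve):
    """Return (real_hits, wildcard_ips), dropping names that only echo the wildcard."""
    wildcard = wildcard_addresses(domain, resolve)
    real = {}
    for word in words:
        name = f"{word}.{domain}"
        answers = set(resolve(name))
        # Keep a name only if it has at least one address the wildcard does not give.
        if answers and not answers <= wildcard:
            real[name] = sorted(answers)
    return real, wildcard


# Constructed zone: "*.example.com" answers 203.0.113.99.
EXPLICIT = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "parked.example.com": ["203.0.113.99"],  # explicit record, same IP as wildcard
}


def fake_resolve(name):
    """Stand-in resolver (hypothetical); replace with a real A-record lookup."""
    if name in EXPLICIT:
        return EXPLICIT[name]
    return ["203.0.113.99"] if name.endswith(".example.com") else []
```

A host with its own record that points at the wildcard address (`parked.example.com` here) is filtered along with the false positives, so address-based wildcard filtering can hide real names.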
Slow Scanning
# Increase threads if network allows
fierce --domain example.com --threads 20
# Reduce timeout if network is fast
fierce --domain example.com --timeout 3
Blocked by Rate Limiting
# Add delays between requests
fierce --domain example.com --delay 1000
# Use different DNS servers
fierce --domain example.com --nameserver 8.8.8.8
No Results For Subdomains
# Try with a larger wordlist
fierce --domain example.com --wordlist /path/to/larger-list.txt
# Some subdomains may require custom wordlists
Legal & Ethical Considerations
- Only use Fierce on systems you own or have explicit written permission to test
- Unauthorized network reconnaissance is illegal
- Use in authorized penetration testing engagements only
- Respect rate limits and don’t cause DoS conditions
- Document all findings and handle data responsibly
Getting Help
fierce --help # Show all options
fierce --help | grep -i wordlist # Find specific option
man fierce # Manual page (if installed)
See Also
- dnsrecon — Advanced DNS reconnaissance
- dnsenum — DNS enumeration tool
- subfinder — Passive subdomain discovery
- amass — OWASP comprehensive asset discovery
- dig — Manual DNS queries
- nmap — Network scanning and host discovery