Aller au contenu
1337skills 1337skills - Aide-mémoires

Fierce

Overview

Section intitulée « Overview »

Fierce is a semi-lightweight DNS reconnaissance tool designed to locate non-contiguous IP space and hostnames against specified domains. Originally written in Perl, it’s now available as a Python-based tool. It’s effective for initial reconnaissance, identifying additional networks connected to your target, and discovering hosts that may be misconfigured or forgotten.

Installation

Section intitulée « Installation »
Section intitulée « Pip (Recommended) »
pip install fierce

Kali Linux

Section intitulée « Kali Linux »
sudo apt update
sudo apt install fierce

From Source

Section intitulée « From Source »
git clone https://github.com/mschwager/fierce.git
cd fierce
pip install -e .

Docker

Section intitulée « Docker »
docker run -it mschwager/fierce:latest fierce --help

Basic Usage

Section intitulée « Basic Usage »

Simple Domain Scan

Section intitulée « Simple Domain Scan »
fierce --domain example.com

Specify Output File

Section intitulée « Specify Output File »
fierce --domain example.com --output results.txt

JSON Output

Section intitulée « JSON Output »
fierce --domain example.com --output results.json --format json

Zone Transfer Attempts

Section intitulée « Zone Transfer Attempts »

Fierce attempts zone transfers by default, which can reveal entire DNS records if misconfigured:

# Zone transfers are included in basic scan
fierce --domain example.com

# Zone transfers are tried against discovered nameservers
# Results show all A records if transfer succeeds

Subdomain Brute Forcing

Section intitulée « Subdomain Brute Forcing »

Default Wordlist Brute Force

Section intitulée « Default Wordlist Brute Force »
# Uses built-in default wordlist (140+ common subdomains)
fierce --domain example.com

Custom Wordlist

Section intitulée « Custom Wordlist »
fierce --domain example.com --wordlist /path/to/wordlist.txt

Large Wordlist (SecLists)

Section intitulée « Large Wordlist (SecLists) »
fierce --domain example.com --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

DNS Wildcard Filtering

Section intitulée « DNS Wildcard Filtering »
# Fierce automatically detects DNS wildcards to reduce false positives
fierce --domain example.com

DNS Server Specification

Section intitulée « DNS Server Specification »

Query Specific Nameserver

Section intitulée « Query Specific Nameserver »
fierce --domain example.com --nameserver 8.8.8.8

Use Multiple Nameservers

Section intitulée « Use Multiple Nameservers »
# Fierce queries all discovered nameservers by default
fierce --domain example.com

Public DNS Servers

Section intitulée « Public DNS Servers »
# Google
fierce --domain example.com --nameserver 8.8.8.8

# Cloudflare
fierce --domain example.com --nameserver 1.1.1.1

# OpenDNS
fierce --domain example.com --nameserver 208.67.222.222

Reverse DNS Lookups

Section intitulée « Reverse DNS Lookups »

Reverse Lookup Range

Section intitulée « Reverse Lookup Range »
# Find hostnames in IP range
fierce --domain example.com --range 192.168.1.0/24

Reverse Lookups After Finding IPs

Section intitulée « Reverse Lookups After Finding IPs »
# Fierce performs reverse lookups on discovered IPs automatically
fierce --domain example.com

Manual Reverse Range Scan

Section intitulée « Manual Reverse Range Scan »
fierce --domain example.com --range 10.0.0.0/8

Wide Scanning

Section intitulée « Wide Scanning »

Find Nearby/Adjacent Networks

Section intitulée « Find Nearby/Adjacent Networks »
# Looks for nearby IP ranges connected to target
fierce --domain example.com

Extended IP Range Scanning

Section intitulée « Extended IP Range Scanning »
# Scan broader range to find non-contiguous space
fierce --domain example.com --range 192.168.0.0/16

Threading & Performance

Section intitulée « Threading & Performance »

Increase Threads (Faster Scanning)

Section intitulée « Increase Threads (Faster Scanning) »
# Default is 1 (slow), increase for faster results
fierce --domain example.com --threads 10

Balanced Performance

Section intitulée « Balanced Performance »
fierce --domain example.com --threads 5

Aggressive Threading (Resource Intensive)

Section intitulée « Aggressive Threading (Resource Intensive) »
fierce --domain example.com --threads 50

Output Options

Section intitulée « Output Options »

Text Output (Default)

Section intitulée « Text Output (Default) »
fierce --domain example.com --output results.txt

JSON Format

Section intitulée « JSON Format »
fierce --domain example.com --format json --output results.json

CSV Format

Section intitulée « CSV Format »
fierce --domain example.com --format csv --output results.csv

Standard Output (No File)

Section intitulée « Standard Output (No File) »
fierce --domain example.com

Advanced Options

Section intitulée « Advanced Options »

Full Domain List With Records

Section intitulée « Full Domain List With Records »
fierce --domain example.com --full

Delay Between Requests

Section intitulée « Delay Between Requests »
# Add delay to avoid detection/blocking (milliseconds)
fierce --domain example.com --delay 500

Timeout for Requests

Section intitulée « Timeout for Requests »
fierce --domain example.com --timeout 5

Verbosity/Debug Mode

Section intitulée « Verbosity/Debug Mode »
fierce --domain example.com --verbose

Common Recon Workflows

Section intitulée « Common Recon Workflows »

Initial Corporate Network Mapping

Section intitulée « Initial Corporate Network Mapping »
# Basic scan to identify primary infrastructure
fierce --domain example.com --output initial_recon.txt

# Then expand to adjacent ranges
fierce --domain example.com --range 10.0.0.0/8 --threads 5

Complete Subdomain Enumeration

Section intitulée « Complete Subdomain Enumeration »
# With custom wordlist for better coverage
fierce --domain example.com \
  --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  --threads 10 \
  --format json \
  --output subdomains.json

Network Boundary Discovery

Section intitulée « Network Boundary Discovery »
# Find non-contiguous spaces
fierce --domain example.com \
  --range 192.168.0.0/16 \
  --threads 5 \
  --delay 200

Integration With Other Tools

Section intitulée « Integration With Other Tools »
# Output to feed into other reconnaissance tools
fierce --domain example.com --format csv --output hosts.csv

# Extract IPs for further scanning
fierce --domain example.com | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort -u > ips.txt

Comparison With Similar Tools

Section intitulée « Comparison With Similar Tools »
ToolStrengthsUse Case
FierceFast, simple, zone transfers, adjacent IP findingQuick recon, non-contiguous space discovery
DNSReconMore options, DNSSEC checks, Google dorkingComprehensive DNS analysis
DNSenumZone transfer, reverse lookups, subdomain enumDetailed DNS mapping
SubfinderFast, passive sources, multiple APIsPassive subdomain collection
AmassAdvanced, data aggregation, API integrationEnterprise-grade discovery

DNS Zone Transfer Exploitation

Section intitulée « DNS Zone Transfer Exploitation »

Understand Zone Transfer Security

Section intitulée « Understand Zone Transfer Security »
# If fierce returns full zone data, the target has misconfigured AXFR
# This reveals the entire DNS structure
fierce --domain example.com

# Check if nameservers allow transfers
nslookup -type=NS example.com
fierce --domain example.com --nameserver [nameserver-from-above]

Common Issues & Troubleshooting

Section intitulée « Common Issues & Troubleshooting »

Excessive False Positives (Wildcard DNS)

Section intitulée « Excessive False Positives (Wildcard DNS) »
# Fierce detects wildcards, but verify manually
nslookup doesnotexist.example.com
# If it resolves, the domain uses wildcard DNS
# Fierce will filter these out automatically

Slow Scanning

Section intitulée « Slow Scanning »
# Increase threads if network allows
fierce --domain example.com --threads 20

# Reduce timeout if network is fast
fierce --domain example.com --timeout 3

Blocked by Rate Limiting

Section intitulée « Blocked by Rate Limiting »
# Add delays between requests
fierce --domain example.com --delay 1000

# Use different DNS servers
fierce --domain example.com --nameserver 8.8.8.8

No Results For Subdomains

Section intitulée « No Results For Subdomains »
# Try with a larger wordlist
fierce --domain example.com --wordlist /path/to/larger-list.txt

# Some subdomains may require custom wordlists

Legal & Ethical Considerations

Section intitulée « Legal & Ethical Considerations »
  • Only use Fierce on systems you own or have explicit written permission to test
  • Unauthorized network reconnaissance is illegal
  • Use in authorized penetration testing engagements only
  • Respect rate limits and don’t cause DoS conditions
  • Document all findings and handle data responsibly

Getting Help

Section intitulée « Getting Help »
fierce --help              # Show all options
fierce --help | grep -i wordlist   # Find specific option
man fierce                 # Manual page (if installed)

See Also

Section intitulée « See Also »
  • dnsrecon — Advanced DNS reconnaissance
  • dnsenum — DNS enumeration tool
  • subfinder — Passive subdomain discovery
  • amass — OWASP comprehensive asset discovery
  • dig — Manual DNS queries
  • nmap — Network scanning and host discovery