Fierce
Overview
Fierce is a semi-lightweight DNS reconnaissance tool designed to locate non-contiguous IP space and hostnames against specified domains. Originally written in Perl, it’s now available as a Python-based tool. It’s effective for initial reconnaissance, identifying additional networks connected to your target, and discovering hosts that may be misconfigured or forgotten.
Installation
Pip (Recommended)
pip install fierce
Kali Linux
sudo apt update
sudo apt install fierce
From Source
git clone https://github.com/mschwager/fierce.git
cd fierce
pip install -e .
Docker
docker run -it mschwager/fierce:latest fierce --help
Basic Usage
Simple Domain Scan
fierce --domain example.com
Specify Output File
fierce --domain example.com --output results.txt
JSON Output
fierce --domain example.com --output results.json --format json
Zone Transfer Attempts
Fierce attempts zone transfers by default, which can reveal the zone's entire set of DNS records if a nameserver is misconfigured:
# Zone transfers are included in basic scan
fierce --domain example.com
# Zone transfers are tried against discovered nameservers
# Results show all A records if transfer succeeds
Subdomain Brute Forcing
Default Wordlist Brute Force
# Uses built-in default wordlist (140+ common subdomains)
fierce --domain example.com
Custom Wordlist
fierce --domain example.com --wordlist /path/to/wordlist.txt
Large Wordlist (SecLists)
fierce --domain example.com --wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
DNS Wildcard Filtering
# Fierce automatically detects DNS wildcards to reduce false positives
fierce --domain example.com
DNS Server Specification
Query Specific Nameserver
fierce --domain example.com --nameserver 8.8.8.8
Use Multiple Nameservers
# Fierce queries all discovered nameservers by default
fierce --domain example.com
Public DNS Servers
# Google
fierce --domain example.com --nameserver 8.8.8.8
# Cloudflare
fierce --domain example.com --nameserver 1.1.1.1
# OpenDNS
fierce --domain example.com --nameserver 208.67.222.222
Reverse DNS Lookups
Reverse Lookup Range
# Find hostnames in IP range
fierce --domain example.com --range 192.168.1.0/24
Reverse Lookups After Finding IPs
# Fierce performs reverse lookups on discovered IPs automatically
fierce --domain example.com
Manual Reverse Range Scan
fierce --domain example.com --range 10.0.0.0/8
Wide Scanning
Find Nearby/Adjacent Networks
# Looks for nearby IP ranges connected to target
fierce --domain example.com
Extended IP Range Scanning
# Scan broader range to find non-contiguous space
fierce --domain example.com --range 192.168.0.0/16
Threading & Performance
Increase Threads (Faster Scanning)
# Default is 1 (slow), increase for faster results
fierce --domain example.com --threads 10
Balanced Performance
fierce --domain example.com --threads 5
Aggressive Threading (Resource Intensive)
fierce --domain example.com --threads 50
Output Options
Text Output (Default)
fierce --domain example.com --output results.txt
JSON Format
fierce --domain example.com --format json --output results.json
CSV Format
fierce --domain example.com --format csv --output results.csv
Standard Output (No File)
fierce --domain example.com
Advanced Options
Full Domain List With Records
fierce --domain example.com --full
Delay Between Requests
# Add delay to avoid detection/blocking (milliseconds)
fierce --domain example.com --delay 500
Timeout for Requests
fierce --domain example.com --timeout 5
Verbosity/Debug Mode
fierce --domain example.com --verbose
Common Recon Workflows
Initial Corporate Network Mapping
# Basic scan to identify primary infrastructure
fierce --domain example.com --output initial_recon.txt
# Then expand to adjacent ranges
fierce --domain example.com --range 10.0.0.0/8 --threads 5
Complete Subdomain Enumeration
# With custom wordlist for better coverage
fierce --domain example.com \
--wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
--threads 10 \
--format json \
--output subdomains.json
Network Boundary Discovery
# Find non-contiguous spaces
fierce --domain example.com \
--range 192.168.0.0/16 \
--threads 5 \
--delay 200
Integration With Other Tools
# Output to feed into other reconnaissance tools
fierce --domain example.com --format csv --output hosts.csv
# Extract IPs for further scanning
fierce --domain example.com | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' | sort -u > ips.txt
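The grep pattern above also matches strings that are not addresses (octets above 255, longer dotted version numbers) and keeps hosts that fall outside the engagement. This added example, which is not part of Fierce or the original page, validates each candidate and keeps only addresses inside the CIDR blocks passed as arguments; the function names, the scope blocks and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of Fierce. Usage: <tool output> | scoped_ips CIDR [CIDR ...]
scoped_ips() {
    awk -v scope="$*" '
    # Dotted quad to integer; -1 when the token is not a valid IPv4 address.
    function ip2int(ip,    o, n, i) {
        n = split(ip, o, ".")
        if (n != 4) return -1
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        # Pre-compute the first and last address of every scope block.
        nscope = split(scope, blocks, " ")
        for (b = 1; b <= nscope; b++) {
            split(blocks[b], part, "/")
            base = ip2int(part[1])
            bits = (part[2] == "") ? 32 : part[2] + 0
            if (base < 0 || bits > 32) { lo[b] = 1; hi[b] = 0; continue }  # invalid block matches nothing
            size = 2 ^ (32 - bits)
            lo[b] = int(base / size) * size
            hi[b] = lo[b] + size - 1
        }
    }
    {
        line = $0
        # Walk every dotted-number token on the line.
        while (match(line, /[0-9]+(\.[0-9]+)+/)) {
            tok = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            if ((v = ip2int(tok)) < 0 || (tok in seen)) continue
            for (b = 1; b <= nscope; b++)
                if (v >= lo[b] && v <= hi[b]) { seen[tok] = 1; print tok; break }
        }
    }' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# Constructed sample lines, not captured from a real scan.
sample_output() {
    cat <<'EOF'
Found: www.example.com. (192.0.2.10)
Found: mail.example.com. (192.0.2.25)
Found: vpn.example.com. (198.51.100.20)
Found: cdn.example.com. (203.0.113.7)
Found: old.example.com. (192.0.2.10)
agent build 1.2.3.4.5 probe 999.0.2.1
EOF
}
sample_output | scoped_ips 192.0.2.0/24 198.51.100.16/28
```

A scope argument without a prefix length is treated as a single address, and a malformed block matches nothing, so a typo in the scope list cannot widen it.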
Comparison With Similar Tools
| Tool | Strengths | Use Case |
|---|---|---|
| Fierce | Fast, simple, zone transfers, adjacent IP finding | Quick recon, non-contiguous space discovery |
| DNSRecon | More options, DNSSEC checks, Google dorking | Comprehensive DNS analysis |
| DNSenum | Zone transfer, reverse lookups, subdomain enum | Detailed DNS mapping |
| Subfinder | Fast, passive sources, multiple APIs | Passive subdomain collection |
| Amass | Advanced, data aggregation, API integration | Enterprise-grade discovery |
DNS Zone Transfer Exploitation
Understand Zone Transfer Security
# If fierce returns full zone data, the target has misconfigured AXFR
# This reveals the entire DNS structure
fierce --domain example.com
# Check if nameservers allow transfers
nslookup -type=NS example.com
fierce --domain example.com --nameserver [nameserver-from-above]
Common Issues & Troubleshooting
Excessive False Positives (Wildcard DNS)
# Fierce detects wildcards, but verify manually
nslookup doesnotexist.example.com
# If it resolves, the domain uses wildcard DNS
# Fierce will filter these out automatically
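How the manual wildcard check above can be used to clean a result list, as an added example that is not Fierce's own code: it probes a label that should not exist and drops every recorded hit whose address equals the wildcard answer. The function names, the `RESOLVE` variable, the stub zone `wild.example` and the sample hits are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not Fierce's own code. RESOLVE names the function used to
# look up A records; the default is an offline stub. Set RESOLVE=resolve_dig
# to query real DNS for a zone you administer.
RESOLVE=${RESOLVE:-resolve_stub}

# Live lookup: keep only IPv4 answers (dig +short also prints CNAME targets).
resolve_dig() { dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'; }

# Constructed stub zone: wild.example has a wildcard answering 203.0.113.99
# plus one real host; every other name does not resolve.
resolve_stub() {
    case "$1" in
        www.wild.example) echo 192.0.2.10 ;;
        *.wild.example)   echo 203.0.113.99 ;;
    esac
}

# A records returned for a random label that should not exist under domain $1,
# space separated. Empty output means no wildcard was observed.
wildcard_answers() {
    "$RESOLVE" "nx-$$-$(date +%s).$1" | sort -u | tr '\n' ' '
}

# Read "hostname ip" lines on stdin and drop those whose ip is a wildcard
# answer for domain $1.
drop_wildcard_hits() {
    awk -v wild="$(wildcard_answers "$1")" '
        BEGIN { n = split(wild, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        !($2 in w)'
}

# Constructed result lines, in a "hostname ip" layout chosen for this example.
sample_hits() {
    cat <<'EOF'
www.wild.example 192.0.2.10
dev.wild.example 203.0.113.99
intranet.wild.example 203.0.113.99
EOF
}

sample_hits | drop_wildcard_hits wild.example
```

A real host that points at the same address as the wildcard is dropped as well, so review the removed names when the wildcard target is a shared front end.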
Slow Scanning
# Increase threads if network allows
fierce --domain example.com --threads 20
# Reduce timeout if network is fast
fierce --domain example.com --timeout 3
Blocked by Rate Limiting
# Add delays between requests
fierce --domain example.com --delay 1000
# Use different DNS servers
fierce --domain example.com --nameserver 8.8.8.8
No Results For Subdomains
# Try with a larger wordlist
fierce --domain example.com --wordlist /path/to/larger-list.txt
# Some subdomains may require custom wordlists
Legal & Ethical Considerations
- Only use Fierce on systems you own or have explicit written permission to test
- Unauthorized network reconnaissance is illegal
- Use in authorized penetration testing engagements only
- Respect rate limits and don’t cause DoS conditions
- Document all findings and handle data responsibly
Getting Help
fierce --help # Show all options
fierce --help | grep -i wordlist # Find specific option
man fierce # Manual page (if installed)
See Also
- dnsrecon — Advanced DNS reconnaissance
- dnsenum — DNS enumeration tool
- subfinder — Passive subdomain discovery
- amass — OWASP comprehensive asset discovery
- dig — Manual DNS queries
- nmap — Network scanning and host discovery