Fierce DNS Scanner

Welcome to another tutorial! This tutorial is on the Fierce domain scanner in Kali 2.0.

FIERCE is a tool written by Robert Hansen, aka, RSnake. It’s another domain scanner, but it does a couple of things the other tools we’ve looked at don’t do. One cool feature is that when it finds a valid host/IP, it will do reverse lookups for the IP space above and below the valid one you found. This could help uncover additional hosts that the brute force method may not have found. We’ll look at this more in action as we start using the tool.

Options
In Kali, go to “Applications –> Information Gathering –> DNS Analysis –> FIERCE”. This will give you the standard listing of all the options, and a description for each.

[Screenshot: fierce help output]

We’ll briefly go over them here:
-connect: make http connections to public web servers, and return the headers
-delay: delays the time between lookups
-dns: specify the domain you’re scanning
-dnsfile: provide list of DNS servers for reverse lookups
-dnsserver: use a specific DNS server for reverse lookups
-file: save results to a file
-fulloutput: used with “-connect” to return all results instead of just the HTTP headers
-nopattern: dumps all domains in the discovered IP ranges
-range: scan internal IP range; used with the “-dnsserver” switch
-search: lets you search for additional hosts based on specific names the company might use
-traverse: specify number of IPs above and below discovered hosts
-wide: scan entire class C network; generates a lot of traffic
-wordlist: specify a custom wordlist

We’re not going to cover all of these in this tutorial, mainly because some of them would be considered quite intrusive, and can generate a lot of traffic on the target host. Let’s go ahead and start running through some scans.

Basic Scan
The first one we’ll do will be a basic scan. The syntax will be:

fierce -dns knifecenter.com -threads 10

[Screenshot: default scan, start of output]

I added the “threads” switch so it would make the scan run faster. By default, Fierce runs in single threaded mode, so increasing this greatly improves the speed.

The first thing Fierce does is find the name servers for the target domain. Next, it attempts a zone transfer. If that fails, it checks whether wildcard DNS is enabled, then performs a brute force against the domain using its built-in wordlist.

[Screenshot: default scan, results]

Once the scan is finished, it shows any subdomains it found, along with the subnets, which you could then probe further by using nmap, or another port scanner.
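The order of operations described above (wildcard check, brute force, then reverse lookups around each discovered address), as an added Python sketch. This is illustration code, not Fierce's source; the zone data, domain names and wordlist are constructed so it runs offline, and the resolver functions are assumptions you would swap for real lookups.

```python
import ipaddress
import random
import string

# Constructed stand-in for live DNS so the example runs offline:
# forward table hostname -> IP, reverse table IP -> hostname.
FAKE_FORWARD = {"www.example.test": "192.0.2.10", "mail.example.test": "192.0.2.11"}
FAKE_REVERSE = {
    "192.0.2.9": "vpn.example.test",        # not in the wordlist, only traversal finds it
    "192.0.2.10": "www.example.test",
    "192.0.2.11": "mail.example.test",
    "192.0.2.13": "ns1.otherdomain.test",   # neighbour outside the target domain, dropped
}

def wildcard_enabled(domain, resolve):
    """Resolve a random label: an answer means the zone wildcards, so every
    brute-forced name would appear to exist and the results would be noise."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return resolve(f"{label}.{domain}") is not None

def brute_force(domain, wordlist, resolve):
    """Forward brute force: hostname -> IP for every wordlist entry that resolves."""
    found = {}
    for word in wordlist:
        ip = resolve(f"{word}.{domain}")
        if ip:
            found[f"{word}.{domain}"] = ip
    return found

def traverse(ips, reverse, domain, width=5):
    """Reverse-look up `width` addresses above and below each hit (the -traverse idea).
    Names outside the target domain are dropped; that is the filter -nopattern turns off."""
    hits = {}
    for ip in ips:
        base = int(ipaddress.ip_address(ip))
        for off in range(-width, width + 1):
            cand = str(ipaddress.ip_address(base + off))
            name = reverse(cand)
            if name and name.endswith("." + domain):
                hits[cand] = name
    return hits

def enumerate_domain(domain, wordlist, resolve=FAKE_FORWARD.get, reverse=FAKE_REVERSE.get):
    """Fierce's steps after the zone-transfer attempt: wildcard check, brute force,
    then traversal around every discovered address."""
    if wildcard_enabled(domain, resolve):
        return {"wildcard": True, "forward": {}, "reverse": {}}
    fwd = brute_force(domain, wordlist, resolve)
    return {"wildcard": False, "forward": fwd, "reverse": traverse(set(fwd.values()), reverse, domain)}
```

Note that vpn.example.test is never in the wordlist yet still turns up, which is exactly the extra coverage the traversal step buys.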

By default, fierce uses its own built-in wordlist, but you can specify your own. Use the “-wordlist” switch, then point it to the location of your custom list. I’ve noticed that you can sometimes get a few more results by using different lists, so be sure you try a couple when running the test.

Here, I’m just using the list that comes with “dnsrecon”.

[Screenshot: scan with the dnsrecon wordlist]

The results are the same as the first scan, but it doesn’t hurt to try multiple lists on your target. Even better if you can customize a list for that specific domain.

Use the “Connect” Switch
Next, let’s look at the “-connect” option. This option will cause “fierce” to connect to the discovered domains, and try to pull back HTTP headers for any web servers that are running. This technique could get you a little more info, such as the type and version of web server running, which you could then target with an exploit. The output of this scan looks like this:

[Screenshot: scan with -connect, start of output]

Like it says in the help file, this option can take a long time to run, especially if there are a lot of domains to go through, so only use this if you have the time to wait on the results. The results show the version of web server the target is using. You can use this information to look for public exploits, and possibly leverage that to gain entry to the server.

[Screenshot: scan with -connect, HTTP headers returned]

Saving Results
Next we’ll save results to a file, using the “-file” switch. We’ll save the file to the desktop.

[Screenshot: scan with -file]

If we open that file, we’ll see the results saved in the same format you see in the terminal window.

[Screenshot: saved results file]

Fierce and a Zone Transfer
Let’s see what happens when Fierce comes across a site that allows a zone transfer to take place. We’ll use the “zonetransfer.me” site for this example.

[Screenshot: zone transfer against zonetransfer.me, start of output]

[Screenshot: zone transfer against zonetransfer.me, records returned]

If a zone transfer is successful, fierce stops running at that point. You could then take the information you got from the zone transfer, and continue probing, and planning other attacks such as phishing attacks, client-side attacks, etc.

Conclusion
Fierce is another good tool to use for DNS enumeration. It works like the other tools we’ve looked at, with a couple of extra features that can benefit the tester.

Thanks for looking!