Welcome to another tutorial! This tutorial is on the Fierce domain scanner in Kali 2.0.
FIERCE is a tool written by Robert Hansen, aka, RSnake. It’s another domain scanner, but it does a couple of things the other tools we’ve looked at don’t do. One cool feature is that when it finds a valid host/IP, it will do reverse lookups for the IP space above and below the valid one you found. This could help uncover additional hosts that the brute force method may not have found. We’ll look at this more in action as we start using the tool.
In Kali, go to “Applications –> Information Gathering –> DNS Analysis –> FIERCE”. This will give you the standard listing of all the options, and a description for each.
We’ll briefly go over them here:
-connect: make http connections to public web servers, and return the headers
-delay: delays the time between lookups
-dns: specify the domain you’re scanning
-dnsfile: provide list of DNS servers for reverse lookups
-dnsserver: use a specific DNS server for reverse lookups
-file: save results to a file
-fulloutput: used with “-connect” to return all results instead of just the HTTP headers
-nopattern: dumps all domains in the discovered IP ranges
-range: scan internal IP range; used with the “-dnsserver” switch
-search: let you search for additional hosts based on specific names the company might use
-traverse: specify number of IPs above and below discovered hosts
-wide: scan entire class C network; generates a lot of traffic
-wordlist: specify a custom wordlist
We’re not going to cover all of these in this tutorial, mainly because some of them would be considered quite intrusive, and can generate a lot of traffic on the target host. Let’s go ahead and start running through some scans.
The first one we’ll do will be a basic scan. The syntax will be:
fierce -dns knifecenter.com -threads 10
I added the “threads” switch so it would make the scan run faster. By default, Fierce runs in single threaded mode, so increasing this greatly improves the speed.
The first thing Fierce does is find the name servers for the target domain. Next, it attempts to do a zone transfer. If that fails, it checks is wildcard DNS is enabled, then performs a brute force against the domain using its built-in wordlist.
Once the scan is finished, it shows any subdomains it found, along with the subnets, which you could then probe further by using nmap, or another port scanner.
By default, fierce uses its own built-in wordlist, but you can specify your own. Use the “-wordlist” switch, then point it to the location of your custom list. I’ve noticed that you can sometimes get a few more results by using different lists, so be sure you try a couple when running the test.
Here, I’m just using the list that comes with “dnsrecon”.
The results are the same as the first scan, but it doesn’t hurt to try multiple lists on your target. Even better if you can customize a list for that specific domain.
Use the “Connect” Switch
Next, let’s look at the “-connect” option. This option will cause “fierce” to connect to the discovered domains, and try to pull back HTTP headers for any web servers that are running. This technique could get you a little more info, such as the type and version of web server running, which you could then target with an exploit. The output of this scan looks like this:
Like it says in the help file, this option can take a long time to run, especially if there are a lot of domains to go through, so only use this if you have the time to wait on the results. The results show the version of web server the target is using. You can use this information to look for public exploits, and possibly leverage that to gain entry to the server.
Next we’ll save results to a file, using the “-file” switch. We’ll save the file to the desktop.
If we open that file, we’ll see the results saved in the same format you see in the terminal window.
Fierce and a Zone Transfer
Let’s see what happens when Fierce comes across a site that allows a zone transfer to take place. We’ll use the “zonetransfer.me” site for this example.
If a zone transfer is successful, fierce stops running at that point. You could then take the information you got from the zone transfer, and continue probing, and planning other attacks such as phishing attacks, client-side attacks, etc.
Fierce is another good tool to use for DNS enumeration. It works like the other tools we’ve looked at, with a couple of extra features that can benefit the tester.
Thanks for looking!