05 March 2012

BackTrack tool review: fierce

Note: This is part of a series on BackTrack 5 tool reviews. It is not meant to be an exhaustive analysis of any tool, just a demonstration of the tool using real-world targets.


Links: [ help page | un.org scan results ]


root@bt:/pentest/enumeration/dns/fierce# perl fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
Usage: perl fierce.pl [-dns example.com] [OPTIONS]
Overview:
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.  It's really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.  This does not perform exploitation and does not scan the whole internet indiscriminately.  It is meant specifically to locate likely targets both inside and outside a corporate network.  Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.


Options:
-connect Attempt to make http connections to any non RFC1918
(public) addresses.  This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag.  I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).  
Inside the file specified the text "Host:\n" will be replaced
by the host specified. Usage:


perl fierce.pl -dns example.com -connect headers.txt


-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile   Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups 
(probably should be the DNS server of the target).  Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts.  Instead dump everything.  This is really noisy but
is useful for finding other domains that spammers might be
using.  It will also give you lots of false positives, 
especially on large domains.
-range Scan an internal IP range (must be combined with 
-dnsserver).  Note, that this does not support a pattern
and will simply output anything it finds.  Usage:


perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co


-search Search list.  When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company.  If you supply a 
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website.  Usage:


perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 


Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list.  The more the
better.
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds).  You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads  Specify how many threads to use while scanning (default
 is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs.  Default is 5 above and 
below.  Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C.  This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line).  Usage:
perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt


Compare the results below with the results we previously received here and here!

root@bt:/pentest/enumeration/dns/fierce# perl fierce.pl -dns un.org
DNS Servers for un.org:
ns3.un.org
ns2.un.org
ns1.un.org


Trying zone transfer first...
Testing ns3.un.org
Request timed out or transfer not allowed.
Testing ns2.un.org
Request timed out or transfer not allowed.
Testing ns1.un.org
Request timed out or transfer not allowed.


Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force


Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
98.129.229.168 blogs.un.org
157.150.195.207 unsmin.un.org
157.150.195.203 dfs-vbpproxy-03.un.org
157.150.195.204 secap1315.un.org
157.150.195.206 secnet128.un.org
157.150.195.208 secnet153.un.org
157.150.195.209 secnet154.un.org
157.150.195.210 secnet156.un.org
157.150.195.211 secnet157.un.org
157.150.195.212 secnet158.un.org
157.150.195.213 secap1439.un.org
157.150.195.214 secent161.un.org
157.150.195.215 secnetdss-tmp.un.org
157.150.195.216 secnet162.un.org
157.150.195.217 secnet163.un.org
157.150.195.218 secnet164.un.org
157.150.195.219 dfs-vbpproxy-01.un.org
157.150.195.220 dfs-vppproxy-02.un.org
157.150.195.221 secnet173.un.org
157.150.195.222 mobileofficebeta.un.org
157.150.195.212 careers.un.org
157.150.195.3 secap1515.un.org
157.150.195.1 sms4.un.org
157.150.195.2 itsraudio.un.org
157.150.195.5 www1.un.org
157.150.195.6 jsserver.un.org
157.150.195.7 secap262.un.org
157.150.195.8 cgi.un.org
157.150.195.9 www2.un.org
157.150.195.10 secint24.un.org
157.150.195.12 www4.un.org
157.150.195.14 secint05.un.org
157.150.195.16 secdhl01.un.org
157.150.195.18 untreaty.un.org
157.150.195.19 secln079.un.org
157.150.195.22 secint01.un.org
157.150.195.23 srch2.un.org
157.150.195.24 secrs02-195.un.org
157.150.195.25 secfil01.un.org
157.150.195.26 secap514.un.org
157.150.195.27 dcfs17.un.org
157.150.195.28 www0.un.org
157.150.195.29 secap591.un.org
157.150.195.30 secap061.un.org
157.150.195.31 secap254.un.org
157.150.195.33 secint02.un.org
157.150.195.34 secint03.un.org
157.150.195.36 secap068.un.org
157.150.195.37 secext1a.un.org
157.150.195.38 secext1b.un.org
157.150.195.39 secint00.un.org
157.150.195.40 secap093.un.org
157.150.195.41 secint26.un.org
157.150.195.42 secap097.un.org
157.150.195.43 websrch1.un.org
157.150.195.45 secap263.un.org
157.150.195.46 secint10.un.org
157.150.195.47 secint11.un.org
157.150.195.48 secint12.un.org
157.150.195.51 dcfs19.un.org
157.150.195.52 secap622.un.org
157.150.195.53 secap623.un.org
157.150.195.54 secap770.un.org
157.150.195.56 secap248.un.org
157.150.195.57 secap222.un.org
157.150.195.58 secap282.un.org
157.150.195.59 secap624.un.org
157.150.195.60 secap426.un.org
157.150.195.61 secap427.un.org
157.150.195.62 secap428.un.org
157.150.195.63 secap429.un.org
157.150.195.65 secap625.un.org
157.150.195.66 secap640.un.org
157.150.195.67 secap771.un.org
157.150.195.68 secap772.un.org
157.150.195.69 secap838.un.org
157.150.195.70 secap887.un.org
157.150.195.71 secap888.un.org
157.150.195.72 secap961.un.org
157.150.195.75 secap922.un.org
157.150.195.76 secint56.un.org
157.150.195.79 secap150-c3.un.org
157.150.195.81 secap014-c1.un.org
157.150.195.82 secap026.un.org
157.150.195.83 secap027.un.org
157.150.195.86 secap408.un.org
157.150.195.87 secap409.un.org
157.150.195.88 secap410.un.org
157.150.195.90 www.epas.un.org
157.150.195.91 training.epas.un.org
157.150.195.92 netscaler-unpa.un.org
157.150.195.93 secap510.un.org
157.150.195.94 secap509.un.org
157.150.195.96 ictsurvey.un.org
157.150.195.97 secap056-c5.un.org
157.150.195.101 secint33.un.org
157.150.195.102 secint34.un.org
157.150.195.103 secint35.un.org
157.150.195.104 secint36.un.org
157.150.195.105 secint38.un.org
157.150.195.106 secint50.un.org
157.150.195.110 escwadr.un.org
157.150.195.111 ns2e.un.org
157.150.195.116 secnet020.un.org
157.150.195.91 secap415.un.org
157.150.195.90 secap414.un.org
157.150.197.16 secln082.un.org
157.150.197.11 dpko-webmail.un.org
157.150.197.6 unhq-mail-05.un.org
157.150.197.1 unhq-ccmta-01.un.org
157.150.197.2 unhq-mail-01.un.org
157.150.197.3 unhq-mail-02.un.org
157.150.197.4 unhq-mail-03.un.org
157.150.197.5 unhq-mail-04.un.org
157.150.197.7 unhq-qp-02.un.org
157.150.197.8 unhq-zfover-01.un.org
157.150.197.9 secbes04.un.org
157.150.197.10 secl-09.un.org
157.150.197.12 ccipr01.un.org
157.150.197.13 ccipr02.un.org
157.150.197.14 ccipr03.un.org
157.150.197.15 ccipr04.un.org
157.150.197.17 un-mailhub-01.un.org
157.150.197.18 unhq-smtpmta-02.un.org
157.150.197.19 secap533.un.org
157.150.197.20 un-mailhub-02.un.org
157.150.197.21 unhq-appspub-01.un.org
157.150.197.22 secl16.un.org
157.150.197.23 hqsmtphub.un.org
157.150.197.28 secl17.un.org
157.150.197.29 secl18.un.org
157.150.197.30 secl-16a.un.org
157.150.197.31 secln051.un.org
157.150.197.33 secl-19.un.org
157.150.197.35 secl-17.un.org
157.150.197.36 secl-21.un.org
157.150.197.37 secl-22.un.org
157.150.197.38 dpko-st-01.un.org
157.150.197.39 secap117.un.org
157.150.197.41 secl-23.un.org
157.150.197.43 secbesc4.un.org
157.150.197.44 ods-ddsback-ny.un.org
157.150.197.45 secl-24.un.org
157.150.197.47 dcln038.un.org
157.150.197.49 unhq-hub-01.un.org
157.150.197.50 secln055.un.org
157.150.197.51 dcln042.un.org
157.150.197.52 secl040.un.org
157.150.197.53 unhq-sametime-01.un.org
157.150.197.55 secbesc5.un.org
157.150.197.56 secln058.un.org
157.150.197.58 secint28.un.org
157.150.197.59 secap478.un.org
157.150.197.60 mx3.un.org
157.150.197.61 dcap056.un.org
157.150.197.62 secl-25.un.org
157.150.197.63 mx7.un.org
157.150.197.64 secap243.un.org
157.150.197.65 secap244.un.org
157.150.197.68 secap615.un.org
157.150.197.69 secbes01.un.org
157.150.197.70 secbes02.un.org
157.150.197.71 secbes03.un.org
157.150.197.72 mx5.un.org
157.150.197.73 secap288.un.org
157.150.197.74 secap289.un.org
157.150.197.75 secap557.un.org
157.150.197.78 secln062.un.org
157.150.197.79 secap616.un.org
157.150.197.80 secint29.un.org
157.150.197.81 secap617.un.org
157.150.197.82 secln-08.un.org
157.150.197.83 secln070.un.org
157.150.197.84 secln073.un.org
157.150.197.86 secap592.un.org
157.150.197.87 secap755.un.org
157.150.197.88 secap825.un.org
157.150.197.91 secap935.un.org
157.150.197.96 secap936.un.org
157.150.197.97 secap519.un.org
157.150.197.98 secap459.un.org
157.150.197.99 secap474.un.org
157.150.197.100 mx1.un.org
157.150.197.102 secap475.un.org
157.150.197.103 secln075.un.org
157.150.197.104 secln084.un.org
157.150.197.106 secap691.un.org
157.150.197.107 secap692.un.org
157.150.197.108 secap693.un.org
157.150.197.109 secap965.un.org
157.150.197.110 secap372.un.org
157.150.197.111 secap715.un.org
157.150.197.112 itsd-vmotion-01.un.org
157.150.197.113 itsd-vmotion-02.un.org
157.150.197.114 itsd-vmotion-03.un.org
157.150.197.115 itsd-vmotion-04.un.org
157.150.197.116 itsd-vmotion-05.un.org
157.150.197.117 itsd-vmotion-07.un.org
157.150.197.118 itsd-vmotion-06.un.org
157.150.197.120 secap966.un.org
157.150.197.121 secap783.un.org
157.150.197.122 secap785.un.org
157.150.197.125 secap918.un.org
157.150.197.126 secap919.un.org
157.150.197.21 conf.un.org
157.150.195.185 secnet086.un.org
157.150.195.186 secnet087.un.org
157.150.195.187 secnet088.un.org
157.150.195.188 secnet089.un.org
157.150.195.190 mobileoffice.un.org
157.150.195.193 secnet105.un.org
157.150.195.194 secnet106.un.org
157.150.195.186 data.un.org
157.150.197.159 domino.un.org
157.150.164.18 secap1193.un.org
157.150.164.15 events.un.org
157.150.164.23 extranet.un.org
157.150.34.31 sftp.un.org
157.150.34.31 ftp.un.org
157.150.185.73 sftp.un.org
157.150.185.73 ftp.un.org
157.150.195.39 gopher.un.org
157.150.192.1 iassftp2.un.org
157.150.192.3 www3.un.org
157.150.192.6 helpdesk.un.org
157.150.192.7 ishmael.un.org
157.150.192.12 gatekeeper3.un.org
157.150.196.1 intranet.un.org
157.150.196.3 esdstest.un.org
157.150.195.69 jobs.un.org
157.150.185.201 unasav1.un.org
157.150.185.202 unasav2.un.org
157.150.185.203 qa.dss.un.org
157.150.185.202 lists.un.org
157.150.34.65 unasav3.un.org
157.150.34.66 unasav4.un.org
157.150.34.68 ldap04.un.org
157.150.34.65 lists.un.org
157.150.34.66 lists.un.org
157.150.185.201 lists.un.org
157.150.195.39 listserv.un.org
157.150.196.62 eassets.un.org
157.150.196.63 secap220.un.org
157.150.196.65 secap235.un.org
157.150.196.65 my.un.org
157.150.185.26 ny-mail-p-cl-001.un.org
157.150.185.21 ny-mail-p-av-001.un.org
157.150.185.22 ny-mail-p-av-002.un.org
157.150.185.27 ny-mail-p-cl-002.un.org
157.150.185.28 ns1.un.org
157.150.34.57 ns2.un.org
85.159.200.204 ns3.un.org
157.150.195.33 ntp.un.org
157.150.185.49 radio.un.org
157.150.34.32 radio.un.org
157.150.195.39 radius.un.org
157.150.34.32 search.un.org
157.150.185.49 search.un.org
157.150.185.49 sec.un.org
157.150.34.32 sec.un.org
157.150.195.92 shop.un.org
157.150.34.32 tv.un.org
157.150.185.49 tv.un.org
157.150.185.71 webcast.un.org
157.150.34.38 ny-mail-r-cl-002.un.org
157.150.34.37 ny-mail-r-cl-001.un.org
157.150.34.40 ldap02.un.org
157.150.34.43 webmaildr.un.org
157.150.34.43 webmail.un.org
157.150.185.55 webmail.un.org
157.150.185.49 www.un.org
157.150.34.32 www.un.org


Subnets found (may want to probe here using nmap or unicornscan):
157.150.164.0-255 : 3 hostnames found.
157.150.185.0-255 : 19 hostnames found.
157.150.192.0-255 : 5 hostnames found.
157.150.195.0-255 : 119 hostnames found.
157.150.196.0-255 : 6 hostnames found.
157.150.197.0-255 : 100 hostnames found.
157.150.34.0-255 : 18 hostnames found.
85.159.200.0-255 : 1 hostnames found.
98.129.229.0-255 : 1 hostnames found.


Done with Fierce scan: http://ha.ckers.org/fierce/
Found 272 entries.


Have a nice day.
Post a Comment