05 March 2012

BackTrack tool review: fierce

Note: This is part of a series on BackTrack 5 tool reviews. It is not meant to be an exhaustive analysis of any tool, just a demonstration of the tool using real-world targets.

Links: [ help page | un.org scan results ]

root@bt:/pentest/enumeration/dns/fierce# perl fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
Usage: perl fierce.pl [-dns example.com] [OPTIONS]
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains.  It's really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.  This does not perform exploitation and does not scan the whole internet indiscriminately.  It is meant specifically to locate likely targets both inside and outside a corporate network.  Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

-connect Attempt to make http connections to any non RFC1918
(public) addresses.  This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag.  I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).  
Inside the file specified the text "Host:\n" will be replaced
by the host specified. Usage:

perl fierce.pl -dns example.com -connect headers.txt

-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile   Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups 
(probably should be the DNS server of the target).  Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts.  Instead dump everything.  This is really noisy but
is useful for finding other domains that spammers might be
using.  It will also give you lots of false positives, 
especially on large domains.
-range Scan an internal IP range (must be combined with 
-dnsserver).  Note, that this does not support a pattern
and will simply output anything it finds.  Usage:

perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

-search Search list.  When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company.  If you supply a 
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website.  Usage:

perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 

Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list.  The more the
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds).  You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads  Specify how many threads to use while scanning (default
 is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs.  Default is 5 above and 
below.  Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C.  This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line).  Usage:
perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Compare the results below with the results we previously received here and here!

root@bt:/pentest/enumeration/dns/fierce# perl fierce.pl -dns un.org
DNS Servers for un.org:

Trying zone transfer first...
Testing ns3.un.org
Request timed out or transfer not allowed.
Testing ns2.un.org
Request timed out or transfer not allowed.
Testing ns1.un.org
Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
blogs.un.org unsmin.un.org dfs-vbpproxy-03.un.org secap1315.un.org secnet128.un.org secnet153.un.org secnet154.un.org secnet156.un.org secnet157.un.org secnet158.un.org secap1439.un.org secent161.un.org secnetdss-tmp.un.org secnet162.un.org secnet163.un.org secnet164.un.org dfs-vbpproxy-01.un.org dfs-vppproxy-02.un.org secnet173.un.org mobileofficebeta.un.org careers.un.org secap1515.un.org sms4.un.org itsraudio.un.org www1.un.org jsserver.un.org secap262.un.org cgi.un.org www2.un.org secint24.un.org www4.un.org secint05.un.org secdhl01.un.org untreaty.un.org secln079.un.org secint01.un.org srch2.un.org secrs02-195.un.org secfil01.un.org secap514.un.org dcfs17.un.org www0.un.org secap591.un.org secap061.un.org secap254.un.org secint02.un.org secint03.un.org secap068.un.org secext1a.un.org secext1b.un.org secint00.un.org secap093.un.org secint26.un.org secap097.un.org websrch1.un.org secap263.un.org secint10.un.org secint11.un.org secint12.un.org dcfs19.un.org secap622.un.org secap623.un.org secap770.un.org secap248.un.org secap222.un.org secap282.un.org secap624.un.org secap426.un.org secap427.un.org secap428.un.org secap429.un.org secap625.un.org secap640.un.org secap771.un.org secap772.un.org secap838.un.org secap887.un.org secap888.un.org secap961.un.org secap922.un.org secint56.un.org secap150-c3.un.org secap014-c1.un.org secap026.un.org secap027.un.org secap408.un.org secap409.un.org secap410.un.org www.epas.un.org training.epas.un.org netscaler-unpa.un.org secap510.un.org secap509.un.org ictsurvey.un.org secap056-c5.un.org secint33.un.org secint34.un.org secint35.un.org secint36.un.org secint38.un.org secint50.un.org escwadr.un.org ns2e.un.org secnet020.un.org secap415.un.org secap414.un.org secln082.un.org dpko-webmail.un.org unhq-mail-05.un.org unhq-ccmta-01.un.org unhq-mail-01.un.org unhq-mail-02.un.org unhq-mail-03.un.org unhq-mail-04.un.org unhq-qp-02.un.org unhq-zfover-01.un.org secbes04.un.org secl-09.un.org 
ccipr01.un.org ccipr02.un.org ccipr03.un.org ccipr04.un.org un-mailhub-01.un.org unhq-smtpmta-02.un.org secap533.un.org un-mailhub-02.un.org unhq-appspub-01.un.org secl16.un.org hqsmtphub.un.org secl17.un.org secl18.un.org secl-16a.un.org secln051.un.org secl-19.un.org secl-17.un.org secl-21.un.org secl-22.un.org dpko-st-01.un.org secap117.un.org secl-23.un.org secbesc4.un.org ods-ddsback-ny.un.org secl-24.un.org dcln038.un.org unhq-hub-01.un.org secln055.un.org dcln042.un.org secl040.un.org unhq-sametime-01.un.org secbesc5.un.org secln058.un.org secint28.un.org secap478.un.org mx3.un.org dcap056.un.org secl-25.un.org mx7.un.org secap243.un.org secap244.un.org secap615.un.org secbes01.un.org secbes02.un.org secbes03.un.org mx5.un.org secap288.un.org secap289.un.org secap557.un.org secln062.un.org secap616.un.org secint29.un.org secap617.un.org secln-08.un.org secln070.un.org secln073.un.org secap592.un.org secap755.un.org secap825.un.org secap935.un.org secap936.un.org secap519.un.org secap459.un.org secap474.un.org mx1.un.org secap475.un.org secln075.un.org secln084.un.org secap691.un.org secap692.un.org secap693.un.org secap965.un.org secap372.un.org secap715.un.org itsd-vmotion-01.un.org itsd-vmotion-02.un.org itsd-vmotion-03.un.org itsd-vmotion-04.un.org itsd-vmotion-05.un.org itsd-vmotion-07.un.org itsd-vmotion-06.un.org secap966.un.org secap783.un.org secap785.un.org secap918.un.org secap919.un.org conf.un.org secnet086.un.org secnet087.un.org secnet088.un.org secnet089.un.org mobileoffice.un.org secnet105.un.org secnet106.un.org data.un.org domino.un.org secap1193.un.org events.un.org extranet.un.org sftp.un.org ftp.un.org sftp.un.org ftp.un.org gopher.un.org iassftp2.un.org www3.un.org helpdesk.un.org ishmael.un.org gatekeeper3.un.org intranet.un.org esdstest.un.org jobs.un.org unasav1.un.org unasav2.un.org qa.dss.un.org lists.un.org unasav3.un.org unasav4.un.org ldap04.un.org lists.un.org lists.un.org lists.un.org listserv.un.org eassets.un.org 
secap220.un.org secap235.un.org my.un.org ny-mail-p-cl-001.un.org ny-mail-p-av-001.un.org ny-mail-p-av-002.un.org ny-mail-p-cl-002.un.org ns1.un.org ns2.un.org ns3.un.org ntp.un.org radio.un.org radio.un.org radius.un.org search.un.org search.un.org sec.un.org sec.un.org shop.un.org tv.un.org tv.un.org webcast.un.org ny-mail-r-cl-002.un.org ny-mail-r-cl-001.un.org ldap02.un.org webmaildr.un.org webmail.un.org webmail.un.org www.un.org www.un.org

Subnets found (may want to probe here using nmap or unicornscan):
 : 3 hostnames found.
 : 19 hostnames found.
 : 5 hostnames found.
 : 119 hostnames found.
 : 6 hostnames found.
 : 100 hostnames found.
 : 18 hostnames found.
 : 1 hostnames found.
 : 1 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 272 entries.

Have a nice day.
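To make the post-processing steps that fierce's help text and output describe a bit more concrete, here is a small Python model I have added to this review. It is my own illustration, not fierce's Perl and not anything taken from the un.org run above: it groups resolved entries by class C the way the "Subnets found" summary does, builds the -traverse neighbour window that stays inside the C block, and parses the -range syntax (the help text's own placeholder, 111.222.333.0-255, has an octet above 255 and so is rejected by a validating parser). The input is a constructed set of example.com names on RFC 5737 documentation addresses, laid out in fierce's IP-then-hostname style. One check worth carrying over from the real output: the per-subnet counts above sum to 272, the same figure as the final "Found 272 entries" line, and the model keeps that invariant.

```python
"""Offline model of three things fierce's help and output describe:
the per-class-C "Subnets found" summary, the -traverse neighbour window
(which does not cross into another C block), and the -range syntax.

Added illustration for the review; this is NOT fierce's own code.
All hostnames and addresses below are constructed sample data using
RFC 5737 documentation ranges, not results from any real scan.
"""
from collections import defaultdict
import ipaddress

# Constructed sample in fierce's "IP<TAB>hostname" layout. The repeated
# www line mirrors the duplicate lines fierce prints when a name has
# more than one record; it is counted as an entry, not de-duplicated.
SAMPLE_RESULTS = """\
192.0.2.10\twww.example.com
192.0.2.10\twww.example.com
192.0.2.25\tmail.example.com
192.0.2.26\twebmail.example.com
198.51.100.7\tintranet.example.com
198.51.100.254\tvmotion-01.example.com
203.0.113.1\tns1.example.com
not-an-ip\tgarbage.example.com
"""


def parse_results(text):
    """Return (IPv4Address, hostname) pairs, skipping malformed lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = ipaddress.IPv4Address(parts[0])
        except ValueError:
            continue  # e.g. the deliberately bad 'not-an-ip' line
        pairs.append((ip, parts[1]))
    return pairs


def subnets_found(pairs):
    """Count entries per /24, keyed like fierce's 'A.B.C.0-255' lines."""
    counts = defaultdict(int)
    for ip, _host in pairs:
        net = ipaddress.IPv4Network((ip, 24), strict=False)
        counts[f"{net.network_address}-255"] += 1
    return dict(counts)


def summary_is_consistent(per_subnet_counts, total_entries):
    """The 'Found N entries' total must equal the sum of the subnet counts."""
    return sum(per_subnet_counts) == total_entries


def traverse_window(ip, span=5):
    """Addresses `span` above and below `ip` (default 5, as in fierce),
    excluding `ip` itself and clipped so the window never leaves its /24."""
    ip = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network((ip, 24), strict=False)
    lo = max(int(ip) - span, int(net.network_address))
    hi = min(int(ip) + span, int(net.broadcast_address))
    return [ipaddress.IPv4Address(n) for n in range(lo, hi + 1) if n != int(ip)]


def parse_range(spec):
    """Parse fierce's -range form 'A.B.C.lo-hi' into IPv4 addresses.

    Raises ValueError for a malformed spec or an octet outside 0-255,
    which is why the help text's placeholder 111.222.333.0-255 fails.
    """
    prefix, _, last = spec.rpartition(".")
    lo_s, _, hi_s = last.partition("-")
    lo, hi = int(lo_s), int(hi_s)  # ValueError if either side is not an int
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"last-octet range out of bounds in {spec!r}")
    base = ipaddress.IPv4Address(f"{prefix}.0")  # ValueError on a bad prefix
    return [base + n for n in range(lo, hi + 1)]


if __name__ == "__main__":
    pairs = parse_results(SAMPLE_RESULTS)
    counts = subnets_found(pairs)
    print("Subnets found:")
    for subnet, n in sorted(counts.items()):
        print(f"\t{subnet} : {n} hostnames found.")
    print(f"Found {len(pairs)} entries.")
    print("consistent:", summary_is_consistent(counts.values(), len(pairs)))
    print("traverse around 198.51.100.254:",
          [str(a) for a in traverse_window("198.51.100.254")])
    print("range size:", len(parse_range("192.0.2.0-255")))
```

Run it directly to see the summary for the constructed sample; the window for 198.51.100.254 stops at .255 rather than spilling into the next block, which is the behaviour the -traverse help text promises.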
