Kali Linux Tools Tutorials
Episode 8
Fierce
Fierce is a powerful Perl script written by a guy that I personally like in a non-homosexual way: RSnake Hansen.
Fierce is used for DNS enumeration, along with some other nice features along the way, which include zone transfers and subdomain bruteforcing.
[Image: The not so helpful page]
By starting the tool without any arguments you will be supplied with a not-so-helpful help page.
To get to a more useful one you need to provide the switch -h to get the help page with all the options.
[Image: The flood of text unleashed by the -h switch]
Aaaaand as always a quick review of the options and their functions: 
- -connect: Connects to a host on port 80 (HTTP) and executes the HTTP statements (requests) written in a file that you specify as the argument to -connect.
- -delay: Specifies the period of time between each query.
- -dns: Specifies the target you want to scan.
- -dnsfile: Uses the DNS servers listed in a file that you specify.
- -dnsserver: Specifies a single DNS server to use for querying.
- -file: Specifies a file to output results to.
- -fileoutput: Specifies a file to write the output of the -connect switch to, which will be everything the web server sends back.
- -range: Specifies a range of IPv4 addresses to scan. Must be used with the -dnsserver switch.
- -wide: Scans the whole Class C network for more info.
- -wordlist: Specifies a wordlist of your own for bruteforcing subdomains. Can be useful in case you have a few subdomains in mind that you want to scan for.
 
The rest of the options cannot be explained better than the help page. Now let's play around with it and see it in action.
For this tutorial I'm going to use Fierce with the obligatory -dns switch to specify my target and the -dnsserver switch to specify the DNS server to use, and I'll be using Google's public DNS server for that (8.8.8.8). Finally, I'm going to specify some subdomains to look for in a file (words.txt) with the -wordlist switch.
Results: 
As you can see from the picture, it first identified the nameservers for the target, ns1 and ns2. Then it attempted a zone transfer, which wasn't successful, so it tried to bruteforce its way into knowing some subdomains using a wordlist of my humble creation, which made it find 11 subdomains (one had a duplicate A record).
After that it showed the subnets it discovered during its journey and even gave a hint on the programs to use to enumerate them! That concluded Fierce's job.
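Seen from the nameserver's side, the run above leaves a recognizable trail: a zone transfer request followed by many queries for distinct subdomains, most of which do not exist. The following is an added example, not part of the original post or of Fierce itself, that flags that pattern in a query log. The log format, the `detect` function, its thresholds and the sample lines are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log in a simplified, made-up format (not a real server's):
# <epoch-seconds> <client-ip> <qname> <qtype> <rcode>
SAMPLE_LOG = """\
1000 203.0.113.7 example.test NS NOERROR
1001 203.0.113.7 example.test AXFR REFUSED
1002 203.0.113.7 www.example.test A NOERROR
1003 203.0.113.7 mail.example.test A NOERROR
1004 203.0.113.7 dev.example.test A NXDOMAIN
1005 203.0.113.7 vpn.example.test A NXDOMAIN
1006 203.0.113.7 test.example.test A NXDOMAIN
1007 203.0.113.7 ftp.example.test A NXDOMAIN
1008 198.51.100.20 www.example.test A NOERROR
1009 198.51.100.20 mail.example.test A NOERROR
"""

def parse(log):
    """Yield (client, qname, qtype, rcode) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _ts, client, qname, qtype, rcode = parts
        yield client, qname.lower().rstrip("."), qtype.upper(), rcode.upper()

def detect(log, zone, min_names=5, nx_ratio=0.5):
    """Return {client: [reasons]} for clients that appear to enumerate `zone`.

    Counts distinct names rather than queries per second, because a
    per-query delay (Fierce's -delay switch) defeats rate thresholds.
    """
    names, nx, findings = defaultdict(set), defaultdict(set), defaultdict(list)
    for client, qname, qtype, rcode in parse(log):
        if qname != zone and not qname.endswith("." + zone):
            continue  # query is for some other zone
        if qtype == "AXFR":
            if "zone transfer attempt" not in findings[client]:
                findings[client].append("zone transfer attempt")
        elif qname != zone:
            names[client].add(qname)
            if rcode == "NXDOMAIN":
                nx[client].add(qname)
    for client, seen in names.items():
        if len(seen) >= min_names and len(nx[client]) / len(seen) >= nx_ratio:
            findings[client].append(
                f"subdomain brute force: {len(seen)} names, {len(nx[client])} NXDOMAIN")
    return {c: r for c, r in findings.items() if r}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG, "example.test"))
```

The thresholds need tuning against normal traffic for the zone, since a resolver shared by many users can legitimately ask for a lot of different names.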
While not the best out there, Fierce is a nice "semi-lightweight" tool to enumerate domains for DNS info. Perhaps its functionality could be expanded if you're a webapp pentester and used the -connect option "wisely".
_____________________________________
Next Episode: Maltego


