Rappel :

Attention dans cet article l'outils est utilisé pour la recherche et l'apprentissage. Ce type d'outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).

Environnement de test :

Pour cela nous allons utiliser une VM tournant sur la distribution Kali. Fierce est installé de base sur Kali.

Utilisation :

La commande et ses options

 1 root@kali:~# fierce -h
 2 fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
 3 
 4  Usage: perl fierce.pl [-dns example.com] [OPTIONS]
 5 
 6 Overview:
 7  Fierce is a semi-lightweight scanner that helps locate non-contiguous
 8  IP space and hostnames against specified domains.  It's really meant
 9     as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all 
10     of those require that you already know what IP space you are looking 
11     for.  This does not perform exploitation and does not scan the whole 
12     internet indiscriminately.  It is meant specifically to locate likely 
13     targets both inside and outside a corporate network.  Because it uses 
14     DNS primarily you will often find mis-configured networks that leak 
15     internal address space. That's especially useful in targeted malware.
16 
17 Options:
18  -connect  Attempt to make http connections to any non RFC1918
19      (public) addresses.  This will output the return headers but
20      be warned, this could take a long time against a company with
21      many targets, depending on network/machine lag.  I wouldn't
22         recommend doing this unless it's a small company or you have a
23      lot of free time on your hands (could take hours-days).  
24      Inside the file specified the text "Host:\n" will be replaced
25      by the host specified. Usage:
26 
27  perl fierce.pl -dns example.com -connect headers.txt
28 
29  -delay        The number of seconds to wait between lookups.
30  -dns      The domain you would like scanned.
31  -dnsfile      Use DNS servers provided by a file (one per line) for
32                 reverse lookups (brute force).
33  -dnsserver    Use a particular DNS server for reverse lookups 
34      (probably should be the DNS server of the target).  Fierce
35      uses your DNS server for the initial SOA query and then uses
36      the target's DNS server for all additional queries by default.
37     -file       A file you would like to output to be logged to.
38     -fulloutput When combined with -connect this will output everything
39         the webserver sends back, not just the HTTP headers.
40     -help       This screen.
41     -nopattern  Don't use a search pattern when looking for nearby
42      hosts.  Instead dump everything.  This is really noisy but
43      is useful for finding other domains that spammers might be
44      using.  It will also give you lots of false positives, 
45      especially on large domains.
46  -range        Scan an internal IP range (must be combined with 
47      -dnsserver).  Note, that this does not support a pattern
48      and will simply output anything it finds.  Usage:
49 
50  perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
51 
52  -search       Search list.  When fierce attempts to traverse up and
53      down ipspace it may encounter other servers within other
54      domains that may belong to the same company.  If you supply a 
55      comma delimited list to fierce it will report anything found.
56      This is especially useful if the corporate servers are named
57      different from the public facing website.  Usage:
58 
59  perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 
60 
61      Note that using search could also greatly expand the number of
62      hosts found, as it will continue to traverse once it locates
63      servers that you specified in your search list.  The more the
64      better.
65  -suppress Suppress all TTY output (when combined with -file).
66  -tcptimeout   Specify a different timeout (default 10 seconds).  You
67      may want to increase this if the DNS server you are querying
68      is slow or has a lot of network lag.
69  -threads  Specify how many threads to use while scanning (default
70    is single threaded).
71  -traverse Specify a number of IPs above and below whatever IP you
72      have found to look for nearby IPs.  Default is 5 above and 
73      below.  Traverse will not move into other C blocks.
74  -version  Output the version number.
75  -wide     Scan the entire class C after finding any matching
76      hostnames in that class C.  This generates a lot more traffic
77      but can uncover a lot more information.
78  -wordlist Use a seperate wordlist (one word per line).  Usage:
79 
80  perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

La commande par l'exemple

Basiquement

 1 root@kali:~# fierce -dns alasta.com
 2 DNS Servers for alasta.com:
 3  c.dns.gandi.net
 4  a.dns.gandi.net
 5  b.dns.gandi.net
 6 
 7 Trying zone transfer first...
 8  Testing c.dns.gandi.net
 9      Request timed out or transfer not allowed.
10  Testing a.dns.gandi.net
11      Request timed out or transfer not allowed.
12  Testing b.dns.gandi.net
13      Request timed out or transfer not allowed.
14 
15 Unsuccessful in zone transfer (it was worth a shot)
16 Okay, trying the good old fashioned way... brute force
17 
18 Checking for wildcard DNS...
19 Nope. Good.
20 Now performing 2280 test(s)...
21 91.121.81.174   default.alasta.com
22 91.121.81.174   depot.alasta.com
23 91.121.81.174   dev.alasta.com
24 91.121.81.174   download.alasta.com
25 91.121.81.174   ip.alasta.com
26 91.121.81.174   www.alasta.com
27 
28 Subnets found (may want to probe here using nmap or unicornscan):
29  91.121.81.0-255 : 6 hostnames found.
30 
31 Done with Fierce scan: http://ha.ckers.org/fierce/
32 Found 6 entries.
33 
34 Have a nice day.

Ajout des threads, permet de gagner en temps d'execution :

 1 root@kali:~# fierce  -dns alasta.com -threads 5
 2 DNS Servers for alasta.com:
 3  c.dns.gandi.net
 4  b.dns.gandi.net
 5  a.dns.gandi.net
 6 
 7 Trying zone transfer first...
 8  Testing c.dns.gandi.net
 9      Request timed out or transfer not allowed.
10  Testing b.dns.gandi.net
11      Request timed out or transfer not allowed.
12  Testing a.dns.gandi.net
13      Request timed out or transfer not allowed.
14 
15 Unsuccessful in zone transfer (it was worth a shot)
16 Okay, trying the good old fashioned way... brute force
17 
18 Checking for wildcard DNS...
19 Nope. Good.
20 Now performing 2280 test(s)...
21 91.121.81.174   dev.alasta.com
22 91.121.81.174   depot.alasta.com
23 91.121.81.174   default.alasta.com
24 91.121.81.174   download.alasta.com
25 91.121.81.174   ip.alasta.com
26 91.121.81.174   www.alasta.com
27 
28 Subnets found (may want to probe here using nmap or unicornscan):
29  91.121.81.0-255 : 6 hostnames found.
30 
31 Done with Fierce scan: http://ha.ckers.org/fierce/
32 Found 6 entries.
33 
34 Have a nice day.

Ajout du DNS Server (option -dnsserver) qui permet de forcer le DNS à intéroger, par défaut c'est l'un des NS du domaine.
Et ajout du log de la sortie de commande (option -file).

 1 root@kali:~#fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -file /tmp/fierce.log
 2 Now logging to /tmp/fierce.log
 3 DNS Servers for alasta.com:
 4  a.dns.gandi.net
 5  c.dns.gandi.net
 6  b.dns.gandi.net
 7 
 8 Trying zone transfer first...
 9 
10 Unsuccessful in zone transfer (it was worth a shot)
11 Okay, trying the good old fashioned way... brute force
12 
13 Checking for wildcard DNS...
14 Nope. Good.
15 Now performing 2280 test(s)...
16 91.121.81.174   dev.alasta.com
17 91.121.81.174   depot.alasta.com
18 91.121.81.174   default.alasta.com
19 91.121.81.174   download.alasta.com
20 91.121.81.174   ip.alasta.com
21 91.121.81.174   www.alasta.com
22 
23 Subnets found (may want to probe here using nmap or unicornscan):
24  91.121.81.0-255 : 6 hostnames found.
25 
26 Done with Fierce scan: http://ha.ckers.org/fierce/
27 Found 6 entries.
28 
29 Have a nice day.

Quand on étudie la sortie de commande avec et sans -dnsserver, on s'apperçoit qu'avec on ne teste pas transfert de zone sur tous les NS du domaine.

Lorsqu'on fait une trace réseau, on voit qu'il recherche à partir d'une liste de noms, elle est disponible est modifiable dans /usr/share/fierce/hosts.txt.
Sinon il y a la possibilité de faire sa propre liste à vérifier :

 1 echo "kiel" > enreg.txt
 2 echo "www" >> enreg.txt
 3 
 4 root@kali:~# fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -wordlist enreg.txt 
 5 DNS Servers for alasta.com:
 6  a.dns.gandi.net
 7  c.dns.gandi.net
 8  b.dns.gandi.net
 9 
10 Trying zone transfer first...
11 
12 Unsuccessful in zone transfer (it was worth a shot)
13 Okay, trying the good old fashioned way... brute force
14 
15 Checking for wildcard DNS...
16 Nope. Good.
17 Now performing 2 test(s)...
18 91.121.81.174   www.alasta.com
19 91.121.81.174   kiel.alasta.com
20 
21 Subnets found (may want to probe here using nmap or unicornscan):
22  91.121.81.0-255 : 2 hostnames found.
23 
24 Done with Fierce scan: http://ha.ckers.org/fierce/
25 Found 2 entries.
26 
27 Have a nice day.