Rappel :

Attention dans cet article l’outils est utilisé pour la recherche et l’apprentissage. Ce type d’outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).

Environnement de test :

Pour cela nous allons utiliser une VM tournant sur la distribution Kali. Fierce est installé de base sur Kali.

Utilisation :

La commande et ses options

root@kali:~# fierce -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

	Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
	Fierce is a semi-lightweight scanner that helps locate non-contiguous
	IP space and hostnames against specified domains.  It's really meant
	as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all 
	of those require that you already know what IP space you are looking 
	for.  This does not perform exploitation and does not scan the whole 
	internet indiscriminately.  It is meant specifically to locate likely 
	targets both inside and outside a corporate network.  Because it uses 
	DNS primarily you will often find mis-configured networks that leak 
	internal address space. That's especially useful in targeted malware.

Options:
	-connect	Attempt to make http connections to any non RFC1918
		(public) addresses.  This will output the return headers but
		be warned, this could take a long time against a company with
		many targets, depending on network/machine lag.  I wouldn't
		recommend doing this unless it's a small company or you have a
		lot of free time on your hands (could take hours-days).  
		Inside the file specified the text "Host:\n" will be replaced
		by the host specified. Usage:

	perl fierce.pl -dns example.com -connect headers.txt

	-delay		The number of seconds to wait between lookups.
	-dns		The domain you would like scanned.
	-dnsfile  	Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
	-dnsserver	Use a particular DNS server for reverse lookups 
		(probably should be the DNS server of the target).  Fierce
		uses your DNS server for the initial SOA query and then uses
		the target's DNS server for all additional queries by default.
	-file		A file you would like to output to be logged to.
	-fulloutput	When combined with -connect this will output everything
		the webserver sends back, not just the HTTP headers.
	-help		This screen.
	-nopattern	Don't use a search pattern when looking for nearby
		hosts.  Instead dump everything.  This is really noisy but
		is useful for finding other domains that spammers might be
		using.  It will also give you lots of false positives, 
		especially on large domains.
	-range		Scan an internal IP range (must be combined with 
		-dnsserver).  Note, that this does not support a pattern
		and will simply output anything it finds.  Usage:

	perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

	-search		Search list.  When fierce attempts to traverse up and
		down ipspace it may encounter other servers within other
		domains that may belong to the same company.  If you supply a 
		comma delimited list to fierce it will report anything found.
		This is especially useful if the corporate servers are named
		different from the public facing website.  Usage:

	perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 

		Note that using search could also greatly expand the number of
		hosts found, as it will continue to traverse once it locates
		servers that you specified in your search list.  The more the
		better.
	-suppress	Suppress all TTY output (when combined with -file).
	-tcptimeout	Specify a different timeout (default 10 seconds).  You
		may want to increase this if the DNS server you are querying
		is slow or has a lot of network lag.
	-threads  Specify how many threads to use while scanning (default
	  is single threaded).
	-traverse	Specify a number of IPs above and below whatever IP you
		have found to look for nearby IPs.  Default is 5 above and 
		below.  Traverse will not move into other C blocks.
	-version	Output the version number.
	-wide		Scan the entire class C after finding any matching
		hostnames in that class C.  This generates a lot more traffic
		but can uncover a lot more information.
	-wordlist	Use a seperate wordlist (one word per line).  Usage:

	perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

La commande par l’exemple

Basiquement

root@kali:~# fierce -dns alasta.com
DNS Servers for alasta.com:
	c.dns.gandi.net
	a.dns.gandi.net
	b.dns.gandi.net

Trying zone transfer first...
	Testing c.dns.gandi.net
		Request timed out or transfer not allowed.
	Testing a.dns.gandi.net
		Request timed out or transfer not allowed.
	Testing b.dns.gandi.net
		Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
91.121.81.174	default.alasta.com
91.121.81.174	depot.alasta.com
91.121.81.174	dev.alasta.com
91.121.81.174	download.alasta.com
91.121.81.174	ip.alasta.com
91.121.81.174	www.alasta.com

Subnets found (may want to probe here using nmap or unicornscan):
	91.121.81.0-255 : 6 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 6 entries.

Have a nice day.

Ajout des threads, permet de gagner en temps d’execution :

root@kali:~# fierce  -dns alasta.com -threads 5
DNS Servers for alasta.com:
	c.dns.gandi.net
	b.dns.gandi.net
	a.dns.gandi.net

Trying zone transfer first...
	Testing c.dns.gandi.net
		Request timed out or transfer not allowed.
	Testing b.dns.gandi.net
		Request timed out or transfer not allowed.
	Testing a.dns.gandi.net
		Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
91.121.81.174	dev.alasta.com
91.121.81.174	depot.alasta.com
91.121.81.174	default.alasta.com
91.121.81.174	download.alasta.com
91.121.81.174	ip.alasta.com
91.121.81.174	www.alasta.com

Subnets found (may want to probe here using nmap or unicornscan):
	91.121.81.0-255 : 6 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 6 entries.

Have a nice day.

Ajout du DNS Server (option -dnsserver) qui permet de forcer le DNS à intéroger, par défaut c’est l’un des NS du domaine.
Et ajout du log de la sortie de commande (option -file).

root@kali:~#fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -file /tmp/fierce.log
Now logging to /tmp/fierce.log
DNS Servers for alasta.com:
	a.dns.gandi.net
	c.dns.gandi.net
	b.dns.gandi.net

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2280 test(s)...
91.121.81.174	dev.alasta.com
91.121.81.174	depot.alasta.com
91.121.81.174	default.alasta.com
91.121.81.174	download.alasta.com
91.121.81.174	ip.alasta.com
91.121.81.174	www.alasta.com

Subnets found (may want to probe here using nmap or unicornscan):
	91.121.81.0-255 : 6 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 6 entries.

Have a nice day.

Quand on étudie la sortie de commande avec et sans -dnsserver, on s’apperçoit qu’avec on ne teste pas transfert de zone sur tous les NS du domaine.

Lorsqu’on fait une trace réseau, on voit qu’il recherche à partir d’une liste de noms, elle est disponible est modifiable dans /usr/share/fierce/hosts.txt.
Sinon il y a la possibilité de faire sa propre liste à vérifier :

echo "kiel" > enreg.txt
echo "www" >> enreg.txt

root@kali:~# fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -wordlist enreg.txt 
DNS Servers for alasta.com:
	a.dns.gandi.net
	c.dns.gandi.net
	b.dns.gandi.net

Trying zone transfer first...

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 2 test(s)...
91.121.81.174	www.alasta.com
91.121.81.174	kiel.alasta.com

Subnets found (may want to probe here using nmap or unicornscan):
	91.121.81.0-255 : 2 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 2 entries.

Have a nice day.