Rappel :

Attention dans cet article l'outils est utilisé pour la recherche et l'apprentissage. Ce type d'outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).

Environnement de test :

Pour cela nous allons utiliser une VM tournant sur la distribution Kali. Fierce est installé de base sur Kali.

Utilisation :

La commande et ses options

 1 root@kali:~# fierce -h
 2 fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
 3 
 4  Usage: perl fierce.pl [-dns example.com] [OPTIONS]
 5 
 6 Overview:
 7  Fierce is a semi-lightweight scanner that helps locate non-contiguous
 8  IP space and hostnames against specified domains.  It's really meant
 9     as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all 
10     of those require that you already know what IP space you are looking 
11     for.  This does not perform exploitation and does not scan the whole 
12     internet indiscriminately.  It is meant specifically to locate likely 
13     targets both inside and outside a corporate network.  Because it uses 
14     DNS primarily you will often find mis-configured networks that leak 
15     internal address space. That's especially useful in targeted malware.
16 
17 Options:
18  -connect  Attempt to make http connections to any non RFC1918
19      (public) addresses.  This will output the return headers but
20      be warned, this could take a long time against a company with
21      many targets, depending on network/machine lag.  I wouldn't
22         recommend doing this unless it's a small company or you have a
23      lot of free time on your hands (could take hours-days).
24 Inside the file specified the text "Host:\n" will be replaced 25 by the host specified. Usage: 26 27 perl fierce.pl -dns example.com -connect headers.txt 28 29 -delay The number of seconds to wait between lookups. 30 -dns The domain you would like scanned. 31 -dnsfile Use DNS servers provided by a file (one per line) for 32 reverse lookups (brute force). 33 -dnsserver Use a particular DNS server for reverse lookups 34 (probably should be the DNS server of the target). Fierce 35 uses your DNS server for the initial SOA query and then uses 36 the target's DNS server for all additional queries by default. 37 -file A file you would like to output to be logged to. 38 -fulloutput When combined with -connect this will output everything 39 the webserver sends back, not just the HTTP headers. 40 -help This screen. 41 -nopattern Don't use a search pattern when looking for nearby 42 hosts. Instead dump everything. This is really noisy but 43 is useful for finding other domains that spammers might be 44 using. It will also give you lots of false positives, 45 especially on large domains. 46 -range Scan an internal IP range (must be combined with 47 -dnsserver). Note, that this does not support a pattern 48 and will simply output anything it finds. Usage: 49 50 perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co 51 52 -search Search list. When fierce attempts to traverse up and 53 down ipspace it may encounter other servers within other 54 domains that may belong to the same company. If you supply a 55 comma delimited list to fierce it will report anything found. 56 This is especially useful if the corporate servers are named 57 different from the public facing website. Usage: 58 59 perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 60 61 Note that using search could also greatly expand the number of 62 hosts found, as it will continue to traverse once it locates 63 servers that you specified in your search list. The more the 64 better. 65 -suppress Suppress all TTY output (when combined with -file). 66 -tcptimeout Specify a different timeout (default 10 seconds). You 67 may want to increase this if the DNS server you are querying 68 is slow or has a lot of network lag. 69 -threads Specify how many threads to use while scanning (default 70 is single threaded). 71 -traverse Specify a number of IPs above and below whatever IP you 72 have found to look for nearby IPs. Default is 5 above and 73 below. Traverse will not move into other C blocks. 74 -version Output the version number. 75 -wide Scan the entire class C after finding any matching 76 hostnames in that class C. This generates a lot more traffic 77 but can uncover a lot more information. 78 -wordlist Use a seperate wordlist (one word per line). Usage: 79 80 perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

La commande par l'exemple

Basiquement

 1 root@kali:~# fierce -dns alasta.com
 2 DNS Servers for alasta.com:
 3  c.dns.gandi.net
 4  a.dns.gandi.net
 5  b.dns.gandi.net
 6 
 7 Trying zone transfer first...
 8  Testing c.dns.gandi.net
 9      Request timed out or transfer not allowed.
10  Testing a.dns.gandi.net
11      Request timed out or transfer not allowed.
12  Testing b.dns.gandi.net
13      Request timed out or transfer not allowed.
14 
15 Unsuccessful in zone transfer (it was worth a shot)
16 Okay, trying the good old fashioned way... brute force
17 
18 Checking for wildcard DNS...
19 Nope. Good.
20 Now performing 2280 test(s)...
21 91.121.81.174   default.alasta.com
22 91.121.81.174   depot.alasta.com
23 91.121.81.174   dev.alasta.com
24 91.121.81.174   download.alasta.com
25 91.121.81.174   ip.alasta.com
26 91.121.81.174   www.alasta.com
27 
28 Subnets found (may want to probe here using nmap or unicornscan):
29  91.121.81.0-255 : 6 hostnames found.
30 
31 Done with Fierce scan: http://ha.ckers.org/fierce/
32 Found 6 entries.
33 
34 Have a nice day.

Ajout des threads, permet de gagner en temps d'execution :

 1 root@kali:~# fierce  -dns alasta.com -threads 5
 2 DNS Servers for alasta.com:
 3  c.dns.gandi.net
 4  b.dns.gandi.net
 5  a.dns.gandi.net
 6 
 7 Trying zone transfer first...
 8  Testing c.dns.gandi.net
 9      Request timed out or transfer not allowed.
10  Testing b.dns.gandi.net
11      Request timed out or transfer not allowed.
12  Testing a.dns.gandi.net
13      Request timed out or transfer not allowed.
14 
15 Unsuccessful in zone transfer (it was worth a shot)
16 Okay, trying the good old fashioned way... brute force
17 
18 Checking for wildcard DNS...
19 Nope. Good.
20 Now performing 2280 test(s)...
21 91.121.81.174   dev.alasta.com
22 91.121.81.174   depot.alasta.com
23 91.121.81.174   default.alasta.com
24 91.121.81.174   download.alasta.com
25 91.121.81.174   ip.alasta.com
26 91.121.81.174   www.alasta.com
27 
28 Subnets found (may want to probe here using nmap or unicornscan):
29  91.121.81.0-255 : 6 hostnames found.
30 
31 Done with Fierce scan: http://ha.ckers.org/fierce/
32 Found 6 entries.
33 
34 Have a nice day.

Ajout du DNS Server (option -dnsserver) qui permet de forcer le DNS à intéroger, par défaut c'est l'un des NS du domaine.
Et ajout du log de la sortie de commande (option -file).

 1 root@kali:~#fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -file /tmp/fierce.log
 2 Now logging to /tmp/fierce.log
 3 DNS Servers for alasta.com:
 4  a.dns.gandi.net
 5  c.dns.gandi.net
 6  b.dns.gandi.net
 7 
 8 Trying zone transfer first...
 9 
10 Unsuccessful in zone transfer (it was worth a shot)
11 Okay, trying the good old fashioned way... brute force
12 
13 Checking for wildcard DNS...
14 Nope. Good.
15 Now performing 2280 test(s)...
16 91.121.81.174   dev.alasta.com
17 91.121.81.174   depot.alasta.com
18 91.121.81.174   default.alasta.com
19 91.121.81.174   download.alasta.com
20 91.121.81.174   ip.alasta.com
21 91.121.81.174   www.alasta.com
22 
23 Subnets found (may want to probe here using nmap or unicornscan):
24  91.121.81.0-255 : 6 hostnames found.
25 
26 Done with Fierce scan: http://ha.ckers.org/fierce/
27 Found 6 entries.
28 
29 Have a nice day.

Quand on étudie la sortie de commande avec et sans -dnsserver, on s'apperçoit qu'avec on ne teste pas transfert de zone sur tous les NS du domaine.

Lorsqu'on fait une trace réseau, on voit qu'il recherche à partir d'une liste de noms, elle est disponible est modifiable dans /usr/share/fierce/hosts.txt.
Sinon il y a la possibilité de faire sa propre liste à vérifier :

 1 echo "kiel" > enreg.txt
 2 echo "www" >> enreg.txt
 3 
 4 root@kali:~# fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -wordlist enreg.txt 
 5 DNS Servers for alasta.com:
 6  a.dns.gandi.net
 7  c.dns.gandi.net
 8  b.dns.gandi.net
 9 
10 Trying zone transfer first...
11 
12 Unsuccessful in zone transfer (it was worth a shot)
13 Okay, trying the good old fashioned way... brute force
14 
15 Checking for wildcard DNS...
16 Nope. Good.
17 Now performing 2 test(s)...
18 91.121.81.174   www.alasta.com
19 91.121.81.174   kiel.alasta.com
20 
21 Subnets found (may want to probe here using nmap or unicornscan):
22  91.121.81.0-255 : 2 hostnames found.
23 
24 Done with Fierce scan: http://ha.ckers.org/fierce/
25 Found 2 entries.
26 
27 Have a nice day.