Tools - Fierce
Alasta 29 Mars 2016 tools bash tools Linux Open Source Security shell dns collecte kali
Description : Nous allons utiliser Fierce pour de la collecte d'informations DNS.
Rappel :
Attention dans cet article l'outils est utilisé pour la recherche et l'apprentissage. Ce type d'outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).
Environnement de test :
Pour cela nous allons utiliser une VM tournant sur la distribution Kali. Fierce est installé de base sur Kali.
Utilisation :
La commande et ses options
1 root@kali:~# fierce -h
2 fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
3
4 Usage: perl fierce.pl [-dns example.com] [OPTIONS]
5
6 Overview:
7 Fierce is a semi-lightweight scanner that helps locate non-contiguous
8 IP space and hostnames against specified domains. It's really meant
9 as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
10 of those require that you already know what IP space you are looking
11 for. This does not perform exploitation and does not scan the whole
12 internet indiscriminately. It is meant specifically to locate likely
13 targets both inside and outside a corporate network. Because it uses
14 DNS primarily you will often find mis-configured networks that leak
15 internal address space. That's especially useful in targeted malware.
16
17 Options:
18 -connect Attempt to make http connections to any non RFC1918
19 (public) addresses. This will output the return headers but
20 be warned, this could take a long time against a company with
21 many targets, depending on network/machine lag. I wouldn't
22 recommend doing this unless it's a small company or you have a
23 lot of free time on your hands (could take hours-days).
24 Inside the file specified the text "Host:\n" will be replaced
25 by the host specified. Usage:
26
27 perl fierce.pl -dns example.com -connect headers.txt
28
29 -delay The number of seconds to wait between lookups.
30 -dns The domain you would like scanned.
31 -dnsfile Use DNS servers provided by a file (one per line) for
32 reverse lookups (brute force).
33 -dnsserver Use a particular DNS server for reverse lookups
34 (probably should be the DNS server of the target). Fierce
35 uses your DNS server for the initial SOA query and then uses
36 the target's DNS server for all additional queries by default.
37 -file A file you would like to output to be logged to.
38 -fulloutput When combined with -connect this will output everything
39 the webserver sends back, not just the HTTP headers.
40 -help This screen.
41 -nopattern Don't use a search pattern when looking for nearby
42 hosts. Instead dump everything. This is really noisy but
43 is useful for finding other domains that spammers might be
44 using. It will also give you lots of false positives,
45 especially on large domains.
46 -range Scan an internal IP range (must be combined with
47 -dnsserver). Note, that this does not support a pattern
48 and will simply output anything it finds. Usage:
49
50 perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
51
52 -search Search list. When fierce attempts to traverse up and
53 down ipspace it may encounter other servers within other
54 domains that may belong to the same company. If you supply a
55 comma delimited list to fierce it will report anything found.
56 This is especially useful if the corporate servers are named
57 different from the public facing website. Usage:
58
59 perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany
60
61 Note that using search could also greatly expand the number of
62 hosts found, as it will continue to traverse once it locates
63 servers that you specified in your search list. The more the
64 better.
65 -suppress Suppress all TTY output (when combined with -file).
66 -tcptimeout Specify a different timeout (default 10 seconds). You
67 may want to increase this if the DNS server you are querying
68 is slow or has a lot of network lag.
69 -threads Specify how many threads to use while scanning (default
70 is single threaded).
71 -traverse Specify a number of IPs above and below whatever IP you
72 have found to look for nearby IPs. Default is 5 above and
73 below. Traverse will not move into other C blocks.
74 -version Output the version number.
75 -wide Scan the entire class C after finding any matching
76 hostnames in that class C. This generates a lot more traffic
77 but can uncover a lot more information.
78 -wordlist Use a seperate wordlist (one word per line). Usage:
79
80 perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
La commande par l'exemple
Basiquement
1 root@kali:~# fierce -dns alasta.com
2 DNS Servers for alasta.com:
3 c.dns.gandi.net
4 a.dns.gandi.net
5 b.dns.gandi.net
6
7 Trying zone transfer first...
8 Testing c.dns.gandi.net
9 Request timed out or transfer not allowed.
10 Testing a.dns.gandi.net
11 Request timed out or transfer not allowed.
12 Testing b.dns.gandi.net
13 Request timed out or transfer not allowed.
14
15 Unsuccessful in zone transfer (it was worth a shot)
16 Okay, trying the good old fashioned way... brute force
17
18 Checking for wildcard DNS...
19 Nope. Good.
20 Now performing 2280 test(s)...
21 91.121.81.174 default.alasta.com
22 91.121.81.174 depot.alasta.com
23 91.121.81.174 dev.alasta.com
24 91.121.81.174 download.alasta.com
25 91.121.81.174 ip.alasta.com
26 91.121.81.174 www.alasta.com
27
28 Subnets found (may want to probe here using nmap or unicornscan):
29 91.121.81.0-255 : 6 hostnames found.
30
31 Done with Fierce scan: http://ha.ckers.org/fierce/
32 Found 6 entries.
33
34 Have a nice day.
Ajout des threads, permet de gagner en temps d'execution :
1 root@kali:~# fierce -dns alasta.com -threads 5
2 DNS Servers for alasta.com:
3 c.dns.gandi.net
4 b.dns.gandi.net
5 a.dns.gandi.net
6
7 Trying zone transfer first...
8 Testing c.dns.gandi.net
9 Request timed out or transfer not allowed.
10 Testing b.dns.gandi.net
11 Request timed out or transfer not allowed.
12 Testing a.dns.gandi.net
13 Request timed out or transfer not allowed.
14
15 Unsuccessful in zone transfer (it was worth a shot)
16 Okay, trying the good old fashioned way... brute force
17
18 Checking for wildcard DNS...
19 Nope. Good.
20 Now performing 2280 test(s)...
21 91.121.81.174 dev.alasta.com
22 91.121.81.174 depot.alasta.com
23 91.121.81.174 default.alasta.com
24 91.121.81.174 download.alasta.com
25 91.121.81.174 ip.alasta.com
26 91.121.81.174 www.alasta.com
27
28 Subnets found (may want to probe here using nmap or unicornscan):
29 91.121.81.0-255 : 6 hostnames found.
30
31 Done with Fierce scan: http://ha.ckers.org/fierce/
32 Found 6 entries.
33
34 Have a nice day.
Ajout du DNS Server (option -dnsserver) qui permet de forcer le DNS à intéroger, par défaut c'est l'un des NS du domaine.
Et ajout du log de la sortie de commande (option -file).
1 root@kali:~#fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -file /tmp/fierce.log
2 Now logging to /tmp/fierce.log
3 DNS Servers for alasta.com:
4 a.dns.gandi.net
5 c.dns.gandi.net
6 b.dns.gandi.net
7
8 Trying zone transfer first...
9
10 Unsuccessful in zone transfer (it was worth a shot)
11 Okay, trying the good old fashioned way... brute force
12
13 Checking for wildcard DNS...
14 Nope. Good.
15 Now performing 2280 test(s)...
16 91.121.81.174 dev.alasta.com
17 91.121.81.174 depot.alasta.com
18 91.121.81.174 default.alasta.com
19 91.121.81.174 download.alasta.com
20 91.121.81.174 ip.alasta.com
21 91.121.81.174 www.alasta.com
22
23 Subnets found (may want to probe here using nmap or unicornscan):
24 91.121.81.0-255 : 6 hostnames found.
25
26 Done with Fierce scan: http://ha.ckers.org/fierce/
27 Found 6 entries.
28
29 Have a nice day.
Quand on étudie la sortie de commande avec et sans -dnsserver, on s'apperçoit qu'avec on ne teste pas transfert de zone sur tous les NS du domaine.
Lorsqu'on fait une trace réseau, on voit qu'il recherche à partir d'une liste de noms, elle est disponible est modifiable dans /usr/share/fierce/hosts.txt.
Sinon il y a la possibilité de faire sa propre liste à vérifier :
1 echo "kiel" > enreg.txt
2 echo "www" >> enreg.txt
3
4 root@kali:~# fierce -dnsserver a.dns.gandi.net -dns alasta.com -threads 5 -wordlist enreg.txt
5 DNS Servers for alasta.com:
6 a.dns.gandi.net
7 c.dns.gandi.net
8 b.dns.gandi.net
9
10 Trying zone transfer first...
11
12 Unsuccessful in zone transfer (it was worth a shot)
13 Okay, trying the good old fashioned way... brute force
14
15 Checking for wildcard DNS...
16 Nope. Good.
17 Now performing 2 test(s)...
18 91.121.81.174 www.alasta.com
19 91.121.81.174 kiel.alasta.com
20
21 Subnets found (may want to probe here using nmap or unicornscan):
22 91.121.81.0-255 : 2 hostnames found.
23
24 Done with Fierce scan: http://ha.ckers.org/fierce/
25 Found 2 entries.
26
27 Have a nice day.