  • fierce

    root@kali:~# fierce -h
    fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/
    
        Usage: perl fierce.pl [-dns example.com] [OPTIONS]
    
    Overview:
        Fierce is a semi-lightweight scanner that helps locate non-contiguous
        IP space and hostnames against specified domains.  It's really meant
        as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all 
        of those require that you already know what IP space you are looking 
        for.  This does not perform exploitation and does not scan the whole 
        internet indiscriminately.  It is meant specifically to locate likely 
        targets both inside and outside a corporate network.  Because it uses 
        DNS primarily you will often find mis-configured networks that leak 
        internal address space. That's especially useful in targeted malware.
    
    Options:
        -connect    Attempt to make http connections to any non RFC1918
            (public) addresses.  This will output the return headers but
            be warned, this could take a long time against a company with
            many targets, depending on network/machine lag.  I wouldn't
            recommend doing this unless it's a small company or you have a
            lot of free time on your hands (could take hours-days).  
            Inside the file specified the text "Host:
    " will be replaced
            by the host specified. Usage:
    
        perl fierce.pl -dns example.com -connect headers.txt
    
        -delay        The number of seconds to wait between lookups.
        -dns        The domain you would like scanned.
        -dnsfile      Use DNS servers provided by a file (one per line) for
                    reverse lookups (brute force).
        -dnsserver    Use a particular DNS server for reverse lookups 
            (probably should be the DNS server of the target).  Fierce
            uses your DNS server for the initial SOA query and then uses
            the target's DNS server for all additional queries by default.
        -file        A file you would like to output to be logged to.
        -fulloutput    When combined with -connect this will output everything
            the webserver sends back, not just the HTTP headers.
        -help        This screen.
        -nopattern    Don't use a search pattern when looking for nearby
            hosts.  Instead dump everything.  This is really noisy but
            is useful for finding other domains that spammers might be
            using.  It will also give you lots of false positives, 
            especially on large domains.
        -range        Scan an internal IP range (must be combined with 
            -dnsserver).  Note, that this does not support a pattern
            and will simply output anything it finds.  Usage:
    
        perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co
    
        -search        Search list.  When fierce attempts to traverse up and
            down ipspace it may encounter other servers within other
            domains that may belong to the same company.  If you supply a 
            comma delimited list to fierce it will report anything found.
            This is especially useful if the corporate servers are named
            different from the public facing website.  Usage:
    
        perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 
    
            Note that using search could also greatly expand the number of
            hosts found, as it will continue to traverse once it locates
            servers that you specified in your search list.  The more the
            better.
        -suppress    Suppress all TTY output (when combined with -file).
        -tcptimeout    Specify a different timeout (default 10 seconds).  You
            may want to increase this if the DNS server you are querying
            is slow or has a lot of network lag.
        -threads  Specify how many threads to use while scanning (default
          is single threaded).
        -traverse    Specify a number of IPs above and below whatever IP you
            have found to look for nearby IPs.  Default is 5 above and 
            below.  Traverse will not move into other C blocks.
        -version    Output the version number.
        -wide        Scan the entire class C after finding any matching
            hostnames in that class C.  This generates a lot more traffic
            but can uncover a lot more information.
        -wordlist    Use a seperate wordlist (one word per line).  Usage:
    
        perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
    root@kali:~# fierce -dns baidu.com 
    DNS Servers for baidu.com:
        ns3.baidu.com
        ns7.baidu.com
        ns4.baidu.com
        dns.baidu.com
        ns2.baidu.com
    
    Trying zone transfer first...
        Testing ns3.baidu.com
            Request timed out or transfer not allowed.
        Testing ns7.baidu.com
            Request timed out or transfer not allowed.
        Testing ns4.baidu.com
            Request timed out or transfer not allowed.
        Testing dns.baidu.com
            Request timed out or transfer not allowed.
        Testing ns2.baidu.com
            Request timed out or transfer not allowed.
    
    Unsuccessful in zone transfer (it was worth a shot)
    Okay, trying the good old fashioned way... brute force
    
    Checking for wildcard DNS...
    Nope. Good.
    Now performing 2280 test(s)...
    
    Subnets found (may want to probe here using nmap or unicornscan):
    
    Done with Fierce scan: http://ha.ckers.org/fierce/
    Found 208 entries.
    
    Have a nice day.
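
The overview in the help text notes that misconfigured DNS often leaks internal address space. As an added example (not part of the original post or of fierce itself), the following Python audits a listing in the same "IP hostname" layout, taken against a zone you operate, and reports names whose public answers fall in RFC 1918 space. The sample output, hostnames, addresses and function names are constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "IP  hostname" layout of the brute-force listing;
# names and addresses are illustrative, not results from any real scan.
SAMPLE_OUTPUT = """\
Now performing 2280 test(s)...
10.20.4.17    wiki.example.com
10.20.4.23    bugs.example.com
172.16.1.2    gw1.example.com
192.0.2.10    www.example.com
198.51.100.7    mail.example.com
10.20.9.5    mail.example.com

Subnets found (may want to probe here using nmap or unicornscan):
    10.20.4.0-255 : 2 hostnames found.
"""

# Listed explicitly: ipaddress.is_private also covers documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# One IPv4 address, whitespace, one hostname, nothing else on the line.
RECORD = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9._-]+)\s*$")


def parse_records(text):
    """Return (ip, hostname) pairs, skipping banners and the subnet summary."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # malformed address such as an octet above 255
            continue
        records.append((ip, m.group(2).lower()))
    return records


def audit(text):
    """Report names whose public answers fall inside RFC 1918 space."""
    leaked, public = defaultdict(set), defaultdict(set)
    for ip, host in parse_records(text):
        is_internal = any(ip in net for net in RFC1918)
        (leaked if is_internal else public)[host].add(ip)
    subnets = defaultdict(set)  # internal /24 -> names seen in it
    for host, ips in leaked.items():
        for ip in ips:
            subnets[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(host)
    return {
        "leaked": {h: sorted(str(i) for i in leaked[h]) for h in sorted(leaked)},
        "mixed": sorted(set(leaked) & set(public)),  # internal and public answers
        "internal_subnets": {n: len(subnets[n]) for n in sorted(subnets)},
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_OUTPUT).items():
        print(key, value)
```

Names listed under `leaked` are candidates for moving to an internal-only view of the zone; names under `mixed` return both internal and public addresses from the same public record set.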
  • Original article: https://www.cnblogs.com/NoH4cker/p/4823045.html