Fierce: Introduction and Basic Usage

Fierce Overview

Fierce is a DNS tool for mapping between IP addresses and domain names. It can test for zone-transfer vulnerabilities, brute-force subdomains from a wordlist, reverse-resolve IP ranges, and reverse-resolve the addresses just above and below a given domain's IP. It is a semi-lightweight, multithreaded information-gathering tool: Fierce can attempt HTTP connections to confirm whether a subdomain exists, and because that check is not lightweight, the tool as a whole is classed as semi-lightweight.

Options

Use fierce -h to list all options:

fierce (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: fierce [-dns example.com] [OPTIONS]

Overview:
    Fierce is a semi-lightweight scanner that helps locate non-contiguous
    IP space and hostnames against specified domains.  It's really meant
    as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
    of those require that you already know what IP space you are looking
    for.  This does not perform exploitation and does not scan the whole
    internet indiscriminately.  It is meant specifically to locate likely
    targets both inside and outside a corporate network.  Because it uses
    DNS primarily you will often find mis-configured networks that leak
    internal address space. That's especially useful in targeted malware.

Options:
    -connect  [header.txt]      Attempt to make http connections to any non RFC1918
            (public) addresses.  This will output the return headers but
            be warned, this could take a long time against a company with
            many targets, depending on network/machine lag.  I wouldn't
            recommend doing this unless it's a small company or you have a
            lot of free time on your hands (could take hours-days).
            Inside the file specified the text "Host:\n" will be replaced
            by the host specified. Usage:

    fierce -dns example.com -connect headers.txt

    -delay  <number>        The number of seconds to wait between lookups.
    -dns <domain>           The domain you would like scanned.
    -dnsfile  <dnsfile.txt>      Use DNS servers provided by a file (one per line) for
            reverse lookups (brute force).
    -dnsserver  <dnsserver>    Use a particular DNS server for reverse lookups
            (probably should be the DNS server of the target).  Fierce
            uses your DNS server for the initial SOA query and then uses
            the target's DNS server for all additional queries by default.
    -file           A file you would like to output to be logged to.
    -fulloutput     When combined with -connect this will output everything
            the webserver sends back, not just the HTTP headers.
    -help           This screen.
    -nopattern      Don't use a search pattern when looking for nearby
            hosts.  Instead dump everything.  This is really noisy but
            is useful for finding other domains that spammers might be
            using.  It will also give you lots of false positives,
            especially on large domains.
    -range   <IP>       Scan an internal IP range (must be combined with
            -dnsserver).  Note, that this does not support a pattern
            and will simply output anything it finds.  Usage:

    fierce -range 111.222.333.0-255 -dnsserver ns1.example.co

    -search  <Search list>       Search list.  When fierce attempts to traverse up and
            down ipspace it may encounter other servers within other
            domains that may belong to the same company.  If you supply a
            comma delimited list to fierce it will report anything found.
            This is especially useful if the corporate servers are named
            different from the public facing website.  Usage:

     EXAMPLE:    fierce -dns examplecompany.com -search corpcompany,blahcompany

            Note that using search could also greatly expand the number of
            hosts found, as it will continue to traverse once it locates
            servers that you specified in your search list.  The more the
            better.
    -suppress       Suppress all TTY output (when combined with -file).
    -tcptimeout <number>    Specify a different timeout (default 10 seconds).  You
            may want to increase this if the DNS server you are querying
            is slow or has a lot of network lag.
    -threads [number] Specify how many threads to use while scanning (default
      is single threaded).
    -traverse   [number]    Specify a number of IPs above and below whatever IP you
            have found to look for nearby IPs.  Default is 5 above and
            below.  Traverse will not move into other C blocks.
    -version        Output the version number.
    -wide           Scan the entire class C after finding any matching
            hostnames in that class C.  This generates a lot more traffic
            but can uncover a lot more information.
    -wordlist   <sub.txt>    Use a seperate wordlist (one word per line).  Usage:

     EXAMPLE  fierce -dns examplecompany.com -wordlist dictionary.txt

Example

  1. fierce -dns sina.com -threads 5 -tcptimeout 1 (DNS enumeration of sina.com using 5 threads with a 1-second timeout)

    DNS servers: the DNS servers for sina.com
    zone transfer: DNS zone transfer. Most servers now restrict zone transfers strictly, so in most cases this step turns up nothing useful.
    This is the conventional dictionary brute-force of subdomains. Only part of the output is shown here; in practice there are a great many subdomains. This phase is very time-consuming, but it also yields the most.

The IP addresses of the discovered subdomains are grouped by range; if you are interested, you can follow up by scanning them with nmap.
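As an added example (not part of the original post and not fierce's own code), the following Python script takes fierce-style result lines, groups the hits per /24 the way fierce's subnet summary does, and computes the nearby addresses that -traverse would try without leaving the /24. The sample output lines and addresses are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample in the "IP<TAB>hostname." shape fierce prints for each
# brute-force hit; the addresses and names are made up for this example.
SAMPLE_OUTPUT = """\
Now performing 2280 test(s)...
203.0.113.10\twww.example.com.
203.0.113.11\tmail.example.com.
203.0.113.250\tvpn.example.com.
198.51.100.5\tdev.example.com.
"""


def parse_hits(text):
    """Return (ip, hostname) pairs from fierce-style result lines, skipping noise."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # progress messages, headers and so on
        hits.append((str(ip), parts[1].rstrip(".")))
    return hits


def subnet_summary(hits):
    """Count hits per /24, the same grouping fierce reports under 'Subnets found'."""
    counts = Counter()
    for ip, _ in hits:
        counts[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
    return dict(counts)


def traverse_candidates(ip, span=5):
    """Addresses `span` above and below `ip` that -traverse would try (default 5).
    Like fierce, it never crosses into a neighbouring /24: out-of-block
    addresses are dropped rather than wrapped."""
    addr = ipaddress.ip_address(ip)
    block = ipaddress.ip_network(f"{ip}/24", strict=False)
    return [str(addr + d) for d in range(-span, span + 1)
            if d != 0 and addr + d in block]


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_OUTPUT)
    print(subnet_summary(hits))  # {'203.0.113.0/24': 3, '198.51.100.0/24': 1}
    print(traverse_candidates("203.0.113.253"))
```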

Summary: fierce takes much longer than dnsenum for DNS enumeration (several minutes even with -threads and -tcptimeout), but it also finds more subdomains than dnsenum. If you have plenty of time and want to pick targets at random, fierce is a good choice.
