How to use fierce command for DNS enumeration. Learn cyber security.

How to use Fierce for DNS Enumeration? OSINT RECON

Fierce is a command-line DNS reconnaissance tool for locating non-contiguous IP space using DNS records. It does not perform exploitation and does not scan the whole internet indiscriminately. Although it scans networks as Nmap does, it works primarily through DNS, so it excels at finding misconfigured networks that leak internal address space.
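The leak described above can be checked from the zone owner's side. The following is an added example, not part of the original post or the Fierce project: it audits a zone export for A records that point into RFC 1918 space. The zone lines and the example.com names are constructed.

```python
import ipaddress

# RFC 1918 private ranges; addresses in these should not be published externally.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed zone export for the placeholder domain example.com.
SAMPLE_ZONE = """\
; name                 ttl class type value
www.example.com.       300 IN    A    203.0.113.10
vpn.example.com.       300 IN    A    198.51.100.4
intranet.example.com.  300 IN    A    10.20.30.40   ; internal host
build.example.com.     300 IN    A    172.16.8.15
db01.example.com.      300 IN    A    192.168.1.50
edge.example.com.      300 IN    A    172.32.0.1    ; just outside 172.16.0.0/12
mail.example.com.      300 IN    MX   10 mx.example.com.
broken.example.com.    300 IN    A    not-an-ip
"""

def find_internal_leaks(zone_text):
    """Return [(name, address, network)] for A records inside RFC 1918 space."""
    leaks = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "A":
            continue                             # only A records carry IPv4 data
        try:
            addr = ipaddress.IPv4Address(fields[4])
        except ipaddress.AddressValueError:
            continue                             # malformed value, not a leak
        for net in RFC1918:
            if addr in net:
                leaks.append((fields[0].rstrip("."), str(addr), str(net)))
    return leaks

if __name__ == "__main__":
    for name, addr, net in find_internal_leaks(SAMPLE_ZONE):
        print(f"{name} publishes {addr} (inside {net})")
```

Records flagged here belong in an internal-only view of the zone.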

The examples below use the facebook.com domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security research purposes. Please visit this link to make sure the Facebook program is still open before attempting any of these commands.

Fierce Github repository: https://github.com/mschwager/fierce

Fierce Tool Options

| Argument | Command Example | Description |
|---|---|---|
| --help | $ fierce --help | show the command options |
| --domain | $ fierce --domain facebook.com | domain name to test |
| --connect | $ fierce --domain facebook.com --connect | attempt HTTP connection to non-RFC 1918 hosts |
| --wide | $ fierce --domain facebook.com --wide | scan entire class C of discovered records |
| --traverse | $ fierce --domain facebook.com --subdomains m --traverse 10 | scan IPs near discovered records |
| --search | $ fierce --domain facebook.com --subdomains m --search fb.com | filter on these domains when expanding lookup |
| --range | $ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24 | scan an internal IP range, use CIDR notation |
| --delay | $ fierce --domain facebook.com --delay 10 | time to wait between lookups (sec.) |
| --subdomains | $ fierce --domain facebook.com --subdomains m | use these subdomains |
| --subdomain-file | $ fierce --domain facebook.com --subdomain-file file.txt | use subdomains specified in this file (one per line) |
| --dns-servers | $ fierce --dns-servers 10.0.0.1 | use these DNS servers for reverse lookups |
| --dns-file | $ fierce --dns-file file.txt | use DNS servers specified in this file (one per line) |

Fierce Cheat Sheet

Fierce arguments cheat sheet

Fierce --help Argument

$ fierce --help

The --help argument shows the command options available for use.


Fierce --domain Argument

$ fierce --domain facebook.com

The domain name to test is given after the --domain argument.


Fierce --connect Argument

$ fierce --domain facebook.com --subdomains mail --connect

Fierce lists the subdomains it finds for your target; with the --connect argument, it also shows whether any of those subdomains are running web servers. It tries to pull the HTTP header information from any web servers that are online, for recon purposes. Useful information extracted with --connect could include the version number of the web server.


Fierce --wide Argument

$ fierce --domain facebook.com --wide

The fierce --wide argument scans the entire class C of discovered records. This option generates a lot more traffic but can uncover more information.


Fierce --traverse Argument

$ fierce --domain facebook.com --subdomains m --traverse 10

The fierce --traverse argument scans IPs near discovered records; this option will not enter adjacent class C networks. This example uses the facebook.com domain and the subdomain m, which is m.facebook.com.


Fierce --search Argument

$ fierce --domain facebook.com --subdomains m --search fb.com

The fierce --search argument filters on the domains specified when expanding the lookup. Essentially, it limits nearby IP traversal to certain domains. This argument is useful for finding names if the corporate servers are named differently from the public-facing website.


Fierce --range Argument

$ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24

The fierce --range argument scans an internal IP range given in CIDR notation. The --range argument has to be used with the --dns-servers argument. Internal networks often have large blocks of contiguous IP space assigned, which can be scanned using this syntax.
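A defender's view of the reverse lookups behind --range, --wide and --traverse, as an added example that is not part of the original post or the Fierce project: it scans a resolver query log for a single client requesting PTR records across much of one /24. The log format, the addresses and the `min_addresses` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver query log, "<timestamp> <client> <qname> <qtype>":
# client 10.0.5.23 walks 10.0.0.1-21, one lookup every 10 s; 10.0.5.9 is normal.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:{i // 6:02d}:{i % 6 * 10:02d}Z 10.0.5.23 "
     f"{i}.0.0.10.in-addr.arpa. PTR" for i in range(1, 22)]
    + ["2024-05-01T10:00:03Z 10.0.5.9 25.2.0.192.in-addr.arpa. PTR",
       "2024-05-01T10:00:04Z 10.0.5.9 7.113.0.203.in-addr.arpa. PTR",
       "2024-05-01T10:00:05Z 10.0.5.9 www.example.com. A",
       "2024-05-01T10:00:06Z 10.0.5.9 bogus.in-addr.arpa. PTR"]
)

def ptr_to_ip(qname):
    """Return the IPv4 address encoded in an in-addr.arpa name, or None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None

def find_ptr_sweeps(log_text, min_addresses=8):
    """Map (client, /24) to the distinct addresses it reverse-resolved.

    Only pairs with at least min_addresses targets are kept. Counting
    distinct addresses, not query rate, reports a slow walk as well.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3].upper() != "PTR":
            continue
        ip = ptr_to_ip(fields[2])
        if ip is None:
            continue                      # malformed or non-IPv4 reverse name
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        seen[(fields[1], str(net))].add(ip)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_addresses}

if __name__ == "__main__":
    for (client, net), ips in find_ptr_sweeps(SAMPLE_LOG).items():
        print(f"{client} reverse-resolved {len(ips)} addresses in {net}")
```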


Fierce --delay Argument

$ fierce --domain facebook.com --delay 10

The fierce --delay argument is the time to wait between lookups, in seconds. In the example below, the blue circle shows where the command finished the first lookup and waited for the 10-second delay before proceeding with the next query.

Fierce DNS Tutorial --delay

Fierce --subdomains Argument

$ fierce --domain facebook.com --subdomains m

The fierce --subdomains argument tells the tool to use the specified subdomains.


Fierce --subdomain-file Argument

$ fierce --domain facebook.com --subdomain-file file.txt

The fierce --subdomain-file argument uses a specified file to enumerate subdomains. The text file should contain only one subdomain per line.


All the examples above use the facebook.com domain. As of this writing, Facebook (Meta) has an open bug bounty program, which makes it available for scanning for security research purposes. Please visit this link to make sure the Facebook program is still open before attempting any of these commands.
