******
README
******

* Installation
* What is new in 2.0?
* Description


*******************
Installation
*******************

perl Makefile.PL
make
make test
sudo make install

Install templates

mkdir ~/.fierce2/
cp -r tt ~/.fierce2/


*******************
What is new in 2.0?
*******************

Fierce 2.0 is a complete rewrite of the Fierce code using a modular method of
development. Therefore, many of the pieces can be used as their own entity.
This will allow people to quickly create scripts using one or more features of
Fierce.

Obviously, Fierce 2.0 will include the Fierce script which uses the new
modules. This will allow the code to be more readable and will enable faster
development and greater flexibility.

Another major improvement in Fierce 2.0 is the testing framework. Each module
will have an included set of tests, allowing us to verify things are working
the way they should.


***********
Description
***********

Fierce domain scan was born out of personal frustration after performing a web
application security audit. It is traditionally very difficult to discover
large swaths of a corporate network that are non-contiguous. It's terribly easy
to run a scanner against an IP range, but if the IP ranges are nowhere near one
another you can miss huge chunks of networks.

First, what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool,
it is not designed to scan the whole internet or perform any un-targeted
attacks. It is meant specifically to locate likely targets both inside and
outside a corporate network. Only those targets are listed (unless the
-nopattern switch is used). No exploitation is performed (unless you do
something intentionally malicious with the -connect switch). Fierce is a
reconnaissance tool. Fierce is a Perl script that quickly scans domains
(usually in just a few minutes, assuming no network lag) using several tactics.

First it queries your DNS for the DNS servers of the target. It then switches
to using the target's DNS server (you can use a different one if you want by using
the -dnsserver switch, but this can cause problems if the server you use won't
tell you information about other people's sites, and of course you won't find
much relevant internal address space). Fierce then attempts to dump the SOA
records for the domain in the very slim hope that the DNS server that your
target uses may be misconfigured. Once that fails (because it almost always
will) it attempts to "guess" names that are common amongst a lot of different
companies. Don't ask me where I got the list; it's just a list of names that id
and I have seen all over the place. I thought about adding a dictionary to
this, but I think that would take a lot longer, and given that very few of the
words are dictionary words I don't think this would add a lot of value.

Next, if it finds anything on any IP address it will scan up and down a set
amount (default 5, but you can expand it with -traverse or increase it to the
entire subnet with -wide) looking for anything else with the same domain name
in it using reverse lookups. If it finds anything on any of those it will
recursively scan until it doesn't find any more. In this way it ends up looping
a lot, and the bigger the domain is the more you get back. The reason Fierce
automatically switches to using the target's DNS server is so that it can probe
the Intranet (RFC1918) of the target, assuming the target uses a single DNS
server for both their Intranet and external sites.

I also added a random call to something that should fail to test for wildcard
DNS. If it's found, the wildcard is discarded to reduce erroneous results. That
doesn't speed up the scan, because it still needs to check whether each guess
resolves back to the IP address that the wildcard is pointing to. However, it
does reduce false positives.

Also, I've added a "search" option that allows you to find other non-related
domain names. For example, let's say my target's domain is widget.com but I
know they have email addresses like soandso@widgetcompany.com, and own a
company called nutsandbolts.com; for these I can add search queries. This won't
scan for those domains, but if those names pop up, it won't ignore them. Fierce
will report on anything inside the search pattern as long as it matches. If you
want everything you could put a,b,c,...,x,y,z, but I'll probably make
something in the future to allow for scanning/reporting the entire C block once
anything is found in it that matches the DNS string. Here's the syntax:

perl fierce -dns widget.com -search widgetcompany,nutsandbolts

I also realized it can be a little bad about finding everything in a class C if
the target uses non-contiguous blocks within the class C. To deal with that I
built in a function to allow a scan of C blocks only. This is also really
useful for scanning intranets if the DNS is poorly configured. I might expand
on this later.

perl fierce -range 10.10.10.0-255 -dnsserver ns1.example.com

As an alternative, you can use the -wide switch, which does a wide pass of
reverse lookups after finding any C names that match your query in the C block.
This provides a lot more information but is a lot more noisy.

perl fierce -dns example.com -wide -output output.txt

Fierce also has wordlist support so that you can supply your own dictionary
using the -wordlist keyword. Since the brute force does rely on matching at
least a few internal targets, this could be helpful if you know that the naming
convention follows a certain non-obvious scheme or uses another language, etc.

perl fierce -dns example.com -wordlist dictionary.txt -output output.txt

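The scan logic described above (the zone transfer attempt, wordlist guessing with the wildcard check, the recursive reverse-lookup traversal behind -traverse and -wide, the -range C-block scan, and the -search patterns) as one added Python illustration. This is not Fierce's own code and does not use its modules: the function names (sweep, reverse_sweep, range_scan, detect_wildcard), the resolver contract and the SweepResult type are assumptions made here, the resolver is an injected callable so the block runs offline, and the zone data is constructed sample data on documentation address space. A zone owner can supply a real resolver to see what their own PTR records and wildcard entries hand to this kind of sweep.

```python
"""Fierce-style DNS sweep over a pluggable resolver (added illustration, not Fierce code)."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Sequence, Set

# Assumed resolver contract: (name_or_ip, rrtype) -> list of strings. "A" returns IPv4
# addresses, "PTR" takes a dotted IP and returns names, "AXFR" returns "name ip" pairs.
Resolver = Callable[[str, str], List[str]]

@dataclass
class SweepResult:
    wildcard_ips: Set[str] = field(default_factory=set)
    zone_transfer: bool = False
    hosts: Dict[str, str] = field(default_factory=dict)  # hostname -> ip

def detect_wildcard(resolve: Resolver, domain: str, probes: int = 2) -> Set[str]:
    """Resolve random labels that should not exist; their answers are the wildcard target."""
    found: Set[str] = set()
    for _ in range(probes):
        found.update(resolve(f"{secrets.token_hex(6)}.{domain}", "A"))
    return found

def matches(name: str, domain: str, patterns: Sequence[str]) -> bool:
    """Keep a PTR name under the target domain or containing a -search pattern (substring)."""
    n = name.lower().rstrip(".")
    return n == domain or n.endswith("." + domain) or any(p in n for p in patterns)

def parse_range(spec: str) -> List[str]:
    """Expand the -range form '10.10.10.0-255' (last octet only) into addresses."""
    prefix, last = spec.rsplit(".", 1)
    lo, hi = (int(x) for x in last.split("-"))
    return [f"{prefix}.{i}" for i in range(lo, hi + 1)]

def neighbours(ip: str, spread: int, wide: bool) -> List[str]:
    """Whole /24 for -wide, otherwise `spread` addresses either side (-traverse, default 5)."""
    if wide:
        return [str(a) for a in ipaddress.IPv4Network(f"{ip}/24", strict=False).hosts()]
    base = int(ipaddress.IPv4Address(ip))
    lo, hi = max(0, base - spread), min(2**32 - 1, base + spread)  # clamp to IPv4 space
    return [str(ipaddress.IPv4Address(v)) for v in range(lo, hi + 1)]

def reverse_sweep(resolve: Resolver, seeds: Sequence[str], domain: str, patterns: Sequence[str],
                  spread: int = 5, wide: bool = False) -> Dict[str, str]:
    """Recursive PTR expansion: each matching name becomes a new seed; `scanned` stops loops."""
    found: Dict[str, str] = {}
    scanned: Set[str] = set()
    queue = list(seeds)
    while queue:
        for cand in neighbours(queue.pop(), spread, wide):
            if cand in scanned:
                continue
            scanned.add(cand)
            for name in resolve(cand, "PTR"):
                if matches(name, domain, patterns) and name not in found:
                    found[name] = cand
                    queue.append(cand)
    return found

def range_scan(resolve: Resolver, spec: str, domain: str, patterns: Sequence[str] = ()) -> Dict[str, str]:
    """-range: a plain PTR scan of one C block with no recursion (useful on intranets)."""
    return {name: ip for ip in parse_range(spec) for name in resolve(ip, "PTR")
            if matches(name, domain, patterns)}

def sweep(resolve: Resolver, domain: str, wordlist: Sequence[str], patterns: Sequence[str] = (),
          spread: int = 5, wide: bool = False) -> SweepResult:
    """Zone transfer first; if refused, guess from the wordlist (dropping wildcard answers);
    then reverse-sweep around every address found."""
    r = SweepResult(wildcard_ips=detect_wildcard(resolve, domain))
    axfr = resolve(domain, "AXFR")
    if axfr:
        r.zone_transfer = True
        r.hosts.update(dict(entry.split() for entry in axfr))
    else:
        for word in wordlist:
            name = f"{word}.{domain}"
            r.hosts.update({name: ip for ip in resolve(name, "A") if ip not in r.wildcard_ips})
    r.hosts.update(reverse_sweep(resolve, list(r.hosts.values()), domain, patterns, spread, wide))
    return r

# Constructed sample zone on documentation address space (not real records): a wildcard,
# guessable hosts, a non-contiguous PTR block, RFC1918 names, and one related-domain host.
SAMPLE_A = {"www.widget.example": ["198.51.100.10"], "mail.widget.example": ["198.51.100.12"],
            "intranet.widget.example": ["10.10.10.5"]}
WILDCARD_IP = "198.51.100.250"  # what any other *.widget.example name answers with
SAMPLE_PTR = {"198.51.100.10": ["www.widget.example"], "198.51.100.11": ["vpn.widget.example"],
              "198.51.100.12": ["mail.widget.example"], "198.51.100.14": ["dev.widgetcompany.example"],
              "198.51.100.20": ["old.widget.example"], "10.10.10.5": ["intranet.widget.example"],
              "10.10.10.9": ["files.widget.example"]}

def sample_resolver(name: str, rrtype: str) -> List[str]:
    if rrtype == "A":
        return SAMPLE_A.get(name, [WILDCARD_IP] if name.endswith(".widget.example") else [])
    if rrtype == "PTR":
        return SAMPLE_PTR.get(name, [])
    return []  # AXFR refused, as it almost always is

if __name__ == "__main__":
    res = sweep(sample_resolver, "widget.example", ["www", "mail", "intranet", "ftp"], ["widgetcompany"])
    for host, ip in sorted(res.hosts.items(), key=lambda kv: kv[1]):
        print(f"{ip:16} {host}")
```

Running the sample shows the behaviour the text describes: ftp.widget.example answers with the wildcard address and is dropped; the intranet guess seeds a reverse sweep of 10.10.10.x that turns up files.widget.example; dev.widgetcompany.example is only kept because of the search pattern; and old.widget.example at .20 is out of reach of the default spread of 5 and only appears with wide=True, which is exactly why -wide returns more and is noisier.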
Not convinced? Prior to running the scan I had never been to either mail.ru or
rambler.ru (a few of the top Alexa sites in Russia). Since I don't read
Russian, performing an audit against them is far more difficult. Here's some
sample output from the two. In the first example you can see that mail.ru's
mobile.mail.ru sits at an address that is non-contiguous with the rest of the
site. That would have been very difficult to locate with any other scanner. In
the rambler.ru example you can see the RFC1918 space 10.* pop up:

* mail.ru - 418 entries and 303 hostnames found.
* rambler.ru - 472 entries and 458 hostnames found.

Trust me, we've found far more interesting sites than these two in our tests,
but I don't want to disparage any companies for their mistakes. I'm sure you
can think of a few companies to test this against. The results can be pretty
amazing. If you don't get many results, that could be one of three things: 1)
you aren't scanning their corporate domain, you are only scanning their
external domain, which they only have one or two machines on; 2) it's a very
small company; or 3) you typo'd the domain name (I haven't built any checks to
make sure the domain you entered is valid).

Requirements: This is a Perl program requiring the Perl interpreter with the
additional Perl modules listed below. You can install modules using CPAN:

perl -MCPAN -e 'install Net::DNS'
perl -MCPAN -e 'install Net::CIDR'
perl -MCPAN -e 'install Net::Whois::ARIN'
perl -MCPAN -e 'install Object::InsideOut'
perl -MCPAN -e 'install Template'
perl -MCPAN -e 'install Test::Class'
perl -MCPAN -e 'install HTML::SimpleLinkExtor'
perl -MCPAN -e 'install threads'
perl -MCPAN -e 'install threads::shared'
perl -MCPAN -e 'install Thread::Queue'

Windows users: You can use Fierce under Windows if you use Cygwin with Perl and
the above modules installed. I have not tested this using ActivePerl in
Windows, so I would recommend Cygwin until ActivePerl can be thoroughly tested.
I am/was working on a win32 version of Fierce, but have put the project on
hold. If anyone is interested in picking up where I left off, drop me a line.

Version: Fierce is currently at version 2.0 - 11/08/2009

(Thanks to Kristian Erik Hermansen and Robert E Lee for the help with this and to Michael Thumann's
DNSDigger wordlist).

Getting started: perl fierce -help

This may have some bugs in it. Also, this can be a noisy scanner, but in the tests
I've performed it's exceptionally effective at finding non-contiguous IP blocks
and new attack points. This should be considered a precursor to nmap,
unicornscan or nessus, as it gives you enough information to begin a much more
thorough scan with one of those other tools. Also, it can point out DNS entries
for hosts that are no longer up or have not yet been put into production.
Please use Fierce with care and at your own risk.
