source: fierce2/branch/fierce.man.1 @ 119

#!/usr/bin/perl
#
# pod2man fierce.man.1 | gzip -c > fierce.1p.gz && gunzip fierce.1p.gz
#
# Copyright (C) 2008-2009
#                       RSnake < h@ckers.org > 
#                                               Joshua D. Abraham < jabra@spl0it.org >
#
# This manpage is released under the terms of the GNU General Public
# License (GPL), which is distributed with this software in the file
# "COPYING". The GPL specifies the terms under which users may copy
# and use this software.
#

=pod

=begin man

=head1 NAME
 
 Fierce - the ulimate network reconnaissance script

=head1 SYNOPSIS

 fierce [Options] {target specification}

=cut

=begin man

=head1 DESCRIPTION

 Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space
 and hostnames against specified domains. It's really meant as a pre-cursor to
 nmap, unicornscan, nessus, nikto, etc, since all of those require that you
 already know what IP space you are looking for. This does not perform
 exploitation and does not scan the whole internet indiscriminately.  It is
 meant specifically to locate likely targets both inside and outside
 a corporate network. Since it uses DNS primarily you will often find
 mis-configured networks that leak internal address space. That's especially
 useful in targeted malware.
 
=head1 OPTIONS 

    -dns    [dns name(s)]       The domain you would like scanned.
                                (Single domain, or Multiple (Comma seperated)
    
    -format [type]              Defaults to output
                                One of the following: [txt || xml || html]     
    -output [output]            Output file

    -prefix [prefix file]       Prefix list for bruteforce attack
    -maxbruteforce [max num]    Max number concatted onto prefix

    -dnsfile [dns list]         Use DNS servers provided by a file
    -exts [file]                List of extensions for bruteforce attack
    -subdomains [file]          List of subdomains to test
    -dnsserver [dns server]     Use a particular DNS server for reverse lookups 
    -ztstop                     Stop scan if Zone Transfer works.

    -no     [option(s)]         Do not perform (comma seperated)
            zt                      Zone Transfer
            prebf                   Prefix Brute Force
            subbf                   Subdomain Brute Force
            extbf                   Extension Brute Force
            findmx                  Find MX Records
            wildc                   Check for Wild Card
            revlook                 Reverse Lookups
            vhost                   Vhost Hosts
            whois                   Whois Lookup

    -threads [num]              Number of threads (default 5 threads)
    -delay [num]                Number of seconds to delay (default 5 seconds)
    -tcptimeout [num]           Specify a different TCP timeout (default 10 seconds).  
                                You may want to increase this if the DNS server you are querying
                                is slow or has a lot of network lag.

    -udptimeout [num]           Specify a different UDP timeout (default 10 seconds).  

        -debug [num]            Debug option (1-5)
        -verbose [num]          Verbose option (1-5)
    -h  -help                   This help screen.
    -v  -version                Output the version number.

    Basic usage:    perl fierce -dns example.com -prefix hosts.txt    

    Type 'man fierce' for more information

=end man

=cut


__END__

=begin man
 
=head1 OPTION DETAILS

=head2  -delay          
                
                The number of seconds to wait between lookups.

=head2  -dns

                The domain you would like scanned.

=head2  -dnsfile        

                Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).

=head2  -dnsserver      

                Use a particular DNS server for reverse lookups 
                (probably should be the DNS server of the target).  Fierce
                uses your DNS server for the initial SOA query and then uses
                the target's DNS server for all additional queries by default.

=head2  -file           
        
                A file you would like to output to be logged to.

=head2  -fulloutput     
        
                When combined with -connect this will output everything
                the webserver sends back, not just the HTTP headers.

=head2  -help
        
                Help info.

=head2  -nopattern
                
                Don't use a search pattern when looking for nearby
                hosts.  Instead dump everything.  This is really noisy but
                is useful for finding other domains that spammers might be
                using.  It will also give you lots of false positives, 
                especially on large domains.

=head2  -range          
                
                Scan an internal IP range (must be combined with 
                -dnsserver).  Note, that this does not support a pattern
                and will simply output anything it finds.  Usage:

        perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

=head2  -search

                Search list.  When fierce attempts to traverse up and
                down ipspace it may encounter other servers within other
                domains that may belong to the same company.  If you supply a 
                comma delimited list to fierce it will report anything found.
                This is especially useful if the corporate servers are named
                different from the public facing website.  Usage:

        perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany 

                Note that using search could also greatly expand the number of
                hosts found, as it will continue to traverse once it locates
                servers that you specified in your search list.  The more the
                better.

=head2  -stop   
        
                Stop scan if Zone Transfer works.

=head2  -suppress       

                Suppress all TTY output (when combined with -file).

=head2  -tcptimeout     

                Specify a different timeout (default 10 seconds).  You
                may want to increase this if the DNS server you are querying
                is slow or has a lot of network lag.

=head2  -threads  
                
                Specify how many threads to use while scanning (default
                  is single threaded).

=head2  -traverse       
                
                Specify a number of IPs above and below whatever IP you
                have found to look for nearby IPs.  Default is 5 above and 
                below.  Traverse will not move into other C blocks.

=head2  -version        Output the version number.

=head2  -wide

                Scan the entire class C after finding any matching
                hostnames in that class C.  This generates a lot more traffic
                but can uncover a lot more information.

-wordlist       
                Use a seperate wordlist (one word per line).  Usage:

        perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

=head1 FEATURE REQUESTS or BUG REPORTS
 
 These should be submitted using :
 
 http://trac.assembla.com/fierce/newticket

 For Bug Reports, please include the version of Fierce and a detailed
 description of the issue

 For Feature Requests, please include a detailed description of the feature and
 why this would be a useful addtion to Fierce.

=head1 SEE ALSO

 nmap(1), unicornscan(1)

=head1 AUTHORS

 RSnake < h@ckers.org >
 Joshua D. Abraham < jabra@spl0it.org >

=head1 LEGAL NOTICES

 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 General Public License for more details at
 http://www.gnu.org/copyleft/gpl.html, or in the COPYING file included
 with Fierce.

 Please use Fierce with care and at your own risk.

=end man