{"id":442,"date":"2007-02-20T00:07:01","date_gmt":"2007-02-20T00:07:01","guid":{"rendered":"https:\/\/www.darknet.org.uk\/2007\/02\/fierce-domain-scanner-released-domain-reconnaissance-tool\/"},"modified":"2010-06-29T07:19:00","modified_gmt":"2010-06-29T06:19:00","slug":"fierce-domain-scanner-released-domain-reconnaissance-tool","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2007\/02\/fierce-domain-scanner-released-domain-reconnaissance-tool\/","title":{"rendered":"Fierce Domain Scanner Released – Domain Reconnaissance Tool"},"content":{"rendered":"
Fierce domain scan was born out of personal frustration after performing a web application security audit. It is traditionally very difficult to discover large swaths of a corporate network that is non-contiguous. It’s terribly easy to run a scanner against an IP range, but if the IP ranges are nowhere near one another you can miss huge chunks of networks.<\/p>\n
First, what Fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, and it is not designed to scan the whole internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed. No exploitation is performed. Fierce is a reconnaissance tool. Fierce is a Perl script that quickly scans a domain (usually in just a few minutes, assuming no network lag) using several tactics.<\/p>\n
First it queries your own resolver for the NS records of the target domain. It then switches to querying the target’s own name server directly (you can use a different one with the -dnsserver switch). Fierce then attempts a zone transfer (AXFR) of the domain in the very slim hope that the DNS server your target uses is misconfigured to allow it; a successful transfer hands over the whole zone in one request, which is why it is tried first.<\/p>\n
Once that fails (because it almost always will) it attempts to “guess” names that are common amongst a lot of different companies, resolving each candidate host name against the target’s name server. Don’t ask me where I got the list; it’s just a list of names that id and I have seen all over the place. I thought about adding a dictionary to this, but I think that would take a lot longer, and given that very few of the words are dictionary words I don’t think this would add a lot of value.<\/p>\n
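The three stages described above, reimplemented as an added example (this is not Fierce’s own code and is not a port of fierce.pl). The DNS backend is pluggable: FakeBackend answers from a constructed zone for widget.com (the domain from the syntax example below; RFC 5737 addresses, not real hosts) and refuses AXFR like a properly configured server, so the script runs offline, while DnspythonBackend assumes the third-party dnspython package (version 2 or later) and is how you would point the same logic at a real domain. COMMON_HOSTS is a short stand-in for hosts.txt.

```python
"""Fierce-style DNS reconnaissance: NS lookup, AXFR attempt, then name guessing."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol


class DnsBackend(Protocol):
    """Minimal DNS operations the scan needs; swap in a fake or a real resolver."""
    def nameservers(self, domain: str) -> List[str]: ...
    def resolve_a(self, name: str, server: Optional[str]) -> List[str]: ...
    def zone_transfer(self, domain: str, server: str) -> Optional[Dict[str, List[str]]]: ...


# Stand-in for Fierce's hosts.txt; the real list is far longer.
COMMON_HOSTS = ["www", "mail", "ns1", "ns2", "vpn", "dev", "intranet", "ftp"]

# Constructed zone for the offline demo (RFC 5737 addresses, not real hosts).
# "secret-db" is not in the word list, so only a zone transfer reveals it.
EXAMPLE_ZONE: Dict[str, List[str]] = {
    "ns1.widget.com": ["192.0.2.53"],
    "www.widget.com": ["192.0.2.10"],
    "vpn.widget.com": ["192.0.2.20"],
    "secret-db.widget.com": ["192.0.2.30"],
}


@dataclass
class ReconResult:
    nameservers: List[str] = field(default_factory=list)
    zone_transfer_allowed: bool = False
    hosts: Dict[str, List[str]] = field(default_factory=dict)


def fierce_scan(domain: str, backend: DnsBackend, wordlist: List[str] = COMMON_HOSTS,
                dnsserver: Optional[str] = None) -> ReconResult:
    """Run the three-stage flow described in the post and collect what it finds."""
    result = ReconResult()
    # Stage 1: ask our own resolver who is authoritative, and get their addresses.
    result.nameservers = backend.nameservers(domain)
    ns_ips = [ip for ns in result.nameservers for ip in backend.resolve_a(ns, None)]
    # From here on talk to the target's servers (or the one given via -dnsserver).
    servers = [dnsserver] if dnsserver else ns_ips
    # Stage 2: try AXFR against each authoritative server; one success is enough.
    for server in servers:
        zone = backend.zone_transfer(domain, server)
        if zone:
            result.zone_transfer_allowed = True
            result.hosts = dict(zone)
            return result
    # Stage 3: transfer refused (the normal case), so guess common names.
    server = servers[0] if servers else None
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ips = backend.resolve_a(fqdn, server)
        if ips:
            result.hosts[fqdn] = ips
    return result


@dataclass
class FakeBackend:
    """Answers from a constructed zone; refuses AXFR unless told otherwise."""
    zone: Dict[str, List[str]]
    ns_names: List[str]
    allow_axfr: bool = False

    def nameservers(self, domain: str) -> List[str]:
        return list(self.ns_names)

    def resolve_a(self, name: str, server: Optional[str]) -> List[str]:
        return list(self.zone.get(name, []))

    def zone_transfer(self, domain: str, server: str) -> Optional[Dict[str, List[str]]]:
        return dict(self.zone) if self.allow_axfr else None


class DnspythonBackend:
    """Real lookups; assumes the third-party dnspython package (imported lazily)."""

    def nameservers(self, domain: str) -> List[str]:
        import dns.resolver
        return [str(r.target).rstrip(".") for r in dns.resolver.resolve(domain, "NS")]

    def resolve_a(self, name: str, server: Optional[str]) -> List[str]:
        import dns.exception, dns.resolver
        resolver = dns.resolver.Resolver()
        if server:
            resolver.nameservers = [server]
        try:
            return [rr.address for rr in resolver.resolve(name, "A")]
        except dns.exception.DNSException:
            return []

    def zone_transfer(self, domain: str, server: str) -> Optional[Dict[str, List[str]]]:
        import dns.exception, dns.query, dns.zone
        try:
            zone = dns.zone.from_xfr(dns.query.xfr(server, domain, timeout=5))
        except (dns.exception.DNSException, OSError, EOFError):
            return None  # REFUSED, timeout or connection error: treat as not allowed
        hosts: Dict[str, List[str]] = {}
        for name, _ttl, rdata in zone.iterate_rdatas("A"):
            fqdn = domain if str(name) == "@" else f"{name}.{domain}"
            hosts.setdefault(fqdn, []).append(rdata.address)
        return hosts


if __name__ == "__main__":
    for allow in (False, True):
        r = fierce_scan("widget.com", FakeBackend(EXAMPLE_ZONE, ["ns1.widget.com"], allow))
        print(f"AXFR allowed={r.zone_transfer_allowed}: {sorted(r.hosts)}")
```

Against the fake zone the refused transfer leaves the scan with only the guessable names (www, ns1, vpn), while flipping allow_axfr exposes secret-db.widget.com as well, which is exactly why the transfer is attempted before guessing. To check a real domain’s exposure by hand, a single dig query for AXFR against one of its authoritative servers gives the same answer.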
The syntax is something like this:<\/p>\n
<pre><code>perl fierce.pl -dns widget.com -search widgetcompany,nutsandbolts<\/code><\/pre>\nYou can download Fierce Domain Scanner here:<\/p>\n
fierce.pl<\/a> – Download host list: hosts.txt<\/a><\/p>\nMore info here:<\/p>\n