Fierce is a DNS reconnaissance tool used for locating non-contiguous IP space and hostnames against specified domains. It’s particularly useful for finding targets both inside and outside a corporate network.
```bash
# Kali/Debian
sudo apt install fierce
# Python pip
pip install fierce
```

```bash
fierce --domain <target_domain> [options]

# Basic domain enumeration
fierce --domain example.com
# With verbose output
fierce --domain example.com --verbose
# Specify DNS server
fierce --domain example.com --dns-servers 8.8.8.8
```

| Option | Description |
|---|---|
| `--domain` | Target domain to scan |
| `--dns-servers` | DNS servers to use (comma-separated) |
| `--subdomain-file` | Custom wordlist for subdomain brute-forcing |
| `--traverse` | Scan IPs near discovered hosts |
| `--search` | Search filter for `--traverse` |
| `--range` | Scan IP range (CIDR notation) |
| `--delay` | Delay between lookups (seconds) |
| `--threads` | Number of threads to use |
| `--wide` | Scan entire class C of discovered hosts |
| `--connect` | Attempt HTTP connection to discovered hosts |

```bash
# Fierce automatically attempts zone transfers
fierce --domain example.com
# Output shows:
# NS: ns1.example.com. ns2.example.com.
# SOA: ns1.example.com.
# Zone: success/failure
```

```bash
# Using default wordlist
fierce --domain example.com
# Using custom wordlist
fierce --domain example.com --subdomain-file /path/to/wordlist.txt
# Using SecLists wordlist
fierce --domain example.com --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

```bash
# Scan specific IP range
fierce --range 192.168.1.0/24
# Scan range with DNS resolution
fierce --range 10.0.0.0/24 --dns-servers 10.0.0.1
```

```bash
# Scan adjacent IPs of discovered hosts
fierce --domain example.com --traverse 10
# With search filter
fierce --domain example.com --traverse 5 --search "example"
```

```bash
# Scan entire class C networks of discovered hosts
fierce --domain example.com --wide
```

```bash
# Use multiple DNS servers
fierce --domain example.com --dns-servers 8.8.8.8,8.8.4.4,1.1.1.1
# Use internal DNS servers
fierce --domain internal.corp --dns-servers 10.0.0.53,10.0.0.54
```

```bash
# Add delay between requests
fierce --domain example.com --delay 0.5
# Multi-threaded scanning
fierce --domain example.com --threads 10
```

```
NS: ns1.example.com. ns2.example.com.
SOA: ns1.example.com. (192.168.1.10)
Zone: success
{<DNS name @>: '@ 7200 IN SOA ns1.example.com. admin.example.com. ...'
<DNS name www>: 'www 7200 IN A 192.168.1.20'
<DNS name mail>: 'mail 7200 IN A 192.168.1.30'
<DNS name ftp>: 'ftp 7200 IN A 192.168.1.40'
...
}
```

```
Found: www.example.com (192.168.1.20)
Found: mail.example.com (192.168.1.30)
Found: vpn.example.com (192.168.1.50)
Found: admin.example.com (192.168.1.60)
```

```bash
# Save output for further processing
fierce --domain example.com > fierce_output.txt
# Extract IPs for nmap
fierce --domain example.com 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | sort -u > ips.txt
nmap -iL ips.txt -sV
# Pipe to other tools
fierce --domain example.com | tee results.txt
```

| Wordlist | Location |
|---|---|
| Default | Built into fierce |
| SecLists subdomains | `/usr/share/seclists/Discovery/DNS/subdomains-top1million-*.txt` |
| SecLists fierce | `/usr/share/seclists/Discovery/DNS/fierce-hostlist.txt` |
| Amass default | `/usr/share/amass/wordlists/` |

| Tool | Use Case |
|---|---|
| fierce | Quick DNS recon, zone transfers, subdomain enum |
| subfinder | Passive subdomain enumeration |
| amass | Comprehensive subdomain enumeration |
| dnsrecon | Detailed DNS enumeration |
| dnsenum | DNS enumeration with Google scraping |

```bash
# Step 1: Initial fierce scan
fierce --domain target.com
# Step 2: If zone transfer fails, brute-force subdomains
fierce --domain target.com --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Step 3: Scan adjacent IPs
fierce --domain target.com --traverse 5
# Step 4: Check HTTP services on discovered hosts
fierce --domain target.com --connect
```

```bash
# If no results, try different DNS servers
fierce --domain example.com --dns-servers 8.8.8.8
# Increase delay if getting rate limited
fierce --domain example.com --delay 1
# Use verbose mode for debugging
fierce --domain example.com --verbose
```

- Fierce first attempts zone transfers on all discovered name servers.
- If zone transfer fails, it falls back to subdomain brute-forcing.
- The `--traverse` option is useful for finding additional hosts in the same network.
- Always have permission before scanning - DNS enumeration may be logged.
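
The notes above describe a zone-transfer attempt followed by a subdomain brute-force, and point out that DNS enumeration may be logged. The following is an added example, not part of the original cheat sheet or of fierce itself, showing how that sequence can be flagged from an authoritative server's query log. The log line layout, the `detect` function, its thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified log layout: "<ISO time> client <ip>#<port>: query: <name> IN <type>"
LINE = re.compile(r"^(\S+) client ([\d.]+)#\d+: query: (\S+) IN (\S+)$")

def detect(lines, zone, min_names=5, window=timedelta(seconds=10)):
    """Return {client_ip: sorted findings} for queries that fall under `zone`."""
    recent = defaultdict(deque)   # client -> (timestamp, qname) pairs inside the window
    findings = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # skip lines in any other format
        ts, client, qname, qtype = m.groups()
        ts, qname = datetime.fromisoformat(ts), qname.rstrip(".").lower()
        if qname != zone and not qname.endswith("." + zone):
            continue              # query is for a different zone
        if qtype in ("AXFR", "IXFR"):
            findings[client].add("zone-transfer-attempt")
            continue
        if qname == zone:
            continue              # apex NS/SOA lookups are ordinary traffic
        q = recent[client]
        q.append((ts, qname))
        while ts - q[0][0] > window:
            q.popleft()           # drop queries that fell out of the sliding window
        if len({name for _, name in q}) >= min_names:
            findings[client].add("subdomain-sweep")
    return {c: sorted(f) for c, f in findings.items()}

# Constructed sample: one client follows the AXFR-then-wordlist pattern, one is ordinary.
WORDS = ["www", "mail", "ftp", "vpn", "admin", "dev"]
SAMPLE_LOG = [
    "2024-05-01T10:00:00 client 203.0.113.7#40000: query: example.com IN NS",
    "2024-05-01T10:00:00 client 203.0.113.7#40001: query: example.com IN SOA",
    "2024-05-01T10:00:01 client 203.0.113.7#40002: query: example.com IN AXFR",
] + [
    f"2024-05-01T10:00:0{i + 2} client 203.0.113.7#4001{i}: query: {w}.example.com IN A"
    for i, w in enumerate(WORDS)
] + [
    "2024-05-01T10:00:03 client 198.51.100.20#51000: query: www.example.com IN A",
    "2024-05-01T10:00:04 client 198.51.100.20#51001: query: www.example.com IN AAAA",
    "2024-05-01T10:05:00 client 198.51.100.20#51002: query: mail.example.com IN MX",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG, "example.com"))
```

A larger `--delay` on the scanning side spreads the lookups out, so `window` and `min_names` need tuning against the normal query volume of the zone being monitored.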