Fierce is a great script written in Perl by RSnake . This tool will help you for the first steps of a pentesting: the reconnaissance.

The idea is to gather as much interesting details as possible about your target before starting the attack.

Fierce is used for DNS Enumeration and has been included in Backtrack and Kali Linux distributions.

It is a great tool for discover non-contiguous IP address for a certain company. You can try a DNS transfer zone,  DNS brute force, reverse lookups...




These are the Fierce options.

root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Options:
    -connect    Attempt to make http connections to any non RFC1918
        (public) addresses.  This will output the return headers but
        be warned, this could take a long time against a company with
        many targets, depending on network/machine lag.  I wouldn't
        recommend doing this unless it's a small company or you have a
        lot of free time on your hands (could take hours-days). 
        Inside the file specified the text "Host:\n" will be replaced
        by the host specified. Usage:

    perl fierce.pl -dns example.com -connect headers.txt

    -delay        The number of seconds to wait between lookups.
    -dns        The domain you would like scanned.
    -dnsfile      Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
    -dnsserver    Use a particular DNS server for reverse lookups
        (probably should be the DNS server of the target).  Fierce
        uses your DNS server for the initial SOA query and then uses
        the target's DNS server for all additional queries by default.
    -file        A file you would like to output to be logged to.
    -fulloutput    When combined with -connect this will output everything
        the webserver sends back, not just the HTTP headers.
    -help        This screen.
    -nopattern    Don't use a search pattern when looking for nearby
        hosts.  Instead dump everything.  This is really noisy but
        is useful for finding other domains that spammers might be
        using.  It will also give you lots of false positives,
        especially on large domains.
    -range        Scan an internal IP range (must be combined with
        -dnsserver).  Note, that this does not support a pattern
        and will simply output anything it finds.  Usage:

    perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

    -search        Search list.  When fierce attempts to traverse up and
        down ipspace it may encounter other servers within other
        domains that may belong to the same company.  If you supply a
        comma delimited list to fierce it will report anything found.
        This is especially useful if the corporate servers are named
        different from the public facing website.  Usage:

    perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

        Note that using search could also greatly expand the number of
        hosts found, as it will continue to traverse once it locates
        servers that you specified in your search list.  The more the
        better.
    -suppress    Suppress all TTY output (when combined with -file).
    -tcptimeout    Specify a different timeout (default 10 seconds).  You
        may want to increase this if the DNS server you are querying
        is slow or has a lot of network lag.
    -threads  Specify how many threads to use while scanning (default
      is single threaded).
    -traverse    Specify a number of IPs above and below whatever IP you
        have found to look for nearby IPs.  Default is 5 above and
        below.  Traverse will not move into other C blocks.
    -version    Output the version number.
    -wide        Scan the entire class C after finding any matching
        hostnames in that class C.  This generates a lot more traffic
        but can uncover a lot more information.
    -wordlist    Use a seperate wordlist (one word per line).  Usage:

    perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt 


We can make a reverse lookup for a entire class C network like 65.55.58.0/24
root@bt:/pentest/enumeration/
dns/fierce# ./fierce.pl -range 65.55.58.0-255
65.55.58.2    ten1-2-194.co1-6nf-1a.ntwk.msn.net
65.55.58.3    ten1-2-194.co1-6nf-1b.ntwk.msn.net
65.55.58.38    discussions.connect.microsoft.com
65.55.58.183    submit.microsoft.com
65.55.58.186    cvp.membership.microsoft.com
65.55.58.192    microsoftevents.org
65.55.58.197    eugrantsadvisor.com
65.55.58.201    00001001.ch
65.55.58.202    bizspark.microsoft.com
65.55.58.204    cvp.services.microsoft.com
65.55.58.205    piinternalfe2.microsoft.com
65.55.58.206    cvp.services.ppe.microsoft.com
65.55.58.210    livests.test.itasignon.com
65.55.58.211    sts.test.itasignon.com
65.55.58.212    beta.itasignon.microsoft.com
65.55.58.213    itasignon.microsoft.com
65.55.58.214    websitespark.microsoft.com
65.55.58.241    co1vlsc04.microsoft.com
65.55.58.242    co1vlsc05.microsoft.com
65.55.58.243    co1vlsc06.microsoft.com
65.55.58.247    lva.beta.msllab.microsoft.com
65.55.58.248    pi.beta.msllab.microsoft.com


We can try to make a DNS transfer zone and a DNS brute force against google.es. You can choose the DNS that you desire to make the DNS requests. If it isn't specified, Fierce will request to the DNS servers of the target company. In this case, we make the requests against OpenDNS servers 208.67.222.222.
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -dns google.es -dnsserver 208.67.222.222
DNS Servers for google.es:
    ns3.google.com
    ns2.google.com
    ns4.google.com
    ns1.google.com

Trying zone transfer first...
    Testing ns3.google.com
        Request timed out or transfer not allowed.
    Testing ns2.google.com
        Request timed out or transfer not allowed.
    Testing ns4.google.com
        Request timed out or transfer not allowed.
    Testing ns1.google.com
        Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
173.194.41.241    academico.google.es
173.194.41.243    academico.google.es
173.194.41.240    academico.google.es
173.194.41.244    academico.google.es
173.194.41.242    academico.google.es
173.194.67.94    accounts.google.es
...
...
...


You can edit the brute force list as you want.
root@bt:/pentest/enumeration/dns/fierce# more hosts.txt
0
01
02
03
1
10
11
12
13
14
15
16
17
18
19
2
20
3
3com
4
5
6
7
8
9
ILMI
a
a.auth-ns
a01
a02
a1
a2
abc
about
ac
academico
acceso
access
accounting
accounts
acid
activestat
ad
adam
adkit
admin
administracion
administrador
...
...
...