The idea is to gather as much interesting details as possible about your target before starting the attack.
Fierce is used for DNS Enumeration and has been included in Backtrack and Kali Linux distributions.
It is a great tool for discover non-contiguous IP address for a certain company. You can try a DNS transfer zone, DNS brute force, reverse lookups...
These are the Fierce options.
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -h fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/ Usage: perl fierce.pl [-dns example.com] [OPTIONS] Options: -connect Attempt to make http connections to any non RFC1918 (public) addresses. This will output the return headers but be warned, this could take a long time against a company with many targets, depending on network/machine lag. I wouldn't recommend doing this unless it's a small company or you have a lot of free time on your hands (could take hours-days). Inside the file specified the text "Host:\n" will be replaced by the host specified. Usage: perl fierce.pl -dns example.com -connect headers.txt -delay The number of seconds to wait between lookups. -dns The domain you would like scanned. -dnsfile Use DNS servers provided by a file (one per line) for reverse lookups (brute force). -dnsserver Use a particular DNS server for reverse lookups (probably should be the DNS server of the target). Fierce uses your DNS server for the initial SOA query and then uses the target's DNS server for all additional queries by default. -file A file you would like to output to be logged to. -fulloutput When combined with -connect this will output everything the webserver sends back, not just the HTTP headers. -help This screen. -nopattern Don't use a search pattern when looking for nearby hosts. Instead dump everything. This is really noisy but is useful for finding other domains that spammers might be using. It will also give you lots of false positives, especially on large domains. -range Scan an internal IP range (must be combined with -dnsserver). Note, that this does not support a pattern and will simply output anything it finds. Usage: perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co -search Search list. When fierce attempts to traverse up and down ipspace it may encounter other servers within other domains that may belong to the same company. If you supply a comma delimited list to fierce it will report anything found. This is especially useful if the corporate servers are named different from the public facing website. Usage: perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany Note that using search could also greatly expand the number of hosts found, as it will continue to traverse once it locates servers that you specified in your search list. The more the better. -suppress Suppress all TTY output (when combined with -file). -tcptimeout Specify a different timeout (default 10 seconds). You may want to increase this if the DNS server you are querying is slow or has a lot of network lag. -threads Specify how many threads to use while scanning (default is single threaded). -traverse Specify a number of IPs above and below whatever IP you have found to look for nearby IPs. Default is 5 above and below. Traverse will not move into other C blocks. -version Output the version number. -wide Scan the entire class C after finding any matching hostnames in that class C. This generates a lot more traffic but can uncover a lot more information. -wordlist Use a seperate wordlist (one word per line). Usage: perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt
We can make a reverse lookup for a entire class C network like 65.55.58.0/24
root@bt:/pentest/enumeration/ dns/fierce# ./fierce.pl -range 65.55.58.0-255 65.55.58.2 ten1-2-194.co1-6nf-1a.ntwk.msn.net 65.55.58.3 ten1-2-194.co1-6nf-1b.ntwk.msn.net 65.55.58.38 discussions.connect.microsoft.com 65.55.58.183 submit.microsoft.com 65.55.58.186 cvp.membership.microsoft.com 65.55.58.192 microsoftevents.org 65.55.58.197 eugrantsadvisor.com 65.55.58.201 00001001.ch 65.55.58.202 bizspark.microsoft.com 65.55.58.204 cvp.services.microsoft.com 65.55.58.205 piinternalfe2.microsoft.com 65.55.58.206 cvp.services.ppe.microsoft.com 65.55.58.210 livests.test.itasignon.com 65.55.58.211 sts.test.itasignon.com 65.55.58.212 beta.itasignon.microsoft.com 65.55.58.213 itasignon.microsoft.com 65.55.58.214 websitespark.microsoft.com 65.55.58.241 co1vlsc04.microsoft.com 65.55.58.242 co1vlsc05.microsoft.com 65.55.58.243 co1vlsc06.microsoft.com 65.55.58.247 lva.beta.msllab.microsoft.com 65.55.58.248 pi.beta.msllab.microsoft.com
We can try to make a DNS transfer zone and a DNS brute force against google.es. You can choose the DNS that you desire to make the DNS requests. If it isn't specified, Fierce will request to the DNS servers of the target company. In this case, we make the requests against OpenDNS servers 208.67.222.222.
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -dns google.es -dnsserver 208.67.222.222 DNS Servers for google.es: ns3.google.com ns2.google.com ns4.google.com ns1.google.com Trying zone transfer first... Testing ns3.google.com Request timed out or transfer not allowed. Testing ns2.google.com Request timed out or transfer not allowed. Testing ns4.google.com Request timed out or transfer not allowed. Testing ns1.google.com Request timed out or transfer not allowed. Unsuccessful in zone transfer (it was worth a shot) Okay, trying the good old fashioned way... brute force Checking for wildcard DNS... Nope. Good. Now performing 1895 test(s)... 173.194.41.241 academico.google.es 173.194.41.243 academico.google.es 173.194.41.240 academico.google.es 173.194.41.244 academico.google.es 173.194.41.242 academico.google.es 173.194.67.94 accounts.google.es ... ... ...
You can edit the brute force list as you want.
root@bt:/pentest/enumeration/dns/fierce# more hosts.txt 0 01 02 03 1 10 11 12 13 14 15 16 17 18 19 2 20 3 3com 4 5 6 7 8 9 ILMI a a.auth-ns a01 a02 a1 a2 abc about ac academico acceso access accounting accounts acid activestat ad adam adkit admin administracion administrador ... ... ...
0 comments:
Post a Comment