File: fierce.1

fierce 1.6.0-2
.TH FIERCE 1
.SH NAME
fierce \- DNS scanner that helps locate non-contiguous IP space and hostnames against specified domains.
.SH SYNOPSIS
.B fierce
[\-h] [\-\-domain \fIDOMAIN\fR] [\-\-connect] [\-\-wide] [\-\-traverse \fINUMBER\fR]
[\-\-search \fISEARCH\fR [\fISEARCH\fR ...]] [\-\-range \fIRANGE\fR] [\-\-delay \fIDELAY\fR]
[\-\-subdomains \fISUBDOMAINS\fR [\fISUBDOMAINS\fR ...] | \-\-subdomain\-file \fISUBDOMAIN_FILE\fR]
[\-\-dns\-servers \fIDNS_SERVERS\fR [\fIDNS_SERVERS\fR ...] | \-\-dns\-file \fIDNS_FILE\fR] [\-\-tcp]

.SH DESCRIPTION
.PP
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a precursor to nmap, OpenVAS, nikto, etc., since all of those require that you already know what IP space you are looking for.
This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network.
Because it uses DNS primarily, you will often find misconfigured networks that leak internal address space. That's especially useful in targeted malware.
Originally written by RSnake along with others at http://ha.ckers.org/.
This is simply a conversion to Python 3 to simplify and modernize the codebase.
.SH OPTIONS
\fB\-h\fR, \fB\-\-help\fR
.RS 4
show this help message and exit
.RE

\fB\-\-domain\fR \fIDOMAIN\fR
.RS 4
domain name to test
.RE

\fB\-\-connect\fR
.RS 4
attempt HTTP connection to non-RFC 1918 hosts
.RE

\fB\-\-wide\fR
.RS 4
scan the entire class C of discovered records
.RE

\fB\-\-traverse\fR \fINUMBER\fR
.RS 4
scan NUMBER IPs before and after discovered records. This respects Class C boundaries and won't enter adjacent subnets.
.RE

\fB\-\-search\fR \fISEARCH\fR [\fISEARCH\fR ...]
.RS 4
filter on these domains when expanding lookup
.RE

\fB\-\-range\fR \fIRANGE\fR
.RS 4
scan an internal IP range, given in CIDR notation
.RE

\fB\-\-delay\fR \fIDELAY\fR
.RS 4
time to wait between lookups
.RE

\fB\-\-subdomains\fR \fISUBDOMAINS\fR [\fISUBDOMAINS\fR ...]
.RS 4
use these subdomains
.RE

\fB\-\-subdomain-file\fR \fISUBDOMAIN_FILE\fR
.RS 4
use subdomains specified in this file (one per line)
.RE

\fB\-\-dns-servers\fR \fIDNS_SERVERS\fR [\fIDNS_SERVERS\fR ...]
.RS 4
use these DNS servers for reverse lookups
.RE

\fB\-\-dns-file\fR \fIDNS_FILE\fR
.RS 4
use DNS servers specified in this file for reverse lookups (one per line)
.RE

\fB\-\-tcp\fR
.RS 4
use TCP instead of UDP
.RE
.SH EXAMPLES
.PP
Something basic:
.nf
.RS
$ fierce --domain google.com --subdomains accounts admin ads
.RE
.fi
.PP
Scan 10 IP addresses before and after discovered domains to find contiguous blocks using the \fB\-\-traverse\fR flag:
.nf
.RS
$ fierce --domain facebook.com --subdomains admin --traverse 10
.RE
.fi
.PP
Limit nearby IP traversal to certain domains with the \fB\-\-search\fR flag:
.nf
.RS
$ fierce --domain facebook.com --subdomains admin --search fb.com fb.net
.RE
.fi
.PP
Attempt an HTTP connection on domains discovered with the \fB\-\-connect\fR flag:
.nf
.RS
$ fierce --domain stackoverflow.com --subdomains mail --connect
.RE
.fi
.PP
Exchange speed for breadth with the \fB\-\-wide\fR flag, which looks for nearby domains on all IPs of the /24 (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks) of a discovered domain:
.nf
.RS
$ fierce --domain facebook.com --wide
.RE
.fi
.PP
Zone transfers are rare these days, but they give us the keys to the DNS castle. zonetransfer.me (https://digi.ninja/projects/zonetransferme.php) is a very useful service for testing for and learning about zone transfers:
.nf
.RS
$ fierce --domain zonetransfer.me
.RE
.fi
.PP
To save the results to a file for later use we can simply redirect output:
.nf
.RS
$ fierce --domain zonetransfer.me > output.txt
.RE
.fi
.PP
Internal networks will often have large blocks of contiguous IP space assigned. We can scan those as well:
.nf
.RS
$ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24
.RE
.fi
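The wordlist subdomain lookups, reverse lookups of neighbouring addresses and zone transfer request described above all leave a recognisable footprint in a resolver's query log. The following added example (not part of fierce) flags those three patterns in a constructed log whose line format, client addresses, domains and thresholds are all assumptions; `detect()` returns a set of (client, reason) alerts.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed resolver log format "<client> <qname> <qtype> <rcode>"; not fierce's own output.
LINE_RE = re.compile(r"^(\S+) (\S+) (A|AAAA|PTR|AXFR) (NOERROR|NXDOMAIN|REFUSED)$")
SAMPLE_LOG = """\
192.0.2.10 accounts.example.net. A NXDOMAIN
192.0.2.10 admin.example.net. A NXDOMAIN
192.0.2.10 ads.example.net. A NXDOMAIN
192.0.2.10 5.2.0.192.in-addr.arpa. PTR NXDOMAIN
192.0.2.10 6.2.0.192.in-addr.arpa. PTR NOERROR
192.0.2.10 7.2.0.192.in-addr.arpa. PTR NXDOMAIN
192.0.2.10 example.net. AXFR REFUSED
198.51.100.7 www.example.net. A NOERROR
"""
def base_domain(qname):
    # Assumption: the registrable domain is the last two labels.
    return ".".join(qname.rstrip(".").split(".")[-2:])
def ptr_to_ip(qname):
    # "7.2.0.192.in-addr.arpa." -> IPv4Address("192.0.2.7")
    octets = qname.rstrip(".").removesuffix(".in-addr.arpa").split(".")
    return ipaddress.ip_address(".".join(reversed(octets)))
def longest_consecutive_run(ips):
    # Longest run of adjacent addresses: .5 .6 .7 -> 3
    ints = sorted({int(ip) for ip in ips})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best
def detect(log_text, nx_threshold=3, ptr_run_threshold=3):
    nx = defaultdict(int)    # (client, domain) -> NXDOMAIN answers from wordlist lookups
    ptr = defaultdict(list)  # client -> addresses it reverse-resolved (--traverse/--wide/--range)
    axfr = set()             # clients that requested a zone transfer
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue
        client, qname, qtype, rcode = m.groups()
        if qtype == "AXFR":
            axfr.add(client)
        elif qtype == "PTR" and qname.endswith(".in-addr.arpa."):
            ptr[client].append(ptr_to_ip(qname))
        elif rcode == "NXDOMAIN":
            nx[(client, base_domain(qname))] += 1
    alerts = {(c, f"subdomain enumeration of {d}") for (c, d), n in nx.items() if n >= nx_threshold}
    alerts |= {(c, "reverse sweep") for c, ips in ptr.items() if longest_consecutive_run(ips) >= ptr_run_threshold}
    alerts |= {(c, "zone transfer attempt") for c in axfr}
    return alerts
```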