Provided by: fierce_1.5.0-1_all 
NAME
fierce - DNS scanner that helps locate non-contiguous IP space and hostnames against
specified domains.
SYNOPSIS
fierce [-h] [--domain DOMAIN] [--connect] [--wide] [--traverse TRAVERSE] [--search SEARCH
[SEARCH ...]] [--range RANGE] [--delay DELAY] [--subdomains SUBDOMAINS [SUBDOMAINS ...] |
--subdomain-file SUBDOMAIN_FILE] [--dns-servers DNS_SERVERS [DNS_SERVERS ...] | --dns-file
DNS_FILE] [--tcp]
DESCRIPTION
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and
hostnames against specified domains. It's really meant as a pre-cursor to nmap, OpenVAS,
nikto, etc, since all of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole internet
indiscriminately. It is meant specifically to locate likely targets both inside and
outside a corporate network. Because it uses DNS primarily you will often find mis-
configured networks that leak internal address space. That's especially useful in targeted
malware. Originally written by RSnake along with others at http://ha.ckers.org/. This is
simply a conversion to Python 3 to simplify and modernize the codebase.
OPTIONS
-h, --help show this help message and exit
--domain DOMAIN domain name to test
--connect attempt HTTP connection to non-RFC 1918 hosts
--wide scan entire class c of discovered records
--traverse TRAVERSE scan IPs near discovered records, this won't enter adjacent class
c's
--search SEARCH [SEARCH ...]
filter on these domains when expanding lookup
--range RANGE scan an internal IP range, use cidr notation
--delay DELAY time to wait between lookups
--subdomains SUBDOMAINS [SUBDOMAINS ...]
use these subdomains
--subdomain-file SUBDOMAIN_FILE
use subdomains specified in this file (one per line)
--dns-servers DNS_SERVERS [DNS_SERVERS ...]
use these dns servers for reverse lookups
--dns-file DNS_FILE use dns servers specified in this file for reverse lookups (one
per line)
--tcp use TCP instead of UDP
EXAMPLES
Something basic:
$ fierce --domain google.com --subdomains accounts admin ads
Traverse IPs near discovered domains to search for contiguous blocks with the `--traverse`
flag:
$ fierce --domain facebook.com --subdomains admin --traverse 10
Limit nearby IP traversal to certain domains with the `--search` flag:
$ fierce --domain facebook.com --subdomains admin --search fb.com fb.net
Attempt an `HTTP` connection on domains discovered with the `--connect` flag:
$ fierce --domain stackoverflow.com --subdomains mail --connect
Exchange speed for breadth with the `--wide` flag, which looks for nearby domains on all
IPs of the [/24](https://en.wikipedia.org/wiki/Classless_Inter-
Domain_Routing#IPv4_CIDR_blocks) of a discovered domain:
$ fierce --domain facebook.com --wide
Zone transfers are rare these days, but they give us the keys to the DNS castle.
[zonetransfer.me](https://digi.ninja/projects/zonetransferme.php) is a very useful service
for testing for and learning about zone transfers:
$ fierce --domain zonetransfer.me
To save the results to a file for later use we can simply redirect output:
$ fierce --domain zonetransfer.me > output.txt
Internal networks will often have large blocks of contiguous IP space assigned. We can
scan those as well:
$ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24
FIERCE(1)