LinuxCommandLibrary

fierce

Enumerate domain subdomains and hostnames

SYNOPSIS

fierce [-dns <domain> | -range <IP range>] [options]

PARAMETERS

-dns <domain>
    Specifies the target domain for DNS enumeration.
    Example: -dns example.com

-range <IP range>
    Specifies an IP range (e.g., CIDR notation) to scan for hosts.
    Example: -range 192.168.1.0/24

-file <filename> or -wordlist <filename>
    Uses a custom wordlist for brute-forcing subdomains instead of the default.
    Example: -file my_subdomains.txt

-delay <seconds>
    Sets a delay in seconds between DNS requests to avoid detection or rate limiting.

-threads <number>
    Specifies the number of concurrent threads for faster scanning.

-dns-servers <server1,server2,...>
    Provides a comma-separated list of DNS servers to use for lookups.

-search <domain>
    Appends the specified domain to the wordlist entries, searching for subdomains in that context.

-full-lookup
    Performs a comprehensive DNS lookup for all discovered hosts.

-connect
    Attempts to connect to discovered hosts on a list of common ports (such as 80, 443, 21, 22 and 23) to verify liveness.

-nopattern
    Disables the anti-pattern matching feature, which is designed to reduce false positives in subdomain discovery.

-noexact
    Skips exact record lookups, which may miss some entries but speeds up the scan.

-nonameservers
    Skips querying Name Server (NS) records for discovered subdomains.

-nonrecurse
    Disables recursive lookups for newly found hosts, focusing only on direct DNS queries.

-noreverse
    Disables reverse IP lookups for identified IP addresses.

-print-only
    Outputs only the discovered hostnames to the console.

-print-ip-only
    Outputs only the discovered IP addresses to the console.

-print-file <filename>
    Saves all scan results (hostnames and IPs) to the specified file.

-silent
    Suppresses most informational output, showing only critical data.

-verbose
    Enables more detailed output for debugging and comprehensive reporting.

-h or -help
    Displays the command's help message and available options.

-v or -version
    Shows the version information of the fierce tool.

DESCRIPTION

fierce is a powerful and efficient DNS enumeration tool designed for penetration testers and security researchers. Its primary goal is to locate non-contiguous IP space and identify hostnames within target domains.
It achieves this by attempting zone transfers, brute-forcing common subdomains from a built-in wordlist, and scanning for IP addresses associated with discovered hostnames. The tool is effective at uncovering hidden infrastructure, helping to map out an organization's network presence, and identifying potential attack surface areas that might otherwise be overlooked.
It is a key component of the reconnaissance phase of ethical hacking, providing crucial intelligence for subsequent security assessments.

CAVEATS

fierce relies heavily on DNS server responsiveness and might be slow or inaccurate if DNS servers are overloaded or misconfigured.
Brute-forcing can be noisy and detectable by intrusion detection systems (IDS) or firewall rules, potentially leading to blocks.
Zone transfers are often disabled on modern DNS servers for security reasons, limiting this aspect of the tool's effectiveness.
The effectiveness of brute-forcing depends heavily on the quality and comprehensiveness of the wordlist used.

COMMON USAGE SCENARIOS

Reconnaissance Phase: Utilized by penetration testers to gather initial information about a target's online presence before launching more focused attacks.
Asset Discovery: Helps organizations discover previously unknown or forgotten assets (subdomains, IP ranges) that might be vulnerable.
Attack Surface Mapping: Creates a comprehensive map of an organization's publicly exposed network components.

BRUTE-FORCING EXPLAINED

fierce employs a brute-force dictionary attack against a target domain, attempting to resolve common subdomain names (e.g., www, mail, vpn, dev) combined with the target domain. This method is effective even when zone transfers are disabled.
It also attempts to discover hostnames in adjacent IP ranges by looking for common patterns, often uncovering hosts that are not directly linked to the primary domain's DNS.
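The CAVEATS section notes that this brute-forcing is noisy: a wordlist run produces a burst of NXDOMAIN responses for many distinct names under one zone from a single client. The following is an added example, not part of fierce or of this page, showing how a defender can flag that pattern in resolver logs; the log format (ISO timestamp, client IP, queried name, response code) and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified resolver log format (assumption):
# "<ISO timestamp> <client ip> <queried name> <NOERROR|NXDOMAIN>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

# Constructed sample: 10.0.0.5 runs a wordlist against example.com,
# 10.0.0.9 is an ordinary client with a single typo.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 www.example.com NOERROR
2024-05-01T10:00:01 10.0.0.5 mail.example.com NOERROR
2024-05-01T10:00:01 10.0.0.5 vpn.example.com NXDOMAIN
2024-05-01T10:00:02 10.0.0.5 dev.example.com NXDOMAIN
2024-05-01T10:00:02 10.0.0.5 test.example.com NXDOMAIN
2024-05-01T10:00:03 10.0.0.5 staging.example.com NXDOMAIN
2024-05-01T10:00:03 10.0.0.5 admin.example.com NXDOMAIN
2024-05-01T10:00:04 10.0.0.5 intranet.example.com NXDOMAIN
2024-05-01T10:05:00 10.0.0.9 www.example.com NOERROR
2024-05-01T10:05:30 10.0.0.9 wwww.example.com NXDOMAIN
"""

def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def zone_of(qname, depth=2):
    # Assumption: the zone is the last two labels (no public-suffix handling).
    return ".".join(qname.split(".")[-depth:])

def find_bruteforce(log_text, window=timedelta(seconds=60), threshold=5):
    """Map (client, zone) -> peak number of distinct NXDOMAIN names seen
    inside any `window`, for clients that reach `threshold`."""
    events = defaultdict(list)  # (client, zone) -> [(ts, qname)] for NXDOMAIN only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "NXDOMAIN":
            continue
        ts, client, qname, _ = rec
        events[(client, zone_of(qname))].append((ts, qname))
    alerts = {}
    for key, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({q for _, q in items[start:end + 1]})
            if distinct >= threshold:
                alerts[key] = max(alerts.get(key, 0), distinct)
    return alerts
```

Tune `window` and `threshold` to the normal NXDOMAIN rate of your resolver; a `-delay` option such as the one listed above stretches the burst out, so a longer window catches slower runs.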

HISTORY

fierce was originally developed by RSnake (Robert Hansen) and gained popularity in the early 2000s as a go-to tool for DNS enumeration in penetration testing. It was often part of ethical hacking toolkits, valued for its ability to uncover hidden network infrastructure. While its effectiveness for zone transfers has diminished due to improved DNS security, its brute-forcing capabilities, especially with custom wordlists, remain highly valuable in the reconnaissance phase of security assessments. It has seen ongoing community contributions and updates.

SEE ALSO

dig(1), nslookup(1), host(1), nmap(1), dnsrecon(1), sublist3r(1)
