Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BSidesLV] Fierce v2

Fierce v2 – Joshua “Jabra” Abraham

I’m Jabra… I do a lot of programming in Perl

What is Fierce?

Written by Robert “rsnake” Hansen, designed to do lots of DNS recon techniques

Since then, it’s been rewritten into a brand new tool, more options, better….

Version 2 – README .:


What is new in 2.0?
Fierce v2.0 is a complete rewrite of version 1.0. Fierce 1.0 was a combination
multiple network enumeration techniques in a single large Perl script. With
Fierce v2.0 the techniques have been abstracted from the main fierce script so
that it is easier to read, modify and maintain. This will enable faster
development and greater flexibility.

Each technique has been coverted into a Perl module that they can be used used
by the main fierce script. There are also several new techniques that been
added with version 2.0, such as virtual host detection, extension bruteforcing
and subdomain bruteforcing. Version 2.0 also included the addition of
a template based output system. We have included stdout/text, html  and xml
formats. Leveraging the xml format is very easy, since we have even built an
xml parsing module that is available on CPAN.


(click on Fierce::Parser, this will bring you to the latest version of the
 Fierce::Parser module.)

Fierce Version 2 is a lot more complex than the simple brute-force that was used in the earlier versions.

Each technique is a module that’s included in the main script. This allows you to break out the functionality you require and develop modules without changing the core of the script.

Allows for prefixes to be passed through the command line… If none is passed, use default list

Support for top-level domain brute-forcing (i.e check .co.uk, .com, .xxx, …)

Ability to blacklist techniques that shouldn’t be run! Good to avoid triggering alarms on things like Zone Transfer attempts

New technique added to find virtual-hosts based on the IP search through MSN.com

FindNearbyHosts –> By putting in the domain and company name, you can identify PTR records that point back to the same domain

Code is much more readable that Fierce v1 –> Even I can read it…. and I don’t know Perl 😉

Erin Lookups on company names to find possible domains

Modules that use threading are marked with a t at the start of the module name. This allows them to be easily identified.

Threading handled by setting a queue of tasks and iterate through them.

Note: This talk was 100% live demo… no slides. Much respect for that! Checkout the video for the true Fierce v2 Experience


%d bloggers like this: