Tuesday, December 25, 2007

FierceDNS for DNS enumeration

"Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics. First it queries your DNS for the DNS servers of the target. It then switches to using the target's DNS server. Fierce then attempts to dump the SOA records for the domain in the very slim hope that the DNS server that your target uses may be misconfigured. Once that fails (because it almost always will) it attempts to "guess" names that are common amongst a lot of different companies. Next, if it finds anything on any IP address it will scan up and down a set amount (default 5 but you can expand it with -traverse or increase it to the entire subnet with -wide) looking for anything else with the same domain name in it using reverse lookups. If it finds anything on any of those it will recursively scan until it doesn't find any more. In this way it ends up looping a lot, and the bigger the domain is the more you get back. The reason Fierce automatically switches to using the target's DNS server is so that it can probe the Intranet (RFC1918) of the target, assuming the target uses a single DNS server for both their Intranet and external sites."

Let's run it without any arguments to see the help

cg@segfault:~/evil/enumeration/dns/fierceDNS$ perl fierce.pl -h
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains. It's really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for. This does not perform exploitation and does not scan the whole
internet indiscriminately. It is meant specifically to locate likely
targets both inside and outside a corporate network. Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That's especially useful in targeted malware.

Options:
-connect Attempt to make http connections to any non RFC1918
(public) addresses. This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag. I wouldn't
recommend doing this unless it's a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text "Host:n" will be replaced
by the host specified. Usage:

perl fierce.pl -dns example.com -connect headers.txt

-delay The number of seconds to wait between lookups.
-dns The domain you would like scanned.
-dnsfile Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target). Fierce
uses your DNS server for the initial SOA query and then uses
the target's DNS server for all additional queries by default.
-file A file you would like to output to be logged to.
-fulloutput When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help This screen.
-nopattern Don't use a search pattern when looking for nearby
hosts. Instead dump everything. This is really noisy but
is useful for finding other domains that spammers might be
using. It will also give you lots of false positives,
especially on large domains.
-range Scan an internal IP range (must be combined with
-dnsserver). Note, that this does not support a pattern
and will simply output anything it finds. Usage:

perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co

-search Search list. When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company. If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website. Usage:

perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany

Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list. The more the
better.
-stop Stop scan if Zone Transfer works.
-suppress Suppress all TTY output (when combined with -file).
-tcptimeout Specify a different timeout (default 10 seconds). You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads Specify how many threads to use while scanning (default
is single threaded).
-traverse Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs. Default is 5 above and
below. Traverse will not move into other C blocks.
-version Output the version number.
-wide Scan the entire class C after finding any matching
hostnames in that class C. This generates a lot more traffic
but can uncover a lot more information.
-wordlist Use a seperate wordlist (one word per line). Usage:

perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

Let's run it against a "fictional" domain

cg@segfault:~/evil/enumeration/dns/fierceDNS$ perl fierce.pl -dns example.com -connect headers.txt
DNS Servers for example.com:
ns2.xyz.com
ns5.xyz.com
dns31.xyz.com
dns11.xyz.com
xyzgate.xyz.com

Trying zone transfer first...
Testing 192.168.136.101
Request timed out or transfer not allowed.
Testing 192.200.104.140
Request timed out or transfer not allowed.
Testing 192.100.1.34
Request timed out or transfer not allowed.
Testing 192.150.100.51
Request timed out or transfer not allowed.
Testing 192.168.136.100
Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...
192.1.136.108 ap.example.com
192.11.234.101 at.example.com
192.168.16.21 shop.example.com
192.168.16.20 chi.example.com
192.5.217.200 developer.example.com
192.112.22.193 europe.example.com
192.112.30.69 europe.example.com
192.168.136.82 extranet.example.com
192.168.154.105 ftp0.example.com
192.50.230.82 images.example.com
192.168.154.21 int.example.com
127.0.0.1 localhost.example.com
127.0.0.1 loghost.example.com
192.168.16.21 sh.example.com
192.25.201.3 store.example.com
192.25.27.144 wap.example.com
192.168.8.168 www-01.example.com
192.168.8.169 www-02.example.com

Subnets found (may want to probe here using nmap or unicornscan):
127.0.0.0-255 : 2 hostnames found.
192.168.136.0-255 : 1 hostnames found.
192.168.154.0-255 : 2 hostnames found.
192.168.16.0-255 : 3 hostnames found.
192.168.8.0-255 : 2 hostnames found.
192.11.234.0-255 : 1 hostnames found.
192.50.230.0-255 : 1 hostnames found.
192.25.27.0-255 : 1 hostnames found.
192.1.136.0-255 : 1 hostnames found.
192.25.201.0-255 : 1 hostnames found.
192.5.217.0-255 : 1 hostnames found.
192.112.22.0-255 : 1 hostnames found.
192.112.30.0-255 : 1 hostnames found.
IO::Socket::INET=GLOB(0x851a194)

HTTP output for 192.168.16.20 chi.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:26 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x85282b0)

HTTP output for 192.168.16.21 sh.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:26 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x852768c)

HTTP output for 192.168.16.21 shop.example.com
HTTP/1.0 500 Server Error
Date: Sat, 22 Dec 2007 18:53:31 GMT
Content-Length: 285
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x8519f60)

HTTP output for 192.168.8.168 www-01.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:31 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x8527ba8)

HTTP output for 192.168.8.169 www-02.example.com
HTTP/1.0 504 Gateway Timeout
Date: Sat, 22 Dec 2007 18:53:32 GMT
Content-Length: 282
Content-Type: text/html
Server: NetCache appliance (NetApp/5.6.2R1D6)
IO::Socket::INET=GLOB(0x852768c)

HTTP output for 192.25.201.3 store.example.com
HTTP/1.1 302 Found
Date: Sat, 22 Dec 2007 18:51:27 GMT
Server: Apache
Location: http://www.store.example.com/
Content-Length: 282
Connection: close
Content-Type: text/html; charset=iso-8859-1
IO::Socket::INET=GLOB(0x852768c)

HTTP output for 192.5.217.200 developer.example.com
HTTP/1.1 200 OK
Date: Sat, 22 Dec 2007 18:54:15 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.3
Set-Cookie: PHPSESSID=4f413bdcdb4e800b991b0d04d40e99fa; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
IO::Socket::INET=GLOB(0x8527dac)

HTTP output for 192.112.22.193 europe.example.com
HTTP/1.1 302 Found
Date: Sat, 22 Dec 2007 18:54:16 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.5
Location: http://europe.example.com/uk/xyzoz8
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
IO::Socket::INET=GLOB(0x851e6d0)

HTTP output for 192.112.30.69 europe.example.com
HTTP/1.1 302 Found
Date: Sat, 22 Dec 2007 18:54:16 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/5.2.5
Location: http://europe.example.com/uk/xyzoz8
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 18 entries.
and 9 webservers.
Have a nice day.

Lets see what's in the headers.txt file:

cg@segfault:~/evil/enumeration/dns/fierceDNS$ more headers.txt
GET / HTTP/1.0
User-Agent: Mozilla/5.0
Host:

You can also do fun things like specifying specific nameservers to use , scan ranges, and doing reverse lookups. The wide scan option is also worth taking a look at.

No comments: