Fierce – DNS reconnaissance tool

Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.

This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That’s especially useful in targeted malware.



$ pip3 install fierce
$ fierce -h


$ git clone
$ cd fierce
$ pip3 install -r requirements.txt
$ python3 -h



Let’s start with something basic:

$ fierce --domain --subdomains accounts admin ads

Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:

$ fierce --domain --subdomains admin --traverse 10

Limit nearby IP traversal to certain domains with the --search flag:

$ fierce --domain --subdomains admin --search

Attempt an HTTP connection on domains discovered with the --connect flag:

$ fierce --domain --subdomains mail --connect

Exchange speed for breadth with the --wide flag, which looks for nearby domains on all IPs of the /24 of a discovered domain:

$ fierce --domain --wide

Zone transfers are rare these days, but they give us the keys to the DNS castle. is a very useful service for testing for and learning about zone transfers:

$ fierce --domain

To save the results to a file for later use we can simply redirect output:

$ fierce --domain > output.txt

Internal networks will often have large blocks of contiguous IP space assigned. We can scan those as well:

$ fierce --dns-servers --range

Check out --help for further information:

$ fierce --help


DNS reconnaissance tool: Fierce Download


Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: