mschwager / fierce
A DNS reconnaissance tool for locating non-contiguous IP space.
License: GNU General Public License v3.0
I frequently receive a timeout during the zone transfer step that kills fierce. The program hangs for several minutes after printing the SOA, then crashes with the following:
Traceback (most recent call last):
File "./fierce.py", line 409, in <module>
main()
File "./fierce.py", line 406, in main
fierce(**vars(args))
File "./fierce.py", line 266, in fierce
zone = zone_transfer(master_address, domain)
File "./fierce.py", line 138, in zone_transfer
return dns.zone.from_xfr(dns.query.xfr(address, domain))
File "/usr/lib/python3/dist-packages/dns/zone.py", line 979, in from_xfr
for r in xfr:
File "/usr/lib/python3/dist-packages/dns/query.py", line 412, in xfr
_net_write(s, tcpmsg, expiration)
File "/usr/lib/python3/dist-packages/dns/query.py", line 260, in _net_write
current += sock.send(data[current:])
TimeoutError: [Errno 110] Connection timed out
This is on current master (9334f0f) but was present in 1.1.5 as well.
A Homebrew formula would be nice for easy install under MacOS.
Traceback (most recent call last):
File "fierce.py", line 239, in <module>
main()
File "fierce.py", line 236, in main
fierce(**vars(args))
File "fierce.py", line 157, in fierce
subdomains = [sd.strip() for sd in open(kwargs["subdomain_file"]).readlines()]
FileNotFoundError: [Errno 2] No such file or directory: 'lists/default.txt'
The script does not create the file if it does not already exist. Also it seems to be specified by a relative path - if one installs this via pip, presumably this is intended to be executed from any directory, and the relative path would prevent that I think.
Hello,
Found out during a challenge on HackTheBox that when the DNS resolution is pointing to localhost (127.0.0.1), fierce is not able to perform a zone transfer even if zone transfer is possible with dig.
It could happen in a real engagement too.
I updated the code in my PR
It looks like when fierce gets something in a DNS response it can't parse, it breaks.
Here's a sanitized version of the cmdline and immediate error results:
./fierce.py --domain asdfasdf.com
NS: asdfasdf.net. asdfasdf.net.
SOA: asdfasdf.net. (x.x.x.x)
Zone: failure
Wildcard: failure
Found: asdfasdf.asdfasd (x.x.x.x)
Nearby:
{'x.x.x.x': 'x.x.x-120.asdf.asdfasdfk.net.',
'x.x.x.121': 'x.x.x-121.asdf.asdfasdfk.net.',
'x.x.x.122': 'x.x.x-122.asdf.asdfasdfk.net.',
'x.x.x.123': 'x.x.x-123.asdf.asdfasdfk.net.',
'x.x.x.124': 'x.x.x-124.asdf.asdfasdfk.net.',
'x.x.x.125': 'x.x.x-125.asdf.kjh.net.',
'x.x.x.126': 'x.x.x-126.asdf.kjh.net.',
'x.x.x.127': 'x.x.x-127.asdf.kjh.net.',
'x.x.x.128': 'x.x.x-128.asdf.kjh.net.',
'x.x.x.129': 'x.x.x-129.asdf.kjh.net.',
'x.x.x.130': 'x.x.x-130.asdf.asdfasdfk.net.'}
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 126, in __init__
rdclass, rdtype)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 136, in __init__
dns.rdatatype.CNAME)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./fierce.py", line 210, in <module>
main()
File "./fierce.py", line 207, in main
fierce(**vars(args))
File "./fierce.py", line 134, in fierce
record = query(resolver, url, record_type='A')
File "./fierce.py", line 33, in query
return resolver.query(domain, record_type)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 910, in query
raise_on_no_answer)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 145, in __init__
raise NoAnswer
dns.resolver.NoAnswer
If the wildcard fails, its type is None.
Consequently, this generates an error when an A query is made on each subdomain, because fierce verifies whether the A query result is None or whether the found address is the same as the wildcard (which is None here).
Please see the below query.
$fierce --domain facebook.com --wide
NS: a.ns.facebook.com. b.ns.facebook.com.
SOA: a.ns.facebook.com. (69.171.239.12)
Traceback (most recent call last):
File "/usr/local/bin/fierce", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.4/dist-packages/fierce.py", line 284, in main
fierce(**vars(args))
File "/usr/local/lib/python3.4/dist-packages/fierce.py", line 185, in fierce
zone = zone_transfer(master_address, domain)
File "/usr/local/lib/python3.4/dist-packages/fierce.py", line 110, in zone_transfer
return dns.zone.from_xfr(dns.query.xfr(address, domain))
File "/usr/lib/python3/dist-packages/dns/zone.py", line 979, in from_xfr
for r in xfr:
File "/usr/lib/python3/dist-packages/dns/query.py", line 412, in xfr
_net_write(s, tcpmsg, expiration)
File "/usr/lib/python3/dist-packages/dns/query.py", line 260, in _net_write
current += sock.send(data[current:])
ConnectionRefusedError: [Errno 111] Connection refused
No idea what causes the error. May be an issue with port number?
Using Python3 on Ubuntu 14.04
I received this using fierce 1.1.5 (installed via python3-pip) when doing a basic scan of my domain, brainonfire.net, with the 20k subdomain list:
Traceback (most recent call last):
File "/usr/local/bin/fierce", line 11, in <module>
sys.exit(main())
File "/usr/local/lib/python3.4/dist-packages/fierce.py", line 405, in main
fierce(**vars(args))
File "/usr/local/lib/python3.4/dist-packages/fierce.py", line 284, in fierce
url = concatenate_subdomains(domain, [subdomain])
File "/usr/local/lib/python3.4/dist-packages/fierce.py", line 86, in concatenate_subdomains
result = dns.name.Name(tuple(subdomains) + domain.labels)
File "/usr/local/lib/python3.4/dist-packages/dns/name.py", line 329, in __init__
_validate_labels(self.labels)
File "/usr/local/lib/python3.4/dist-packages/dns/name.py", line 299, in _validate_labels
raise EmptyLabel
dns.name.EmptyLabel: A DNS label is empty.
Got this error:
$ fierce --domain example.com
NS: a.iana-servers.net. b.iana-servers.net.
SOA: ns.icann.org. (199.4.138.53)
Zone: failure
Traceback (most recent call last):
File "/usr/bin/fierce", line 33, in <module>
sys.exit(load_entry_point('fierce==1.5.0', 'console_scripts', 'fierce')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/site-packages/fierce-1.5.0-py3.12.egg/fierce/fierce.py", line 495, in main
fierce(**vars(args))
File "/usr/lib/python3.12/site-packages/fierce-1.5.0-py3.12.egg/fierce/fierce.py", line 338, in fierce
random_subdomain = str(random.randint(1e10, 1e11)) # noqa DUO102, non-cryptographic random use
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/random.py", line 336, in randint
return self.randrange(a, b+1)
^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.12/random.py", line 301, in randrange
istart = _index(start)
^^^^^^^^^^^^^
TypeError: 'float' object cannot be interpreted as an integer
Fixed it by replacing:
random_subdomain = str(random.randint(1e10, 1e11))
by
random_subdomain = str(random.randint(10000000000, 99999999999))
The line is:
Line 338 in f32f639
File "/usr/local/bin/fierce", line 9, in <module>
load_entry_point('fierce==1.0', 'console_scripts', 'fierce')()
File "/usr/local/lib/python3.5/site-packages/fierce-1.0-py3.5.egg/fierce.py", line 235, in main
File "/usr/local/lib/python3.5/site-packages/fierce-1.0-py3.5.egg/fierce.py", line 137, in fierce
TypeError: 'NoneType' object is not subscriptable
I'm using the latest git and facing the following issue:
fierce --domain itdefence.asia
NS: ns-77-a.gandi.net. ns-187-b.gandi.net. ns-216-c.gandi.net.
SOA: ns1.gandi.net. (173.246.98.2)
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.5/fierce", line 11, in <module>
load_entry_point('fierce==1.2.0', 'console_scripts', 'fierce')()
File "/usr/lib64/python3.5/site-packages/fierce/fierce.py", line 389, in main
fierce(**vars(args))
File "/usr/lib64/python3.5/site-packages/fierce/fierce.py", line 248, in fierce
zone = zone_transfer(master_address, domain)
File "/usr/lib64/python3.5/site-packages/fierce/fierce.py", line 120, in zone_transfer
return dns.zone.from_xfr(dns.query.xfr(address, domain))
File "/usr/lib64/python3.5/site-packages/dns/zone.py", line 1063, in from_xfr
for r in xfr:
File "/usr/lib64/python3.5/site-packages/dns/query.py", line 611, in xfr
raise TransferError(rcode)
dns.query.TransferError: Zone transfer error: NOTAUTH
I have also seen the "REFUSED" error message with another domain.
Please also note that I'm using the latest git of dnspython:
dev-python/dnspython-1.16.0_pre20170831
When I try to run the following command:
fierce --domain example.com --subdomain-file "/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt" --traverse 255
I get the below error:
NS: ns-722.awsdns-26.net. ns-1475.awsdns-56.org. ns-440.awsdns-55.com. ns-1574.awsdns-04.co.uk.
SOA: ns-440.awsdns-55.com. (205.251.193.184)
Zone: failure
Wildcard: failure
Traceback (most recent call last):
File "/usr/local/bin/fierce", line 8, in <module>
sys.exit(main())
File "/usr/local/lib/python3.8/dist-packages/fierce/fierce.py", line 486, in main
fierce(**vars(args))
File "/usr/local/lib/python3.8/dist-packages/fierce/fierce.py", line 358, in fierce
url = concatenate_subdomains(domain, [subdomain])
File "/usr/local/lib/python3.8/dist-packages/fierce/fierce.py", line 103, in concatenate_subdomains
result = dns.name.Name(tuple(subdomains) + domain.labels)
File "/usr/local/lib/python3.8/dist-packages/dns/name.py", line 335, in __init__
_validate_labels(self.labels)
File "/usr/local/lib/python3.8/dist-packages/dns/name.py", line 295, in _validate_labels
raise LabelTooLong
dns.name.LabelTooLong: A DNS label is > 63 octets long.
The traverse expander subtracts small numbers from an IP address and constructs new IPs from the results. This breaks when the result goes negative, e.g. traversing backwards from 0.0.0.0.
I had a little trouble reproducing this, but if you have a subdomain that is a CNAME of a domain that resolves to 0.0.0.0, you'll get a stack trace like this:
Traceback (most recent call last):
File "./fierce/fierce.py", line 486, in <module>
main()
File "./fierce/fierce.py", line 480, in main
fierce(**vars(args))
File "./fierce/fierce.py", line 373, in fierce
ips = expander_func(ip)
File "./fierce/fierce.py", line 173, in traverse_expander
result = [ipaddress.IPv4Address(ip + i) for i in range(-n, n + 1)]
File "./fierce/fierce.py", line 173, in <listcomp>
result = [ipaddress.IPv4Address(ip + i) for i in range(-n, n + 1)]
File "/usr/lib/python3.5/ipaddress.py", line 575, in __add__
return self.__class__(int(self) + other)
File "/usr/lib/python3.5/ipaddress.py", line 1269, in __init__
self._check_int_address(address)
File "/usr/lib/python3.5/ipaddress.py", line 420, in _check_int_address
raise AddressValueError(msg % (address, self._version))
ipaddress.AddressValueError: -5 (< 0) is not permitted as an IPv4 address
I don't have a public domain I can share for this, but if you CNAME something to qa.cloudapp.net it should do the trick. :-)
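An added example (not fierce's own code or its eventual fix) of a traverse expander that clamps the window to the valid IPv4 range, next to the unclamped arithmetic from the traceback above. The function names mirror the traceback; clamping rather than failing is an assumption about the desired behaviour.

```python
import ipaddress

# Highest valid IPv4 address as an integer (2**32 - 1).
IPV4_MAX = int(ipaddress.IPv4Address("255.255.255.255"))


def naive_traverse_expander(ip, n=5):
    """Unclamped arithmetic as shown in the traceback; fails at the range edges."""
    ip = ipaddress.IPv4Address(ip)
    return [ipaddress.IPv4Address(ip + i) for i in range(-n, n + 1)]


def traverse_expander(ip, n=5):
    """Return the addresses within n of ip, clamped to 0.0.0.0-255.255.255.255."""
    if n < 0:
        raise ValueError("n must be non-negative")
    centre = int(ipaddress.IPv4Address(ip))
    low = max(0, centre - n)            # never step below 0.0.0.0
    high = min(IPV4_MAX, centre + n)    # never step above 255.255.255.255
    return [ipaddress.IPv4Address(i) for i in range(low, high + 1)]


def raises_address_error(func, ip, n=5):
    """True if func(ip, n) raises ipaddress.AddressValueError."""
    try:
        func(ip, n)
    except ipaddress.AddressValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: both ends of the IPv4 range and an ordinary address.
    for sample in ("0.0.0.0", "255.255.255.253", "10.0.0.10"):
        window = traverse_expander(sample)
        print(sample, "->", window[0], "to", window[-1], "(%d addresses)" % len(window))
    print("naive version fails at 0.0.0.0:",
          raises_address_error(naive_traverse_expander, "0.0.0.0"))
```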
When I use --subdomain-file with subdomains each composed of two subdomains separated by a dot (e.g. "toto.tata"), I do not get an answer.
By putting some print inside fierce, I found that the problem comes from this line: "result = dns.name.Name(tuple(subdomains) + domain.labels)".
It replaces dots in subdomains by "\.".
For example, the subdomain "toto.tata" becomes "toto\.tata" which causes the DNS request to fail.
Is this an expected behavior?
Am I not supposed to use the --subdomain-file option with this kind of input?
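An added example, not code from fierce: a standard-library pre-check for wordlist entries that covers the three failures reported on this page (EmptyLabel, LabelTooLong, and dotted entries such as "toto.tata"). The function names, the letters/digits/hyphen/underscore rule (stricter than DNS itself), and the sample entries are assumptions constructed for illustration.

```python
import re

MAX_LABEL = 63    # octets per label (RFC 1035)
MAX_NAME = 255    # octets per name in wire format, length octets included

# Assumed policy for wordlist entries: hostname-style characters only.
LABEL_RE = re.compile(r"[A-Za-z0-9_-]+")


def split_labels(text):
    """Split a dotted name into labels, raising ValueError on a bad one."""
    text = text.strip()
    if text.endswith("."):
        text = text[:-1]              # tolerate one trailing root dot
    labels = text.split(".")
    for label in labels:
        if not label:
            raise ValueError("empty label")
        if not LABEL_RE.fullmatch(label):
            raise ValueError("invalid character in label")
        if len(label) > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
    return labels


def candidate_names(domain, entries):
    """Return (names, skipped) for wordlist entries placed under domain."""
    base = split_labels(domain)
    names, skipped = [], []
    for entry in entries:
        try:
            # "toto.tata" becomes two labels rather than one label with a dot.
            labels = split_labels(entry) + base
            # Wire length: one length octet per label plus the root label.
            if sum(len(label) + 1 for label in labels) + 1 > MAX_NAME:
                raise ValueError("name longer than 255 octets")
        except ValueError as exc:
            skipped.append((entry, str(exc)))   # report and continue
            continue
        names.append(".".join(labels) + ".")
    return names, skipped


# Constructed sample entries, including a blank line and a comment line
# of the kind found in directory wordlists.
SAMPLE_ENTRIES = ["www", "toto.tata", "", "a..b", "x" * 64,
                  "# directory-list comment"]

if __name__ == "__main__":
    good, bad = candidate_names("example.com", SAMPLE_ENTRIES)
    print(good)
    for entry, reason in bad:
        print("skipped %r: %s" % (entry[:20], reason))
```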
At the moment dnspython is pinned. dnspython-2.0.0 was released a while ago.
Any chance that newer dnspython releases are allowed?
netwrkspider@linuxzone:~/fierce$ ./fierce.py --domain 00studios.com --subdomains accounts admin ads
NS: rose.ns.cloudflare.com. nick.ns.cloudflare.com.
SOA: nick.ns.cloudflare.com. (173.245.59.213)
Zone: failure
Wildcard: failure
Here are the raw errors with '...' denoting omitted info:
abraxas@AttackVM:~/recon/fierce$ python3 fierce.py --domain cnn.com --subdomain-file default.txt
.....
Found: access.cnn.com. (64.20.247.69)
Nearby:
{'64.20.247.64': 'mail3.access.cnn.com.'}
Found: alerts.cnn.com. (151.101.24.73)
Found: asia.cnn.com. (157.166.249.13)
Found: at.cnn.com. (157.166.226.26)
Nearby:
{'157.166.226.22': 'io.cnn.net.',
...
}
Traceback (most recent call last):
File "fierce.py", line 301, in <module>
main()
File "fierce.py", line 298, in main
fierce(**vars(args))
File "fierce.py", line 223, in fierce
ip = ipaddress.IPv4Address(record[0].address)
File "/home/abraxas/.local/lib/python3.5/site-packages/dns/resolver.py", line 192, in __getitem__
return self.rrset[i]
TypeError: 'NoneType' object is not subscriptable
Another example:
abraxas@AttackVM:~/recon/fierce$ python3 fierce.py --domain .... --subdomain-file default.txt
SOA: ns0.dnsmadeeasy.com. (208.94.148.2)
Zone: failure
Wildcard: failure
Found: backup.....com.
Nearby:
Traceback (most recent call last):
File "fierce.py", line 301, in <module>
main()
File "fierce.py", line 298, in main
fierce(**vars(args))
File "fierce.py", line 246, in fierce
find_nearby(resolver, ips, filter_func=filter_func)
File "fierce.py", line 162, in find_nearby
pprint.pprint({k: v[0].to_text() for k, v in reversed_ips.items() if v})
File "fierce.py", line 162, in <dictcomp>
pprint.pprint({k: v[0].to_text() for k, v in reversed_ips.items() if v})
File "/home/abraxas/.local/lib/python3.5/site-packages/dns/resolver.py", line 186, in __len__
return len(self.rrset)
TypeError: object of type 'NoneType' has no len()
I cannot get any scans using the files to finish.
Hi, I have installed the tool as system module using provided setup.py. It installed .txt files into "/usr" prefix as below:
/usr/lists/20000.txt
/usr/lists/5000.txt
/usr/lists/default.txt
The tool is unable to find that location and fails with the following error:
bash$ fierce --domain facebook.com --wide
NS: b.ns.facebook.com. a.ns.facebook.com.
SOA: a.ns.facebook.com. (69.171.239.12)
Zone: failure
Wildcard: failure
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.5/fierce", line 11, in <module>
load_entry_point('fierce==1.2.0', 'console_scripts', 'fierce')()
File "/usr/lib64/python3.5/site-packages/fierce.py", line 405, in main
fierce(**vars(args))
File "/usr/lib64/python3.5/site-packages/fierce.py", line 278, in fierce
kwargs["subdomain_file"]
File "/usr/lib64/python3.5/site-packages/fierce.py", line 201, in get_subdomains
return get_stripped_file_lines(subdomain_filename)
File "/usr/lib64/python3.5/site-packages/fierce.py", line 189, in get_stripped_file_lines
return [line.strip() for line in open(filename).readlines()]
FileNotFoundError: [Errno 2] No such file or directory: 'default.txt'
The problem seems to be with the find_subdomain_list_file function, as it tries to find that location in the current directory only.
Hey guys!
There are several errors when using the --connect page due to the non-existence of error handling in the head_request class.
To avoid connection timeouts I have added a two-second timeout for each domain, and I have additionally passed every exception occurring (there will be at least two errors at the current script:
I have changed the code a bit as a suggestion; for usability I'd handle the exceptions accordingly and maybe set the timeout as an argument for the user :-)
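import http.client


def head_request(url):
    # Two-second timeout so an unresponsive host cannot stall the scan.
    conn = http.client.HTTPConnection(url, timeout=2)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
    except Exception:
        # Any connection or protocol error: report no headers.
        return []
    finally:
        conn.close()
    # Return the response headers on success (list of (name, value) pairs).
    return resp.getheaders()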
best
Patrik
Would be nice to be able to just 'pip install fierce'
If the DNS resolver gets a timeout, the program crashes:
File "./fierce.py", line 408, in <module>
main()
File "./fierce.py", line 405, in main
fierce(**vars(args))
File "./fierce.py", line 285, in fierce
record = query(resolver, url, record_type='A')
File "./fierce.py", line 96, in query
resp = resolver.query(domain, record_type, raise_on_no_answer=False)
File "/usr/local/lib/python3.4/dist-packages/dns/resolver.py", line 1041, in query
timeout = self._compute_timeout(start)
File "/usr/local/lib/python3.4/dist-packages/dns/resolver.py", line 858, in _compute_timeout
raise Timeout(timeout=duration)
dns.exception.Timeout: The DNS operation timed out after 30.00057625770569 seconds
I don't see a way to prevent that, but perhaps exceptions raised for any one subdomain should be reported and suppressed so the program can continue to run.
It would help if you added a version number and a change log. This would make it easier for the Kali Linux dev team to track.