I updated Fierce this morning. I got some feedback from id that he wanted to make it only scan using the target’s domain so that we could uncover more RFC1918 internal machines behind the firewall. Well, after much hacking I got Fierce to do just that. After the initial lookup to find the name servers it switches and uses the nameservers of the target domain. Way more effective.

In three tests of companies with between 100 and 10,000 machines the smallest increase was 2%, and the largest was nearly 50% increase in hosts found. A drastic improvement, especially considering most of that increase was on intranet hosts!

Also, I added a function to do IP ranges. So if you only want to query an internal class C Fierce will now do just that for you using the -range switch. I also added a -tcptimeout switch to increase the time that the socket will stay open, in the case of you wanting to test a domain that is far away or has a lot of network lag.

Whew! It’s been a crazy last few days. As Kuza55 mentioned, I’ll probably improve the -connect function to allow the user to use custom headers instead of a simple GET / HTTP/1.0 (to either speed things up or to do automated scanning of the Except problem or whatever strikes your fancy). I opted to use GET / instead of HEAD by default because some machines might not react well to HEAD, depending on the strange configuration of whatever webserver software the company is using. So making that configurable is a next step. Anyway, try out the updates and let me know what you guys think.

This entry was posted on Monday, January 1st, 2007 at 3:53 pm and is filed under Webappsec. Responses are currently closed, but you can trackback from your own site.