Fierce Cheat Sheet
DNS reconnaissance tool that locates non-contiguous IP space near target domains.
Overview
Fierce (classic and fierce Python3 reimplementation) finds likely corporate IP ranges by walking DNS, performing subdomain brute force, and scanning nearby addresses for HTTP. Helps map hosting scattered across netblocks.
Authorized testing only. Includes optional port scanning of discovered IPs—confirm network scanning is in scope.
Install
sudo apt install -y fiercepip install fiercefierce --helpEssential commands
Basic scan
fierce --domain target.example.comDNS server and wordlist
fierce --domain target.example.com --dns-servers 8.8.8.8 --subdomains wordlist.txtWide search
fierce --domain target.example.com --wideCommon workflows
Traverse nearby class C —
fierce --domain target.example.com --connectSupply subdomains file (SecLists) —
fierce --domain target.example.com --subdomains /usr/share/seclists/Discovery/DNS/fierce-hostlist.txtLegacy Perl fierce (if installed) —
fierce -dns target.example.com -wordlist hosts.txtFlags reference
--domain | Target domain |
|---|---|
--dns-servers | Resolvers (comma-separated) |
--subdomains | Wordlist file |
--wide | Scan entire class C of discovered IPs |
--connect | Attempt HTTP connection to hits |
--delay | Query delay |
--search | Search list of domains |
Tips
- Output highlights “near” IPs not obviously tied to main domain—verify ownership (WHOIS, ASN).
- Less maintained than amass/dnsrecon but still useful for quick DNS sweeps.
- Follow discovered IPs with nmap only if RoE permits network scanning.
- Distinguish Python3 fierce vs old fierce.pl—flags differ slightly.