kali工具箱

激烈包装说明

首先什么激烈的不是。枭不是IP扫描仪，它是不是一个DDoS攻击工具，它的目的不是要扫描整个网络或执行任何非针对性的攻击。它是指专门定位内外公司网络可能的目标。只有那些目标中列出（除非-nopattern开关时）。没有剥削执行（除非你做一些故意的恶意与-connect开关）。枭是侦察工具。枭是一个Perl脚本使用多种战术，快速扫描域（通常只需几分钟，假设没有网络延迟）。

资料来源：http://ha.ckers.org/fierce/
激烈首页 | 卡利激烈回购

作者：RSnake
许可：GPL第二版

包括在激烈的包装工具

激烈 - 域名DNS扫描仪

[email protected]:~# fierce -h

fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/



    Usage: perl fierce.pl [-dns example.com] [OPTIONS]



Overview:

    Fierce is a semi-lightweight scanner that helps locate non-contiguous

    IP space and hostnames against specified domains.  It's really meant

    as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all

    of those require that you already know what IP space you are looking

    for.  This does not perform exploitation and does not scan the whole

    internet indiscriminately.  It is meant specifically to locate likely

    targets both inside and outside a corporate network.  Because it uses

    DNS primarily you will often find mis-configured networks that leak

    internal address space. That's especially useful in targeted malware.



Options:

    -connect    Attempt to make http connections to any non RFC1918

        (public) addresses.  This will output the return headers but

        be warned, this could take a long time against a company with

        many targets, depending on network/machine lag.  I wouldn't

        recommend doing this unless it's a small company or you have a

        lot of free time on your hands (could take hours-days).

        Inside the file specified the text "Host:\n" will be replaced

        by the host specified. Usage:



    perl fierce.pl -dns example.com -connect headers.txt



    -delay      The number of seconds to wait between lookups.

    -dns        The domain you would like scanned.

    -dnsfile    Use DNS servers provided by a file (one per line) for

                reverse lookups (brute force).

    -dnsserver  Use a particular DNS server for reverse lookups

        (probably should be the DNS server of the target).  Fierce

        uses your DNS server for the initial SOA query and then uses

        the target's DNS server for all additional queries by default.

    -file       A file you would like to output to be logged to.

    -fulloutput When combined with -connect this will output everything

        the webserver sends back, not just the HTTP headers.

    -help       This screen.

    -nopattern  Don't use a search pattern when looking for nearby

        hosts.  Instead dump everything.  This is really noisy but

        is useful for finding other domains that spammers might be

        using.  It will also give you lots of false positives,

        especially on large domains.

    -range      Scan an internal IP range (must be combined with

        -dnsserver).  Note, that this does not support a pattern

        and will simply output anything it finds.  Usage:



    perl fierce.pl -range 111.222.333.0-255 -dnsserver ns1.example.co



    -search     Search list.  When fierce attempts to traverse up and

        down ipspace it may encounter other servers within other

        domains that may belong to the same company.  If you supply a

        comma delimited list to fierce it will report anything found.

        This is especially useful if the corporate servers are named

        different from the public facing website.  Usage:



    perl fierce.pl -dns examplecompany.com -search corpcompany,blahcompany



        Note that using search could also greatly expand the number of

        hosts found, as it will continue to traverse once it locates

        servers that you specified in your search list.  The more the

        better.

    -suppress   Suppress all TTY output (when combined with -file).

    -tcptimeout Specify a different timeout (default 10 seconds).  You

        may want to increase this if the DNS server you are querying

        is slow or has a lot of network lag.

    -threads  Specify how many threads to use while scanning (default

      is single threaded).

    -traverse   Specify a number of IPs above and below whatever IP you

        have found to look for nearby IPs.  Default is 5 above and

        below.  Traverse will not move into other C blocks.

    -version    Output the version number.

    -wide       Scan the entire class C after finding any matching

        hostnames in that class C.  This generates a lot more traffic

        but can uncover a lot more information.

    -wordlist   Use a seperate wordlist (one word per line).  Usage:



    perl fierce.pl -dns examplecompany.com -wordlist dictionary.txt

激烈的用法示例

针对运行在目标域（-dns example.com）默认扫描：

[email protected]:~# fierce -dns example.com

DNS Servers for example.com:

    b.iana-servers.net

    a.iana-servers.net



Trying zone transfer first...

    Testing b.iana-servers.net

        Request timed out or transfer not allowed.

    Testing a.iana-servers.net

        Request timed out or transfer not allowed.



Unsuccessful in zone transfer (it was worth a shot)

Okay, trying the good old fashioned way... brute force



Checking for wildcard DNS...

Nope. Good.

Now performing 2280 test(s)...