Enumerating Records in a Domain
About four years ago to the day, I was looking for a DNS brute forcer, due to the fact that many people were getting wise and locking down DNS zone transfers. I actually advised our security admin at work that we were allowing internal zone transfers to any IP that requested one. Not getting much help with my request for such a tool, and not having the time or enough interest to code my own, I dropped the idea. It appears that others in the InfoSec community had the same idea. About a week ago, while catching up on old PaulDotCom Security Weekly episodes, I heard them mention a tool called Fierce Domain Scanner.

Fierce is a Perl script that also runs on Windows under Cygwin (it does require a couple of Perl modules). The tool first tries to perform a zone transfer against the target's name servers. If that fails, it starts guessing hostnames in domain.com from a wordlist and resolving each one. What's cool about it is that once it finds a host in the domain, it does reverse (PTR) lookups on the IP addresses immediately above and below the one it just found, five on each side by default, and repeats the process for every new host that turns up, so a single hit can walk an entire block of sequentially numbered machines. The number of addresses checked on either side can be changed with the -traverse switch, or expanded to the entire class C with the -wide switch. This is extremely helpful when the target's hosts have sequentially numbered IP addresses. It also watches for internal IPs (RFC 1918 addresses) in the results, which show up when the target uses one DNS server for both internal and external DNS requests. One caveat: a PTR record a few addresses away from a target host can belong to a completely different organization on shared address space, so check whose netblock you are walking before you go any further than a lookup.


