This is just a quick post about some fun I had recently with Fierce Domain Scanner. I always find it amusing when I hear people say that they think naming a server something other than www will afford them some protection. I always assume that if it's out there then people know about it, no matter what you call it.
Using Fierce Domain Scanner from the Backtrack Distro I was able to point it at a domain and query DNS for available hosts. Using the command line below it turned up some interesting results:
perl fierce.pl -dns boots.com
When run, Fierce will contact my DNS server to get the target's name servers and then use them to first attempt to get the SOA records (which will likely fail these days); it then uses the hosts.txt file to guess names. The reason it switches to using the target's DNS servers is that there is a chance the internal DNS and the external DNS are on the same box, so there's a chance of getting some internal names.
This scan uses the hosts.txt file in the same directory as the perl script to brute-force DNS names and discover live hosts. The hosts.txt file can be updated manually, or you can point Fierce to an alternative one.
Once a name is found it will scan up and down that range (5 addresses by default, but this can be changed) looking for hosts with the same domain name. Now if this is a pentest and earlier reconnaissance has uncovered other associated domains that are in the scope of the test, Fierce can be told to look out for hosts with those domain names (use the -search option).
This tool is great to run against your own domain to see if there's anything there that shouldn't be.
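As an added, self-contained illustration of the three steps described above (zone transfer attempt, wordlist guessing, then the reverse-lookup sweep of neighbouring addresses), here is a small Python model written for this post; it is not Fierce's code. It resolves against a constructed sample zone (the example.test domain and the 203.0.113.0/24 addresses are assumptions, not real records) instead of real DNS, so it runs offline; swapping the two lookup functions for a real resolver turns it into the kind of check against your own domain that the post suggests.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample zone data (an assumption for this example, not real records
# for any domain). Forward map: name -> A record; reverse map: IP -> PTR name.
SAMPLE_FORWARD: Dict[str, str] = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.12",
    "dev.example.test": "203.0.113.14",
}
SAMPLE_REVERSE: Dict[str, str] = {ip: name for name, ip in SAMPLE_FORWARD.items()}
SAMPLE_REVERSE["203.0.113.11"] = "old-intranet.example.test"  # a name no wordlist would guess
SAMPLE_REVERSE["203.0.113.13"] = "cdn.partner.test"           # other domain; in scope only via search
SAMPLE_WORDLIST: List[str] = ["www", "mail", "ftp", "dev", "vpn"]  # stand-in for hosts.txt

Resolver = Callable[[str], Optional[str]]


def lookup_a(name: str) -> Optional[str]:
    """Stub A-record lookup against the constructed data (swap for a real resolver)."""
    return SAMPLE_FORWARD.get(name)


def lookup_ptr(ip: str) -> Optional[str]:
    """Stub PTR lookup against the constructed data."""
    return SAMPLE_REVERSE.get(ip)


def try_zone_transfer(domain: str) -> Optional[Dict[str, str]]:
    """Step 1: ask the authoritative servers for the whole zone. A properly
    configured server refuses this, so the stub models that common failure."""
    return None


def brute_force(domain: str, wordlist: Iterable[str], resolve_a: Resolver) -> Dict[str, str]:
    """Step 2: try <word>.<domain> for every wordlist entry and keep the hits."""
    found: Dict[str, str] = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ip = resolve_a(name)
        if ip:
            found[name] = ip
    return found


def in_scope(name: str, domains: Iterable[str]) -> bool:
    """True when the PTR name is the domain itself or a host under it."""
    return any(name == d or name.endswith("." + d) for d in domains)


def sweep_neighbors(ips: Iterable[str], domains: Iterable[str], resolve_ptr: Resolver,
                    traverse: int = 5) -> Dict[str, str]:
    """Step 3: reverse-resolve `traverse` addresses either side of each hit and
    keep the PTR names that fall under an in-scope domain."""
    found: Dict[str, str] = {}
    scope = list(domains)
    for ip in ips:
        base = ipaddress.ip_address(ip)
        for offset in range(-traverse, traverse + 1):
            if offset == 0:
                continue
            try:
                candidate = base + offset
            except ValueError:  # walked off the end of the address space
                continue
            name = resolve_ptr(str(candidate))
            if name and in_scope(name, scope):
                found[name] = str(candidate)
    return found


def enumerate_domain(domain: str, wordlist: Iterable[str], resolve_a: Resolver,
                     resolve_ptr: Resolver, search: Iterable[str] = (),
                     traverse: int = 5) -> Dict[str, str]:
    """Full run: zone transfer if allowed, else wordlist guesses plus the
    neighbour sweep. `search` plays the role of the -search option."""
    zone = try_zone_transfer(domain)
    if zone is not None:
        return dict(zone)
    hosts = brute_force(domain, wordlist, resolve_a)
    neighbours = sweep_neighbors(list(hosts.values()), [domain, *search], resolve_ptr, traverse)
    hosts.update(neighbours)
    return hosts


if __name__ == "__main__":
    result = enumerate_domain("example.test", SAMPLE_WORDLIST, lookup_a, lookup_ptr,
                              search=["partner.test"])
    for name, ip in sorted(result.items(), key=lambda kv: kv[1]):
        print(f"{ip}\t{name}")
```

The sweep is what surfaces old-intranet.example.test, a name no wordlist contains, which is the point made at the top of the post about renaming servers; cdn.partner.test only appears when partner.test is passed in the search list, mirroring the -search option.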
Please remember, this is Fierce at its most basic. More information can be found at the creator RSnake's site.