fierce Cheatsheet
Type: User-friendly recursive subdomain discovery with wildcard detection
Installation
sudo apt install fierce
# or
pip3 install fierce
# or
git clone https://github.com/mschwager/fierce.git
Basic Usage
fierce --domain <domain>
fierce --domain example.com
Common Flags
| Flag | Description |
|---|---|
| `--domain <domain>` | Target domain |
| `--wordlist <file>` | Custom wordlist for brute forcing |
| `--dns-servers <ns>` | Use specific DNS servers (space-separated) |
| `--delay <seconds>` | Delay between requests |
| `--subdomains <list>` | Manually specify subdomains to check |
| `--wide` | Scan entire Class C of discovered hosts |
| `--traverse <n>` | Scan IPs n away from discovered hosts |
| `--search <domains>` | Filter results by domain pattern |
| `--range <cidr>` | Scan an IP range for PTR records |
| `--connect` | Attempt HTTP/HTTPS connections to found hosts |
| `--output <file>` | Save results to JSON file |
Common Commands
# Basic scan (uses built-in wordlist)
fierce --domain example.com
# Custom wordlist
fierce --domain example.com \
--wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# Use specific DNS server
fierce --domain example.com --dns-servers 8.8.8.8
# Wide scan (scan Class C of discovered IPs)
fierce --domain example.com --wide
# Add delay to evade detection
fierce --domain example.com --delay 3
# Traverse IPs near discovered hosts
fierce --domain example.com --traverse 5
# Check HTTP/HTTPS on found hosts
fierce --domain example.com --connect
# Save to JSON
fierce --domain example.com --output results.json
# Scan IP range for reverse DNS
fierce --range 192.168.1.0/24
Key Features
- Wildcard detection (avoids false positives from wildcard DNS)
- Recursive: checks subdomains of subdomains
- Identifies adjacent IPs in same IP space
- Clean, readable output format
- Built-in default wordlist
Wildcard Detection
fierce automatically detects wildcard DNS entries. If a domain answers queries for any subdomain (e.g., *.example.com → same IP), fierce identifies this and filters those answers out instead of reporting them as false positives.
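The wildcard check described above can be reproduced when validating an inventory of your own zone. This is an added example, not fierce's code and not necessarily the method fierce uses: it probes random labels and suppresses candidates that only return the wildcard's addresses. The function names and the `example.test` sample zone are constructed for illustration.

```python
import secrets
import socket

def system_resolver(name):
    """Return the set of IPv4 addresses for name (empty set if none)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def wildcard_addresses(domain, resolve, probes=3):
    """Resolve random labels that should not exist.
    Several probes are used so a round-robin wildcard is fully collected."""
    seen = set()
    for _ in range(probes):
        seen |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return seen

def filter_candidates(domain, labels, resolve=system_resolver):
    """Split candidate labels into real hosts and wildcard-only answers."""
    wildcard = wildcard_addresses(domain, resolve)
    real, suppressed = {}, []
    for label in labels:
        name = f"{label}.{domain}"
        addrs = resolve(name)
        if not addrs:
            continue
        # Caveat: a genuine record that points at the wildcard's address
        # is indistinguishable here and ends up in `suppressed`.
        if wildcard and addrs <= wildcard:
            suppressed.append(name)
        else:
            real[name] = sorted(addrs)
    return wildcard, real, suppressed

# Constructed sample zone: two real records plus *.example.test -> 192.0.2.99
SAMPLE_ZONE = {"www.example.test": {"192.0.2.10"},
               "mail.example.test": {"192.0.2.25"}}

def sample_resolver(name):
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return {"192.0.2.99"} if name.endswith(".example.test") else set()

if __name__ == "__main__":
    wc, real, dropped = filter_candidates(
        "example.test", ["www", "mail", "dev", "vpn"], sample_resolver)
    print("wildcard:", wc, "\nreal:", real, "\nsuppressed:", dropped)
```

Review the `suppressed` list by hand when the wildcard address also hosts real services, since those names are dropped along with the noise.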
Recommended Wordlists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/fierce-hostlist.txt
/usr/share/wordlists/dnsmap.txt
Example Full Run
fierce --domain example.com \
--wordlist /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
--dns-servers 8.8.8.8 \
--connect \
--output fierce_results.json