# fierce

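fierce is mainly used to scan for subdomains and gather information about them, and it can also test for the zone transfer vulnerability.

The fierce installed with apt-get on Kali 2022.1 has no -dns parameter, so the older version has to be downloaded manually. The download contains a fierce.pl file.

Download link

After installation, running perl fierce.pl -h shows the information below, which now includes -dns: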

```
└─$ perl fierce.pl -h |more
fierce.pl (C) Copywrite 2006,2007 - By RSnake at http://ha.ckers.org/fierce/

    Usage: perl fierce.pl [-dns example.com] [OPTIONS]

Overview:
    Fierce is a semi-lightweight scanner that helps locate non-contiguous
    IP space and hostnames against specified domains. It's really meant
    as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
    of those require that you already know what IP space you are looking
    for. This does not perform exploitation and does not scan the whole
    internet indiscriminately. It is meant specifically to locate likely
    targets both inside and outside a corporate network. Because it uses
    DNS primarily you will often find mis-configured networks that leak
    internal address space. That's especially useful in targeted malware.

Options:
    -connect    Attempt to make http connections to any non RFC1918
                (public) addresses. This will output the return headers but
                be warned, this could take a long time against a company with
                many targets, depending on network/machine lag. I wouldn't
                recommend doing this unless it's a small company or you have a
                lot of free time on your hands (could take hours-days).
                Inside the file specified the text "Host:\n" will be replaced
                by the host specified. Usage:

    perl fierce.pl -dns example.com -connect headers.txt

    -delay      The number of seconds to wait between lookups.
    -dns        The domain you would like scanned.
    -dnsfile    Use DNS servers provided by a file (one per line) for
                reverse lookups (brute force).
    -dnsserver  Use a particular DNS server for reverse lookups
                (probably should be the DNS server of the target). Fierce
                uses your DNS server for the initial SOA query and then uses
                the target's DNS server for all additional queries by default.
    -file       A file you would like to output to be logged to.
    -fulloutput When combined with -connect this will output everything
                the webserver sends back, not just the HTTP headers.
    -help       This screen.
    -nopattern  Don't use a search pattern when looking for nearby
                hosts. Instead dump everything. This is really noisy but
                is useful for finding other domains that spammers might be
                using. It will also give you lots of false positives,
                especially on large domains.
```

However, fierce.pl in turn lacks the -domain option, so it is best to keep both versions. For convenience, you can create a symbolic link.

# dnsenum

dnsenum <domain>

-f <file>

Collects host address information, name servers, and MX records (mail exchange records), and performs AXFR requests against the domain.

# dnswalk <domain>

Determines whether the servers that host the domain are vulnerable to DNS zone transfers.
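The AXFR requests that dnsenum and dnswalk send leave entries in the authoritative server's log, so the same exposure can be checked from the server side. The script below is an added example, not part of the original post: it summarizes zone transfer attempts per source address. The log lines are constructed in a BIND 9 style, and `ALLOWED_SECONDARIES`, `sample_log` and `axfr_report` are assumed names.

```shell
#!/usr/bin/env bash
# Constructed sample lines modelled on BIND 9 "named" log messages
# (assumption: adjust the patterns if your server logs differently).
sample_log() {
cat <<'EOF'
10-Mar-2022 09:14:01.120 client @0x7f1 198.51.100.7#40112 (example.com): zone transfer 'example.com/AXFR/IN' denied
10-Mar-2022 09:14:02.300 client @0x7f2 198.51.100.7#40113 (example.com): zone transfer 'example.com/AXFR/IN' denied
10-Mar-2022 09:15:10.005 client @0x7f3 192.0.2.53#53001 (example.com): transfer of 'example.com/IN': AXFR started (serial 2022031001)
10-Mar-2022 09:16:44.871 client @0x7f4 203.0.113.9#51000 (example.com): transfer of 'example.com/IN': AXFR started (serial 2022031001)
10-Mar-2022 09:17:00.000 client @0x7f5 198.51.100.7#40200 (www.example.com): query: www.example.com IN A + (192.0.2.53)
EOF
}

# Secondary name servers that are expected to pull the zone (assumption).
ALLOWED_SECONDARIES="192.0.2.53"

# Reads log lines on stdin and prints "VERDICT source-ip zone count":
#   DENIED   = transfer refused by the server
#   EXPECTED = transfer served to a known secondary
#   LEAKED   = transfer served to any other host (restrict allow-transfer)
axfr_report() {
  awk -v allow="$ALLOWED_SECONDARIES" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /AXFR/ {
      ip = ""
      # The client field has the form address#port.
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) { ip = $i; sub(/#.*/, "", ip); break }
      if (ip == "") next
      # The zone name is the first quoted token, up to the first slash.
      split($0, p, "\047"); zone = p[2]; sub(/\/.*/, "", zone)
      if ($0 ~ /denied/) verdict = "DENIED"
      else if ($0 ~ /AXFR started/) verdict = (ip in ok) ? "EXPECTED" : "LEAKED"
      else next
      count[verdict " " ip " " zone]++
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

sample_log | axfr_report
```

Any LEAKED line means the zone was handed to a host outside the secondary list, which is the condition the tools above test for from the outside.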

# amass

amass enum -d <domain> ## enumeration and network mapping

amass enum -passive -d <domain> -src ## enumerate and show the data sources

amass enum -share -d <domain>
