Sunday, January 6, 2008

Using Dmitry in Backtrack

This is a small tutorial on using DMITRY in Backtrack.
Disclaimer: This information is for educational purposes only and not to commit a crime.
If you do something that causes you to hose your box don't come kicking and screaming on the forums.

First off a little background info. DMITRY aka Deep Magic Information Gathering Tool is a GNU/Linux command line application that's coded in C.
It has the ability to give as much info as possible about a host. It is open source, can be used to perform Internet Number whois lookups, Possible to retrieve up time system and server data. The ability to perform SubDomain searches on a target. Perform Email search on a target, and TCP port scanning as well.
Ok now on to the tool.
There are two ways to access the tool either through the menus K>Backtrack>Information Gathering>All>Dmitry or from the command line, either way works the same,
#dmitry [/code]
OK now we need to be able to use the program so let's first look at the switches presented
-o allows us to specify with a given name our output the default is host.txt you could name it anything you want.
-i allows us to perform a whois lookup of the IP address of a host, this tells us that if we only no the name that dmitry will find the IP for us.
-w will perform a whois lookup on the domain name of a host.
-n will give us information on a host (if you don't know about then go have a look you won't be disappointed).
-s performs a search for possible subdomains ( being a top level domain and being a subdomain.)
-e will perform a search for possible email addresses. (
-p will perform a TCP port scan on a host
*-f will perform a TCP port scan on a host showing output reporting filtered ports (useful if there is a firewall in place)
*-b will report to you a banner received from a scanned port (Note this will only work if the port sends us a banner when scanned).
(This may reveal some type of software running on a given port.)
*-t 0-9 is used to set the TTL in seconds when scanning the default is 2
The * means that the -p flag must also be set in order to work.

So now that we know what the flags mean let look at an example usage of the command.
#dmitry -winsepffb -o hosts.txt[/code]

Ok so we see that we are going to use all of the flags available to us to gather as much information about our target as possible and write the info to a file called
hosts.txt The next part is the domain name of our target.

Now for the good part the first thing we will see is that dmitry is writing the output to our file.
Next we should see:
HostIP: [/code]
Next we will see :[code]
Gathered Inet-whois information for [/code]
You will be provided lots of whois info about the IP address
I will not print it all here for you but rather, whois should give you the Organization's name and address info. As well as info about the network itself
You should see the net ranges for example the netnames and their registration date.
Next you should see: [code]
Gathered Inic-whois information for
Registrar: The Registrars info here
Whois Server:
Referral URL:
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-apr-2006
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011
>>> Last update of whois database: Sun, 23 Dec 2007 06:42:27 UTC [/code]
Again this provides more information about our target network. Now we have the names servers as well and the name of the registrar.
All of this is useful when we are "reconning" our target.
Next up netcraft with: [code]
Gathered Netcraft information for
Retrieving information for
Operating System: winblows server edition2007
WebServer: winblowswebserver v1.0
No uptime reports available for host: Information gathered
Now if our target network was using something other than the poorly coded Winblows Server Edition 2007
Then it might not get presented here for us. Same thing with the webserver info.
And because it’s so poorly coded we see that there is not uptime because it’s only on for about an hour before a reboot is needed.
Gathered Subdomain information for
Found 5 possible subdomain(s) for host, Searched 1 pages containing 1 result. [/code]
And on and on until it has searched through all the subdomains that it finds.
Next we will see: [code]
Gathered E-Mail information for
admin AT yournetwork DOT com
joeuser AT yournetwork DOT com
And finally the output from our TCP scan [code]
Gathered TCP Port information for
Port State
20 Open
21 Open
80 Open
Etc, Etc, Etc, because is running winblows server edition 2007 and left all the common ports open by default!
So I hope that this tutorial gets you going and you can start using dmitry to do some "reconning".
BTW All names and IP address have been changed to protect me!
If you feed in private block numbers like 192..... Then the data for whois will tell you that it is for internal network use only.
The only useful part of the entire scan will be port scanning!

No comments: