
Sunday, 15 June 2014

INFORMATION GATHERING WITH DMITRY IN BACKTRACK

 

INTRODUCTION :

 

First, a little background. DMitry (Deep Magic Information Gathering Tool) is a GNU/Linux command-line application written in C. Its purpose is to gather as much information as possible about a single host. It is open source and can perform Internet Number (IP address) whois lookups, retrieve possible uptime, operating system and web server data, search for subdomains and e-mail addresses belonging to a target, and run a basic TCP port scan. In a nutshell, DMitry pulls a lot of publicly available information about a target into one report.

The information is gathered using the following methods:

  • Perform an Internet Number whois lookup.

  • Retrieve possible uptime data, system and server data.

  • Perform a SubDomain search on a target host.

  • Perform an E-Mail address search on a target host.

  • Perform a TCP Portscan on the host target.

  • A modular design allowing user-specified modules.



DOWNLOAD AND INSTALLATION :


DMitry can be downloaded by issuing following commands:

$ cd /data/src/
$ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz

 

For installation, issue following commands:

$ tar xzvf DMitry-1.3a.tar.gz
$ cd DMitry-1.3a/
$ ./configure
$ make
$ sudo make install

 

LOCATION IN BACKTRACK :

 

To open DMitry from the menu, go to BackTrack > Information Gathering > Network Analysis > Route Analysis > dmitry. It can also be run directly from any terminal as dmitry.

 


HELP FOR DMITRY :

 

DMitry help can be displayed by issuing:

$ dmitry --help 

 

or, for a more complete documentation:

$ man dmitry 

 
 

OPTIONS : 

 

The options are listed below:

-o filename

Create an ASCII text output of the results in the file "filename". If no output filename is specified, the output is saved to "target.txt". If this option is not given at all, output goes to standard output (STDOUT). This option MUST trail all other options, because the next argument is read as the filename: "./dmitry -winseo target" writes to target.txt, and "./dmitry -winseo results.txt target" writes to results.txt.

 

-i

Perform an Internet Number whois lookup on the target. This requires that the target be an IPv4 address in dotted-quad form, i.e. four octets separated by '.'. For example, "./dmitry -i 255.255.255.255".

 

-w

Perform a whois lookup on the named host target. This requires that the target be given as a hostname rather than an IP address. For example, "./dmitry -w target" will perform a standard named whois lookup.

 

-n

Retrieve netcraft.com data about the host. This includes the operating system, web server release and uptime information, where Netcraft has them available.

 

-s

Perform a subdomain search on the specified target. This uses several search engines to attempt to locate subdomains of the form sub.target. There is no set limit to the depth of subdomain that can be located; however, there is a maximum string length of 40 characters (NCOL 40) to limit memory usage. Each possible subdomain is then resolved to an IP address, and it is listed only if the lookup succeeds. Be aware that if the target zone uses a wildcard (asterisk) DNS record, every candidate subdomain will resolve, so this filter will pass everything and the list must be checked by hand.
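The wildcard-DNS caveat above is the one that most often produces a bogus subdomain list, so it is worth checking before trusting the -s output. The script below is an added example and is not part of DMitry: it resolves a few random labels under the target zone, and if they answer, treats that answer as the wildcard address and drops every candidate that resolves to it. The resolver is injectable so the sample run here works offline against a constructed record table (yourexample.com with two real hosts and a wildcard); with the default resolver it performs live lookups.

```python
import secrets
import socket
import string

# Added example (not part of DMitry): check a domain for wildcard DNS before
# trusting the results of a subdomain search. If the zone has a wildcard
# record, every guessed name resolves, so "does it resolve?" filters nothing.


def random_label(length=16):
    """A label that cannot plausibly exist in the target zone."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def default_resolve(name):
    """Resolve name to an IPv4 address, or None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def wildcard_addresses(domain, resolve=default_resolve, probes=3):
    """Resolve several random labels under domain. A non-empty result means
    the zone has a wildcard; the set holds the address(es) it answers with."""
    found = set()
    for _ in range(probes):
        addr = resolve(f"{random_label()}.{domain}")
        if addr is not None:
            found.add(addr)
    return found


def filter_subdomains(domain, candidates, resolve=default_resolve):
    """Keep only candidates that resolve to something other than the wildcard
    answer. Returns {hostname: address}. Caveat: a real host that shares the
    wildcard address is indistinguishable by A record alone and is dropped."""
    wild = wildcard_addresses(domain, resolve)
    kept = {}
    for host in candidates:
        addr = resolve(host)
        if addr is None or addr in wild:
            continue
        kept[host] = addr
    return kept


# Constructed sample records standing in for real DNS so this runs offline:
# yourexample.com has two real hosts and a wildcard answering 192.168.1.99.
SAMPLE_RECORDS = {
    "www.yourexample.com": "192.168.1.1",
    "mail.yourexample.com": "192.168.1.5",
}


def sample_resolve(name):
    """Offline stand-in for default_resolve using SAMPLE_RECORDS."""
    if name in SAMPLE_RECORDS:
        return SAMPLE_RECORDS[name]
    if name.endswith(".yourexample.com"):
        return "192.168.1.99"  # the wildcard answer
    return None


if __name__ == "__main__":
    guesses = ["www.yourexample.com", "mail.yourexample.com",
               "ghost.yourexample.com", "intranet.yourexample.com"]
    print("wildcard answers:", wildcard_addresses("yourexample.com", sample_resolve))
    print("real subdomains:", filter_subdomains("yourexample.com", guesses, sample_resolve))
```

The check compares A records only. A wildcard that answers with several addresses (round robin) is handled by probing more than once, but a genuine host that happens to share the wildcard's address cannot be told apart this way; for those, look at other record types or the HTTP response instead.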

 

 -e

Perform an e-mail address search on the specified target. This module works on the same principle as the subdomain search, attempting to locate possible e-mail addresses for the target host. The addresses found may also belong to subdomains of the target. There is a limit on the length of an e-mail address of 50 characters (NCOL 50) to limit memory usage.

 

-p

Perform a TCP port scan on the host target. This is a fairly basic module, and the authors advise using something like nmap (www.insecure.org/nmap/) instead for serious scanning. The module lists open, closed and filtered ports within a specific range. There will probably be little further development of this module beyond some usability changes. Other options (below) affect how this module scans and what it reports.

 

-f

This option causes the TCP port scan module to report filtered ports as well. These are usually ports that have been filtered and/or closed by a firewall in front of the target. This option requires that '-p' also be given. For example, "./dmitry -pf target".

 

 -b

This option causes the TCP port scan module to print any banners received when connecting to open ports. This option requires that '-p' also be given. For example, "./dmitry -pb target".

 

 -t

This sets what DMitry calls the Time To Live (TTL) of the port scan module when scanning individual ports: in practice it is the per-port connection timeout in seconds, not the IP TTL. It takes a single digit (0-9) and defaults to 2 seconds. Raising it is usually needed when scanning a host behind a firewall or with filtered ports, where connections hang rather than being refused, which otherwise makes the scan miss ports or run slowly.

 

 

Example :

 

The following command: 

 

# dmitry -winsepfbo hosts.txt www.yourexample.com
 

So we use nearly all of the flags available to us (everything except -t) to gather as much information about the target as possible, and write the results to a file called hosts.txt. Note that -o is the last letter in the flag group, because DMitry reads the next argument as the output filename. The final argument is the domain name of the target.

DMitry writes everything it finds about the target to that output file; the sections below show what the report looks like.


Next we should see:


HostIP:192.168.1.1
HostName:www.yourexample.com
 

Next we will see :


Gathered Inet-whois information for 192.168.1.1
You will get a large amount of whois information about the IP address. It is not reproduced in full here, but it should include the organization's name and address details as well as information about the network itself: the net ranges, the netnames and their registration dates.


Next you should see:


Gathered Inic-whois information for www.yourexampleofanetwork.com
---------------------------------
Domain Name: YOUREXAMPLE.COM
Registrar: The Registrars info here
Whois Server: whois.example.com
Referral URL: http://www.example.com
Name Server: NS1.YOUREXAMPLE.COM
Name Server: NS2.YOUREXAMPLE.COM
Name Server: NS3.YOUREXAMPLE.COM
Name Server: NS4.YOUREXAMPLE.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 10-apr-2006
Creation Date: 15-sep-1997
Expiration Date: 14-sep-2011
>>> Last update of whois database: Sun, 23 Dec 2013 06:42:27 UTC
Again this provides more information about the target network: now we have the name servers as well as the name of the registrar. All of this is useful when reconnoitring a target.

Next up is Netcraft:

Gathered Netcraft information for www.yourexample.com
---------------------------------
Retrieving Netcraft.com information for www.yourexample.com
Operating System: winblows server edition2012
WebServer: winblowswebserver v1.0
No uptime reports available for host: www.yourexample.com
Netcraft.com Information gathered
Netcraft only reports an operating system and web server where it actually holds data for the host, so if the target runs something Netcraft has not fingerprinted, those lines may be missing. Uptime figures are likewise only available for some hosts; for this target there are none.
 

Gathered Subdomain information for www.yourexample.com
---------------------------------
Searching Google.com:80...
HostName:images.yourexampleofanetwork.com
HostIP:192.168.1.2
HostName:maps.yourexampleofanetwork.com
HostIP:192.168.1.3
HostName:news.yourexampleofanetwork.com
HostIP:192.168.1.100
HostName:www.yourexampleofanetwork.com
HostIP:192.168.1.1
HostName:mail.yourexampleofanetwork.com
HostIP:192.168.1.5
Found 5 possible subdomain(s) for host yourexampleofanetwork.com, Searched 1 pages containing 1 result.

This continues until every subdomain DMitry discovered has been listed and resolved. Next we will see:
Next we will see:

Gathered E-Mail information for yourexampleofanetwork.com
admin AT yourexampleofanetwork DOT com
joeuser AT yourexampleofanetwork DOT com

And finally the output from the TCP port scan:

Gathered TCP Port information for 192.168.1.1
---------------------------------
Port       State
20          Open
21          Open
80          Open
... and so on through the scanned port range. Filtered ports only appear because -f was given, and banners only because -b was given.
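A report like the one above is only useful once its pieces feed the next step (a resolver check on the subdomains, a proper nmap run on the open ports). The parser below is an added example, not part of DMitry: it reads the plain-text report that DMitry prints or writes with -o, splits it on the "Gathered ... information for ..." headers, and returns the host, name servers, Netcraft fields, HostName/HostIP pairs, de-obfuscated e-mail addresses and port states. SAMPLE_REPORT is a constructed report modelled on the output shown above (including the missing space after "AT" that the page's own sample has), so the script runs offline; pass a real hosts.txt as the first argument to parse that instead.

```python
import json
import re
import sys

# Added example (not part of DMitry): parse the plain-text report DMitry
# prints (or writes with -o) into a dict other tooling can consume.

SECTION_RE = re.compile(r"^Gathered (?P<kind>.+?) information for (?P<target>\S+)")
PORT_RE = re.compile(r"^(?P<port>\d{1,5})\s+(?P<state>Open|Closed|Filtered)\b", re.I)
NS_RE = re.compile(r"^Name Server:\s*(?P<ns>\S+)", re.I)


def deobfuscate_email(line):
    """Turn 'user AT host DOT tld' (with or without a space after AT) back
    into user@host.tld; return None if the line is not an address."""
    text = re.sub(r"\s+AT\s*", "@", line.strip())
    text = re.sub(r"\s+DOT\s*", ".", text)
    return text.lower() if "@" in text and " " not in text else None


def parse_dmitry(report):
    """Walk the report line by line; the most recent 'Gathered ...' header
    decides how each following line is interpreted."""
    result = {"host_ip": None, "host_name": None, "name_servers": [],
              "netcraft": {}, "subdomains": {}, "emails": [], "ports": {}}
    section = None
    pending_host = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("kind").lower()
            pending_host = None
            continue
        if section is None:  # the two lines printed before any module runs
            if line.startswith("HostIP:"):
                result["host_ip"] = line.split(":", 1)[1].strip()
            elif line.startswith("HostName:"):
                result["host_name"] = line.split(":", 1)[1].strip()
        elif section == "inic-whois":
            ns = NS_RE.match(line)
            if ns:
                result["name_servers"].append(ns.group("ns").lower())
        elif section == "netcraft":
            for label, key in (("Operating System:", "operating_system"),
                               ("WebServer:", "web_server")):
                if line.startswith(label):
                    result["netcraft"][key] = line[len(label):].strip()
        elif section == "subdomain":  # each hit is HostName then HostIP
            if line.startswith("HostName:"):
                pending_host = line.split(":", 1)[1].strip()
            elif line.startswith("HostIP:") and pending_host:
                result["subdomains"][pending_host] = line.split(":", 1)[1].strip()
                pending_host = None
        elif section == "e-mail":
            addr = deobfuscate_email(line)
            if addr:
                result["emails"].append(addr)
        elif section == "tcp port":
            port = PORT_RE.match(line)
            if port:
                result["ports"][int(port.group("port"))] = port.group("state").lower()
    return result


# Constructed sample report, modelled on the output shown on this page.
SAMPLE_REPORT = """\
HostIP:192.168.1.1
HostName:www.yourexample.com

Gathered Inet-whois information for 192.168.1.1
---------------------------------
NetRange: 192.168.0.0 - 192.168.255.255

Gathered Inic-whois information for www.yourexample.com
---------------------------------
Domain Name: YOUREXAMPLE.COM
Name Server: NS1.YOUREXAMPLE.COM
Name Server: NS2.YOUREXAMPLE.COM

Gathered Netcraft information for www.yourexample.com
---------------------------------
Retrieving Netcraft.com information for www.yourexample.com
Operating System: Linux
WebServer: Apache
No uptime reports available for host: www.yourexample.com

Gathered Subdomain information for www.yourexample.com
---------------------------------
Searching Google.com:80...
HostName:images.yourexample.com
HostIP:192.168.1.2
HostName:www.yourexample.com
HostIP:192.168.1.1
HostName:mail.yourexample.com
HostIP:192.168.1.5
Found 3 possible subdomain(s) for host yourexample.com, Searched 1 pages containing 3 results.

Gathered E-Mail information for yourexample.com
---------------------------------
admin AT yourexample DOT com
joeuser ATyourexample DOT com

Gathered TCP Port information for 192.168.1.1
---------------------------------
Port       State
20          Open
21          Open
80          Open
443         Filtered
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(json.dumps(parse_dmitry(text), indent=2))
```

The parser deliberately keys on DMitry's section headers rather than on blank lines, because the whois sections contain arbitrary registrar text. Anything it does not recognise is ignored, so an unexpected line degrades to a missing field rather than a wrong one.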

 

Thank you for your support. Keep visiting for more updates.

© 2020 ETHICAL HACKING. Designed by Vijay Patel