SecurityTrails Blog

DMitry: Diving Into an Old-School Information Gathering Tool



How much information about a target can you possibly get? Is there an invisible barrier that marks when enough information has been gathered? What about cross-checking results and looking for differences? Results may also vary depending on which source you query when running the analysis.
Let's answer these questions today by running DMitry alongside our own SurfaceBrowser™ enterprise tool. We'll find out what happens when information is extracted from different sources so that they can complement each other.
What is DMitry?
While this small tool called DMitry is considered old code, it does have a few useful information gathering tricks up its sleeve. Check out these options:
As we see above, it can do the following tasks:
Perform an IP Who-Is check: given a specific IP address, it returns the owner information
Perform a Who-Is lookup on the domain name (this is self-explanatory)
Extract information about a target from the netcraft.com website
Use a subdomain finder to look up the different records available
Search the web for 'low-hanging fruit' information regarding email addresses, like the ones found in Who-Is records or in start of authority (SOA) DNS records
Conduct port scanning and banner grabbing on the discovered open ports
Testing DMitry
We're using the Kali Linux distribution to run this tool, but you can download the source code here. Be aware that with the current version (1.3a), netcraft.com queries don't work, because the URL the tool points to for hostname queries has changed.
Aside from that, you can emulate this query by visiting this link; using the tool looks like the following example:
This check alone gathers some additional information about our target in just one place, although, as mentioned earlier, this feature inside the tool is broken at the time of writing.
Who-Is against IP addresses and hostnames
"Who-is" (as pronounced) is a protocol running on port TCP/43 that's used to query databases of ownership information about internet assets, such as domain names, autonomous system numbers, and IP address blocks.
Contrary to what one might think, IP addresses also carry ownership information, reverse pointer records and several other details (such as name servers), all of which can be obtained from Who-Is records.
The accuracy of this information depends on the owner of the IP range, and we often find obsolete records that can be misleading. In some cases, however, that stale data can be treated as historical information and used to advantage in a company's attack surface reduction efforts (forgotten and vulnerable services come to mind).
DMitry, when used with the flag **-i**, will query IP addresses to gather Who-Is information, and if you give it a hostname it will first resolve the corresponding A record. After this, it will query the Who-Is server and display information as shown:
When the **-w** flag is used, the execution is similar, but information regarding the specified domain name will be shown:
This will search the Who-Is record for the desired domain name and display its results to the screen.
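To show what these **-i**/**-w** checks do on the wire, here is a minimal Who-Is client written for this article as an added example; it is not DMitry's code. It sends the TCP/43 query, parses the "Key: value" answer, and follows one referral from whois.iana.org to the authoritative server for either a domain or an IP; the sample answer, EXAMPLE.TEST and whois.registrar.test are constructed, and the `lookup` call at the bottom needs network access.

```python
import socket

WHOIS_PORT = 43  # RFC 3912: a CRLF-terminated plain-text query, answered over TCP/43


def whois_query(server, query, timeout=10.0):
    """Send one WHOIS query and read until the server closes the connection."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Group 'Key: value' lines by lower-cased key; repeated keys accumulate, %/# comments are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def referral_server(fields):
    """IANA answers carry 'refer:'; TLD registries usually name a 'Registrar WHOIS Server:'."""
    for key in ("refer", "whois", "registrar whois server"):
        if key in fields:
            return fields[key][0]
    return None


def lookup(query, root="whois.iana.org"):
    """Ask the IANA root about a domain or an IP, then follow one referral (needs network)."""
    first = parse_whois(whois_query(root, query))
    server = referral_server(first)
    return first if server is None else parse_whois(whois_query(server, query))


SAMPLE = """% constructed sample answer for the offline demo, not a real registry response
Domain Name: EXAMPLE.TEST
Registrar WHOIS Server: whois.registrar.test
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
Registrar Abuse Contact Email: abuse@registrar.test
"""

if __name__ == "__main__":  # online equivalents of dmitry -w and -i
    print(lookup("example.com"), lookup(socket.gethostbyname("example.com")))
```

The abuse contact and name servers parsed out of the answer are the fields a defender typically cross-checks against their own asset inventory.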
Harvesting subdomains
An interesting feature included with this exploratory software is its subdomain retrieval capability: it scrapes the web for possible hostnames under a specified registered domain name. This is done by using the **-s** flag before the domain name:
For the sake of obtaining the most accurate information, we are going to double-check the subdomain surface and see what else we can find for this domain. This time, we'll do it by using our very own SurfaceBrowser™.
Great! The resulting difference is outstanding... but why? Just to understand how DMitry works, we decided to look under the hood to check its source code. Specifically, we'll be looking at the subsearch.c file located inside t...

By SecurityTrails