1
00:00:01,070 --> 00:00:03,200
Welcome to part three of this module.

2
00:00:05,860 --> 00:00:07,040
In this video,

3
00:00:07,150 --> 00:00:16,270
we're going to be taking a quick look at a very old program called DMitry, which is short for Deepmagic

4
00:00:16,360 --> 00:00:19,210
Information Gathering Tool.

5
00:00:19,240 --> 00:00:27,100
DMitry is another command line information gathering tool that will take either a hostname or an IP

6
00:00:27,100 --> 00:00:36,230
address as input and then attempt to gather more information such as additional subdomains and email addresses,

7
00:00:36,280 --> 00:00:40,250
and it will even perform port scans of the host.

8
00:00:40,330 --> 00:00:44,420
The program was written in C by James Greig.

9
00:00:44,450 --> 00:00:50,110
I deliberated for a long time about where I should place this module because, given its age,

10
00:00:50,260 --> 00:00:56,980
DMitry is not as useful and therefore not really as widely used as some of the better programs out

11
00:00:56,980 --> 00:00:57,850
there.

12
00:00:57,850 --> 00:01:05,170
There are other tools in Kali that arguably do a much better job of collecting this kind of information.

13
00:01:05,260 --> 00:01:11,560
It has come prepackaged with the operating system for many, many years now, going all the way back to

14
00:01:11,560 --> 00:01:18,600
the earliest days of BackTrack, so it still has its uses and it is a classic.

15
00:01:18,790 --> 00:01:25,760
Therefore I'll present it now before we go into the bigger programs such as Nmap and Zmap.

16
00:01:25,830 --> 00:01:29,450
With that being said, let's go ahead and get into it.
17
00:01:29,740 --> 00:01:36,400
The information categories available can be broken down into active and passive, and as you can see I've

18
00:01:36,610 --> 00:01:44,290
broken them up into the available options that you can use with DMitry. So under passive you've got

19
00:01:44,290 --> 00:01:53,080
the ability to do whois lookups on IP addresses or a domain name of a host.

20
00:01:53,080 --> 00:01:56,120
You can set it to retrieve Netcraft data.

21
00:01:56,410 --> 00:02:03,910
You can tell it to search the domain for any subdomains and any email addresses that it finds.

22
00:02:03,910 --> 00:02:11,470
It does the searching on Google and, I believe, a few other now-defunct services. Under the active section,

23
00:02:11,470 --> 00:02:17,950
you can set it to do a port scan, and then it will also try to read the banner information for each port.

24
00:02:18,130 --> 00:02:23,630
You have this option as well to change the TTL setting.

25
00:02:23,830 --> 00:02:29,860
The default is two seconds, but you can change that depending on the network that you're going against.

26
00:02:29,860 --> 00:02:38,380
This last option, -o, just allows you to save the output to a text file. If you don't

27
00:02:38,380 --> 00:02:41,140
specify this when you run the program,

28
00:02:41,140 --> 00:02:46,930
the data you collect will just be pushed through the terminal and will be lost when you close the window,

29
00:02:47,440 --> 00:02:51,970
and DMitry has no database capabilities such as Recon-ng has.

30
00:02:56,220 --> 00:03:00,480
So to launch DMitry, just go to Applications,

31
00:03:02,760 --> 00:03:12,610
Information Gathering, and it will be right at the top of the list. Or we can open up a terminal window

32
00:03:14,050 --> 00:03:18,580
and just type dmitry with no arguments.
33
00:03:18,620 --> 00:03:25,880
This is, as I said, a fairly simple program by the standards of most open source intelligence tools, and

34
00:03:25,880 --> 00:03:31,540
when you run it without any specifications you will just get a list of the basic options.

35
00:03:31,550 --> 00:03:39,890
However, DMitry also has a fairly detailed man page which can be viewed by typing man dmitry and pressing

36
00:03:39,920 --> 00:03:40,400
Enter.

37
00:03:48,180 --> 00:03:51,600
You can pull it up yourself and read through it if you wish.

38
00:03:52,540 --> 00:03:59,740
Now you can run DMitry without specifying any options at the command line other than, of course, the target

39
00:03:59,740 --> 00:04:03,780
information such as the IP address or hostname.

40
00:04:04,150 --> 00:04:11,620
If you do decide to run it this way, it is going to run with most of the options set to default. For legal

41
00:04:11,620 --> 00:04:12,250
reasons,

42
00:04:12,250 --> 00:04:18,790
I strongly recommend that you specify the types of options that you want so that you can be absolutely

43
00:04:18,790 --> 00:04:26,470
certain that you are conducting all of your scans in a manner that is consistent with any local laws

44
00:04:26,470 --> 00:04:28,690
that may be applicable to you.

45
00:04:28,690 --> 00:04:35,180
One thing to consider is that you may not want to do both active and passive reconnaissance

46
00:04:35,200 --> 00:04:41,830
at the same time. If you're using this program to scan sites out on the Internet that you do not have

47
00:04:41,920 --> 00:04:48,940
express written permission to scan, you could potentially be doing something illegal. In some jurisdictions

48
00:04:49,060 --> 00:04:55,990
unauthorized port scanning might be against the law, and in truth the law as it is written seems to vary

49
00:04:55,990 --> 00:04:59,120
widely from jurisdiction to jurisdiction.
50
00:04:59,260 --> 00:05:06,370
It's extremely murky, so always be 100 percent certain that you have direct written permission before

51
00:05:06,370 --> 00:05:11,150
conducting any port scans on machines you do not personally own.

52
00:05:11,290 --> 00:05:15,040
Always be lawful and ethical during your pen tests.

53
00:05:15,040 --> 00:05:21,820
So with that admonition out of the way, let's go ahead and look at the passive recon options.

54
00:05:21,820 --> 00:05:26,800
I'm going to run it with multiple options at the same time and then we're going to take a look at the

55
00:05:26,800 --> 00:05:29,590
results within the terminal.

56
00:05:29,590 --> 00:05:35,170
I'm not going to bother saving it to a file this time, although we could do so by adding the -o option.

57
00:05:35,830 --> 00:05:46,030
So the syntax for running DMitry is going to be dmitry -wnse and our target is going to be

58
00:05:46,030 --> 00:05:49,210
scanme.nmap.org.

59
00:05:49,900 --> 00:05:55,720
However, before I execute this command I'd like to take a moment to quickly show you that the site I

60
00:05:55,720 --> 00:06:04,960
am passively scanning, which is scanme.nmap.org, has given express written permission to perform

61
00:06:04,960 --> 00:06:12,580
this type of operation both with the Nmap utility as well as other port scanners like DMitry. As

62
00:06:12,580 --> 00:06:17,950
you can see from the text on the screen, though, there are limits to this permission, so please don't try

63
00:06:17,950 --> 00:06:25,630
to run any brute force crackers or perform any constant excessive scans, as this sort of activity is

64
00:06:25,630 --> 00:06:28,480
not authorized or appreciated.

65
00:06:28,480 --> 00:06:33,940
So now we're telling DMitry to perform a whois lookup against the domain, to try to obtain Netcraft

66
00:06:33,940 --> 00:06:37,450
information, as well as any subdomains that it can find.
67
00:06:37,510 --> 00:06:43,270
Hit Enter here, and of course it is important that you spell dmitry correctly,

68
00:06:50,330 --> 00:06:51,740
and this may take a moment.

69
00:06:54,680 --> 00:07:04,340
It already found the host IP. Usually DMitry is pretty fast, but because some of the search functions that

70
00:07:04,340 --> 00:07:11,760
it uses are out of date, it can slow down on occasion against certain targets.

71
00:07:11,910 --> 00:07:14,280
Right now it's gathering information with Google.

72
00:07:17,170 --> 00:07:18,580
In the interest of expediency,

73
00:07:18,580 --> 00:07:25,810
I think I will just make a recording cut here and resume the video after DMitry has finished gathering

74
00:07:25,810 --> 00:07:27,620
its information.

75
00:07:27,640 --> 00:07:33,520
Well, that took a bit longer than I expected to complete, and we didn't really find much of anything with

76
00:07:33,520 --> 00:07:41,000
the passive scan, although I wasn't expecting to. I believe the reason that it ended up taking so long

77
00:07:41,000 --> 00:07:49,640
is that it was attempting to search AltaVista, and each time it tried to search AltaVista it didn't get

78
00:07:49,640 --> 00:07:51,830
anywhere, for obvious reasons,

79
00:07:52,070 --> 00:07:57,080
and I had to wait for it to time out, so you may run into that issue.

80
00:07:57,080 --> 00:08:05,330
This is another example of this tool being rather dated. But now we'll look at using the active recon

81
00:08:05,330 --> 00:08:06,300
options.

82
00:08:06,440 --> 00:08:11,480
We'll be doing a port scan and then getting any banner information available from the target.

83
00:08:12,140 --> 00:08:13,440
So this is pretty simple.

84
00:08:13,460 --> 00:08:20,300
The command will be dmitry -b scanme.nmap.org.

85
00:08:28,600 --> 00:08:32,550
Remember to add the -o in there if you want to write

86
00:08:32,560 --> 00:08:39,760
the output to a text file. Here we're telling it to do a TCP port scan.
87
00:08:40,000 --> 00:08:47,880
It's not doing any UDP scans. It is reading the banner information, and one word of caution about this:

88
00:08:48,670 --> 00:08:50,500
while it is doing port scans,

89
00:08:50,500 --> 00:08:58,370
it's actually pretty slow, so this may take a few minutes to complete.

90
00:08:58,390 --> 00:09:05,600
Please just be patient, and once again in this recording, if this ends up taking more than a couple more

91
00:09:05,600 --> 00:09:07,600
seconds I'm going to make an edit.

92
00:09:07,910 --> 00:09:11,920
So your search will probably be quite a bit longer.

93
00:09:11,960 --> 00:09:19,280
All right, so it finally finished, and you can see that it scanned one hundred and fifty ports, and one

94
00:09:19,280 --> 00:09:26,890
hundred and forty-three of those were in a closed state, and it found two specifically open ports,

95
00:09:26,890 --> 00:09:28,450
twenty-two and eighty.

96
00:09:28,680 --> 00:09:31,290
So that's basically it in a nutshell.

97
00:09:32,630 --> 00:09:40,400
Not nearly the depth that an Nmap scan would have given us, but it is a pretty good start.

98
00:09:42,000 --> 00:09:48,000
I think Nmap's results are considerably more detailed, of course, but I don't wish to speak

99
00:09:48,030 --> 00:09:52,350
ill of such an old and well-established program as DMitry.

100
00:09:52,350 --> 00:09:57,550
I think there's a lot of nostalgia behind this program for a lot of people.

101
00:09:57,600 --> 00:10:02,640
Like I said, it dates all the way back to the earliest iterations of BackTrack, which was the operating

102
00:10:02,640 --> 00:10:05,310
system that predated Kali Linux.

103
00:10:05,310 --> 00:10:12,440
So there's a lot of sentiment where DMitry is concerned. Anyway, I realize this was a short video, but

104
00:10:12,460 --> 00:10:17,760
DMitry really is a relatively simple program and there isn't a whole lot to go into here.
105
00:10:17,770 --> 00:10:21,820
Its uses are pretty simple and straightforward when all is said and done.

106
00:10:22,010 --> 00:10:27,760
The mere fact that it still uses the now-defunct AltaVista for its lookups is proof that you should

107
00:10:27,760 --> 00:10:33,990
probably consider using more current tools for your reconnaissance operations.

108
00:10:34,210 --> 00:10:39,120
But it's a little piece of Kali's past and it still has its uses every now and again.

109
00:10:39,340 --> 00:10:40,650
So I hope you enjoyed it.

110
00:10:40,660 --> 00:10:41,130
Thank you.