DMitry

Overview

DMitry (Deepmagic Information Gathering Tool) is a comprehensive reconnaissance tool that automates information gathering during the reconnaissance phase of penetration testing. It combines multiple data collection techniques into a single command-line utility, making it ideal for initial OSINT investigations and target profiling.

Installation

Debian/Ubuntu

sudo apt-get update
sudo apt-get install dmitry

From Source

wget http://www.deepmagic.com/dmitry/dmitry-1.3.3.tar.gz
tar -xzf dmitry-1.3.3.tar.gz
cd dmitry-1.3.3
./configure
make
sudo make install

Verify Installation

dmitry -v

Basic Syntax

Command	Description
`dmitry [options] target`	Primary syntax for running dmitry
`dmitry -h`	Display help menu
`dmitry -v`	Show version information
`target`	Domain name, IP address, or hostname

WHOIS Lookups

WHOIS queries retrieve registrar and registrant information for domain names and IP addresses.

Basic WHOIS Query

dmitry -w example.com
dmitry -w 192.0.2.1

Save WHOIS Results

dmitry -w example.com > whois_results.txt
dmitry -w example.com -o whois_output.txt

WHOIS with Verbose Output

dmitry -w -v example.com

Flag	Function
`-w`	Perform WHOIS lookup on target
`-o filename`	Write output to specified file
`-v`	Verbose output with additional details

Subdomain Enumeration

Subdomain enumeration identifies additional subdomains associated with the target domain through various DNS techniques and database queries.

Basic Subdomain Search

dmitry -s example.com

Subdomain Search with Verbose Output

dmitry -s -v example.com

Save Subdomain Results

dmitry -s example.com -o subdomains.txt

Multiple Subdomain Searches

dmitry -s example.com > subdomains1.txt
dmitry -s example.net > subdomains2.txt

Flag	Function
`-s`	Perform subdomain search on target
`-o filename`	Save results to file
`-v`	Verbose mode with detailed enumeration info

Email Harvesting

Email harvesting extracts email addresses associated with the target domain from public sources and search indexes.

Basic Email Harvesting

dmitry -e example.com

Email Harvesting with Verbose Output

dmitry -e -v example.com

Save Email Results

dmitry -e example.com -o emails.txt

Filter Email Results

dmitry -e example.com | grep "@example.com"
dmitry -e example.com | sort | uniq

Flag	Function
`-e`	Perform email harvesting on target
`-o filename`	Output results to file
`-v`	Verbose output with source information

TCP Port Scanning

TCP port scanning identifies open ports and services running on the target system, providing service identification and availability information.

Basic Port Scan

dmitry -p example.com

Full TCP Port Scan

dmitry -p example.com

Port Scan with Service Detection

dmitry -p -v example.com

Scan Specific Port Range

dmitry -p example.com

Common Ports Quick Scan

dmitry -p example.com 2>&1 | head -20

Flag	Function
`-p`	Perform TCP port scan on target
`-v`	Show service names and additional details
`-o filename`	Save scan results to file

OS Fingerprinting

OS fingerprinting analyzes network responses and system characteristics to determine the target operating system and version.

Basic OS Fingerprinting

dmitry -f example.com

OS Fingerprinting with Verbose Output

dmitry -f -v example.com

Save Fingerprinting Results

dmitry -f example.com -o fingerprint.txt

Flag	Function
`-f`	Perform OS fingerprinting on target
`-v`	Verbose output with detailed analysis
`-o filename`	Write fingerprint results to file

Combined Operations

Dmitry’s power comes from combining multiple reconnaissance techniques in a single command, creating comprehensive target profiles.

Full Target Profile

dmitry -w -s -e -p -f example.com

Full Profile with Verbose Output

dmitry -w -s -e -p -f -v example.com

Complete Reconnaissance with Output File

dmitry -w -s -e -p -f -v example.com -o target_profile.txt

Aggressive Enumeration

dmitry -w -s -e -p -f -v example.com -o target_report.txt 2>&1

Multiple Targets in Sequence

for domain in example.com example.net example.org; do
  dmitry -w -s -e -p -f -v $domain -o ${domain}_report.txt
done

Combination	Purpose
`-w -s`	WHOIS + Subdomain enumeration
`-s -e`	Subdomain + Email discovery
`-p -f`	Port scanning + OS fingerprinting
`-w -s -e -p -f`	Complete reconnaissance profile

Output File Management

Append to Existing File

dmitry -w -s -e -p -f example.com >> reconnaissance.txt

Create Timestamped Report

dmitry -w -s -e -p -f -v example.com -o dmitry_$(date +%Y%m%d_%H%M%S).txt

Organize Results by Target

mkdir -p dmitry_results
dmitry -w -s -e -p -f -v example.com -o dmitry_results/example.com_report.txt

Parse Output for Processing

dmitry -s example.com | tee subdomains.txt | sort | uniq

Practical Workflow Examples

Preliminary Target Assessment

# Quick WHOIS and subdomain check
dmitry -w -s example.com

Detailed Reconnaissance Phase

# Complete information gathering
dmitry -w -s -e -p -f -v example.com -o target_complete_recon.txt

Multi-Target Campaign

# Create target list and run dmitry on each
cat targets.txt | while read target; do
  echo "[*] Gathering information on $target..."
  dmitry -w -s -e -p -f -v $target -o results/${target}_full.txt
  sleep 2  # Rate limiting
done

Email List Generation

# Extract all emails for phishing awareness training
dmitry -e example.com | sort | uniq > employee_emails.txt

Common Flags Reference

Flag	Description
`-w`	WHOIS lookup
`-s`	Subdomain enumeration
`-e`	Email harvesting
`-p`	TCP port scanning
`-f`	OS fingerprinting
`-v`	Verbose output
`-o filename`	Output to file
`-i`	Display IP address of target
`-t num`	Specify timeout value (seconds)
`-h`	Help menu
`-v`	Version information

Advanced Usage

Baseline Information Gathering

dmitry -w example.com
# Review WHOIS registrant data
# Identify administrative contacts
# Note DNS server information

Service Discovery

dmitry -p example.com
# Map open ports
# Identify running services
# Note version information

dmitry -e example.com
# Compile email addresses
# Identify department patterns
# Note naming conventions

Output Interpretation

WHOIS Information

Registrar: Organization handling domain registration
Registrant: Domain owner details
Administrative Contact: Primary domain administrator
Name Servers: DNS infrastructure
Registration/Expiration: Domain timeline

Subdomain Results

Valid Subdomains: Confirmed subdomains with DNS records
Potential Hosts: Possible subdomains requiring verification
Service Subdomains: Mail servers, FTP, web services

Email Addresses

Domain-based: Emails from primary domain
Subdomain-based: Emails from identified subdomains
Admin Addresses: Standard administrative emails (admin@, info@)

Port Scan Results

Open Ports: Service ports accepting connections
Filtered Ports: Ports behind firewall/filtering
Closed Ports: Ports with active rejections
Service Names: Identified services on ports

OS Fingerprinting

Operating System: Identified OS and version
System Uptime: Estimated system runtime
Running Services: Detected services and versions

Tips and Best Practices

Rate Limiting: Add delays between scans to avoid detection and server overload
Legal Compliance: Ensure proper authorization before scanning
Result Organization: Use timestamped output files for tracking changes
Target Validation: Verify DNS resolution before running scans
Information Correlation: Cross-reference results across all modules for accuracy
Iterative Scanning: Perform repeated scans to discover new subdomains and services
Note Taking: Document all findings for later analysis and correlation

Troubleshooting

Connection Timeout

dmitry -t 30 example.com  # Increase timeout to 30 seconds

DNS Resolution Failures

dmitry -i example.com  # Display IP address information
nslookup example.com   # Verify DNS resolution

No Results Returned

dmitry -v example.com  # Use verbose mode for debugging
# Verify target is accessible and valid
# Check network connectivity

Rate Limiting Issues

# Add delays between commands
for domain in $(cat domains.txt); do
  dmitry -w -s $domain
  sleep 5
done

nmap — Advanced port scanning and OS detection
whois — Standalone WHOIS query tool
dig/nslookup — DNS query utilities
theHarvester — Email and subdomain harvesting
Shodan — Internet-wide device search engine

DMitry

Overview

Installation

Debian/Ubuntu

From Source

Verify Installation

Basic Syntax

WHOIS Lookups

Basic WHOIS Query

Save WHOIS Results

WHOIS with Verbose Output

Subdomain Enumeration

Basic Subdomain Search

Subdomain Search with Verbose Output

Save Subdomain Results

Multiple Subdomain Searches

Email Harvesting

Basic Email Harvesting

Email Harvesting with Verbose Output

Save Email Results

Filter Email Results

TCP Port Scanning

Basic Port Scan

Full TCP Port Scan

Port Scan with Service Detection

Scan Specific Port Range

Common Ports Quick Scan

OS Fingerprinting

Basic OS Fingerprinting

OS Fingerprinting with Verbose Output

Save Fingerprinting Results

Combined Operations

Full Target Profile

Full Profile with Verbose Output

Complete Reconnaissance with Output File

Aggressive Enumeration

Multiple Targets in Sequence

Output File Management

Append to Existing File

Create Timestamped Report

Organize Results by Target

Parse Output for Processing

Practical Workflow Examples

Preliminary Target Assessment

Detailed Reconnaissance Phase

Multi-Target Campaign

Email List Generation

Common Flags Reference

Advanced Usage

Baseline Information Gathering

Service Discovery

Social Engineering Preparation

Output Interpretation

WHOIS Information

Subdomain Results

Email Addresses

Port Scan Results

OS Fingerprinting

Tips and Best Practices

Troubleshooting

Connection Timeout

DNS Resolution Failures

No Results Returned

Rate Limiting Issues

Related Tools