Maltego 2 and beyond - Part 2
Now that you have had some time to play around with Community Edition or if you were lucky (or rich) enough, the Full version. We are going to start delving into the the pieces of Maltego and then in Part 5 we rip it apart and put it back together for PT-TAS (Penetration Testing - Transform Application Server). I am going to say “investigation” a lot in the coming paragraphs and parts of this article. what I mean when I use this word is everything from ego and tin-hat searches to the military grade or counterintelligence level searches. As stated before, Maltego Community Edition is free. Use it however and for whatever you want. If you think of a new and interesting way of using Maltego please send me an email and I will make it part of this series, or post it in the Maltego Forums. Paterva is always interested in hearing from the community, especially feature requests.
First lets outline whats to come:
Table of Contents:
- Part 1 - Introduction
- Part 2 - Entities and Transforms
- Part 3 - The Human Factor
- Part 4 - Server Time (CTAS, PTTAS, MALTAS, SQLTAS, SNTAS)
- Part 5 - Hacks, Tips, and Tricks
The reason I am not going into the installation or registration of Maltego is because 1. It’s already installed on Back|Track and 2. Because Paterva already has a great wiki article on the topic. So lets begin:
Entities are the basic nuts and bolts of your investigation. Entities spawn other entities through the use of transforms. But, what is an entity? Well at the time of this publishing it can be one of the following
AS (Autonomous System Number): This is a number assigned to a network that allows BGP (Border Gateway Protocol) to know where it’s neighbors are. (And there aren’t any exploits for BGP right?)
DNS Name: This is a human readable form of an IP. And, unlike my mother believes, a DNS name does NOT mean it’s a web site. For example hr2xp00209.contoso.com does not serve up a web site, well at least it shouldn’t. (And there are no exploits for DNS right? -PPT LINK-)
Domain: In the sense of a DNS domain. This can be localdomain.local contoso.com, or microshaft.com
IP Address: The 4 byte (or 16 byte with IPv6) set of numbers that computers understand better than DNS names
Netblock: A block of contiguous IP addresses that are “owned”
Website: (Myspace.com, DUH!)
Email Address:YourSuperCoolHackerHandle@h4x0rbl0gthatyouneverupdate.com (And then you sign that email address with your super secret family-only email address that you never use, with your PGP key)
Location:Area 51, Washington DC, The Moon
Person: A first and and last name (we will get into handles with “Phrase”, also, remember that PGP key you used, oh it has your full name on there)
Phone Number: This is a 7 digit or 10 digit number, returns a lot of false positives in my experiance, but has also pulled some great contact info for companies that weren’t available from their site. (i.e. someone posted their details in a group or forum asking for help)
The last entity is “Phrase”. I specifically isolated it because of its untapped power in Maltego. This is a Google hacker’s dream. This entity will send any Google hack (or regular search term/phrase) you have to a search engine (Out of the box it’s Yahoo) and then extracts as many of the above entities as it can. To couple the power of Google hacking with all of the information you have gathered, and if the old adage, “Knowledge is Power” is right. You now have at your disposal a nuclear arsenal worth of “power”. Add PT-TAS (which we will talk about later) and you might as well have an Ion Cannon for your investigation.
There are more transforms than I have space for and you really don’t need me to insult your intelligence any more than I already have with my list of entities. So, I am picking out a few of my favorites that might get you a tad bit worried enough to go out and download Maltego, just to see if they pop on you.
Email to PG****P: It takes an email address and then checks to see what other email addresses you have signed with your key and what the name associated with those email addresses are, along with the email address you searched for. Makes you kind of think of what other security tools can be turned back on themselves.
IP or Netblock to Wiki Edits: With this tool you can get a sense of what changes a company/person/organization makes to Wikipedia. I have had mixed results with how much information return this gets but, as you can see by this interesting graph. Three letter agencies like to make edits ;-)
Metadata Extration from Documents: The transform is an information gold mine. It could give you insight into the names of users, the domain’s naming convention, possibly even the internal domain name and version of software made that document.
Rapleaf and Spock Search (Social Networking search): If you don’t get anything right of the bat, try again later. These services index items on request so if you are the first one to query and email address or phrase, it might take 20 minutes to index and be ready with results. Also, have you ever added your friends to a social networking site via your address book or contacts list (IM/Webmail/Outlook)? Well what if your address book that you uploaded as a search included every email address or phrase that you have found in Maltego?
We have now gotten the basics and the building blocks, next we go into the Human Factor. Sort of like a OCD instructor I will be helping you to make leaps of faith based on logic that Maltego, or any automated system for that matter, just can’t do.