The Web Local
 

 

 

Maltego Client

 

Maltego is a one-stop resource for carrying out foot-printing and passive analysis. It has come a long way since its early days as a web-based search utility.  The web-based utility was superseded by a standalone java-based client (still available) and from May 2008 a commercial version of this excellent tool was released with some great nifty add-ons to make this one of the most extensible, innovative and frankly awesome tool that a tester MUST know about and be able to use effectively.

 

It can be utilised in searching for the following (entities):

 

 

Searches are carried out by using what are called transforms whereby the entity (for example a domain) can have multiple queries made against it for example the MX Record transform which determines if an MX record exists for your target Domain. When found this record can be the subject of a another transform (sub-query) to resolve its IP Address which could be further queried to determine a shared DNS records (and the list goes on and on and ....).  In this way a huge relationship-based diagram can be built up. 

 

It is available from here.

 

The Commercial version of Maltego has been totally re-written and now comes with the following add-ons/ extra tools: 

 

  • Dedicated update server.
  • Import facility for reviewing previous searches.
  • Export facility (CSV format - Allows the ability to Integrate into user defined databases).
  • Disparate views and layouts of results (akin to those offered by the i2 Analysts casebook) i.e.
    • Hierarchical
    • Block
    • Centrality
    • Organic

    Some or all of these are available depending on which view option (Mining, Edge-weighted or Centrality is selected).

  • More entities and 20 brand new transforms.
  • Search/Find facility.
  • Ability to carry out multiple searches via different tabs.
  • Dedicated clear-all, zoom buttons for notebook users.
  • Integrated online help (wiki based) and user guide. http://ctas.paterva.com/view/Main_Page
  • Pre-populated and configured transforms (incorporating personal API key).
  • Platform independent installer.
  • Proxy Support.
  • Print facility.
  • Extensive support package.
  • Free Upgrades.

 

Installation:

 

Download the jar or exe file (dependant on platform) from Paterva

Follow the on-screen instructions. An extremely comprehensive guide is also available here.

 

Pre-requisites and Execution:

 

Java 1.6

(If required) Technorati API key

Join at http://technorati.com/account/signup/

Obtain key from: http://www.technorati.com/developers/apikey.html

 

Linux Note: - If you have multiple versions of java installed make sure you amend the maltego.conf file to point to the 1.6 branch i.e.

 

# default location of JDK/JRE, can be overridden by using --jdkhome <dir> switch
jdkhome="/usr/java/jre1.6.0_05/" (for Sun Java Runtime Environment 1.6 update 5)

 

alternatively execute the program with the following command-line parameters maltego --jdkhome /path_to_java_1.6_install/

 

Note: - All start menu shortcuts or Linux launchers will need their prospective commands altered accordingly also should you wish to use them.

 

Usage:

 

I recently attended Infosec at Olympia in London and one of the speakers on the Hackers Panel was Roberto Preatoni, founder of Zone-h.org.  Wanting to find out more contact details for zone-h and a bit more about the people that work there I set Maltego to work.  My goal was to find as many personalities related to the site as possible and alternative email personas that I could use in a possible targeted spearphishing campaign to enable possible access to the site or there home machines - (There switched on so they wouldn't fall for it anyhow and I did have to pick on someone :-) )

 

 

The maltego transform relating to this basic search is available from here.  Multiple entities were resolved some of which had ties to the same email address alluding to the fact that they have an alternative e-presence so to speak i.e. Roberto Preatoni is also SyS64738.

 

I could have gone a lot further and tried to enumerate other user details but in this case it was not my intended goal.  I could have also enumerated details about the domain, related servers, documents and associated metadata etc.

 

Other views and layouts are also available to work with, a sample of which is below which are also very useful for adding weight to important personas/ hosts enumerated by various searches:

 

 

It is possible to gather more information about each entity returned by using the Details Pane, which also lists what transform was carried out and the date:

 

 

There are so many ways this tool can be used and data extracted and this page is only a taster of the capabilities of this tool available - a full userguide can be obtained from here.

 

Summary:

 

This tool now has a very rounded and commercial feel to it.  It has been extremely professionally done with excellent support for bug submissions and a highly comprehensive on-line wiki resource.  I prefer to work in data mining view as I am used to this option, the other views can, however, add weight to particular entities which is useful, especially when  viewing large graphs and submissions allowing you to zoom in to interesting entities and links and carry out more detailed enumeration (transforms). Great tool!

 

Suggestions:

 

Most transforms are grouped together and give you the option to search singularly or search using that a particular group.  There is also an option displaying All transforms for a particular entity which combines all available transforms from all grouped sections, there is currently no option to select All in this group which for some would be a nice feature.

 

A facility to allow you to record what transforms have been carried out on which entity would also be a bonus and act as a checklist for the tester.

 

 

 

IT Security News:

 

Pen Testing Framework:

 

Latest Tool Reviews: