
Information Gathering Using Maltego

February 20, 2012 by Hari Krishnan

The first phase in security assessment is to focus on collecting as much information as possible about a target application.

According to OWASP, information gathering is a necessary step of a penetration test.

The more information, the higher the success rate. There are basically two types of information gathering: active and passive. Passive information gathering is where the attackers won't be contacting the target directly and will be trying to gather information that is available on the Internet; whereas in active information gathering, the attacker will be directly contacting the target and will be trying to gather information.

Information gathering is generally done on infrastructure and on people. In infrastructure recon, the attackers generally try to find information about the host, i.e., the mail exchanger record, name server record, shared resources, etc. For information gathering on people, the attackers try to gather information like email addresses, public profiles, publicly uploaded files, etc., that can be used for performing brute force, social engineering or spear phishing attacks.

About OSINT:

OSINT stands for Open Source Intelligence. In the OSINT method, the information is publicly available and can be used for further analysis. The relationship between the various forms of information gathered from the Internet can be extremely valuable from the attacker's point of view. In this method, there is either no direct contact with the victim's servers or only standard traffic is directed toward the victim.

Maltego is an example of a tool that uses OSINT to gather information. It is an open source intelligence and forensics application that shows how pieces of information are connected to each other. Another advantage of this tool is that the relationships between various types of information can give a better picture of how they are interlinked and can also help in identifying unknown relationships.

What information can be found using Maltego:

With Maltego, we can find the relationships that people are linked to, including their social profiles, mutual friends, companies that are related to the information gathered, and websites.

If we want to gather information related to any infrastructure, we can gather the relationships between domains, DNS names, and netblocks.

Architecture of Maltego:

Image from paterva.com

The Maltego client sends the request to seed servers in XML format over HTTPS. The seed server passes the request to the TAS servers, which pass it on to the service providers. The results are returned to the Maltego client. The advantage is that we can have our own TAS servers for more privacy. Currently Maltego has two types of server modules: professional and basic. The major difference between the two servers is the modules available. The professional server comes with CTAS, SQLTAS and PTTAS, and the basic server comes with CTAS.

CTAS – Commercial TAS contains the transforms available on the public server. This is similar to the basic server.

SQLTAS – TAS can access the SQL database using this module. It can also perform various SQL queries and return the results. The supported types are MySQL, MSSQL, DB2, Oracle and Postgres.

PTTAS – Pentesting TAS module that allows you to perform various pentesting-related tasks from within Maltego, like port scans, banner grabbing, etc.

 

Starting Maltego

First go to Applications-->Backtrack-->Information Gathering-->Network Analysis-->DNS Analysis-->Maltego

The first time you log in, it will ask you to register your product. If you already have an account, just enter your email ID and password. Once you validate your login, it will update the transforms.

Once the transforms are updated, click the 'Investigate' tab and select the desired option from the palette. There are two main categories in the palette: Infrastructure and Personal. We can also import other entities to the palette. An example is the SHODAN entity. SHODAN is a search engine which can be used to find specific information like servers, routers, switches, etc., with the help of their banners.

 

Infrastructure Reconnaissance:

Maltego helps to gather a lot of information about the infrastructure. In order to start gathering information, select the desired entity from the palette. In this example, we are going to scan a domain. Select the domain option from the palette and drag it to the workspace. Enter the target domain. Now right-click on the entity and you should get a window that says "Run Transform" with additional relevant options.

 

 

Run the required transform and find out information like the MX, NS and IP address. We can then use transforms like 'IPAddressToNetblock' to break a large netblock into smaller networks for better understanding.

Also we can find the shared domains. We can determine information like IP addresses for domains and other internal networks, the netblocks which are used by the target, etc.

 

Infrastructure Info gathering

Personal Reconnaissance:

Maltego helps you find information about a person, like their email address, social profiles, mutual friends, various files shared on various URLs, etc. Select the desired option from the palette. Here I am going to select the option 'Person' and will enter the name of the person I will be trying to gather information about.

Right-click on the 'Person' option and select the desired transforms. First let's find the email address related to the person and try to gather more information. With Maltego, we can find their SNS information from Facebook, Flickr, etc.

Person Info Gathering

 

 

Various entities in Facebook were detected by using the transform "toFacebookaffiliation." This method generally looks for a Facebook affiliation that matches closely to a person's name based on the first and last name and weighs each result accordingly. With Maltego we can also find mutual friends of two targeted persons in order to gather more information.

Similarly, we can find if the user has uploaded any files in pastebin or any other public URLs. Having all this information can be useful for performing a social engineering-based attack.

 

FOCA:

FOCA is another network infrastructure mapping tool which can discover information related to network infrastructure and also analyze metadata from various file formats like MS Office, PDF files, etc. It can also enumerate users, folders, emails, software used to create the file, and the operating system.

Download link:
http://www.informatica64.com/foca.aspx

Register your email id in order to download the tool.

Various Steps involved:

Step 1: First go to Project –> New Project and start a new project where you have to enter the project name and the target.

Step 2: Once the target is selected and saved, the next step is searching for the files using various search engines like Google, Bing and Exalead by clicking "Search All". We can also search files using our custom search.

Note: Exalead is another type of search engine.

Step 3: Various files will be shown in FOCA. Download the files once the scan is completed in order to analyze the metadata. While gathering the files from the Internet, FOCA also analyzes the target's network and gives out information like network, domain, roles and vulnerabilities. We get information like the name of the user, share path, their operating system, software used and other various useful data from the metadata analyzed. Information like the software used to create the document can be used for performing a client-based exploitation.

Both tools are well suited to gathering information about any target and give a better picture of the target.

Another thing both tools have in common is that they use the functionality of SHODAN. The SHODAN transform for Maltego can be downloaded from the below link.

http://maltego.SHODANhq.com/downloads/entities.mtz

SHODAN is useful for performing the initial stages of information gathering. Enter the target IP or the website URL into SHODAN. This can provide a lot of information, like the technology used by the domain, server versions, etc.

Having the maximum amount of information about your target is always good as it helps us to understand more about the target, their network infrastructure, and the people connected to the target. The more information, the higher the success rate for the attack. If you are good at social engineering then perform the attack on the users found from Maltego and FOCA, i.e., a client based attack or binding malicious content to a document or any other files related to that particular author and asking them to check it for corrections, thus infecting the author.

FOCA also has an online service for finding the generic metadata, but it has a lot of limitations and does not provide much information. The URL is http://www.informatica64.com/foca/.

References

http://www.informatica64.com

http://www.paterva.com/

Hari Krishnan

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (http://www.defcontn.com).