Maltego: Making sense of data
Information gathering has always been a crucial part of any penetration testing. The more information we have, the more likely we will be able to use that against the system to exploit it. Paterva, a South Africa-based company, is responsible for the development and release of Maltego. The first GUI version was launched way back in 2007. Since then, it has come a long way.
Maltego is essentially a data mining tools that creates directed graphs to be further analyzed. This tool helps connect the dots, which essentially means that it helps find common ground between different pieces of information that may be gotten from the internet.
What should you learn next?
Maltego can be used to find the relationships between the following:
-
People
- Names
- Email addresses
- Aliases
- Groups of people (social networks)
- Companies
- Organizations
- Web Sites
-
Internet Infrastructure
- Domains
- DNS Names
- Netblocks
- IP addresses
- Affiliations
- Documents and files
Maltego provides us with two types of products:
- Maltego Clients
- Maltego Servers
Maltego Servers
These are further divided into three categories:
- CTAS (Commercial Transform Application Server): CTAS is a copy of Paterva's public CTAS. However, this can be hosted internally within any organization.
- iTDS (internal Transform Distribution Server): iTDS has a web-based front-end that makes it easy to manage, share and distribute custom-built transforms from a common point.
- Comms Server (Communication Server): A comms server gives the user the ability to share graphs and have multiple people work on a single graph at the same time.
Maltego Clients
There are further divided into four categories:
-
Maltego XL: Maltego XL (eXtra Large) is the latest version that Paterva came out with. It has all the features present in Maltego Classic with the addition of working with larger graphs. Like Maltego Classic, Maltego XL, too allows us to map out the network and do a threat analysis which makes it easier for us to find the weak points. Few features are listed below:
- The ability to perform link analysis on up to 1,000,000 entities on a single graph.
- The capability to return up to 10,000 entities per transformation.
-
Graph export options include:
- Images – jpg, bmp, png, and gif
- Generate PDF reports
- GraphML
- Entity Lists
- Tabular formats – csv, xlx, and xlsx
-
Import Graphs
- Tabular formats – csv, xlx, and xlsx
- Copy and paste
-
Maltego Classic: It is the professional version that provides extended functionality when compares with the CE (Community Edition) tool. It requires a licence key to be used. Few features are listed below:
- The ability to perform link analysis on up to 10,000 entities on a single graph.
- The capability to return up to 10,000 entities per transform that is run
-
Graph export options include:
- Images – jpg, bmp, png, and gif
- Generate PDF reports
- GraphML
- Entity Lists
- Tabular formats – csv, xlx, and xlsx
-
Import Graphs
- Tabular formats – csv, xlx, and xlsx
- Copy and paste
-
Maltego CE (Community Edition): This version is available for free. However, a simple signup is required to use it. It provides us with the same feature set as the commercial version, however, with a few limitations. Few features are listed below:
- The ability to perform link analysis on up to 10,000 entities on a single graph.
- The capability to return up to 12 entities per transform that is run
- Ability to share graphs in real-time with multiple analysts in a single session
-
Graph export options include:
- Images – jpg, bmp, png, and gif
- Generate PDF reports
- GraphML
- Entity Lists
- Tabular formats – csv, xls, and xlsx
-
Import Graphs
- Tabular formats – csv, xls, and xlsx
- Copy and paste
-
Case File: Maltego released this version as many users where using the tool to build graphs with offline data that they had gathered from various sources.
- It can be used to determine the relationships and real world like links between hundreds of different types of information
- It can be used to plot relationships between pieces of information
Note: All version of Maltego are available for Windows, Linux, and MacOS and require JAVA to run.
In this article, we will be focusing on Maltego CE (Community Edition). Maltego CE can be downloaded from the following link: https://www.paterva.com/web7/downloads.php#tab-3. As stated earlier, a simple signup would be required for it to run. The signup process can be found at https://www.paterva.com/web7/community/community.php. Maltego provides us with some transforms which can be overwhelming at times. For this tutorial, we will focus on finding information on a particular company.
Start Maltego and select the option "Footprint L3."
Next, we need to enter the domain name of the company whose information we are trying to gather. In this case, it will be airocorp.com.
Once it begins its operations, it will ask to see whether the relevant information is being pickup or not. Such as for MX records:
NS servers:
Since this website is running on a shared server, any other site that may be hosted on it may also appear. Maltego, being the smart tool it shows it to us gives us the option of keeping them or removing them from our graph.
Maltego also picks up our sub-domains and gives us the ability to get an answer to question(s) such as finding the technologies being used for them:
Along with seeing if any other sites may have been hosted on the same IP address:
Once it is done running the machines, we finally have our graph ready to be analyzed:
To further perform any actions, on the left-hand side of the screen, we can see a view called "Run View" under which all Transformations (marked in blue) are present. Just below those, another option called "Machines" can be found. These are the same option that we were presented on at the beginning from which we selected "Footprint L3". We can select any node in the graph and run further transformations/machines on that particular node:
The graph will be more complicated as we try and analyze bigger targets. To help in this case, Maltego provides us with easy options to mark and differentiate the parents, children, siblings and make the different relationship between them which can be easily identified on the graph:
We can further export the graph into tables to further simply our analysis:
Conclusion
Maltego is a powerful tool and one of the best for information gathering. Although it is numerous features can be overwhelming at times, but once you get a grip on the tool, it will prove its worth.
What should you learn next?
References:
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Maltego: Making sense of data
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness