Maltego is an open-source intelligence (OSINT) tool for graphical link analysis, used during information gathering. You can gather information on just about anything: people, chemical weapons, IP addresses, terrorists, bank account numbers, and so on. Maltego uses transforms to fetch the information required. The Transform Hub lists the many data sources from which transforms pull their data (e.g., Shodan, VirusTotal); in most cases, transforms do not come pre-installed, so you have to install each one manually. A transform is a piece of code that takes an input entity and returns related entities, which Maltego renders visually on a blank canvas. Maltego contains hundreds of transforms, so you can sift through data in real time. Maltego Community Edition (MCE) is the free alternative to the paid version; however, the free edition is quite restrictive and lacks many of the features the paid version offers. Maltego is available for Linux, macOS, and Windows.
Maltego can be downloaded and installed from www.maltego.com/downloads.
Next, create an account and follow the installation instructions.
As we said earlier, transforms are not installed by default and therefore must be manually selected and installed.
To add a transform (and mind you, you may wish to add many transforms):
- Go to the transform tab and click on it, then click “Transform Hub”
- I’m interested in the free ones, so let me specify that by clicking the “free” option under Pricing. Suppose that I want to install the CaseFile Entities transform. Hover the mouse over the transform and, when the “install” button appears, click on it. That installs the transform.
Creating The Graph
The graph is the centerpiece of Maltego. The first step in creating a graph is selecting an entity (e.g., a person, a domain name).
- Click on the square box with a plus sign (top left corner) to start a new graph.
- Right beneath the square box with a plus sign is the Entity Palette. Choose the entity you want from it, and drag it to the “New Graph” sheet.
In my case, I’m going to investigate “linuxhint.com”, a domain. But please note that it doesn’t have to be a domain! It can be anything you want; just scroll through the Entity Palette and find what you’re trying to look up.
Click on the label of the entity you dropped on the graph. In my case, by default, it says paterva.com. I’m going to click on it and change it to linuxhint.com.
To see the types of transforms you can run, right-click the entity.
New users almost always click on “All Transforms”; however, you shouldn’t do that. You’ll end up with a mess that you cannot analyze. Instead, you should click on one transform at a time. You can run multiple scans, no problem, but one by one. First, do a transform, then analyze the results. Then, do another transform, analyze the results, and so on.
In my case, I will use the transform “To website”. This makes finding things about the website easier.
As you may notice, it created a new diagram.
I then asked it to do another transform: “to IP address”.
This tells me that there are two IP addresses associated with linuxhint.com. I know from Nikto that the real IP address is 126.96.36.199. So let’s proceed with that IP address.
Next, I’m going to use the “To location” transform to find where LinuxHint is located. I get that it’s located in the United States.
Here, you can keep going and going; this is called information gathering. You can gather a lot of information about Linuxhint.com.
Now suppose that I wished to access WHOIS information. I will use the transform set called “WHOISXML information” and, within it, “To WHOIS record”.
Clicking the play button next to a transform set runs every transform in that set at once. But like I said, this is messier, and the results are harder to analyze.
And please remember that you can click on any of the generated results to apply a transform. Transforms are not restricted to the first entity but are applicable anywhere, anytime. Just remember that the graph can get messy very fast, and as such, it’s your job to ensure that you apply the appropriate transforms.
But, more information about Linuxhint.com can be found using the WHOIS records. For this, select the result obtained when the transform was applied; it should add this panel:
According to this, the registrant’s postal code is 85284 and the registrant lives in Tempe, Arizona, United States. There’s even a phone number and a fax number. And the information keeps going.
And mind you, this is just the WHOIS record. What Maltego does is facilitate the search process: instead of searching website after website, you apply the transform, and it retrieves the information and displays it for you.
Now, suppose that you applied a transform that you didn’t want in the first place; you can undo it with Ctrl+Z or delete the results altogether. You don’t have to start over; just select the results you want to remove and press the Delete key. This removes only the selected results from your graph.
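To make the ideas above concrete (a transform as code that turns one entity into related entities, running transforms one at a time, and deleting a run’s results without starting over), here is an added example of my own; it is not Maltego’s code and not part of the original article. It follows the local-transform convention of receiving the entity value as the first command-line argument and printing a MaltegoMessage XML document, and it uses a constructed, offline DNS table with documentation-range addresses instead of a real lookup. The small `Graph` class, the run-tracking scheme and the `FAKE_DNS` data are my own illustrations, not Maltego internals.

```python
"""Added example (not Maltego's own code): a Maltego-style local transform
that turns a Domain entity into IPv4Address entities, emitted as the
MaltegoMessage XML that local transforms print to stdout, plus a small
graph that records each transform run so one run's results can be
deleted without starting over. The DNS data is constructed so that
everything runs offline."""
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for a DNS lookup; documentation-range addresses, not real records.
FAKE_DNS = {
    "example.com": ["192.0.2.10", "192.0.2.11"],
}


def resolve_ipv4(domain):
    """Return the IPv4 addresses the transform would attach to a domain."""
    return FAKE_DNS.get(domain.lower().rstrip("."), [])


def to_ipv4_address(domain):
    """The transform proper: one input entity value -> list of (type, value) outputs."""
    return [("maltego.IPv4Address", ip) for ip in resolve_ipv4(domain)]


def build_response(entities):
    """Wrap (type, value) pairs in a MaltegoTransformResponseMessage document."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = "100"
    ET.SubElement(resp, "UIMessages")
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Read a response back into (type, value) pairs, as the client does."""
    root = ET.fromstring(xml_text)
    return [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]


class Graph:
    """Entities plus links, each tagged with the transform run that created it
    (hypothetical model, not Maltego's internal graph format)."""

    def __init__(self, seed_type, seed_value):
        self.entities = {(seed_type, seed_value): None}  # entity -> run id (None = seed)
        self.links = []                                  # (parent, child, run id)
        self.run_count = 0

    def run(self, transform, parent):
        """Apply one transform to one entity and attach its results; returns the run id."""
        self.run_count += 1
        for child in parse_response(build_response(transform(parent[1]))):
            self.entities.setdefault(child, self.run_count)
            self.links.append((parent, child, self.run_count))
        return self.run_count

    def delete_run(self, run_id):
        """Remove only what a given run added, keeping the rest of the graph."""
        self.links = [link for link in self.links if link[2] != run_id]
        self.entities = {e: r for e, r in self.entities.items() if r != run_id}


if __name__ == "__main__":
    # Invoked as a local transform, the entity value arrives on the command line.
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(build_response(to_ipv4_address(domain)))
```

Running the script with a domain as its argument prints the XML response a transform would hand back to Maltego; the `Graph` class mirrors the workflow recommended above, where each transform is run separately and the results of one run can be deleted on their own.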
Information gathering is one of the most important steps, and Maltego is one of the best tools for analyzing just about anything. You can choose to analyze the available data on people, domains, cryptocurrencies, weapons, and more. Maltego is a massive program, and although the best features are only available in the paid version, you can get quite a bit out of the free version. All in all, Maltego is worth a try!