A Guide to OSINT Investigation with Maltego

[Image: Attribution graph between a domain and its owners, from https://www.paterva.com]
Maltego Disclaimer: The company clarifies that their software may not be used for unlawful actions: “You are not limited in how you can use the software but you can’t use it for unlawful actions (including collecting email addresses for sending spam). Same goes for the data or graphs you generate using it.” They also add: “You cannot blame us in any way if something goes wrong with this software. If you use this software and you get into trouble in any way then it’s your problem.”
What is Maltego and why use it for OSINT?

Maltego is a data mining tool that queries a variety of open-source data resources and uses that data to build graphs for analyzing connections. The graphs let you easily draw links between pieces of information such as names, email addresses, organizational structure, domains, documents, etc. Maltego is written in Java, so it runs on Windows, Mac, and Linux, and it ships in many OSINT Linux distros such as Buscador or Kali. Basically, it parses a large amount of information, searches various open-source websites for you, and then produces a good-looking graph that helps you put the pieces together. Maltego can be used as a resource at any point during an investigation; however, if your target is a domain, it makes sense to start mapping the network with Maltego from the very beginning.
Which Maltego version should I download?

There are several versions of Maltego available:
• Maltego XL: premium version for large data sets
• Maltego Classic: paid version which includes all APIs (transforms)
• Maltego CE: free version with limited APIs (transforms)
• Casefile: for examining links in offline data

The main differences between Maltego Classic, Maltego XL and Maltego CE are the number of entities that can be returned from a single transform and the maximum number of entities that can be placed on a single graph.

For our purposes here I will be using Maltego CE, the free version with limited transforms. Maltego comes pre-installed in the Buscador Linux distribution, which is typically a favorite of Open-Source Intelligence investigators.
https://docs.maltego.com
Installing Maltego

Buscador: If you have Maltego via Buscador, it will initially present as the Casefile version. You will need to go to the Maltego site and create an account. Once your account is created you will receive a key which turns your Casefile into CE.

Kali: Maltego comes pre-installed on Kali. You will need to go to the Maltego site and create an account. Once your account is created you will receive a key that allows you to use the Community Edition.

Fresh Install: If you are doing a fresh install on Windows, Mac, or Linux, Paterva provides a step-by-step guide.
What is all this API/Transform nonsense?

[Image: Screenshot of Transforms in the Windows version]

An API is an Application Programming Interface; in very simple terms it is what connects other software, such as Shodan and ThreatMiner, with Maltego. Maltego calls these connections “Transforms”, and if you are running Maltego CE you will find that some transforms are free while others are paid. The downside of running the free version of Maltego is that not all of the transforms come pre-installed; to use them you will need to sign up on each provider's website to obtain the API key that activates the corresponding transform. Depending on your needs, you can focus on specific transform sets made for OSINT, Threat Intel, organization mapping, etc., which limits the amount of legwork you need to do for activation.
How to perform simple network recon

Starting with a domain name, we can begin to map out the structure of an organization, including other sites it owns. It is surprising how much information can be found using nothing more than a domain name.

Click the New Graph button in the upper left corner and a blank graph pane will open.

[Image: New graph]

From the Entity Palette on the left, scroll until you find Domain and then drag it into your blank graph pane.

[Image: Find Domain in the Entity Palette]

Double-click on the domain icon and change the name to the domain you want to investigate; I chose hbo.com.

Right-click on the domain icon; this opens the Run Transforms box. Here you could be very specific about what you want to search for by scrolling through the palette and selecting individual transforms, but we are going to go crazy and just choose Run All Transforms by clicking the little fast-forward arrows beside it.

[Image: Run All Transforms on the domain]

As soon as Run Transforms is selected, Maltego begins its work by graphing out the structure of the network. Note: on the left side of the graph pane there are several options for viewing the graph in different layouts.

[Image: Screenshot of hbo.com domain]

You can see in the image below that all sorts of information pops up, including DNS servers, related sites, related email addresses, mail servers, and more.

[Image: Network graph for the domain]

You can use these connections to make even more detailed connections, such as names associated with email addresses and phone numbers.
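To make the transform idea above concrete, here is an added example (not code from the original post or from Maltego) of what a local transform actually is: a script that receives the selected entity's value as its first argument and prints a MaltegoTransformResponseMessage describing the new entities (NS records, MX records, contact addresses) to hang off the domain, the same kind of results the "Run All Transforms" step produced for hbo.com. The DNS/WHOIS data is a constructed sample table standing in for a live lookup, and the domain names in it are assumptions; the use case in mind is mapping your own organization's footprint, which is how the output of such a transform is usually reviewed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a live DNS/WHOIS lookup (assumption:
# a real transform would query the source, e.g. with dns.resolver, instead).
SAMPLE_DNS = {
    "example-target.test": {
        "maltego.NSRecord": ["ns1.example-target.test", "ns2.example-target.test"],
        "maltego.MXRecord": ["mail.example-target.test"],
        "maltego.EmailAddress": ["hostmaster@example-target.test"],
    }
}

def lookup(domain):
    """Return {maltego_entity_type: [values]} for a domain, or {} if nothing is known."""
    return SAMPLE_DNS.get(domain.strip().lower(), {})

def build_response(domain):
    """Build the XML Maltego expects back from a local transform run on a Domain entity."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    found = lookup(domain)
    for etype, values in found.items():
        for value in values:
            ent = ET.SubElement(entities, "Entity", Type=etype)
            ET.SubElement(ent, "Value").text = value
            ET.SubElement(ent, "Weight").text = "100"
            # Extra field shown in the entity's detail view: which domain produced it
            fields = ET.SubElement(ent, "AdditionalFields")
            ET.SubElement(fields, "Field", Name="source.domain",
                          DisplayName="Source domain").text = domain
    # UIMessages are shown in Maltego's output pane rather than on the graph
    msgs = ET.SubElement(resp, "UIMessages")
    total = sum(len(v) for v in found.values())
    ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = (
        f"{total} entities found for {domain}")
    return ET.tostring(root, encoding="unicode")

def count_entities(xml_text):
    """Parse a response message and return {entity_type: count} for quick checking."""
    counts = {}
    for ent in ET.fromstring(xml_text).iter("Entity"):
        counts[ent.get("Type")] = counts.get(ent.get("Type"), 0) + 1
    return counts

if __name__ == "__main__":
    # Maltego passes the selected entity's value as argv[1] to a local transform
    print(build_response(sys.argv[1] if len(sys.argv) > 1 else "example-target.test"))
```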
Let’s take a closer look at one of the people that showed up connected to hbo.com, “Thomas Peterson.” Right-click on Thomas’s icon and run All Transforms.

When the transforms finish running, we will have an added graph of all of Thomas Peterson’s associated email addresses.

[Image: Thomas Peterson’s emails]

Sometimes this can lead to some strange findings. I have stumbled upon a lot of funny/hidden emails while doing similar searches.

[Image: Thomas Peterson’s email associations]
How to run an email address in Maltego

I was curious about Thomas’s Rick Grimes Tormail address, so I decided to take a closer look.

Create a new graph the same way we did in the previous step. This time, select Email Address in the Entity Palette and drag it over to the empty graph.

Double-click on the email address icon and change the text to the email address you want to search. In this case, I used “realrickgrimes@tormail.org”.

Right-click on the email address icon and run All Transforms by clicking the fast-forward arrows.

[Image: Screenshot of running transforms on an email address]

After the transforms run, a graph will pop up displaying all the connections to the address. You can see here that realrickgrimes@tormail.org connects to a person, “Rick Grimes”, who then connects to several other email addresses. I was intrigued by Rick’s connection with carl.grimes1995@gmail.com, so I decided to run All Transforms on that email as well.

[Image: Running all transforms on the email address]

carl.grimes1995@gmail.com led me to several more interesting people like Carl Grimes and Steve Brule. I feel a bit like I am getting sucked into a black hole of Walking Dead references, so I run a transform on Steve Brule.

Steve Brule leads me to steve@checkitout.com and steve@brule.com as well as the site checkitout.com.

I tried visiting the site, but it wasn’t active, so I did a quick WHOIS search. The WHOIS search came back registered to CSC Global, which is a digital brand services and domain management company.

The previous registrant was the Hearst Corporation.

At this point, instead of continuing down the Steve Brule rabbit hole, I am going to assume that the Hearst organization, and now CSC, is holding the domain either to protect it from misuse or to resell it at some point.
As you can see, there are a million fun things you can do with just a simple domain and email search within Maltego! Test drive Maltego yourself by searching your own email address or web address and see what connections you can make. Take it one step further and try searching for your phone number to see how it can be linked to you.

Check out my tutorial for Lampyre if you are looking for another Windows-based solution for email address recon and graphing.