What is Maltego and why use it for OSINT?
Maltego is a data mining tool that mines a variety of open-source data resources and uses that data to create graphs for analyzing connections. The graphs let you easily make connections between information such as names, email addresses, organizational structure, domains, documents, etc. Maltego is written in Java, so it runs on Windows, Mac, and Linux, and it ships with many OSINT Linux distros such as Parrot OS or Kali. Basically, it will parse a large amount of information, search various open-source websites for you, and then toss out a pretty looking graph that will help you put the pieces together. Maltego can be used as a resource at any point during the investigation; however, if your target is a domain, it makes sense to start mapping the network with Maltego from the start.
Transforms run through seed servers: the client sends its data as XML over a secure HTTPS connection, the server processes the request, and the results are returned to the Maltego client.
Gathering all publicly available information using search engines and manual techniques is cumbersome and time-consuming. Maltego largely automates the information gathering process, saving the attacker a lot of time. The graphical display of the information it mines aids the attacker's thinking process in determining the interconnected links between each entity.
What does Maltego do?
It is a program that can be used to determine the relationships and real world links between:
– Groups of people (social networks)
– Web sites
– Internet infrastructure such as:
  – DNS names
  – IP addresses
– Documents and files
These entities are linked using open source intelligence.
– It is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
– It provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
– Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
– It is unique because it uses a powerful, flexible framework that makes customizing possible. As such, it can be adapted to your own, unique requirements.
There are several versions of Maltego available:
• Maltego XL – premium version for large data sets
• Maltego Classic – paid version which includes all APIs (transforms)
• Maltego CE – free version with limited APIs (transforms)
• Casefile – for examining links in offline data
The main differences between Maltego Classic, Maltego XL and Maltego CE are the number of entities that can be returned from a single transform and the maximum number of entities that can be on a single graph.
It comes pre-installed on most OSINT distros. You will need to go to the Maltego site and create an account. Once your account is created you will receive a key that allows you to use the Community Edition.
If you are doing a fresh install on Windows, Mac, or Linux, here is a step-by-step guide.
How to perform simple network recon
Starting with a domain name we can begin to map out the structure of an organization including other sites they own. It is surprising how much information can be found by using nothing more than a domain name.
Click the new graph button in the upper left corner and a blank new graph pane will open.
From the Entity Palette on the left, search or scroll until you find Domain and then drag it into your blank graph pane.
Double click on the domain icon and change the name to the domain you want to investigate.
Right-click on the domain icon; this opens the Run Transforms box. Here you could be very specific about what you want to search for by scrolling through the list and selecting individual transforms, but we are going to go crazy and just choose Run All Transforms by selecting the little fast forward arrows beside it.
As soon as Run All Transforms is selected, Maltego begins its work by graphing out the structure of the network. Note: on the left side of the graph pane there are several options for viewing the graph in different layouts.
As you can see, all sorts of information pops up, including DNS servers, related sites, related email addresses, mail servers and more.
You can use these connections to make even more detailed connections, such as names associated with email addresses and phone numbers, by right-clicking on an icon and running All Transforms.
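The transforms behind the domain step above are just programs that return entities to the client as XML, and the framework lets you write your own. The following added example (not code from the article or from Maltego) is a minimal local transform for a Domain entity: it takes the domain as its first argument, looks it up against a constructed, offline DNS table standing in for a real query, and prints the MaltegoTransformResponseMessage XML that the client turns into DNS name, MX and NS nodes on the graph.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a live DNS lookup so the script
# runs offline. A real local transform would query DNS (or an API) here.
SAMPLE_RECORDS = {
    "example.com": {
        "maltego.DNSName": ["www.example.com", "mail.example.com"],
        "maltego.MXRecord": ["mail.example.com"],
        "maltego.NSRecord": ["ns1.example.com", "ns2.example.com"],
    }
}


def lookup_records(domain):
    """Return {maltego_entity_type: [values]} for a domain (constructed data)."""
    return SAMPLE_RECORDS.get(domain.strip().lower(), {})


def build_response(records):
    """Build the response XML a Maltego local transform prints to stdout.

    Each <Entity> becomes a node linked to the input domain on the graph;
    Weight (0-100) controls how prominently the client ranks the result.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for entity_type, values in records.items():
        for value in values:
            ent = ET.SubElement(entities, "Entity", Type=entity_type)
            ET.SubElement(ent, "Value").text = value
            ET.SubElement(ent, "Weight").text = "100"
    # UIMessages show up in the client's output pane; handy for diagnostics.
    ui = ET.SubElement(resp, "UIMessages")
    msg = ET.SubElement(ui, "UIMessage", MessageType="Inform")
    msg.text = f"{sum(len(v) for v in records.values())} entities returned"
    return ET.tostring(root, encoding="unicode")


def run_transform(domain):
    """Run the transform for one Domain entity value and return the XML."""
    return build_response(lookup_records(domain))


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    print(run_transform(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Running it with `python transform.py example.com` prints the XML; registered as a local transform in the client, the same output appears as nodes hanging off the Domain entity.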
How to run an email address in Maltego
Create a new graph the same way we did in the previous step. This time, select Email Address in the Entity Palette and drag it over to the empty graph.
Double-click on the email address icon and change the text to the email address you want to search for.
Right-click on the email address icon and run All Transforms by selecting the fast forward arrows.
After the transforms run, a graph will pop up displaying all the connections to the address.
This tool should not be used for unlawful actions.