Thursday, December 13, 2007

Paterva's Maltego for Information Gathering

/
/
If you haven't heard of Paterva's Maltego (formally Evolution) then you've been missing out! HD Moore and Valsmith first mentioned it in their tactical exploitation talk at Blackhat Vegas and Defcon.

From the Paterva Homepage:
  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
The documentation walks you through the initial setup and accepting of the transforms and getting API keys pretty well, so I wont cover it (go read you lazy bums). Once you get through that its time to use it.

Maltego comes with windows and linux binaries, so just run it ./maltego


Before you can start using Maltego you need to go to tools -->Manage transforms, then follow the wizard (read the documentation). you'll need to register on the Paterva site to get your API key and a couple other sites to get API keys from them.

Here is how Maltego looks after you start it up. To use it, you drag an icon from the infrastructure or personal section to the Maltego Graph (blue) section.

Using Person --> Chris Gates as the search

You can see in the Transform Execution section the results you got back from the various transforms and your graph being populated with the results

The Person --> Chris Gates output. it found several email addresses, forum posts, my Amazon profile, and other stuff that wasnt me (there are actually a ton of Chris Gates' out there).


We could have added a key word to really get better results for me specifically but given that we know the learnsecurityonline.com email is mine, lets use that for another search.

Let's check out doing Infrastructure --> Domain for learnsecurityonline.com


Not bad, I don't think the phone numbers are correct but the other results are relevant. We could have also used the whois transform and DNS bruteforce transform to enumerate some more hosts in the domain and to get the IP space.

That should be enough to get you started, i've been having fun picking random security bloggers I dont know to see what i can dig up about them, very fun. While I don't have a screenshot, the metadata search is awesome when Maltego finds "office" type documents and can be useful to reinforce you are on the track with your search.

Links!
Paterva: http://www.paterva.com
Maltego Downloads: http://www.paterva.com/web2/maltego/maltego-gui-1.0-download.html
Maltego Documentation: http://www.paterva.com/web2/maltego/maltego-docs.html

Presentations on Maltego:
CansecWest07 Presentation [PPT] (1.8MB)
FIRST 2007 Presentation [PPT] (4.5MB)
/
/
, , ,
CG

2 comments:

E. Hulse said...

Sweet, I had forgotten all about this Util... Thanks

December 14, 2007 at 9:40 AM
Anonymous said...

Nice article. Since I dont feel like doing my day job, I think I'll have a play with Maltego.

December 17, 2007 at 5:32 AM

Post a Comment

Subscribe to: Post Comments (Atom)

Copyright 2023 © Carnal0wnage Blog