Thursday, December 13, 2007

Paterva's Maltego for Information Gathering

If you haven't heard of Paterva's Maltego (formerly Evolution) then you've been missing out! HD Moore and Valsmith first mentioned it in their Tactical Exploitation talk at Black Hat Vegas and DEFCON.

From the Paterva Homepage:
  • Maltego is a program that can be used to determine the relationships and real world links between:
    • People
    • Groups of people (social networks)
    • Companies
    • Organizations
    • Web sites
    • Internet infrastructure such as:
      • Domains
      • DNS names
      • Netblocks
      • IP addresses
    • Phrases
    • Affiliations
    • Documents and files
The documentation walks you through the initial setup, accepting the transforms and getting API keys pretty well, so I won't cover it (go read, you lazy bums). Once you get through that, it's time to use it.

Maltego comes with Windows and Linux binaries, so just run it: ./maltego

Before you can start using Maltego you need to go to Tools --> Manage Transforms, then follow the wizard (read the documentation). You'll need to register on the Paterva site to get your API key, and on a couple of other sites to get API keys from them.

Here is how Maltego looks after you start it up. To use it, you drag an icon from the infrastructure or personal section to the Maltego Graph (blue) section.

Using Person --> Chris Gates as the search

You can see in the Transform Execution section the results you got back from the various transforms, and your graph being populated with those results.

The Person --> Chris Gates output. It found several email addresses, forum posts, my Amazon profile, and other stuff that wasn't me (there are actually a ton of Chris Gateses out there).

We could have added a keyword to get much better results for me specifically, but given that we know which email is mine, let's use that for another search.

Let's check out doing Infrastructure --> Domain for

Not bad. I don't think the phone numbers are correct, but the other results are relevant. We could also have used the whois transform and the DNS bruteforce transform to enumerate more hosts in the domain and to get the IP space.
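The walkthrough above (drop an entity on the graph, run the transforms that apply to it, watch the graph fill in, then pivot from the one result you trust) is easy to model in code. The following is an added example written for this post, not Paterva's code and not Maltego's real transform API: an entity is a (type, value) pair, a transform is a function from one entity to a list of new entities, and the graph is expanded breadth-first. The search hits, DNS records and whois data are constructed stand-ins so the script runs offline, and example.com, example.org and the 192.0.2.0/24 addresses are illustrative values.

```python
"""Toy model of Maltego-style link analysis: entities, transforms and a graph
that grows as transforms run. Added example for this post, not Paterva's code;
every lookup table below is constructed so the script runs offline."""
from collections import deque

# Constructed stand-ins for the transforms' back ends (in Maltego these would
# be web searches, DNS queries and whois lookups). The second hit for
# "Chris Gates" belongs to a different person, as happened in the real search.
SEARCH_HITS = {"Chris Gates": ["cg@example.com", "cgates@example.org"]}
DNS_RECORDS = {"example.com": ["www.example.com", "mail.example.com"]}
A_RECORDS = {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"}
WHOIS_NETBLOCK = {"example.com": "192.0.2.0/24"}

# An entity is a (type, value) pair; a transform maps an entity's value to
# zero or more new entities.
def person_to_email(name):
    return [("Email", addr) for addr in SEARCH_HITS.get(name, [])]

def email_to_domain(addr):
    return [("Domain", addr.split("@", 1)[1])] if "@" in addr else []

def domain_to_dns_names(domain):
    return [("DNSName", host) for host in DNS_RECORDS.get(domain, [])]

def domain_to_netblock(domain):
    block = WHOIS_NETBLOCK.get(domain)
    return [("Netblock", block)] if block else []

def dns_name_to_ip(host):
    ip = A_RECORDS.get(host)
    return [("IPv4", ip)] if ip else []

# Which transforms apply to which entity type (the hypothetical type names
# here roughly follow Maltego's Person / Email / Domain / DNS name entities).
TRANSFORMS = {
    "Person": [person_to_email],
    "Email": [email_to_domain],
    "Domain": [domain_to_dns_names, domain_to_netblock],
    "DNSName": [dns_name_to_ip],
}

def expand(seed, max_depth=5):
    """Run every applicable transform breadth-first from `seed`.

    Returns (nodes, edges): nodes is the set of entities discovered, edges a
    list of (source, transform name, target). `max_depth` caps how many
    transform hops from the seed are followed, since each hop can fan out."""
    nodes = {seed}
    edges = []
    queue = deque([(seed, 0)])
    while queue:
        entity, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for transform in TRANSFORMS.get(entity[0], []):
            for result in transform(entity[1]):
                edges.append((entity, transform.__name__, result))
                if result not in nodes:  # one node per entity, however many paths reach it
                    nodes.add(result)
                    queue.append((result, depth + 1))
    return nodes, edges

def of_type(nodes, entity_type):
    """Pick out the values of one entity type, e.g. every IPv4 address found."""
    return sorted(value for kind, value in nodes if kind == entity_type)

if __name__ == "__main__":
    nodes, edges = expand(("Person", "Chris Gates"))
    for src, name, dst in edges:
        print(f"{src[0]}:{src[1]} --{name}--> {dst[0]}:{dst[1]}")
    print("IPs:", of_type(nodes, "IPv4"))
    # Pivot from the one email we know is ours: the unrelated hit drops out.
    pivot_nodes, _ = expand(("Email", "cg@example.com"))
    print("Pivot graph size:", len(pivot_nodes))
```

Seeding with the Person entity pulls in the unrelated example.org address along with the real one, exactly the noise described above; seeding with the email you already trust gives a smaller graph containing only the relevant domain, hosts, netblock and addresses. The `max_depth` cap is the thing to watch in practice, because every hop multiplies the number of lookups you are firing at third-party services.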

That should be enough to get you started. I've been having fun picking random security bloggers I don't know to see what I can dig up about them, very fun. While I don't have a screenshot, the metadata search is awesome when Maltego finds "office" type documents, and it can be useful to reinforce that you are on the right track with your search.

Maltego Downloads:
Maltego Documentation:

Presentations on Maltego:
CansecWest07 Presentation [PPT] (1.8MB)
FIRST 2007 Presentation [PPT] (4.5MB)


Eric said...

Sweet, I had forgotten all about this Util... Thanks

mszafran said...

Nice article. Since I don't feel like doing my day job, I think I'll have a play with Maltego.