January 2011 Maltego 3 User Guide - Transforms Version 3.0

Transcription

1 PATERVA Maltego transforms A reference guide RT 2011/01

2 Table of Contents 1 Introduction Search engine transforms General notes when using search engine transforms Problems with parsing results Infrastructure Internet Autonomous System (AS) To Netblocks in this AS [Robtex] NS (Name Server) To Domains [DNS] To IP Address [DNS] To Web site [Query port 80] Domain To MX (mail server) [DNS] To NS (name server) [DNS] To DNS Name [Attempt zone transfer] To DNS Name [Find common DNS names] To DNS Name [Name Schema] To Domain [Find other TLDs] To address [From whois info] To addresses [PGP] To addresses [using Search Engine] To Search Engine] To Entities (NER)[Alchemy and OpenCalais] via whois To Files (Interesting)[using Search Engine] To Files (Office)[using Search Engine] To Person [PGP] To Phone Numbers [using Search Engine] To Phone numbers [From whois info] To Website DNS [using Search Engine] To Website [Quick lookup] To Website [using Search Engine] Maltego Transforms a reference guide Page 2

3 3.4 An IP version 4 address To DNS Name [Other DNS names] To DNS Name [Reverse DNS] To Domain [Sharing this MX] To Domain [Sharing this NS] To address [From whois info] To Entities (NER)[Alchemy and OpenCalais] via whois To Geo location [whoisapi] To Netblock [Blocks delegated to this IP as NS] To Netblock [Natural boundaries] To Netblock [Using routing info] To Netblock [Using whois info] To Telephone Number [From whois info] To Website where IP appears [using Search Engine] MX record (mail exchange record) To Domain [DNS] To Domains [Sharing this MX] To IP Address [DNS] DNS name server record To Domain [DNS] To Domains [ Sharing this NS] To IP Address [DNS] To Netblock [Blocks delegated to this NS] Netblock To AS number To DNS Names in netblock [Reverse DNS] To Entities (NER)[Alchemy and OpenCalais via whois To Geo location URL To Addresses [Found on web page] To Entities (NER)[OpenCalais and Alchemy API] To Phone number [Found on this web page] To URL [incoming links found to this web page] To Website [Convert] Maltego Transforms a reference guide Page 3

4 3.8.6 To Website [Links on this web page] Website Mirror: addresses found Mirror: External links found To Domains [DNS] To IP Address [DNS] To URLs [show Search Engine results] To Website [Incoming links to site] To Website [Replace with thumbnail] To Website title Personal Document Parse meta information To URL [Show SE results] To Domain [DNS] To Addresses [PGP(signed)] To Addresses [PGP] To Addresses [using Search Engine] To Person [PGP] To Phone number [using Search Engine] To URLs [Show search engine results] To Website [using Search Engine] Verify address exists [SMTP] Person To Address [PGP] To Address [Verify common] To Address [using Search Engine] To Person [PGP(signed)] To Phone Number [using Search Engine] To Website [using Search Engine] Phone Number To Address [using Search Engine] To Phone Number [using Search Engine] Maltego Transforms a reference guide Page 4

5 4.4.3 To URL [Show Search Engine results] To Website [using Search Engine] Phrase To Addresses [using Search Engine] To Entities (NER)[Alchemy and OpenCalais] To Files (Interesting)[using Search Engine] To Files (Office)[using Search Engine] To Telephone numbers [using Search Engine] To Tweets [Search Twitter] To Website [using Search Engine] To related phrase Twit To Twitter Affiliation [Convert] To URL(s) [Found in these Tweets] Affiliation Twitter To AffTwitter [Get details of ID holder] To AffTwitter [This person received Tweets from?] To AffTwitter [This person wrote Tweets to?] To Person [Convert] To Tweets [That this person wrote] To Tweets [Written to this person] To followers of this person To friends of this person Maltego 3 Client Transforms - Overview Infrastructure Internet Autonomous System (AS) Domain Name System server name Internet Domain IP version 4 address Location on mother earth DNS mail exchange record DNS name server record Netblock URL Maltego Transforms a reference guide Page 5

6 Website Personal Document Person Phone Number Phrase Twit Affiliation Facebook Affiliation LinkedIn Affiliation Twitter Maltego Transforms a reference guide Page 6

7 1 Introduction This document serves as a reference guide of transforms that are currently in use in Maltego. The last section of this document gives a summary of all transforms. Maltego Transforms a reference guide Page 7

8 2 Search engine transforms There are couple of transforms that use search engines - all of them very similar. The basic recipe with these transforms is as follows: 1. Expand the question. The question is the input from the GUI - be that a person's name, a domain or an phone number. When looking at a person's name for instance the name 'Kosie Kramer' will be expanded to searches like '"Kosie Kramer"', '"K Kramer"', 'Kramer Kosie' etc. In the case of a telephone number the search will be expanded to include most telephone notations used. 2. Assign confidence levels. Because a search for '"Kosie Kramer"' is more likely to return good results - rather than a search for 'KramerK' the confidence level for the first search would be higher. The confidence levels are also used to assign preference to certain file types when doing searches on documents (these are configurable in the transform). In the same way a XLS file containing the word is likely more interesting than a PDF file. 3. Perform each search. The searches are performed and the snippets are obtained. It is important to note that only snippets are parsed. For parsing the entire page you need to dump to URL and process the URLs separately. Various search engines have various snippet lengths. 4. Parse for output entities. Depending on what output is required the snippets are parsed for entities - in some cases the web site's name is all that's required. 5. Calculate weight. The weigh is calculated from various factors - the confidence of the search, the frequency of the result, the importance of the web site where the result came from, and in some cases a correlation to the input. 6. Normalise. The weights are now normalised using a fairly interesting algorithm that involves the mean and standard deviation of the spread of weights. It is important to understand that a search result with a equal spread of weights are mostly useless. 2.1 General notes when using search engine transforms Maltego will sometimes give you results that seem plain wrong. You need to keep in mind that the application will get pretty desperate when it does not get results. So - when you are searching for a person called "Vaxynutus Grabounill" and that person simply left no marks on the Internet Maltego will eventually go after a search term "VG"- with a super low confidence - but you will still get some results. These results could seem completely off the mark, but should have very low weights. Always look at the weights. Many of the search engine transforms use pop-up transform settings for location and additional terms. If you are not getting the results you want you should try adding some terms here. You can read all about it in the User guide in the section about Transform properties. Maltego Transforms a reference guide Page 8

9 2.2 Problems with parsing results Some entities are hard to parse. Telephone numbers are notoriously hard to parse. There is always a trade-off between missing numbers and parsing non-telephone numbers as phone numbers. With the current transforms we hope to have reached the optimal balance. Maltego Transforms a reference guide Page 9

10 January Infrastructure Maltego 3 User Guide - Transforms Version Internet Autonomous System (AS) To Netblocks in this AS [Robtex] This transform expands an ASNumber to one or more netblock Entity. This transform is very useful in the infrastructure re foot printing of an organization. Let us assume that Org. X owns a couple of netblocks, but only has a single DNSName that points to a single netblock - the other netblocks have no DNS information (e.g. no forward DNS pointing to it, or reverse DNS entries in the block). Using this transform we can find the ASNumberEntity of the netblock. Once we have the AS number we can expand it to all the other netblocks that Org. X have. Maltego Transforms a reference guide Page 10

11 January NS (Name Server) Maltego 3 User Guide - Transforms Version To Domains [DNS] This transform extracts the DomainEntity from a DNSNameEntity. The domain in a DNS Name like 'mx.google.co.uk' would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and subtlds are really not that useful it is not returned To IP Address [DNS] This is a simple transform. It resolves a DNSName to an IPAddress. Enough said. Maltego Transforms a reference guide Page 11

12 3.2.3 To Web site [Query port 80] This transform basically converts DNSName to Website. Before simply changing the types the transform will query port 80 on the DNS Name and see if it can get a proper HTTP response. Currently only port 80 is tested. In upcoming versions port 443 will also be tested. The transform also populates the server type and the HTTP ports in the additional fields. Maltego Transforms a reference guide Page 12

13 January Domain Maltego 3 User Guide - Transforms Version To MX (mail server) [DNS] This transform determines if an MX record exists for the given Domain. The MX record is the mail exchanger record and is returned as an MXrecord Entity. The IP address of this record gives a good indication of the network location of the target as most organizations keep their mail close to their network. This is normally used in the infrastructure foot printing of an organization. The IP Address of this record gives a good indication of the network location of the target as most organisations keep their mail close to their network. This is normally used in the infrastructure foot printing of an organisation. Maltego Transforms a reference guide Page 13

14 3.3.2 To NS (name server) [DNS] This transform determines if an NS record exists for the given Domain. The NS record is the name server record and is returned as an NSrecord Entity. This is normally used in the infrastructure foot printing of an organization. A note of caution - it is not uncommon for organizations to outsource their name servers to their ISP or to the registrar of their domain. Thus - in terms of finding the network (e.g. resolving this to an IP address) of the target this has limited value - human inspection is advised. Maltego Transforms a reference guide Page 14

15 3.3.3 To DNS Name [Attempt zone transfer] This transform attempts a zone transfer (AXFR) on the Domain. If possible it extracts the Cnames and A records from the zone as DNSName. If a zone transfer is possible then all the DNS names associated with the domain are returned, and there is no need to brute force it anymore. The results of a successful zone transfer normally results in a very happy analyst as resolving these DNS names to IPAddress gives a very good indication of the network location of the target. Maltego Transforms a reference guide Page 15

16 3.3.4 To DNS Name [Find common DNS names] This transform attempts to find DNS names for the specified Domain. This is done by testing a list of DNS Names and seeing if they exist. The list of names that are tested for can be configured inside the transform. The specified domain is appended to the name and tested. If it exists it is returned as a DNS Name. Maltego Transforms a reference guide Page 16

17 3.3.5 To DNS Name [Name Schema] The transform will try several word lists (think Lord of the Rings names, planet names, colours, TLDs etc.) as DNS names. If it finds a match in a specific word list it will try the entire word list. In this way it will try to determine the naming schema for the domain. Note that the transform can take a while to complete - especially when it finds a match in a long word list. The test depth per word list can be set in the transform. In the screen shot below we see how different TLDs exists inside the domain. Maltego Transforms a reference guide Page 17

18 3.3.6 To Domain [Find other TLDs] This transform will try to find domains with different TLDs by looking it up at ServerSniff ( If you provide the domain 'funstuff.com.my' the transform will attempt to find 'funstuff.co.uk' and 'funstuff.com'. This is useful when trying to find all the domains of an organization in the infrastructure foot printing phase. A note of caution - this transform is very heavy in terms of processing power. It is also relatively slow (appreciate the fact that there are many millions of domains). Also results are not guaranteed to include all known domains but it is a good trade off between speed/accuracy. Maltego Transforms a reference guide Page 18

19 3.3.7 To address [From whois info] This transform performs a recursive whois query on the supplied domain and parses the output for addresses. The whois information itself is stored as a property of the supplied domain ('Domain Whois'). You should always manually inspect this data to give context to results - or see if the parsing of the address failed. Maltego Transforms a reference guide Page 19

20 3.3.8 To addresses [PGP] This transform queries a public PGP key server and asks the question -"show me all the addresses that ends in the supplied domain name' - results are returned as address entities. Keep in mind that this information might be outdated. The transform is useful for finding addresses at a domain - an added bonus is that we know these people communicate encrypted to others To addresses [using Search Engine] This transform searches for the domain and shows related addresses. Maltego Transforms a reference guide Page 20

21 To [using Search Engine] This transform will search for addresses containing the domain name. Maltego Transforms a reference guide Page 21

22 To Entities (NER) [Alchemy and OpenCalais] via whois This transform performs NER (Named Entity Recognition) on the whois information extracted from the domain and proceeds to extract person names, companies/organizations, phone numbers and locations from the text. Please note that NER is not perfect - just go ask General Failure To Files (Interesting) [using Search Engine] This transform will search for the locations of interesting files hosted on web sites inside the domain. The priority for each file type can be configured as shown below: Properties Maltego Transforms a reference guide Page 22

23 To Files (Office) [using Search Engine] This transform will search for the locations of interesting documents (think Office[tm]) hosted on web sites located on the domain. The priority for each file type can be configured as shown below: Maltego Transforms a reference guide Page 23

24 To Person [PGP] This transform contacts a public PGP key server and returns Person Entities with addresses that are located within the given domain. This transforms queries one of the public PGP key server and ask the question 'who do you have in your database with addresses that ends in the supplied domain?'. Results are returned as Person entities. The key servers limit the results - if there are too many results the server returns no results. This transform is useful when enumerating people working at a company. Keep in mind that the information might be outdated. Maltego Transforms a reference guide Page 24

25 To Phone Numbers [using Search Engine] This transform will search for the given domain on search engines and shows the related phone numbers. Maltego Transforms a reference guide Page 25

26 To Phone numbers [From whois info] This transform performs a recursive whois query on the supplied domain and parses the output for phone numbers. The idea with the transform is to provide the phone number of the owner of the domain. The whois information itself is stored as a property of the domain ('Domain Whois'). You should always manually inspect this data to give context to results - or see if the parsing of the phone number failed (it is difficult to correctly parse all forms of phone numbers) To Website DNS [using Search Engine] This transform will query search engines for websites and return them as website entities. Maltego Transforms a reference guide Page 26

27 To Website [Quick lookup] This transform will do a quick look up to see if the DNS entry exists. This transform is useful when dealing with a large amount of domain and you only need to quickly see which of them have web sites (e.g. not try to find all possible DNS names) To Website [using Search Engine] This transform will search for the domain name and then show the web sites where the domain name occurs. Maltego Transforms a reference guide Page 27

28 Maltego Transforms a reference guide Page 28

29 January An IP version 4 address Maltego 3 User Guide - Transforms Version To DNS Name [Other DNS names] This transform queries two different 'historical' DNS databases to see what other DNS names are associated with the IP Address. These databases are populated using various techniques. The transform is useful to find co-hosted sites - e.g. the website (or MX, NS) of companya could resolve to and co-hosted on that IP address are and/or companyab.com. m. In certain cases you will find that the forward DNS entries for the resultant DNS names are is now pointing to other IP addresses (other than the supplied one). This simply means that changes have been made to DNS, and that the provider's database is keeping the old information. Sometimes this is useful (as you can see that a change was made), sometimes it is annoying. Maltego Transforms a reference guide Page 29

30 3.4.2 To DNS Name [Reverse DNS] This transform uses stock standard reverse DNS to determine the DNS name associated with the IP Address. Note that not all IP addresses will reverse resolve. It is the responsibility of the owner of the netblock where the IP resides (or whoever this task was delegated to) to populate the records. Also note that reverse DNS entries do not have to match forward DNS - e.g. can resolve to but does not have to resolve to To Domain [Sharing this MX] This transform queries two 'historical' DNS providers to determine if this IP address is the also used by other domains as an MX record. This type of 'reverse MX lookup' cannot be performed using standard DNS queries and is very useful to find other domains associated with the IP number. In most cases one would work from the actual DNS name of the MX record, but if you only have the IP address available there is no standard way of knowing if the IP address is an MX for a domain or not. This transform gives you the ability to do this. Maltego Transforms a reference guide Page 30

31 3.4.4 To Domain [Sharing this NS] This transform queries two 'historical' DNS providers to determine if this IP address is the also used by other domains as an NS record. This type of 'reverse NS lookup' cannot be performed using standard DNS queries and is very useful to find other domains associated with the IP number. In most cases one would work from the actual DNS name of the NS record, but if you only have the IP address available there is no standard way of knowing if the IP address is an NS for a domain or not. This transform gives you the ability to do this. Unlike the 'reverse MX lookup' the 'reverse NS lookup' does not always imply that the domains found have a close relationship with the IP address as many companies and organizations outsource their DNS service. Maltego Transforms a reference guide Page 31

32 3.4.5 To address [From whois info] This transform performs a recursive whois query on the IP address (obviously not the domain!) and parses the output for addresses. The idea with the transform is to provide the address of the owner of the network where this IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub leased and that the whois information might not reflect this. This can easily lead to false positives. The whois information itself is stored as a property of the IP address entity ('IP whois'). You should always manually inspect this data to give context to results To Entities (NER) [Alchemy and OpenCalais] via whois This transform obtains whois information of IP number and then parses it for entities using NER. Maltego Transforms a reference guide Page 32

33 3.4.7 To Geo location [whoisapi] This transform uses an API of Name Intelligence to provide the geographical location of the IP address. The location has 3 levels of detail - these are comma separated. The first is the country, the second is the region and the last is the city. Keep in mind that this level of detail is not always available. In fact - the API does not guarantee that it will return any result - it's a case of best effort. We have also seen that this data can be extremely misleading - where the location of the registrant (rather than the resource) was returned. For bulk look ups you should consider getting your own API key. Maltego Transforms a reference guide Page 33

34 3.4.8 To Netblock [Blocks delegated to this IP as NS] This transform queries Robtex's database to determine which networks have their reverse DNS delegated to this IP address. This is a very useful transform in the infrastructure foot printing process. Keep in mind that the IP address needs to that of a name server (that handles the reverse zones). In many cases this transforms provides better information than simply looking at routing or whois information. This is because organizations might have a full class B network but are only using three or four class C networks within the bigger block. In many of these cases they will only have reverse DNS information populated for these smaller blocks - and you can find these smaller blocks using this transform To Netblock [Natural boundaries] This transform returns a netblock (IP range) by simply looking at the natural network boundary of the IP address. The size of the network is determined by a transform setting ('Block size'). The size is set by default to meaning that the corresponding class C network will be returned. This size can be set to any power of two - e.g. 1,2,4,8,16,32,64,128,256 etc. As this transform is not doing any lookups it is very fast and by setting the block size small (making some assumptions) you can quickly get a rough idea of networks involved. The transform can be set to ask for the network size by marking the property as a pop up: Maltego Transforms a reference guide Page 34

35 To Netblock [Using routing info] This transform will determine what network (range of IP addresses) the IP number resides in by looking at routing information on the Internet. This does not mean that the entire resulting network belongs to the owner of the IP address (keep in mind that in many cases it might be hosted environment). See also the other ToNetblock transform for making more precise estimations of network sizes and/or owners. Maltego Transforms a reference guide Page 35

36 To Netblock [Using whois info] This transform determines the associated network (IP range) of an IP address by doing a recursive whois lookup and parsing the resultant information. Keep in mind that in many cases smaller blocks of IP addresses are sub leased and that the whois information might not reflect this. This can easily lead to false positives. The whois information itself is stored as a property of the IP address entity ('IP whois'). You should always manually inspect this data to give context to results. Maltego Transforms a reference guide Page 36

37 To Telephone Number [From whois info] This transform performs a recursive whois query on the IP address and parses the output for telephone numbers. The idea with the transform is to provide the phone number of the owner of the network where this IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub leased and that the whois information might not reflect this. This transform is useful when you have a list of networks and want to see which ones belong to the same organization. The whois information itself is stored as a property of the IP address entity ('IP whois'). You should always manually inspect this data to give context to results To Website where IP appears [using Search Engine] This transform will search for the IP Address and show the sites where it occurs. Maltego Transforms a reference guide Page 37

38 Maltego Transforms a reference guide Page 38

39 January MX record (mail ( exchange record) Maltego 3 User Guide - Transforms Version To Domain [DNS] This transform extracts the domain from a MX record entity. The domain in a DNS Name like 'mx.google.co.uk' would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs are really not that useful it is not returned To Domains [Sharing this MX] This transform is used on a MX record. It determines which other domains use this DNS Name as an MX record. This is very useful in the infrastructure footprint of an organization as it can reveal other domains that the organization uses. If company X's Domain all have MX records pointing to a single DNS name this transform can find all (or most) of these domains. Maltego Transforms a reference guide Page 39

40 3.5.3 To IP Address [DNS] This transform resolves a MX record to an IP address using plain old DNS. Maltego Transforms a reference guide Page 40

41 January DNS name server record Maltego 3 User Guide - Transforms Version To Domain [DNS] This transform extracts the domain from a NS record entity. The domain in a DNS Name like 'mx.google.co.uk' would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs are really not that useful it is not returned To Domains [ Sharing this NS] This transform runs on an NS record. It determines which other domains use this DNS Name as a name server. This is very useful in the infrastructure footprint of an organisation as it can reveal other domains that the organisation uses. If company X's Domains all have NS records pointing to a single DNS name this transform Maltego Transforms a reference guide Page 41

42 can find all (or most) of these domains. A word of caution - if the target is hosting its name servers at an ISP then you will end up with a list of domains that hosted by the ISP - normally not the most exciting result To IP Address [DNS] This transform resolves a NS record to an IP address using plain old DNS To Netblock [Blocks delegated to this NS] This transform works on NSrecord s. It determines if the particular name server has any Netblock reverse DNS delegated to it. This is useful for finding Netblock of an organization. What's interesting about the results of this Maltego Transforms a reference guide Page 42

43 January 2011 Maltego 3 User Guide - Transforms Version 3.0 transform is that an organization might have a class B network (a fairly large netblock), but, in reality are only using a couple of class Cs (smaller netblocks) within that block. In many cases they will only populate the reverse DNS of these smaller blocks and delegate it to their name servers. The transform will show these smaller blocks. 3.7 Netblock To AS number This transform determines the Autonomous System (AS) number of the supplied network. This is useful for determining if two (or more) networks are related. If two networks are in the same AS (e.g. have the same AS number) we can say they are at least loosely routed to the same destination. If the networks belong to an organization (as opposed to belonging to an ISP that is splitting the network into smaller networks and leasing them to clients) we get a good indication that both networks belong to the same organization. Maltego Transforms a reference guide Page 43

44 3.7.2 To DNS Names in netblock [Reverse DNS] This transform will ask for all historical DNS records on file for the supplied network. It gets a bit messy - what happens when you have a class B network? As such the providers have limitations. Robtex won t return reverse DNS entries for networks larger than 2048 IPs (that's 4 class Cs) and Serversniff won't be impressed if you run a block larger than a class B. Keep in mind that you need to adjust your slider accordingly (if your slider is on the first notch and you reverse a class C you'll only get 12 entries back). Also - note that this information comes from a database - so it might not always be up to date. The transform can take a while to run - so be patient. It still beats doing it manually... Maltego Transforms a reference guide Page 44

45 3.7.3 To Entities (NER) [Alchemy and OpenCalais via whois This transform obtains whois information of netblock (well the first IP in the block), then parses it for entities using NER To Geo location This transform takes the first IP number in the range and performs the 'IP address to Geo location' on it. The transform uses an API of Name Intelligence to provide the geographical location of the IP address. The location has 3 levels of detail - these are comma separated. The first is the country, the second is the region and the last is the city. Keep in mind that this level of detail is not always available. In fact - the API does not guarantee that it will return any result - it's a case of best effort. We have also seen that this data can be extremely misleading - where the location of the registrant (rather than the resource) was returned. For bulk lookups you should consider getting your own API key. Maltego Transforms a reference guide Page 45

46 January 2011 Maltego 3 User Guide - Transforms Version URL To Addresses [Found on web page] This transform will connect to the website where e the URL (web page) is hosted, download the particular page / URL and parse it for addresses. Results are returned as address entities. The transform is useful when you are looking for results on a specific page, not an entire site. Maltego Transforms a reference guide Page 46

47 3.8.2 To Entities (NER) [OpenCalais and Alchemy API] This transform performs NER (Named Entity Recognition) on the URL and extracts person names, companies/organizations, phone numbers and locations from the text. If the URL points to a document, it will try to convert to text and perform NER on the resultant text. Entities extracted are: location, person s name, organization or company. Maltego Transforms a reference guide Page 47

48 3.8.3 To Phone number [Found on this web page] This transform will connect to the website where the URL (web page) is hosted, download the particular page / URL and parse it for phone numbers. Results are returned as phone number entities. The transform is useful when you are looking for results on a specific page, not an entire site. Maltego Transforms a reference guide Page 48

49 3.8.4 To URL [incoming links found to this web page] This transform finds the incoming URLs to an URL by looking on a search engine. Maltego Transforms a reference guide Page 49

50 3.8.5 To Website [Convert] This transform simply extracts that website's name from the URL. This is useful when you have a lot of URLs (that came from other transforms) and need to see which URLs are on the same site To Website [Links on this web page] This transform will connect to the website where the URL (web page) is hosted, download the particular page / URL and look for links from that page. Results are returned as websites entities with embedded URLs. The transform is useful when you are looking for links on a specific page, not an entire site. Maltego Transforms a reference guide Page 50

51 January 2011 Maltego 3 User Guide - Transforms Version Website Mirror: addresses found This transform will make a (partial) mirror of the web site and extract all addresses found on the site. The slider plays a big role in this transform as it set the time-out for the mirroring process. The higher (to the right) the slider is set, the deeper the mirroring process will go, and hopefully, the more results you'll get. The process runs via a caching server (that is local on the box) which means that you won t be doing the data transfer to the site twice (if you run the transform again) - expect of course if the first round did not manage to get the entire site. Also keep in mind that not all sites are mirror friendly. Flash based sites will give problems Maltego Transforms a reference guide Page 51

52 as will sites with exotic JavaScript menus and redirects. addresses that are obfuscated using nonstandard techniques will also not be picked up Mirror: External links found This transform will make a (partial) mirror of the web site and extract all external links found on the site - these will be returned as website entities. The slider plays a big role in this transform as it set the time-out for the mirroring process. The higher (to the right) the slider is set, the deeper the mirroring process will go, and hopefully, the more results you'll get. The process runs via a caching server (that is local on the box) which means that you won t be doing the data transfer to the site twice (if you run the transform again) - expect of course if the first round did not manage to get the entire site. Also keep in mind that not all sites are mirror friendly. Flash based sites will give problems as will sites with exotic JavaScript menus and redirects To Domains [DNS] This transform will return the domain of the supplied website. The transform will also return any sub domains - all the way to the sub TLD. This means that if a web site with the name is supplied the transform will return the domains duh.moo.co.za and moo.co.za, but not co.za (sub TLD) or za (TLD). Maltego Transforms a reference guide Page 52

53 3.9.4 To IP Address [DNS] This is a very simple transform - it simply resolves the website's IP address To URLs [show Search Engine results] When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This transform generates separate URL type entities from each result. This allows you to now perform transforms on each URL - like mining for address, links or phone numbers. Maltego Transforms a reference guide Page 53

54 3.9.6 To Website [Incoming links to site] The transforms queries search engines to determine what sites links to the supplied website. This is useful in combination with 'To websites using Mirror' - which will give an idea of what goes into a site (e.g. links to the site) and what comes out of a site (e.g. links from the site). Maltego Transforms a reference guide Page 54

55 3.9.7 To Website [Replace with thumbnail] This transform will ask Thumbshot.org if it has a small image (thumbnail) of the site's front page and if so it will change the entity's icon to it. This is useful when working with huge amounts of web sites that appear to have the same branding - it gives the user the ability to quickly visually see which sites are branded in a similar manner To Website title This transform will return the title of the site's front page as a web title entity. It will do it's best to follow JavaScript redirects, 302 redirects and others until it ends on a page with a title. Of course it cannot extract titles for ALL websites - some do not have titles, are Flash based or performs some exotic Javascripting. The transform is useful when dealing with loads of web sites that appear to belong to the same organization. Running this transform and looking at web site titles that match (or simply using Find and looking for keywords) makes it easy to find and group sites. Maltego Transforms a reference guide Page 55

56 Maltego Transforms a reference guide Page 56

57 January Personal 4.1 Document Maltego 3 User Guide - Transforms Version Parse meta information This transform downloads the document at the specified URL and extracts the meta information from it. Maltego tries to map the meta data to Person, Phrase and Address, but in some cases the information is not correctly populated within the document itself. Visual inspection of the resultant entities are advised. The following fields are extracted from the document: Company->Phrase Creator->Phrase Keywords->Phrase Author->Person LastSavedBy->Person Author -> address Author DisplayName-> address Maltego Transforms a reference guide Page 57

58 4.1.2 To URL [Show SE results] When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This transform generates separate URL type entities from each result. This allows you to now perform transforms on each URL - like mining for address, links or phone numbers. Maltego Transforms a reference guide Page 58

59 January Maltego 3 User Guide - Transforms Version To Domain [DNS] This transform will simply return the domain of the address - e.g. if the input is kosie@kramer.com it will return kramer.com. This is useful when you have a lot of addresses and what to see which ones are located in the same domain To Addresses [PGP (signed)] This transform contacts a public PGP keyserver and retrieves the addresses of signers for the given address. Maltego Transforms a reference guide Page 59

60 4.2.3 To Addresses [PGP] This transform will query one of the public PGP key server and will return other addresses that uses the same public key. This is very useful to find alternative addresses for an individual. Keep in mind that this information might be outdated To Addresses [using Search Engine] This transform will search for the address and show related addresses. Maltego Transforms a reference guide Page 60

61 4.2.5 To Person [PGP] Most addresses map 1:1 to a person. Unlike the ' address from Name using PGP' this transforms gives you a clear indication of who the address belongs to. The transform queries a public PGP key server to obtain this information To Phone number [using Search Engine] This transform will search for the given address and show the related telephone numbers. Maltego Transforms a reference guide Page 61

62 4.2.7 To URLs [Show search engine results] When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This transform generates separate URL type entities from each result. This allows you to now perform transforms on each URL - like mining for address, links or phone numbers To Website [using Search Engine] This transform will search for the address and shows the sites where it occurs. Maltego Transforms a reference guide Page 62

63 4.2.9 Verify address exists [SMTP] Verify address must first be activated in Transform Manager by accepting disclaimer. This transform verifies that an address really exists. It's one of the more interesting transforms. It works as follows - as a start the transform finds the right MX (mail server) record for the domain. It then connects to port 25 (SMTP) of the host. The transforms starts the normal SMTP conversation - it issues a HELO (paterva.com) and a MAIL FROM (harmlessverificationofaddress@paterva.com) SMTP commands. Before testing for the supplied address it issues a RCPT TO with an address that does not exist (it tests for thisisreallynothere@domain). If the error message indicates that the address is not there the transform knows that it can test for the supplied address. If no error is returned during this 'baseline' test the transform returns 'Inconclusive'. The transform does not return new entities as a result - it returns the same entity but it adds a label to the supplied address indicating if it could verify it. Note that not all mail servers allow you to verify addresses in this way. Because this transform transacts with the mail server (and this is not considered very passive) this transform contains a disclaimer that explains the situation. Maltego Transforms a reference guide Page 63

64 January 2011 Maltego 3 User Guide - Transforms Version Person To Address [PGP] This transform queries a public PGP key server to see if the person's name exists in the key database. It returns entries as address entities. Some things to keep in mind - if the name is very common (John Smith) you are going to get a lot of false positives. Also - the information kept in the database might be out of date. This transform is useful to get long forgotten addresses for people with an unique name / surname combination. Maltego Transforms a reference guide Page 64

65 4.3.2 To Address [Verify common] This transform will test on common free mail provider for combinations of the person's name. This transform only works with mail servers that will report failed recipients with a 550 code and verified recipients with a 250 code. Not all mail servers do this - as example Yahoo does not! Also note that this transform makes a TCP connection to the given entity's MX record! This transforms uses the techniques used in the AddressTo Address Verify transform. Since this gives us the ability to verify if an address exists we can expand the idea to test for combinations of first name / last name on popular providers - like Gmail and Hotmail. The providers (domains) where the transform test is configurable - e.g. you can add/remove domains be changing the 'Domains to check' additional transform setting. There is one difficulty here - not all mail servers falls for the verification trick. As such you cannot randomly add domains here - be sure to test if addresses can be verified using the verification transform first. Maltego Transforms a reference guide Page 65

66 4.3.3 To Address [using Search Engine] This transform searches for the person's most likely address. Maltego Transforms a reference guide Page 66

67 4.3.4 To Person [PGP (signed)] This transform queries a public PGP key server and asks the question 'show me the names of persons that the owner of the supplied address have signed'. This is useful for determining trust relationships between people. The transform shows you these people communicated encrypted (or at least exchanged keys). Keep in mind that the information in the database could be outdated To Phone Number [using Search Engine] This transform searches for the person's associated telephone numbers. Maltego Transforms a reference guide Page 67

68 4.3.6 To Website [using Search Engine] This transform shows sites where various permutations of the person's name was found. You ll see a pop up asking for a Domain or TLD and an additional search term. Maltego Transforms a reference guide Page 68

69 Maltego Transforms a reference guide Page 69

70 January Phone Number Maltego 3 User Guide - Transforms Version To Address [using Search Engine] This transform searches for the telephone number and returns related addresses To Phone Number [using Search Engine] This transform searches for the telephone number and returns related addresses. Maltego Transforms a reference guide Page 70

71 4.4.3 To URL [Show Search Engine results] This transform just dumps the URLs collected from the search engine. When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This transform generates separate URL type entities from each result. This allows you to now perform transforms on each URL - like mining for address, links or phone numbers. Maltego Transforms a reference guide Page 71

72 January 2011 Maltego 3 User Guide - Transforms To Website [using Search Engine] This transform searches for the telephone number and returns related sites. Version Phrase To Addresses [using Search Engine] This transform will search for the phrase and show related addresses. Maltego Transforms a reference guide Page 72

73 4.5.2 To Entities (NER) [Alchemy and OpenCalais] The transform actually packages a set of smaller transforms - all in one. It searches for the entered keyphrase, extracts all URLs from the results, then 'visits' each page and performs NER (Named Entity Recognition) on each page. For this reason the transform can take quite a while to finish and is very resource intensive. The result is the top list of people, places, addresses, company/organization names (as phrases) associated Maltego Transforms a reference guide Page 73

74 with the phrase To Files (Interesting) [using Search Engine] This transform will search for the given phrase and show interesting files containing the term. As with the Domain to Files transform the priority of file types can be configured. Maltego Transforms a reference guide Page 74

75 4.5.4 To Files (Office) [using Search Engine] This transform will search for the given phrase and show documents (Office[tm]) containing the term. As with the Domain to Files transform the priority of file types can be configured. Maltego Transforms a reference guide Page 75

76 4.5.5 To Telephone numbers [using Search Engine] This transform will search for the phrase and shows the related telephone numbers. Maltego Transforms a reference guide Page 76

77 4.5.6 To Tweets [Search Twitter] This transform will search Twitter for the supplied phrase. The transform returns Tweets that contains the phrase. From these entities you can dig deeper - e.g. looking who wrote it, and what URLs it contains. To search for more than one word put the phrase in quotes. E.g "economic gardening". Maltego Transforms a reference guide Page 77

78 4.5.7 To Website [using Search Engine] This transform will search for the given phrase and show the sites where the phrase occurs. This is basically the same as searching for the phrase on a search engine. Maltego Transforms a reference guide Page 78

79 4.5.8 To related phrase This transform will search for the phrase on the configured search engine and return a list of keywords found. The keywords are related to the search term. You can use the transform to get a quick idea of what the search term is about - like scanning the first couple of pages of a search engine result by hand. The '!Q&D!' part of the transform description is really for 'Quick and Dirty' - meaning that no scientific approach was used to get the results (it's more a try, try, try again approach). The transform was actually experimental at first, but since it sometimes gives interesting results we kept it in. Maltego Transforms a reference guide Page 79

80 January Twit Maltego 3 User Guide - Transforms Version To Twitter Affiliation [Convert] This transform will convert a Twit to a Twitter Affiliation entity by simply converting it To URL(s) [Found in these Tweets] This transform will try to mine URL from Tweets, also expanding the tiny URLs where possible. Maltego Transforms a reference guide Page 80

81 Maltego Transforms a reference guide Page 81

82 January Affiliation Twitter Maltego 3 User Guide - Transforms Version To AffTwitter [Get details of ID holder] This transform will find detail about the Twitter entity To AffTwitter ftwitter [This person received Tweets from?] This transform will find people that wrote Tweets TO the selected person. Maltego Transforms a reference guide Page 82

83 4.7.3 To AffTwitter [This person wrote Tweets to?] This transform people that the selected person wrote Tweets TO. Maltego Transforms a reference guide Page 83

84 4.7.4 To Person [Convert] This transform will convert the Affiliation to a person, with the alias in the 'additional' field To Tweets [That this person wrote] This transform will find more Twitter posts from the same user. Maltego Transforms a reference guide Page 84

85 4.7.6 To Tweets [Written to this person] This transform will find Tweets from other people to the selected author To followers of this person This transform will find followers of the selected person. Maltego Transforms a reference guide Page 85

86 4.7.8 To friends of this person This transform will find friends of the selected person. Maltego Transforms a reference guide Page 86

87 Maltego Transforms a reference guide Page 87

88 5 Maltego 3 Client Transforms - Overview Along with the standard entities there are various transforms that can be used and that come preconfigured with Maltego. This section provides an overview of these standard transforms. 5.1 Infrastructure Internet Autonomous System (AS) 1. ASNumberToNetblocks_Robtex. This transform shows which routes are located within an AS number by looking it up on RobTex ( Domain Name System server name 1. DNSNameToDomain_DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and SLD. 2. DNSNameTOIPAddress_DNS. This transform resolves a DNS name to an IP address using plain old DNS. 3. DNSNameTOWebsite_QueryPorts. This transform determines if a DNS Name is a Web Site by checking for responsive HTTP(s) ports. This version only checks port 80. Maltego Transforms a reference guide Page 88

89 5.1.3 Internet Domain 1. DomainToMXrecord_DNS. This transform will find the MX records (mail servers) of a domain. 2. DomainToNSrecord_DNS. This transform will find the NS records (name servers) of a domain. 3. DomainToDNSName_ZT. This transform will attempt to perform a zone transfer a returns A and Cname records - done via Serversniff ( 4. DomainToDNSName_DNSBrute. This transform will try to discover various common DNS Names in a domain. 5. DomainToDNSName NameSchema. This transform will attempt to determine the naming schema of the domain - e.g. Lords of the Rings, Planets, Trees etc. 6. DomainToDomain_TLD. This transform will try to find domains with different TLDs by looking it up at ServerSniff ( 7. DomainTo Address Whois. This transform obtains whois information of the IP number, then parses it for addresses. 8. DomainTo Address PGP. This transform contacts a public PGP keyserver and retrieves addresses containing the given domain. 9. Search Engine. This transform searches for the domain and shows related addresses. 10. Search Engine. This transform will search for addresses containing the domain name. 1. DomainToEntities Whois NER. This transform obtains whois information of the domain then parses it for entities using NER. 2. Search Engine. This transform will search for the locations of interesting files hosted on web sites inside the domain. 3. Search Engine. This transform will search for the locations of interesting documents (think Office[tm]) hosted on web sites inside the domain. 4. DomainToPerson PGP. This transform contacts a public PGP key server and returns Person Entities with addresses that are located within the given domain. 5. Search Engine. This transform will search for the given domain and shows the related phone numbers. 6. DomainToPhone Whois. This transforms obtains whois information of the given domain, then parses it for telephone numbers. 7. Search Engine. This transform will query a search engine for websites and return them as website entities. Maltego Transforms a reference guide Page 89

90 8. DomainToWebsite DNS. This transform will quickly see if there is a entry. Useful when used in bulk. 9. Search Engine. This transform will search for the domain name and then show the web sites where the domain name occurs IP version 4 address 1. IPAddressToDNSName SharedIP. This transform performs a reverse lookup on an IPAddress (typically belonging to a web site) by looking it up on ServerSniff and Robtex. 2. IPAddressToDNSName DNS. This transform reverse resolves an IP address to a DNS name using plain old DNS. 3. IPAddressToDomain SharedMX. This transform performs lookups on both ServerSniff and RobTex to see which domains share the same IP number as a MX record. 4. IPAddressToDomain SharedNS. This transform performs lookups on both ServerSniff and RobTex to see which domains share the same IP number as a NS record. 5. IPAddressTo Address Whois. This transform obtains whois information of IP number, then parses it for addresses. 6. IPAddressToEntities Whois NER. This transform obtains whois information of IP number, then parses it for entities using NER. 7. IPAddressToLocation WhoisAPI. This transforms comes preconfigured with an API key which has limited use per day. Please consider getting your own API key at 8. IPAddressToNetblock NS4block. This transform will contact Robtex and determine if the IP number has any reverse DNS netblocks has been delegated to it. 9. IPAddressToNetblock Cuts. This transform will carve a netblock from an IP - counting a certain number of IPs up and down. 10. IPAddressToNetblock SS. This transform determines the network block that an IP address belong to by looking ar routing tables at ServerSniff. 1. IPAddressToNetblock Whois. This transform will get the netblock via the whois service (ARIN/APNIC/LACNIC/AFRINIC/RIPE). 2. IPAddressToPhone Whois. Transforms obtains whois information of IP number, then parses it for telephone numbers. 3. Search Engine. This transform will search for the IP Address and show the sites where it occurs. Maltego Transforms a reference guide Page 90

91 5.1.5 Location on mother earth There are no transforms included by default that can be run on a location. Some transforms may however return a location as a result DNS mail exchange record 1. MXrecordToDomain DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and SLD. 2. MXrecordToDomain SharedMX. This transform determines which other domains uses the same DNS name as MX record by looking it up on ServerSniff and RobTex. 3. MXrecordToIPAddress_DNS. This transform resolves a MX record to an IP address using plain old DNS DNS name server record Maltego Transforms a reference guide Page 91

92 1. NSrecordToDomain DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and SLD. 2. NSrecordToDomain SharedNS. NS record by looking it up on ServerSniff and RobTex. As byproduct you'll also get netblocks for which this nameserver is primary server - where applicable. 3. NSrecordToIPAddress_DNS. This transform resolves a NS record to an IP address using plain old DNS. 4. NSrecordToNetblock_NS4block.This transform will contact Robtex and determine if the NS record has any (reverse) DNS netblocks delegated to it Netblock 1. NetblockToAS SS. This transforms determines the AS number of the netblock by looking it up at ServerSniff. 2. NetblockToDNSName SS. This transform contacts ServerSniff and Robtex and asks it for DNS Names it found in the given netblock. 3. NetblockToEntities NER Whois. This transform obtains whois information of netblock (well the first IP in the block), then parses it for entities using NER. 4. NetblockToLocation SS.This transforms determines the country location of the netblock URL 1. URLTo Parse. This transform finds the addresses on the URL. 2. URLToPerson NLP. This transform uses Natural Language Processing (NLP/NER) to extract entities. 3. URLToPhoneNumber Parse. This transform finds the phone numbers on the URL 4. URLToURL IncomingLinks. This transform finds the incoming URLs to an URL by looking on a search engine. 5. URLToWebsite Convert. This transform converts an URL to a website. 6. URLToWebsite Parse. This transform looks for outgoing links on the URL and show them as websites. Maltego Transforms a reference guide Page 92

93 Website 1. WebsiteTo Address Mirror. This transform uses Gary's Ruby website mirror to spider the site and extract addresses. 2. WebsiteToWebsite Mirror. This transform uses Gary's Ruby website mirror to spider the site and extract links. 3. WebsiteToDomain DNS. This transform extracts all the domains from a website - it excludes TLDs and SLD. 4. WebsiteToIPAddress DNS.This transform resolves a Website to an IP address using plain old DNS. 5. WebsiteToURL Expand. This transform just dumps the URLs collected from a search engine. 6. WebsiteToWebsite Incominglinks.This transform finds the incoming links to a website by looking for incoming links on a search engine. 7. WebsiteToWebsite Thumb. This transform gets a thumbnail of the website using Thumbshot.org 8. WebsiteToWebTitle Mech. This transform will attempt to get the title of the website. It tries to follow all redirects. 5.2 Personal Document 1. DocumentToPerson _Meta. This transform extracts the meta information from the document and then parses it for username (persons) and/or addresses. 2. DocumentToURL Dump. This transform just dumps the URL of the Document for further use. Maltego Transforms a reference guide Page 93

94 AddressToDomain DNS. This transform will remove the part in front of sign of the given address. 2. AddressTo Address SignedPGP. This transform contacts a public PGP keyserver and retrieves the addresses of signers for the given address. 3. AddressTo Address SamePGP. This transform contacts a public PGP keyserver and retrieves alternative addresses for the given address. 4. Search Engine. This transform will search for the address and show related addresses. 5. AddressToPerson Same PGP. This transform contacts a public PGP keyserver and retrieves the person's name for the given address. 6. Search Engine. This transform will search for the given address and show the related telephone numbers. 7. AddressToAff Rapleaf. (Removed). 8. AddressToURL Expand. This transform just dumps the URLs collected from the search engine. 9. Search Engine. This transform will search for the address and shows the sites where it occurs AddressTo Address Verify. This transform simply connects to the relevant mail server and checks to see if the address exists. The results are passed back in the same entity - as a label Person 1. PersonToAff Spock. (Removed) 2. PersonTo Address SamePGP. This transform contacts a public PGP keyserver and retrieves the person's address - if it exists. 3. PersonTo Address Common. This transform will test on common free mail provider for combinations of the person's name. This transform only works with mail servers that will report failed recipients with a 550 code and verified recipients with a 250 code. Not all mail servers do this - as example Yahoo does not! Also note that this transform makes a TCP connection to the given entity's MX record! Maltego Transforms a reference guide Page 94

95 4. Search Engine. This transform searches for the person's most likely address. 5. PersonToPerson PGP. This transform contacts a public PGP keyserver and returns the names of people that signed the given person's key. 6. Search Engine. This transform searches for the person's associated telephone numbers. 7. Search Engine. This transform shows sites where various permutations of the person's name was found Phone Number 1. Search Engine. This transform searches for the telephone number and returns related addresses. 2. Search Engine. This transform searches for the telephone number and returns related phone numbers. 3. PhoneNumberToURL Expand. This transform just dumps the URLs collected from the search engine. 4. Search Engine. This transform searches for the telephone number and returns related sites Phrase 1. Search Engine. This transform will search for the phrase and show related addresses. 2. PhraseToPhrase OpenCalais. Looking for entities in the actual document. 3. Search Engine. This transform will search for the given phrase and show interesting files containing the term. 4. Search Engine. This transform will search for the given phrase and show documents (Office[tm]) containing the term. 5. (Removed). 6. Search Engine. This transform will search for the phrase and shows the related telelphone numbers. 7. PhraseToTwit Search. This transform will search Twitter for a phrase and shows relevant entries. 8. Search Engine. This transform will search for the given phrase and show the sites where the phrase occurs. 9. PhraseToPhrase RT. Looking for key phrases. Maltego Transforms a reference guide Page 95

96 5.2.6 Twit 1. TwitToPerson Parse. This transform will convert a Twit to a Twitter Affiliation entity by simply converting it. 2. TwitToURL Expand. TThis transform will try to mine URL from Tweets, also expanding the tiny URLs Affiliation Facebook There are no transforms included by default that can be run on Affiliation - Facebook. Some transforms may however return an Affiliation - Facebook as a result Affiliation LinkedIn There are no transforms included by default that can be run on Affiliation - LinkedIn. Some transforms may however return an Affiliation - LinkedIn as a result. Maltego Transforms a reference guide Page 96