Today we are reviewing an awesome OSINT tool called Maltego. This tool has been used by information security experts (OSINT specifically) for ages and I’ve used it for some time, so I assumed it would be useful if I made a video on it.
There are two parts here: the video transcript and the Python code.
VIDEO TRANSCRIPT
This tool is used by OSINT professionals and hackers
around the world and it gained popularity as well as
status in the community. I’m not going to cover installation as I consider that
to be unnecessary since it’s easy and described on the
webpage.
First thing we see is the interface which looks a
little scary and complicated but don’t worry it’s
easy to use.
Let’s describe its parts
On the left we have news, you can ignore that
since we don’t need it right now
On the top there is a toolbar which we’ll come to
later in the video
In the middle we have the Maltego
Transforms hub – where we can install additions,
so let’s call them extensions. I’ve installed
Standard machines by Maltego for myself and I
recommend it for you too, it’s absolutely free
If we uncheck the Free tick you can see there are
a bunch more transforms we could use
Imagine transforms as special functions that
extract data.
On the top left the only thing we should care about
is the Menu button showing you settings and similar,
as well as the New project button which runs the Maltego
workspace
In the workspace we can see a bit of a confusing
interface. But don’t worry. On the left we have the
ENTITY palette, these are things we can add and put
some data in them and then Maltego can run transforms
based on that data if we right-click on the thing we added
from the graph
As you can see I added a person and you can see all
sorts of transforms that are available for this type
“PERSON” – for example from name to an email address.
On the side we have the detail view which will allow us to see the
information, the type and where it came from – which we don’t have right
now because we manually added this name
On the right we have the property view where we can
change information and see additional stuff
that’s not visible in the graph
We can change this information if we like.
Right above property view is the
We can also add more stuff so I can show you how the
OVERVIEW works. On the top right you can see the nodes and you can
use your mouse to move around.
There are also different types of layouts that rearrange your data.
For now this might seem unnecessary but when you see the amount of nodes
Maltego will provide just on running all transforms on ONE entity – you
will understand why we need this
Also another important thing to mention is the OUTPUT field right here
It shows us the description of the transforms running – as well as additional
information. Once we make our own transforms it will output data here,
or on the screen depending on how you make your transforms.
I’ve made one transform for this video which is an example of a
dataset searcher, or multiple-datasets searcher using Python
which outputs information here
But we’ll get to that later
Now let’s look at the toolbar
First we have zoom options for our graph
Then we have a really important button called entity selection that
when clicked changes to “link selection”
Let me show you an example of linking
Let’s manually add a person as well as their alias
Now we can link those together and add a label on it
If you watched Mr. Robot let me know in the comments –
I love the show
You can already see how information gathering and OSINT
could be powerfully represented here – it’s insane and very useful
Also make sure Link selection is selected and link these together.
Also don’t forget to switch back to ENTITY selection so you don’t get confused
if you keep seeing arrows when you click on an entity – it happened
to me a bunch of times
The next interesting thing we have here is the PRIVACY MODE
But sadly it isn’t perfect so don’t feel safe using the stealth mode, even
Maltego doesn’t recommend it as a perfectly safe thing
Next we have the view where we can make our graph look different
At the left part it’s showing us the same thing that the little toolbar
is showing us here
Next we have entities – an example of an entity being a person or an email
or a phone number, here you can add new entities and manage existing ones
If we look at the settings of the Twitter entity
you can see we can change some information, icons and additional properties
that will be visible in the property view
Also display settings on the graph view
Next we have collections, but this isn’t something that interests us
right now, you can use the tutorial if you are curious
(Basically you can group stuff with this)
Next we have the transforms tab which gives you options of adding new
transforms as well as modifying existing ones
If we look into the transform manager and look up
PROFILER you can see I added my own transform
This is just a Python script that prints out text,
a very simple example that’s used to represent a Python dataset searcher
As you can see it needs the program to run the script with, in our case
it’s python3 – then the script name and the directory where the script is.
Since the script just prints out stuff and takes in arguments using
sys.argv – this will work. I’ll show you later how.
Next we have the machines, used for automation and running a bit more
complex tasks at once – you can see I have some of them installed and if we
take a look into the code of one of them you will see
the introduction with display name and similar
and the start function where every RUN runs a specific transform
Next we have the collaboration tab which isn’t interesting to us right now,
the import and export tab for importing data and exporting it
And lastly the windows tab which allows us to enable
windows we accidentally disabled and navigate easier
As you can see if I close the output section I can turn
it back on by clicking here.
Now let’s add a Domain by dragging it
We can change it in the property view into my website
Next let me show you how transforms work
Right click on it and run all transforms
Click okay to this prompt
And you can see that the output is showing results,
and so is the graph. We just got A BUNCH of information
based on the domain.
So if we look into the output you can see the progress and the
path Maltego took in its transforms to get to our information
We can see DNS, name server, Wayback Machine (it shows previous versions of the site),
other websites, location and a bunch more information.
If I click on datpackage.com – on the right you can see where the data was extracted from
as well as the full URL – this could be useful for looking at previous versions
of the site from the Wayback Machine’s repositories.
Add a person entity and let’s change its name to a popular person from Croatia
If we run transforms on this person we will find a bunch of information.
Some of this information is useless to us because it isn’t directly linked to the person we are
looking for and we can eliminate the unnecessary stuff by deleting it.
This is often done in investigations since the system can’t perfectly know
what info belongs to whom.
Another thing we can do is when we find the number of a random person
we can extract additional information from it – like the location of the cell tower,
country, the communications provider it’s using and similar
In this example the number will be from Croatia, using VIPnet Comms provider
This is detected by 385 for Croatia and 92 for the Comms provider.
Also yes this number is random
The next cool thing you might find useful is the fact that Maltego predicts the data type
So if I give it this data just by copy-pasting it inside
it will predict what’s a person, what’s a phone number and what’s a website
It can, of course, do the same with bigger datasets so you can import a bunch of stuff
Now let’s take a look at this person I added: Ivan Horvat
(I picked the most common first and last name from Croatia for this)
and let’s double-click on the person
Here we can add photos – I don’t have a photo of a male right now
but I do have a photo of a female, randomly generated by AI using
the site thispersondoesntexist
We will of course delete this since Ivan is a guy but we can also rename him
I’m gonna leave it like it was since my custom-made local transform is gonna
respond to this once we run the transform
Don’t worry, I’ll show you how to add your own transform
So let’s run my local transform and as you can immediately see
we have results found
It looks like Ivan was born in Berlin in 1990 and he worked
at Malwaresoft
Now let me show you how to add your own transform
It’s really easy I promise, all you need is some basic coding
If I go to transforms manager you’ll see my profiler here
You can see Maltego asked me for 3 things:
command line – which is python3
command param – which is the name of the script
and the working directory – where your Python script is
This is basically all you need – that and the title of the
transform
Make sure that these are correct tho
I’m gonna show you what the script that I was talking about looks like
So let’s look into it
As you can see I’m taking in system arguments in the pattern
Python – name of the script – argument one, which is name – argument
which is last name
Then we are fixing up the string and splitting it by “person.fullname”
and then just using the first part which has the name and last name
This is because Maltego doesn’t just provide the name and last name from the
graph – it also sends additional data. Usually this would be handled using
Maltego’s module for Python. But now we are looking at a simpler solution
Also the one that doesn’t include XML as a return value and doesn’t print
out anything on the graph so we can look through useful information in
the output area
Then we have to clear up some extra spaces cause my IF statement is
oversimplified
And printing out the status so we know if the system args went in
right
and lastly we are looking up that query
For that we are using our function which has a list which specifies
more information about these people
So all we do is look up if the person is mentioned in any of the
list’s entries.
So if we look up ivan horvat we will get his info, and if we look up maja
horvat we will get her info
So anyway to add your new transform just make a Python script similar to
mine – you can of course add way more datasets and checks, just keep the
sys args and the print
Also sanitize Maltego’s input like I did with the person.fullname thing
And then just fill out this information that Maltego asks you when
you click NEW LOCAL TRANSFORM
Our entity type can be anything here so I’m gonna just put Maltego A.S.
Then you get the screen I mentioned earlier where you provide python3
in the first one, script name in the second one and the working dir
So anyways that’s it for today, I hope you learned something useful
and I hope you like Maltego – I like it and I’ve been using it –
If you have any questions let me know in the comments
And thank you so much for watching and have a nice day.
PYTHON CODE:
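#!/usr/bin/python3
import sys

# Join the arguments Maltego passes (at most two are used here).
person = " ".join(sys.argv[1:3])
person = person.lower()
# Everything from "person.fullname" onwards is extra data sent by Maltego.
person = person.split("person.fullname")
person = person[0]
# remove extra spaces
person = " ".join(person.split())
print("Looking up ", person, "\n")


def lookup(person):
    # Sample records: name, city, year of birth, sex, employer
    people = ["ivan horvat, Berlin, 1990, Male, Worked at Microsoft", "maja horvat, Zagreb, 1991, Female, Worked at Apple"]
    for k in people:
        # An empty query would match every record, so skip it.
        if person and person in k:
            returndata = "Personal data found: " + k
            return returndata
    return "No personal data found"


data = lookup(person)
print(data)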
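
The script above only prints to the output window. As an added example (not the author's script and not Maltego's own Python module), here is the same lookup returning its results as graph entities in the XML response a local transform writes to stdout. It assumes Maltego passes the entity value as the first argument and the extra fields as a second `name=value#name=value` argument; the dataset layout and the function names are constructed for illustration.

```python
#!/usr/bin/python3
import sys
import xml.etree.ElementTree as ET

# Constructed sample dataset (same two records as the script above).
PEOPLE = {
    "ivan horvat": {"city": "Berlin", "born": "1990", "employer": "Microsoft"},
    "maja horvat": {"city": "Zagreb", "born": "1991", "employer": "Apple"},
}


def parse_fields(raw):
    """Parse the assumed 'name=value#name=value' string from argv[2]."""
    fields = {}
    for pair in raw.split("#"):
        name, sep, value = pair.partition("=")
        if sep:  # ignore fragments without '='
            fields[name.strip().lower()] = value.strip()
    return fields


def build_response(argv):
    """Return the MaltegoMessage XML for the arguments Maltego passed."""
    value = argv[1] if len(argv) > 1 else ""
    fields = parse_fields(argv[2]) if len(argv) > 2 else {}
    # Prefer the explicit field; lower-case and collapse whitespace.
    name = " ".join(fields.get("person.fullname", value).lower().split())

    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    ui = ET.SubElement(resp, "UIMessages")
    record = PEOPLE.get(name)
    if record is None:
        note = ET.SubElement(ui, "UIMessage", MessageType="Inform")
        note.text = "No record for " + name
    else:
        for etype, val in (("maltego.Location", record["city"]),
                           ("maltego.Phrase", "Born " + record["born"]),
                           ("maltego.Phrase", "Worked at " + record["employer"])):
            ent = ET.SubElement(entities, "Entity", Type=etype)
            # ElementTree escapes <, > and & so input cannot break the XML.
            ET.SubElement(ent, "Value").text = val
    return ET.tostring(msg, encoding="unicode")


if __name__ == "__main__":
    print(build_response(sys.argv))
```

Building the response with an XML library rather than string concatenation means entity values copied from untrusted sources are escaped before Maltego parses them.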
So that would be all for today!
☕ Thank you so much for watching and have a nice day! ☕