Introduction

We covered an introduction to Maltego for reconnaissance, information gathering and threat intelligence. We covered how to work with entities and transforms in addition to installing and configuring transforms.

We ran a few transforms to retrieve DNS, email address and IP address information. This video was part of the TryHackMe Red Team Recon room, which sits under the Red Team Track of the TryHackMe red team pathway.

Maltego OSINT Framework | Open Source Intelligence Tools and Techniques

Maltego is an application that blends mind-mapping with OSINT. In general, you would start with a domain name, company name, person’s name, email address, etc. Then you can let this piece of information go through various transforms.

The information collected in Maltego can be used for later stages. For instance, company information, contact names, and email addresses collected can be used to create very legitimate-looking phishing emails.

Think of each block on a Maltego graph as an entity. An entity can have values to describe it. In Maltego’s terminology, a transform is a piece of code that would query an API to retrieve information related to a specific entity.

It is crucial to mention that some of the transforms available in Maltego might actively connect to the target system. Therefore, it is better to know how the transform works before using it if you want to limit yourself to passive reconnaissance.

Getting Maltego Up and Running

First, I learned how to install and launch Maltego.

  • To install it if it wasn’t already on my system, I’d use the command: sudo maltego. The system would prompt me to install any missing packages.
  • To run Maltego, I’d use the same command: sudo maltego.
  • Upon the initial launch, I was presented with a few setup steps:
    • I chose the Maltego Community Edition, which is the free version.
    • I had to agree to the terms and then either log in or register for an account. I opted to use a throwaway email for this.
    • After logging in, Maltego began installing “transforms,” which are the core components that gather information.
    • I skipped some of the initial browser and privacy settings to get straight to work, choosing to open a blank graph.

Understanding Maltego’s Core Concepts

To effectively use Maltego, I realized it’s crucial to grasp a few key concepts:

  • Entities: These are the targets of my investigation. Think of them as the “nouns” in my reconnaissance efforts—things like a domain name, an email address, or a company name. I found various types of entities categorized on the left side of the interface, such as “Infrastructure.”
  • Transforms: These are the “verbs” of Maltego. They are the tools or operations I run against entities to gather more information. A cool aspect is that the results of a transform often become new entities themselves, allowing me to chain operations and deepen my investigation.
  • Transform Hub: This is where I could explore all the available transforms. I could filter them by various criteria like whether they were free, required an API key, or belonged to a specific category.

Practical Walkthrough with Maltego

I then walked through a practical example to see Maltego in action.

  1. Starting with an Entity:
    • I began by dragging a “Domain” entity onto the graph.
    • Then, I double-clicked it to input a specific domain name, like my own.
  2. Running Transforms on a Domain:
    • I learned that I could run transforms by either right-clicking the entity or selecting it and choosing from the “Transforms” list on the left.
    • Each transform had a clear description of its function.
    • I ran a DNS transform, which revealed a name server and a cloud DNS entity related to my domain.
    • Next, I tried an MX records transform, which showed me the mail exchange records.
    • I even attempted to extract email addresses, and one transform successfully found an administrative email linked to the domain registrar.
    • Important Note: I quickly realized that some transforms might require a different license or an API key, especially if they connect to premium services. The Community Edition definitely has its limitations. Also, it’s vital to remember that some transforms can shift from passive reconnaissance (gathering publicly available info) to active reconnaissance (directly interacting with the target), which has different implications.
  3. Exploring Different Entity Types:
    • Company Name: I created a “Company” entity and named it “TryHackMe.” I then tried to run a “to URLs” transform on it.
    • IP Address:
      • To get an IP address, I first used the command line: ping tryhackme.
      • Then, I created an IP address entity in Maltego using this IP.
      • Running a “to DNS names” transform on the IP address was quite insightful; it revealed several domain names and subdomains associated with it, such as blocked.tryhackme and docs.tryhackme.
      • From one of these newly discovered domain entities (e.g., tryhackme.com), I ran a “to IP address” transform, which showed me its associated IP addresses.
      • I also tried to get location information (e.g., “to Location,” “to GPS”) for some IP addresses, but this didn’t always yield results, depending on the database being queried and the target’s privacy settings.

Key Takeaways and Features I Noticed

  • I observed that the list of available transforms dynamically changes based on the type of entity I select, which is a very helpful feature.
  • Maltego isn’t just for basic reconnaissance; it’s also incredibly useful for threat intelligence. I saw entities like “Malware Family” and transforms related to social media investigations and analyzing historical content.
  • The Transform Manager is a neat feature that allowed me to see all installed transforms, delete them, or even create my own custom transforms by defining a display name, description, and the command line they would execute.
  • The Investigations Tab lets me start a new investigation, which essentially opens a fresh graph.
  • I also noted that entities can be imported and exported, and I could manage various options like the default web browser used by Maltego.
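The Transform Manager item above says a custom transform is defined by a display name, a description and the command line Maltego executes, and the core-concepts section describes a transform as code that turns one entity into related entities. As an added example (not code from the room, the video or Maltego itself), here is a minimal local transform in Python that follows that contract for a Domain entity: Maltego passes the entity value as argv[1] and any extra fields as argv[2], and the script answers on stdout with a MaltegoMessage XML document containing MX and NS record entities. The DNS data is a constructed offline table and the `record.type` field name is an assumption; the built-in entity type names are the standard `maltego.MXRecord` / `maltego.NSRecord`.

```python
#!/usr/bin/env python3
"""Minimal Maltego local transform: Domain -> MX/NS record entities.

Maltego runs a local transform as a command line, passing the selected
entity's value as argv[1] and any extra fields as argv[2] ("k=v#k=v").
The transform replies on stdout with a MaltegoMessage XML document."""
import sys
import xml.etree.ElementTree as ET

# Constructed, offline sample data standing in for a real DNS lookup.
# A real transform would swap lookup() for a resolver call; whether that
# is passive (asking a third-party DNS dataset) or active (querying the
# target's own name servers) is exactly the distinction the room warns about.
SAMPLE_DNS = {
    "example.test": {"MX": ["mail.example.test"],
                     "NS": ["ns1.example.test", "ns2.example.test"]},
}

def lookup(domain, rtype, table=SAMPLE_DNS):
    """Return the record names of type rtype for domain (empty if unknown)."""
    return table.get(domain.lower(), {}).get(rtype, [])

def parse_input(argv):
    """Return (entity_value, {field: value}) from Maltego's argv contract."""
    value = argv[1] if len(argv) > 1 else ""
    fields = {}
    if len(argv) > 2 and argv[2]:
        for pair in argv[2].split("#"):
            key, _, val = pair.partition("=")
            fields[key] = val
    return value, fields

def build_response(domain, table=SAMPLE_DNS):
    """Build the MaltegoTransformResponseMessage XML for a Domain entity."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for rtype, etype in (("MX", "maltego.MXRecord"), ("NS", "maltego.NSRecord")):
        for name in lookup(domain, rtype, table):
            ent = ET.SubElement(ents, "Entity", Type=etype)
            ET.SubElement(ent, "Value").text = name
            extra = ET.SubElement(ent, "AdditionalFields")
            # "record.type" is an assumed custom field name, not a Maltego one.
            ET.SubElement(extra, "Field", Name="record.type",
                          DisplayName="Record type").text = rtype
    msgs = ET.SubElement(resp, "UIMessages")
    ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = (
        f"{len(ents)} record(s) found for {domain}")
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    dom, _fields = parse_input(sys.argv)
    print(build_response(dom))
```

Registered in the Transform Manager with the command line `python3 /path/to/this_script.py`, the returned entities appear on the graph linked to the Domain entity, just like the built-in DNS transforms.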

Overall, I found Maltego to be an excellent tool for visually mapping out reconnaissance data, and it really highlighted how information gathering success can depend on the target’s privacy settings and the databases Maltego queries.

TryHackMe Red Team Recon Room Answers

What is the name of the transform that queries NIST’s National Vulnerability Database?
 

What is the name of the project that offers a transform based on ATT&CK?

 

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
