Ethical hacking: Passive information gathering with Maltego by Blackhat Pakistan 2023
Today we will learn about Ethical hacking: Passive information gathering with Maltego.
In this article we will deal with the passive collection of information. First, we’ll look at how we can use Maltego, a common information gathering tool, to conduct this form of research. Working through Maltego hands-on, we’ll see how you can obtain IP addresses and subdomains and perform various levels of exploration to inform your intelligence gathering exercise.
What is information collection?
During penetration testing (the hacking process), you will need to follow a methodology that will guide your hacking. Gathering information is usually the first step. It is the process of obtaining information about a target before we can attack it.
Hackers can use two main types of information gathering:
Passive Information Gathering: This is where you get as much information as possible about the target without making any contact between yourself and the target. The chances of being discovered here are extremely low, as you will mostly be using information that is publicly available. There are many tools that can help you with this.
Active Information Gathering: This is where you get as much information as possible and still make contact with the target. The chance of detection is much higher here than with passive information gathering. You need to be careful when using the tools here not to cause too much noise in the network to avoid detection by intrusion detection systems and SIEMs.
The importance of gathering information is that it informs your attack. You need to have as much information as possible before you can start attacking your target. This is by far the most challenging step in performing penetration testing, as you will want to be aware of all the attack vectors that can be exploited before penetration testing can begin.
According to Christopher Truncer, a Red Teamer with Mandiant, “the main challenge is to identify relevant and reliable sources from … publicly available information.” This step is time consuming, but the reward is worth it.
How can information be collected?
Information gathering can reveal a great deal of useful information based on what type of information gathering is being done. You should try to get as much information about the target as possible. According to Mark Czumak, “…just because you’re interested in www.target.gov doesn’t mean you should limit your passive research activities to that address. If you do, you may miss some valuable information and/or vulnerabilities. Useful sources can be WHOIS, Google, Maltego, Intercepting Proxies, Web Spiders, Netcraft and sites like Pastebin.com.”
The types of information that may be discovered through passive information gathering include:
- Subdomains and public IP addresses
- Usernames and passwords
- Directory listing (directory indexes)
- Publicly available sensitive documents and files
- Leaked credentials
The types of information that may be discovered through active information collection include:
- Disk sharing
- Open ports in applications
- Application and platform versions
- API keys
- Technologies used
- Infrastructure details
- IP address ranges
Now that we understand what intelligence gathering is, let’s discuss how we can achieve this with Maltego.
What is Maltego?
Maltego is application software used for open-source intelligence and forensic analysis and is developed by Paterva. It focuses on providing a library of transformations for discovering data from open sources and visualizing this information in a graph format suitable for link analysis and data mining.
Imagine all the information that can be obtained from whois lookups, or the information that a DNS lookup tool can obtain from public DNS servers, or even the emails and hostnames that can be obtained from TheHarvester (using Google and Bing). Maltego does all this and more, using the same open source transformations, then presents it all in one application and in an easy-to-see graphical way.
Paterva provides two licenses that can be used, a commercial version and a free version. We will focus on the free version, otherwise known as the “Community Edition”. This version is pre-installed in Kali Linux.
What features does Maltego offer?
Maltego CE, which we will discuss in order to keep things as universally applicable as possible, comes with some limited features. These features include:
- Ability to share real-time charts with multiple analysts in one session
- Ability to return up to a maximum of 12 entities per transform for CE
- Providing collection nodes that group common features
- Ability to export to various formats including jpeg, PDF and GraphML
Please note that the paid version will offer many more features than the above. Once you’ve been working with the free version for a while, you’ll have a better idea of whether you need additional features in the commercial version.
How do I get Maltego up and running to gather information?
To run Maltego on a Kali Linux terminal, type maltego and press “enter” as shown below:

Once you have done that, choose “Maltego CE (Free)” as shown below, then click “Run”:

You will then be required to accept the license agreement. You can do this as shown below:

Press “Next,” then perform your login using the provided credentials below:
Username: [email protected] Password: Maltego210
This can be seen below:

After the login is successful, you will see the screen below:

Once you are done, the transforms will get updated and you will have a result similar to the one below:

Press “Next” and you will have a screen asking you to help Maltego by sending error reports. Press “Next” again and select your privacy mode. We selected “Normal” in order to have the richest Maltego experience. See the screenshot below:

You will then be presented with the screen below. You can either choose to open a blank graph, open an example graph or ignore the two and proceed.

What are transformations and how can I run them within Maltego?
Transformations are pieces of code that retrieve related information for a given input. The retrieved information is then formatted and returned as entities to Maltego. Transformations are extensible. This means that other transformations can run on their output.
To perform the transformation, simply drag an item from the leftmost palette onto the newly launched Maltego tab. An item can be any of the many subcategories on the left, e.g. infrastructure, personal, location and so on.
Once the item is dropped into the workspace, you can simply change the value/name by double-clicking on it and typing the desired value – say, changing the domain to the target domain.
In the “Infrastructure” section, we select “Domain” and change its value to infosecinstitute.com, replacing paterva.com. Check out the screenshot below:

To run a transform, simply right-click anywhere inside the current workspace and pick a transform of your choice. Maltego will run it and reply with a graphical display of the findings as well as the relationships. We right-clicked on our domain and selected “all transforms.” This is shown below:

The screenshot below shows us selecting “To DNS Name – MX”. This transform returns all the mail servers as discovered by Maltego.

As can be seen below, Maltego returns all the discovered mail servers.

We can determine sub-domains belonging to infosecinstitute.com by using the “Robtex” database. We do this by selecting the “To DNS Name [Robtex]”. The following shows the discovered sub-domains:

We can also enumerate IP addresses using the “Shodan” transformation. Shodan is an open source intelligence gathering website where information about people and devices (such as cameras, servers, and printers) can be obtained. We can get this transformation from the “Home” tab and “Transform Hub”. Before we can use this transformation, we need to include our Shodan API key.
Once we’ve done that we can go to “All Transformations” after adding our domain and then go to “ToDNSNname [Shodan]”. From there we can get the DNS names we didn’t list before. We can also go to “ToIPV4Address with hostname [Shodan]”. Here we can get IP addresses using Shodan but via Maltego.
The screenshot below shows the detected IP addresses and the new subdomain not previously discovered above.

What are machines and how can I operate them within Maltego?
Machines are scripts (or macros) that run multiple transformations with different filters. Machines are able to complete tasks such as domain footprinting. It is possible to create your own scripts using your own scripting language. This is covered by the Paterva developer portal. Available machines that you can operate include:
- Company Stalker: This machine will try to get email addresses from a given domain, check social networks for possible relationships and extract metadata and then document it.
- Wikipedia Edits: This machine searches Wikipedia for all available edits in a given domain. We ran the machine against our domain and were able to get the following graph. Note that even though no Wikipedia edits have been made, Maltego still lists a lot of similar information as seen with the Company Stalker machine.

- Machine Traces: Traces can be made from L1 to L2 and L3. Footprint L1 is rather basic and quite fast, with L3 being the most resource intensive footprint level. The screenshot below shows the graph we were able to get when we ran the L3 machine against the infosecinstitute.com domain.

Notice that at this level, we are able to obtain much more information than at any other level above.
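The transform and machine concepts described above can be modelled in a few lines. This is an added example, not Maltego's or Paterva's code: each transform is a function from one entity to related entities, and a machine runs every applicable transform breadth first with a filter and the CE cap of 12 results per transform. The DNS records, the `example.test` domain, and all function and registry names are constructed for illustration.

```python
from collections import deque

CE_LIMIT = 12  # CE returns at most 12 entities per transform (figure from the article)

# Constructed sample records standing in for public DNS data; not a real target.
MX = {"example.test": ["mx1.example.test", "mx2.example.test"]}
SUBDOMAINS = {"example.test": [f"host{i}.example.test" for i in range(15)]}
A = {"mx1.example.test": ["192.0.2.10"], "mx2.example.test": ["192.0.2.11"],
     "host0.example.test": ["192.0.2.10"], "host1.example.test": ["198.51.100.7"]}

# A transform maps one input entity (type, value) to a list of related entities.
def to_mx(entity):
    return [("MXRecord", v) for v in MX.get(entity[1], [])]

def to_dns_name(entity):
    return [("DNSName", v) for v in SUBDOMAINS.get(entity[1], [])]

def to_ipv4(entity):
    return [("IPv4Address", v) for v in A.get(entity[1], [])]

# Hypothetical registry: which transforms accept which entity type.
TRANSFORMS = {"Domain": [to_mx, to_dns_name],
              "MXRecord": [to_ipv4], "DNSName": [to_ipv4]}

def run_machine(seed, keep=lambda e: True, limit=CE_LIMIT):
    """Run every applicable transform on each newly found entity.

    Returns (entities, edges). `keep` is the machine's filter and `limit`
    caps the results kept from a single transform run.
    """
    seen, edges, queue = {seed}, [], deque([seed])
    while queue:
        src = queue.popleft()
        for transform in TRANSFORMS.get(src[0], []):
            results = [e for e in transform(src) if keep(e)][:limit]
            for dst in results:
                edges.append((src, transform.__name__, dst))
                if dst not in seen:  # a shared node (one IP, two hosts) links the graph
                    seen.add(dst)
                    queue.append(dst)  # transforms run on other transforms' output
    return seen, edges

if __name__ == "__main__":
    entities, edges = run_machine(("Domain", "example.test"))
    for src, name, dst in edges:
        print(f"{src[1]} --{name}--> {dst[1]}")
```

Run against an inventory of your own organisation's records, the same loop shows how far one public domain name fans out and which hosts share an address.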
What are the other applications of Maltego?
We have now looked at the basic and most common uses of Maltego. However, it can also be used to conduct research on:
- Infrastructure, such as IPv4 addresses, DNS names, banners, NS records, network blocks and web pages
- Locations, such as circular areas and GPS coordinates
- Malware information, such as hashes
- Network ports within the network (sometimes combined with banners)
- Personal information, such as photos, email addresses, phone numbers and aliases
- Tweets, to reveal as much information about them as possible
It is possible to get very deep information when using Maltego. However, you should keep in mind that some transformations and machines are very resource intensive and could cause your system to freeze.
Conclusion
In this article, we looked at how Maltego can be used to gather information about domains as targets. From one domain, we have seen that it is possible to obtain multiple subdomains that can be used in an attack or pentest. We also discussed the different machines that Maltego comes with. We also saw that you can purchase transformations or install them for free.
Maltego is one of the most popular and powerful passive data collection tools available today. We encourage you to test the other features it provides to appreciate its power. Have fun doing it and happy hacking!
Sources
- A Guide to Open Source Intelligence Gathering (OSINT), Medium
- Machines Tab, Maltego
- What is a transform?, Maltego
- What are the features of Maltego CE?, Maltego
- Passive Intelligence Gathering and Analytics – It’s all Just Metadata!, Troopers
- Passive Reconnaissance, Security Sift