Thursday, September 21, 2017

Linking individuals to organizations using network footprinting and leaked data.

Every year we train on Maltego at BlackHat USA in Las Vegas. This year we decided to submit a talk to Defcon – the notorious hacker conference right after BlackHat. For various reasons our talk was not accepted (Maltego being a commercial tool was right up there). At the last minute a slot opened up and since we were backup speakers Andrew MacPherson presented our work on the Saturday.

If you didn’t see the talk this blog post will go into a bit more detail on what Andrew presented. The talk had two main sections – a) finding useful information pertaining to Industrial Control Service (ICS) devices and b) finding embarrassing information. In this blog post I am going to focus on the latter.

We recently saw a talk from someone on using Maltego for infrastructure footprinting. We’ve been doing footprints in Maltego for many years and the tool is well geared towards working with structured data contained in DNS and related services – so it was big ‘told you so’ / ‘glad you could make it’ kind of thing. To read our blog post on the subject – click [here].  In the good old days of black box penetration tests an analyst would first perform an in-depth footprint of an organization to learn what networks belonged to it – and what services were exposed on it. These days this ancient art is almost forgotten since spear-phishing simply works better and more reliably (and is less work!).

In recent years a lot of data leaks occurred. Think back to the famous Ashley Madison dump and the chilling effect it had on people all around the world. When we looked at the data we saw that it also contained the IP address where the user signed up from (and yes, we know that email addresses were unverified…but transactions...less so). Combined with a verified network footprint we could connect leaked profiles to organizations – even when the user signed up with a non-related email address.

This is fairly mundane – unless you’re looking at interesting networks. Consider the following:

We can clearly see that one netblock stands out – so let’s concentrate on those IP addresses. We start by taking the network to its individual IP addresses:

Just out of curiosity let’s run the transform that checks for Wikipedia edits (from the IP address) against all of the IPs:

Turns out there are 473 Wikipedia edits made from 6 IP Addresses in the range. Some edits are pretty interesting, some less so:

Above just a sample - feel free to replicate this work at your own leisure.

Those 6 IP addresses are what we’ll call exit nodes for the organization – meaning those are where their browsing traffic is likely to come from.  

Armed with this info we can go ask if anyone in the Ashley Madison database signed up from any of those IPs. And – someone actually did:

We blurred the personal info. Because we're nice.

This made us wonder– what if you could do it with ALL the leaks – e.g. where ever there are signup IPs or IPs used at login in a data breach? We spoke to our friends at SocialLinks and they were happy to build us a transform that did exactly that (at time of writing not public). We could now query multiple databases at once. When running it on the 6 IP addresses we have:

In total there are 43 instances of the organization’s IP addresses contained within leaks that were made public.

The implication of this research (if you want to call it that) is simple. Firstly - you may think your organization cannot be connected to your online profile because you’re not using a work email address – but if you’re doing it from a work computer your IP address is most likely a dead giveaway. 

Secondly – from an attacker’s side of things the following. Footprints are useful not only for attacking computers but as we've seen also in finding unlinked email addresses, contextual information, etc. In other words - for crafting proper email payloads to targets - fit for a high yield phishing attack. And you can email them at home. When their guard is down. In the dark. Sneaking from behind. ðŸ˜‰

Baby seals,

Monday, June 5, 2017

Maltego 4.0.seventeen. / dezessete / семнадцать / seitsemäntoista / de diecisiete / 17 / 17 / 17 / 17

Hi there all the people of the Internet.

We are happy to show you Maltego 4.0.17. We fixed many mistakes in this release. We now remember proxy settings (again/better). We fixed font scaling in the OAuth service window. Since Ubuntu decided ifconfig no more we worked our way around it. Furthermore - in the transform hub we fixed the refresh button for custom entries.

We also introduced search functionality in the context menu as well as permanent search functionality in the entity palette.

Woot - this is a win!

PS:Japeneseのこのブログ記事全体を翻訳しましたが、ポールはそれがトップ...過ぎていると言っていました。 だから私はそれを取り除いた。 あなたが彼を見る次回は、あなたは彼を蹴るべきです。 ごめんなさい!

Friday, March 17, 2017

Maltego 4.0.16 is out!

Hi there,

We just released Maltego 4.0.16. The delta between version 15 and 16 is mostly bug fixes. We've made Classic and XL available as [downloads] as well as creating update files for people running older versions of Maltego:

From today we're going to try and give you an idea of what features and fixes we've implemented. Some client have asked for it and we think that it's just proper to have some sort of changelog. So here goes!

  • Numerous fixes for using Maltego with a proxy server. Specifically surrounding authenticated proxies.
  • Start-up stability issues addressed.
  • Support for POSTs in OAuth integration. There are a couple of other issues we've addressed in OAuth and there's a few we're still going to address in future releases. But it's a lot better!
  • Fair amount of cosmetics, spelling mistakes fixed.
  • Refresh button on transform hub items (sure all devs will love us for this!).
  • Factory reset now..uhmm... works...better.
  • Fixes viewlets that's been with us since - forever.

Hope this helps giving you an idea of what the devs have been up to.
Baby seals / enjoy the weekend!

Thursday, March 2, 2017

Maltego documentation is amazing! AMAZINGGG!

It's been said before that Paterva's documentation is not up to scratch and often out-dated. Lies! Lies! And damn lies!! However untrue this might have been I am here today to tell that we have sat down and put some real effort into updating all our documentation for the Maltego client, all our server guides as well as our developer guides. This shiny beacon of Maltego documentation goodness can now be found on the [Maltego Documentation Portal].

All the existing developer portal content has been migrated to this website and can be found under the Developer Portal heading in the navigation bar. We will also be discontinuing the existing Developer Forum on the 'dev portal'. If you've searched our documentation and you still have questions we recommend that you mails friendly questions to

That's all for now.


Wednesday, March 1, 2017

Bing v2 API is dead, long live v5? Also CTAS updates.

As some of you might have notice Microsoft is in the final throes of shutting down Bing API v2 and replacing it with v5 (v3 and v4...well...who knows). The new API is part of [Microsoft Cognitive Services]. MCS have some pretty cool APIs and as soon as they're priced right we might start putting more of them into Maltego. We've put this in here specifically for MS people. You know who you are. We've spoken to you. We know where you live....;)

Currently Maltego uses Bing for all the Search Engine transforms - these all end with '_SE'.

The migration to v5 was not always easy. The question enumerator in the server code had to be changed (a lot). Some options are not supported in v5. There are only 25 results per page. One of the biggest impacts the new API has is that its pricing model is significantly higher than the previous version. Microsoft was pretty helpful in the migration process but less helpful when we complained about the new prices. This means we *might* need to cut down this service for our community edition users - but let's see how it goes.

We will be changing our public servers to v5 when Microsoft literally pull the plug on v2. For our clients that have their own private CTAS servers - you can easily change over to the v5 API by simply applying a patch. Do the following:

Browse to the CTAS web interface. Click on 'Update Server' at the top. Click on 'Update Server Automatically' and .. wait. Soon the server will begin with the updating process. There is no need to reboot the server.

Once you server is up to date it will be using Bing v5 API and your Bing API v2 key will no longer be valid. You may want to read how to enter the Bing v5 API key on your server in our fantastic new CTAS guide here:

If you run into any trouble please drop us a friendly note at Enjoy!!

Thursday, February 23, 2017

We loaded new certs on our servers

Just a really quick note to say that - yes - it's us and not some nasty MITM - we've changed certificates on our servers. So when you see this...

...then you know what it's about. After our 4.0.5 update we're a little paranoid with checking certificates! You should check that the Modulus is the same, it's signed by Entrust and the Serial number match. If so you can happily click on 'Trust' and be on your merry way.

If you don't see this or the details are different it means you're not speaking to our servers...and you should be worried.

Happy days,

Tuesday, February 14, 2017

Maltego 4.0.15 is here!

We're happy to announce that Maltego 4.0.15 (for XL and Classic) has just been released. With it comes a whole host of bug fixes, improvements and new features.

What's new:
  • New tabular import wizard
    • Much (much!) quicker to import large amounts of data
    • Connectivity matrix helps you connect the dots
    • Auto-detection of columns and column entity types saves you time
    • Import multiple files at once - underrated feature of the month!
  • List view - back by popular demand!
  • Recent entities section in entities pallet so you don't need to search for them
  • Leaf selection (we should have had this in V1)
  • 100+ small bug fixes so things just works better.

Tabular Importer

Connectivity Matrix

The new connectivity matrix allows you to easily define the relationships between the imported entities.

Column Entity Types

You can now specify the entity type in the data headers.
E.g. A column with the heading "maltego.Person" will automatically be recognized as a Person entity, without having to do the mapping manually.

Import Multiple Files at Once

If you have your data split over multiple files, you can configure your column mapping once, and import all the files at once. Please note that the file layouts must all be identical.

List View

The List View can be used as an alternative to the entity view as a way to view a graph in a tabular format. The entity selection behavior and functionality is identical between the entity view and the list view. Changing from "Entity Selection" to "Link Selection" will display all the graph links of entities.

Leaf Selection

The new "Select Leaves" button allows you to quickly select entities that have no outgoing links and a single incoming link (so strictly speaking it's not a "real" leaf node... but we like it like that!).

To update your Maltego client click on the Application Button (left top), Tools -> Check for Updates:
This will update your Maltego to 4.0.15. We hope you're having fun with our latest update!