Monday, December 23, 2013

Christmas special. Another useful Paterva tradition.


It's that time of the year again. When going grocery shopping feels like scene from The Walking Dead. Human meat density coefficient just waaay to high. Going to the office feels like a scene from The Walking Dead (but another episode). Not fun either way.

Since we moved to Cape Town about 3 weeks ago we still don't have formal offices and as such I am working from home (Andrew is back up in Gauteng spending time with family). I suspect many of you are doing the same - still very much connected, online and reading those emails marked as 'I'll get back to that when I am not so busy'.  Pro tip - start with 'Sorry for not getting back to you earlier'. It's already weird. Just face it.

Every year we run a Christmas special. And it's really a special - not a silly 10% off. In 2011 it was 50% off. In 2012 it was 33% off. This year -2013 - it's 50% again. We're all for consistency.  That means you get the commercial version at $380. Remember - the community edition is still FREE. We know that at $380 it's hardly an impulse buy - so you want to get your boss/FD on the phone (if he is not relaxing next to a pool with a G&T) and convince him that this REALLY only happens once a year!

The special is aimed at the people that are still hard at work at this time of the year. It's your reward for being the backbone of the 'skeleton staff'.

Enjoy the festive season. Show restraint when it comes to family matters. Embrace social awkwardness. If you're reading this you're probably the weird uncle...

Oh. Ya. The coupon. It's "GiveMaltegoAsAGift". Try it as a gift. Your wife / husband / girlfriend / boyfriend / dog / cat / pet ferret will enjoy our technology!

Note: Offer runs from today to the 26th of Dec.

Friday, November 8, 2013

Maltego CaseFile v2 released!

Maltego CaseFile version 1 was really cute. You could draw pretty pictures with it and show it to your friends. We even made a Game of Thrones graph with it - because we had friends that did not read the books and only started watching it at Season 3. And we were tired of explaining all the intricate relationships to them.

We didn't give CaseFile a lot of attention. In a way it was like washing your elbows. You wash your face and under your arms and so on.. but you don't actively think about washing your elbows. It's not like you would tell your child "Hey Pietie - make sure you wash your elbows tonight OK?". And so it was with us and CaseFile.

We released Maltego Tungsten at BlackHat USA in August this year. For the next couple of months CaseFile would sit next the Tungsten on the website. It would look at Tungsten with envy. Tungsten was shiny and new. It had nice shoes and a pretty dress. It was all grown up. CaseFile was left behind and it seemed that nobody at Paterva cared. CaseFile cried a little bit.

But then something wonderful happened! The developers picked CaseFile up from the shelf. They dusted her off. They gave her new shoes and a pretty dress - as pretty as Tungsten's. They gave her a complete makeover and called her CaseFile version 2.0. They loved her again - they gave her a new splash page and made a cool new video with her name in lights and they talked about her all day long:

CaseFile was happy again. And you could be too.
Download a fresh copy now from our website (

Thursday, October 24, 2013

Andrew makes a blog entry! Also the story of KingPhisher!

Hi Interwebtonians,

It has been absolutely ages since I have written a blog post - and its not from the lack of prodding from Roelof. We have genuinely just been busy!

Predominately I want to show you some of the work we had to do for Blackhat 2013 - my first BH talk ever! My section of the work was what we ended up calling 'KingPhisher' as well as the multi-threaded Python script to crawl websites for some parts of 'Teeth' (Roelof's offensive Maltego transforms).

    Video: [HERE]
    Download: [HERE]

A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email and include a link on which they *will* click. Additionally we have used Maltego to gain context on people for a while, specifically using social networks (including transforms provided commercially via the SocialNet package). We also accept that there are certain types of mail we seldomly check (in terms of headers/other), we have been semi-programmed by automatic spam filtering and anti-virus to notify us if something is bad. Bottom line -- we don't inspect every link on every mail and we doubt if you do too.

So with this in mind we decided to integrate the two sides - 1) targeted phishing attacks and 2) information gathering in Maltego.

The first _really_ exciting part for me is that we took the first steps towards protocol 3, what's known as graph in/graph out. In this case it was just sending the graph out, but it meant that we could finally receive context on the entities sent to transforms! It uses the new 'Send to URL' transform that POSTs the graph data in XML to a specific script (e.g. http://zer0cool.tld/graphin.php). This script then returns a URL to Maltego which in turn starts a browser with that page. What this gives you is the ability to do customised exporting of data for things like viewing graphs online, reporting or doing additional data mining based on context (NOTE: There is a limit of 50 entities for this 'transform').

Please note I have added this transform to a set so that I dont need to go find it.
(Sets can be managed under the manage tab->Manage transforms)
The first section tackled was the Maltego side of things which has been done before. You can give it a go yourself within the tool or watch our videos. Having context on the graph means you can do something like Person->Email->social network membership. It means you know a) the a persons name, b) you know their email address and you know they use it for social networking and c) you know what their social network profile is. From the social network you can mine for particular types of information that you can leverage for the phishing attack.

In the above example we see that relates to my Facebook account and that I use for my Twitter account with an Alias 'AndrewMohawk'.

This takes us to the second part - the KingPhisher web application. This web application is made up of the following sections:
  • The 'receiver' accepts the POST of the graph from Maltego and stores it in a local sqlite database, then returns a URL to Maltego which is automatically opened.
  • The 'wizard'/interface. This is the wizard/interface that will be used to craft templates based on information available in the graph.
  • The 'sender'. This is merely a PHP SMTP script that you can move around to send the actual mail. It ensures you can keep the wizard/main interface separate from the machine you send mail from.
  • The 'catchers'. These are fake websites used to attempt to capture credentials (where needed).

The receiver parses all the XML and works out what is connected into 'trees' that compromise of a parent and N children - where at least one of the entities, either parent or child - is an email address.

Two 'trees' shown from the previous graph

The Wizard will look at the 'trees' and figure out which templates are available for use. As an example, if a tree has a Facebook profile we can use a Facebook template as well as generic ones that don't require additional context and if it had a Twitter account we could use a template relating to Twitter as well as the generic templates.

Once you have selected a particular tree and a template you can then configure it. Each template has one standard configuration option that determines how the link would behave. The options are:
  1. Clean redirect - simply changes the link to a location you have selected.
  2. Bounce redirect - changes the link to a KingPhisher 'catcher' which once browsed to will redirect the target to a user selectable location. It will also capture and store the user agent and IP address.
  3. Collect - This will redirect to a catcher that will look like a legitimate website. It also captures the user agent and IP address as well as any credentials entered into the fake website.  In future these sites could/should be made a little more intelligent by only serving sites if the target is coming from the correct IP range or serving different websites based on the user agent. 
The wizard screens are shown below:

The templates available to this email address based on the context

The template settings for the Twitter template where the "fromProfile" field
has been entered by the attacker

The rendered version of the template ready to be sent out

Once the templates have been selected and configured they can be viewed and saved. When everything is fine tuned the emails can be sent out to the targets. The sending process is routed via the 'sender' script which can either live on the same machine as the interface/wizard or anywhere else on the Internet.

Getting templates into the actual mailboxes without them hitting spam filters proved particularly difficult as there were 3 main things that common email providers seemed to look for:
  1. SPF/DKIM for the domain you were using for the spoof address - this means no email from *, * etc.
  2. The DOM markup of each template (if it was too similar to the original one it was flagged) -- so no stealing of templates.
  3. Particular phrases within templates - this was probably the trickiest to get around as often it was strings like company address or name. It took a few runs to get it right!

Once we had got around these (you can see the email addresses and templates we use in the code) the mails were delivered to the inboxes of our targets (in this case my Gmail account):

The newly received Twitter email

The opened email in my mailbox (not flagged as spam and from "Twitter")

The fake Twitter site

After this process has been completed the attackers can then sit back and enjoy watching their Maltego machine run. The machine will query the KingPhisher server for campaigns (emails sent out), then retrieve those email addresses and any additional information (UA/IP for 'bounce' type links and the posted fields/other collected data for the 'collect' type links).

The sequence of transforms in the machine are shown below:

At this stage the user has not entered any details into the fake site,
merely opened it and his/her UA and IP are collect

The users details entered into the fake site.

To get KingPhisher you can go to and download the ZIP package. Inside the ZIP are a number of documents relating to installation as well extending the interface, creating templates and so on. Have fun!

So long and thanks for all the shoes!

Thursday, October 17, 2013

New version of CaseFile, Tungsten updates, prices

Hello people of the Interweb. We have some news for you.

CaseFile v2
We're happy to announce that very soon, we'll have a new CaseFile version coming out. It will contain all the graph sharing goodness you've come to expect of Maltego Tungsten, but in a CaseFile package. This means teams of analysts working with offline data can share graphs in realtime and even chat with each other.

CaseFile is like Maltego - but without transforms. We've realized that not all analysts need transforms - why do you have to pay for it? CaseFile used to be a glorified sketching application (selling at $200) with seamless compatibility with Maltego. Now, with real time graph sharing it's a lot more. We will be releasing CaseFile v2 very soon. Hereby a splash screen candidate of v2:

Tungsten update
We've created a new update for Tungsten - it solves a couple of pesky bugs we've had in the past, plus allows for better compatibility with XMPP servers (your own, public, or dedicated Paterva Comms servers). This hotfix will be released soon.

Changes in pricing
Maltego has been priced at $650 for the last 450 years. With inflation and all of the new goodness in Tungsten we've reluctantly decided to increase the price to $760. I wanted to do this on the 13th of October but Andrew shouted at me and said that we haven't given our users fair warning. Thus - the increase will (for real) happen on the 25th of October. You've been warned! The renewal rate of $320 will not be changed and as always, users with valid licenses will get any upgrades free of charge.

Koebaai julle, koebaai.

Saturday, August 17, 2013

Vegas feedback, Tungsten release, Teeth install, KingPhisher etc etc.

After what seems to be a lifetime we're back safe and sound in South Africa. It's been a long trip - after Blackhat/Defcon we traveled a little further north west to conduct (another) four day training course.

Blackhat training
We trained two courses at Blackhat - back to back. In total - 42 students. It was fun. We mostly had skilled students and it's always great to see their 'AHA!' moments - when all the pieces come together and they understand our vision.

A pivotal moment for me personally was when I complained that my feet hurt on day 3 of BH training and the training room cleaner (an elderly man that's been in the war in Sarajevo) told me 'you're getting paid for this yes?'.  He survived a war and was cleaning rooms in a hotel in Las Vegas at minimum wage and I was complaining that my feet hurt. Perspective++.

Blackhat talk
The day after training we had our talk. All the demos worked (a special thanks to the networking guys for those 2x Ethernet drops installed overnight!). But I was not super happy with the talk. It could have gone a lot better. Our feedback was good and I think people enjoyed it. Perhaps I had too high expectations. See confetti/dancing girls/trumpets later...

Tungsten release
We had a lot on our plate for Blackhat. We trained two courses, we did a talk and had to develop a lot of new tech for the talk (more on that later). But the main event - we released a major new version of Maltego called Tungsten. We normally release the commercial version first and then the community edition but we knew it was not going to fly at Blackhat. We had to have the community (free) edition ready too. And since we were showing our tech inside of Kali Linux - we had to have that version ready too.

Two major trees - commercial and community, times three for Windows (JRE32/JRE64/plain), three for Linux(RPM/DEB/ZIP) and one for OSX. And the Kali release. That's (2 x (3 + 3 + 1 )) + 1 = 15 builds.... at 74MB a pop - all uploaded and ready before we hit the plane to Vegas.

The talk was at 15h30 on the Wednesday. The Offensive Security guys had the Kali release and they were ready to 'push the button' on it *during the talk*. All was set. But then - on Wednesday morning (after the speaker's party the night before) I was awaken by a Skype chat message from Dookie saying 'Good morning - I think there's something wrong with the Kali release'. It was 9 AM and we did not have a Kali release. Got on the phone to SA, interrupted dinners, gym sessions. Our team and the their team got together in the space of 15 minutes and by 11 AM we mostly fixed the problem (OpenJDK issued a patch for OpenJDK6 on Debian two days earlier and it was breaking our ribbon). Everyone was so committed to make this work!

Just before we walked into our speaking room we moved the files to make the Tungsten release live. During the talk I looked for Dookie (OffSec) in the audience - he was standing at the back. I said '..and you can get this now on Kali', looked at him and he nodded. Tungsten was live! But somehow it was an anticlimax.  Our team worked on the release for more than 6 months. It was reduced to a 5 minute demo and one sentence - 'you can get it now'. Someone in the audience mumbled 'Cool...'. I was thinking 'fscking understatement of the year'. Perhaps I expected dancing girls, trumpets and confetti.

In time we'll do a proper Tungsten video to show just how 'cool' it really is. Perhaps we'll include dancing girls/trumpets and confetti.

Part of our talk was about Teeth and KingPhisher - two tools that give more offensive type of capabilities to Maltego. We released the tech free of charge - and it can work in both the commercial and community editions of Maltego. To get it simply do the following from a Kali terminal:

apt-get update
apt-get install maltego-teeth
apt-get install maltego    (this to upgrade Tungsten)

Start Maltego, click on the globle (top left) -> Import -> Import configuration and select the file /opt/Teeth/etc/Maltego_config.mtz

You're good to go! We've even made some videos on Teeth and KP (click on images to view):

And there is more - we also wrote a paper called 'Maltego Tungsten as a collaborative attack platform'. It's a fun read - not academic at all and you can find it [HERE].

Finally - the KingPhisher app (as well as some stuff Andrew coded for Drozer) can be found [HERE]

Final words...
Normal programming will now resume. And remember - enjoy your new shiny toys responsibly!


Monday, June 24, 2013

UK based Magicians / Illusionist

A quick post.

I love to watch Derren Brown's shows. I wondered if he was on social media in a private capacity so started mapping relationships between people he works with. In the process I saw a large cloud forming around UK based illusionists, mentalists and 'magicians' and decided to focus on them.

If you ever seen a closed hyper connected community of people - here is the map:

Tuesday, April 23, 2013

BlackHat 2013, Tungsten preview, Trees

Hi all,

We decided to do a quick recap of what's happening around the Paterva office the last couple of weeks. 'Why?' you ask. Well - we recently had some visitors to our offices - they only followed our blog and not our Twitter account (@paterva if you wondered) and they were clearly uninformed about what we're up to.

Blackhat 2013

We recently showed Maltego to a group of hard core pen testers. Initially they were quite doubtful about how useful Maltego could be for them ('yes it makes pretty pictures - so what') - but after about 45 minutes we won them over and by the end of the day they bought licenses for the entire team and were making plans to integrate Maltego with their own tools. It yet again illustrated to us that it's not the tools you have but how well you know and use them. This is why we train at BlackHat USA in Las Vegas. At the end of every class students walk out saying 'We never knew you could do this with Maltego' and 'We never knew it was this powerful'. Sure - this is marketing speak - but it's also the absolute truth. Bottom line - if you work in security or cyber intelligence - come to our course or send your team to our course. We guarantee it will be worth it. For more info on what we teach, course structure and fees - [click here].

Seeing that we're in full disclosure mode - we also submitted a talk for the briefings. The talk is all about creating a collaborative attack platform. In other words - it will show how can a team of attackers or analysts can use Maltego at the same time. Expect a bunch of interesting transforms... If we get accepted we hope to show something truly amazing (and hopefully super scary). Also if all goes well we'll also release Maltego Tungsten at the conference. 

Maltego Tungsten - preview

With over 600 subscribers and more than 100 thousand views our [YouTube channel] (or AndrewTV as some calls it), has become quite popular. Our latest video - it's really short (about 2 minutes) - gives a sneak peek at how collaboration is going to work in Maltego Tungsten. Click on the image below to take a look. We're pretty damn excited about it!

It's also the first time we've used multiple cameras, a jib and a boom mic. Although the video seems straight forward it was pretty challenging. We now have over 20 Maltego videos on our channel - most of them tutorials.


The last little bit of sad news is that our landlord decided to cut down some of the trees around the office. It does mean that the grass will now actually grow (and won't just be moss and gravel) and that we'll have a bit of natural light in the office, but still - we're sad to see them go. Counting the growth rings on the remaining trunks they were 25, 30 and 45 years old. Somehow it just seems wrong.

Paterva will be secretly planting 5 more trees in the garden.
сажать деревья! сажать деревья!! сажать деревья!!!

That's about it for now!

Monday, April 8, 2013

TRX - Framework for writing Python transforms with the TDS

Hi there people from the Interwebs,

We wrote a 'framework' for writing Python transforms with the Maltego TDS. It's called TRX and it's pretty light, easy to use and very hip. It should see you writing kick ass transforms in no time - a complete transform could look as simple as this:

def trx_DNS2IP(m):
  TRX = MaltegoTransform()
    DNSName = socket.gethostbyname(m.Value)
  except socket.error as msg:
  return TRX.returnOutput() 

The document nicely explains the differences between local transforms and TDS transforms and also includes a complete entity reference guide as well as addressing the confusion between V2 and V3 entities - a must read for any transform developer. The document also takes a look at the future of the TDS.

Here is the index of the document - click to read.

Finally the framework / source code can be found [here]. We recommend that you print out the guide and keep it next to your bed. Or in the bathroom - where ever you are going to have the most free time.



Thursday, February 28, 2013

Maltego Tungsten...

Video of alpha release -- soon...


Friday, February 22, 2013

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite per chance we decided to load all the DNS names (FQDNS) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW- it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to

Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. Only the people that registered the domains would know. Which might be the APT1 group. If they're really a group. And we don't really care...

Here's a graph that clearly shows multiple IPs in use, and obvious collusion between domain owners.

We've also looked at countries, NS records, netblocks, AS numbers, whois details (some are interesting!) etc. It's hard to conclude anything from the info without knowing how the data was obtained. There are some patterns for sure. Names pop up more than once. Some address schema.

In the end we can only hope that you enjoyed our marketing material.

Tuesday, February 19, 2013

CCC: China! C300!! Collaboration!!!

It's seems we should call it Cebruary as everything that happens this month seems like it's C-ish.


China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:

Somehow related - the zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the same as your grandma's internal IP range at home.

2. Almost all of the infrastructure is located in China (no surprise), but there were two or three IPs in the US (surprise). Initially we thought that was a bug in the IP2Location transform. So we checked it by hand. Sure enough - it's in the US.

Of course this is where we stopped because we are civilized, suit-wearing responsible adults. But someone (you know who you are) did not. They proceeded to nmap all of these in Maltego. And then mailed us the graph (while it's interesting, we did not ask for this). It even prompted Roelof to Tweet the following:

Of course the graph is interesting. It shows that, if you were to do a conventional infrastructure over-the-Internet attack [that's 90s - Ed], it looks like there's a nice cosy attack surface  [it's a giant honeypot - Ed]. In the graph below we ONLY look at port 23 (telnet) and 22 (SSH):

Why is this picture so blurry? Ag no man - don't be silly! We're pretty sure the Americans/pick a 1st world country are not sitting on their hands either and have pictures just like this on their pretty 4K projectors. In fact - we would just love to see the (translated!) Chinese intelligence reports on US based attacks...

[C]anon [C]300

Canon South Africa was nice enough to let us use their spare C300 for a week. A week! It meant we had to do a lot of videos in a short space of time. We ended up doing three. One we are keeping for the BlackHat CFP prize. The other two we put out on the Interwebs. The first one is just a recap of navigation in Maltego. We did this as our nerves were getting pretty thin with people navigating Maltego with scroll bars. The video was shot at a dairy that's across the street from our office (no really). What made the video really interesting was the fact that a black swan chased Andrew around. Here is a still of Andrew gracefully defending himself with a metal table. For more - click on the video below:

The second video was a lot more serious. Andrew wore a suit. OK, he didn't but the video was a lot darker and moody. We looked at how you could use Maltego with Machines that run perpetually to create a type of intelligence dashboard. Furthermore we showed how you can easily create alerts in Maltego - in our case when two people phoned that same 3rd party. Here's a still from the video:

Why does Andrew start with 'Hi James'? It's a tricky question. Ask him next time you see him. It's a nice video and although we released it on a Friday afternoon we almost have a thousand views on it today.

Thanks to Canon for letting us use their C300! Now we just need to convince the guys at RED to do the same...


Last Friday we went to the developer's cave to get a demo of collaboration. It's VERY freaky to see how a Maltego graph updates on a untouched computer. It's also quite fabulous and it's going to change everything. Oh, and we also support real time chat right inside the client. Best part - NO SERVER required. Unless of course you're paranoid and don't believe us that the messages are 256 bit AES encrypted with an user chosen passphrase. Then you are welcome to buy your own comms server.

As soon as we have something that is barely stable we'll show you. It's SOOOO cool!! [OK we can all see you're really excited about it, but please contain yourself - Ed]