Monday, May 9, 2011

Information Gathering with Maltego CE

We’ve been delving rather deeply into reconnaissance tools lately and I wanted to cover at least one last one before moving on to the next phase of a pen test, “Scanning”.

Maltego CE (CE stands for Community Edition, which means “free”) is an absolutely fantastic tool for performing reconnaissance work on any object you can think of: a person, an organization, etc.

INSTALLING MALTEGO COMMUNITY EDITION

First, you need to download and install Maltego from the www.paterva.com web site. If you’re running Windows, you’ll have two choices: pick the “EXE+java” option if you don’t already have a Java Runtime Environment (JRE) installed on your machine, and the “EXE” (only) option if you do. You can check whether a JRE is already installed by opening a command prompt, typing “java” and hitting “Enter”; if you get a response back, Java is installed.

If you’re running Ubuntu or Backtrack, you’ll want to install the “deb” version onto your machine (Ubuntu, Debian and Backtrack all install .deb files). The same Java check applies on Linux.

Next, fire up Maltego and login to the Community Server.

Step 1. You’ll be prompted to login to the Community Server. Create an account or login with one you’ve already created.

Step 2. You will then be presented with a blank canvas on which to start mining data. Maltego does not have the most intuitive interface, but once you learn how it works it becomes rather easy to navigate, so let’s go over the basics here and you’ll soon be mastering it on your own.


INTRODUCTORY DATA MINING WITH MALTEGO

For our first example, let’s say we wanted to find the phone number of an employee of a certain company. First, we’ve got to become familiar with Maltego’s palette of “entities” we can use to search for information on the Internet. This palette is located on the left side of the screen and is divided into two sections: “Infrastructure” at the top and “Personal” at the bottom. These are all the different types of entities we can have Maltego go mining data for.

So, if we wanted to find EMPLOYEE INFORMATION for a particular domain, we’d start with the “domain” entity under the “Infrastructure” section of the Palette to start searching data. Why? Because we’re going to use this entity to specify the web domain (usually of the target company) we’d like to find Employee Information about.

MINING DATA FOR EMPLOYEE INFORMATION

Step 1. Click on the “Domain” entity and drag it to the canvas in the middle of the screen. You will be presented with a Domain entity on the canvas, prepopulated with “paterva.com” in it. However, this is a default entity and you will need to fill in some information for Maltego to start mining data. Click on the entity to highlight it.

You will see it change from this:

To this:

Now, you need to modify the “Domain Name” property of this object to make sure you are searching for employees, MX records, etc. for YOUR TARGET web site. On the very right-hand side of the screen, towards the bottom, you will see the “Property View” box. In it, you will find the “Domain Name” property of the “Domain” entity you created. Click in the value side (where you see “paterva.com”) and change it to your target.


For our example, we’ll stick to a public-facing, public service web site, like “state.nj.us”.


Step 2. Now, right-click on the domain entity and follow the menu system thusly:

Run Transforms → All Transforms → To Email Addresses [Using Search Engine]

This will now start searching the Internet for any and all email addresses that are associated with that domain. From here, once enumerated, you can run transforms on the email entities to dig even further and find more information. For example:

Step 3. Right-click on an email address that Maltego found and follow the menu system thusly:

Run Transforms → All Transforms → To Phone Number [Using Search Engine]

Important Note:
Once I ran this transform on my sample data, Maltego’s mining of search engine data turned up a wrong number associated with my email. HOWEVER, by reviewing the “Detail View” snippet on the right-side of the screen, I was able to call up the specific web page, review it and find the exact number I did, in fact, want to use. So, you can’t always trust initial data from tools such as these. However, if used judiciously, you can get the targeted information you want.


ENUMERATING MAIL SERVERS WITH MALTEGO

Now, let’s look up some information that would be important to us when running a pen test or security assessment: We’ll look up their mail servers (MX records in DNS) and their name servers (DNS).

Right-click on the “Domain” entity on the canvas and navigate the menus like so:

Run Transform → DNS from Domain → To DNS Name – MX (mail server)


Maltego will begin to search their DNS records for the mail servers that are designated for this domain. After it has completed its survey, you should be presented with something that looks like this:


Once you’ve collected that information, you can run transforms on those entities as well. For instance, you can click, drag and highlight all those mail servers and then right-click and navigate the menu system like so:

Run Transform → Resolve to IP → To IP Address [DNS]

You will then be presented with information like the following:


Congratulations! You now have assets that you can use in your next phase of testing: “Scanning”.

ENUMERATING NETBLOCKS AND IP ADDRESSES WITH MALTEGO

Let’s take a look at the target’s name servers and see what kind of information we can glean from them (through reconnaissance) that we can use in “Scanning”.

Some more information that would be important to us would be the IP blocks (blocks of network addresses) that the target manages. Getting those IPs would be useful if we are not provided them prior to our engagement.

Right-click on the “Domain” entity on the canvas and navigate the menus like so:

Run Transform → DNS from Domain → To DNS Name – NS (name server)

After Maltego runs and collects the information for you, it presents it like this:


Once you have the nameservers on the canvas, you can then run transforms on them to collect information (data mine). For instance, one really useful transform you can run on the name servers is collecting the netblocks that have been delegated to those name servers.

To collect information like this, highlight the nameservers, right-click and navigate the menus to:

Run Transform → Info from NS → To Netblock



This will display the blocks of IP addresses delegated to those nameservers. If these blocks are too big, you can run another transform on them to cut down on the amount of information displayed. The menu navigation to do this is:

Run Transform → All Transforms → Netblock to Netblock

You will be prompted for a size to display. I usually pick something fairly middle-of-the-road, like “125” or “250”, and that will bring things down to a manageable form.

Once you have a good-sized chunk of data (Netblocks), you can run the “To IP Address” transform on it to convert those blocks of IP addresses down to single IPs. This will make it easier for you to dig for other information on those IPs.

Running that transform on the Netblocks results in something that will look like this:


Congratulations! You’ve now enumerated all the IPs in that space. You can now use them to translate the addresses into machine and owner information.
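As an added example (not part of the original post and not Maltego’s own code), here is an offline Python stand-in for the two netblock steps above: “Netblock to Netblock” with its size prompt, and “To IP Address”. The 192.0.2.0/24 block is a constructed sample from the RFC 5737 documentation range, and rounding the requested size down to a power of two is my assumption about how the size prompt must behave, since CIDR subnets can only come in power-of-two sizes.

```python
"""Offline stand-in for the "Netblock to Netblock" and "To IP Address" steps.

Added example; not Maltego code. The block 192.0.2.0/24 is a constructed
sample from the RFC 5737 documentation range, and rounding the requested
size down to a power of two is an assumption about the size prompt.
"""
import ipaddress
from typing import List


def split_netblock(block: str, max_hosts: int) -> list:
    """Cut a CIDR netblock into subnets holding at most max_hosts addresses.

    A size such as 125 or 250 is rounded down to the largest power of two
    that fits (250 -> 128, 125 -> 64). A block that already fits within
    max_hosts is returned unchanged.
    """
    if max_hosts < 1:
        raise ValueError("max_hosts must be at least 1")
    net = ipaddress.ip_network(block, strict=False)
    size = 1 << (max_hosts.bit_length() - 1)           # largest power of two <= max_hosts
    new_prefix = net.max_prefixlen - (size.bit_length() - 1)
    if new_prefix <= net.prefixlen:
        return [net]
    return list(net.subnets(new_prefix=new_prefix))


def enumerate_hosts(blocks, all_addresses: bool = False) -> List[str]:
    """Expand netblocks into individual IPs, like the "To IP Address" transform.

    By default the network and broadcast addresses are skipped, since they
    are not hosts you would carry into the scanning phase; pass
    all_addresses=True to list every address in the space instead.
    """
    ips: List[str] = []
    for net in blocks:
        addrs = net if all_addresses else net.hosts()
        ips.extend(str(a) for a in addrs)
    return ips


if __name__ == "__main__":
    # Constructed sample block; a "250" split yields two /25 subnets.
    for subnet in split_netblock("192.0.2.0/24", 250):
        print(subnet, "->", len(enumerate_hosts([subnet])), "host addresses")
```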

CONCLUSION

Maltego is much more powerful than this, however, and it can take a few weeks to really master its intricacies. I highly recommend that you practice using this tool to perfect (and streamline) your reconnaissance skills.
5 comments:

  1. Very cool stuff you are showing us. I am enjoying your blog. Hope you can get back to it soon.

  2. I usually hate posts on specific tools, but this was a really nice one.

  3. I installed this software but my palette folder is empty; there is no tool inside it. How do you get those tools? Also, I am not able to connect and login. It says connection timed out. Can you help me please?


  4. Thanks for sharing such informative post on web hosting. Keep updating.