Knowlesys

A Beginner’s Guide to OSINT Investigation with Maltego

Maltego Disclaimer: The company clarifies that their software may not be used for unlawful actions: “You are not limited in how you can use the software but you can’t use it for unlawful actions (including collecting email addresses for sending spam). Same goes for the data or graphs you generate using it.” They also add: “You cannot blame us in any way if something goes wrong with this software. If you use this software and you get into trouble in any way then it’s your problem.”



What is Maltego and why use it for OSINT?

Maltego is a data mining tool that queries a variety of open-source data resources and uses the results to build graphs for analyzing connections. The graphs let you easily link information such as names, email addresses, organizational structure, domains, documents, etc. Maltego is written in Java, so it runs on Windows, Mac, and Linux, and it ships in many OSINT Linux distros such as Buscador and Kali. In short, it gathers a large amount of information from various open-source websites for you and then produces a clean graph that helps you put the pieces together. Maltego can be used at any point during an investigation; however, if your target is a domain, it makes sense to start mapping the network with Maltego from the beginning.

Which Maltego version should I download?

There are several versions of Maltego available:

Maltego XL: Premium version for large data sets

Maltego Classic: Paid version which includes all APIs (transforms)

Maltego CE: Free version with limited APIs (transforms)

Casefile: For examining links in offline data

The main differences between Maltego Classic, Maltego XL and Maltego CE are the number of entities that can be returned from a single transform and the maximum number of entities that can be placed on a single graph.

Installing Maltego

Buscador: If you have Maltego via Buscador it will initially present as the Casefile version. You will need to go to the Paterva site and create an account. Once your account is created you will receive a key which will turn your Casefile into CE.

Kali: Maltego comes pre-installed on Kali. You will need to go to the Paterva site and create an account. Once your account is created you will receive a key which will allow you to use the Community Edition.

Fresh Install: If you are doing a fresh install on Win, Mac, or Linux here is a step-by-step guide provided by Paterva.

What is all this API/Transform nonsense?

[Screenshot: Transforms in the Windows version]

An API (Application Programming Interface) is, in very simple terms, what connects other services such as Shodan and ThreatMiner with Maltego. Maltego calls these connections “Transforms”, and if you are running Maltego CE you will find that some transforms are free while others are paid. The downside of running the free version of Maltego is that not all of the transforms come pre-installed; to use them you will need to sign up on each provider's website to obtain an API key and activate the corresponding transform. Depending on your needs, you can focus on the transform sets made for OSINT, Threat Intel, organization mapping, etc., which limits the amount of legwork needed for activation.

How to perform simple network recon

Starting with a domain name we can begin to map out the structure of an organization including other sites they own. It is surprising how much information can be found by using nothing more than a domain name.

Click the new graph button in the upper left corner and a blank new graph pane will open.

From the Entity Palette on the left, scroll until you find Domain and then drag it into your blank graph pane.

Double-click on the domain icon and change the name to the domain you want to investigate. I chose hbo.com.

Right-click on the domain icon; this opens the Run Transforms box. Here you could be very specific about what you want to search for by scrolling through the palette and selecting individual transforms, but we are going to go crazy and just choose Run All Transforms by selecting the little fast-forward arrows beside it.

As soon as Run Transform is selected, Maltego begins its work by graphing out the structure of the network. Note: on the left side of the graph pane there are several options for viewing the graph in different layouts.

You can see in the image below that all sorts of information pops up, including DNS servers, related sites, related emails, and email servers.

You can use these connections to make even more detailed connections like names associated with emails and phone numbers.
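The walkthrough above runs Maltego's DNS-related transforms against a seed domain and lets the results chain into a graph. The script below is an added example, not Maltego's code or any of its real transforms: it models the same mechanics (entities, transforms that map one entity to linked entities, "Run All Transforms" recursing over the results) on a constructed, offline set of DNS answers for the placeholder domain example.com. The `max_results` cap mirrors the per-transform entity limit that distinguishes CE from Classic/XL and shows how a low cap silently drops part of an organization's footprint, which matters when you use this kind of mapping to inventory your own exposed hosts.

```python
"""Minimal model of how Maltego chains transforms into a link graph.

Constructed example: FAKE_DNS holds made-up records for the placeholder
domain example.com so the script runs offline. Real Maltego transforms
ask live resolvers and external APIs instead.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed stand-in for DNS lookups (assumption: these are not real records).
FAKE_DNS = {
    ("example.com", "NS"): ["ns1.example.com", "ns2.example-dns.net"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["192.0.2.10"],
    ("ns1.example.com", "A"): ["192.0.2.53"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("ns2.example-dns.net", "A"): ["198.51.100.53"],
}


@dataclass(frozen=True)
class Entity:
    """One node on the graph, like a Maltego entity (Domain, DNSName, ...)."""
    kind: str
    value: str


@dataclass
class Graph:
    nodes: set = field(default_factory=set)
    edges: set = field(default_factory=set)  # (parent, child, transform name)

    def add(self, parent: Entity, child: Entity, via: str) -> None:
        self.nodes.update({parent, child})
        self.edges.add((parent, child, via))


Transform = Callable[[Entity], list[Entity]]


def lookup(name: str, rtype: str) -> list[str]:
    return FAKE_DNS.get((name, rtype), [])


# Each transform takes one entity and returns the entities linked to it,
# which is exactly the contract a Maltego transform fulfils.
def to_ns(e: Entity) -> list[Entity]:
    return [Entity("DNSName", n) for n in lookup(e.value, "NS")] if e.kind == "Domain" else []


def to_mx(e: Entity) -> list[Entity]:
    return [Entity("MXRecord", n) for n in lookup(e.value, "MX")] if e.kind == "Domain" else []


def to_ip(e: Entity) -> list[Entity]:
    if e.kind not in {"Domain", "DNSName", "MXRecord"}:
        return []
    return [Entity("IPv4Address", a) for a in lookup(e.value, "A")]


TRANSFORMS: dict[str, Transform] = {"to_ns": to_ns, "to_mx": to_mx, "to_ip": to_ip}


def run_all_transforms(seed: Entity, max_results: int = 12, max_depth: int = 3):
    """Run every transform on the seed and then on each result ("Run All
    Transforms"). max_results caps the entities kept per transform run,
    like the per-transform limit of the different Maltego editions.
    Returns the graph and the number of entities dropped by the cap."""
    g = Graph()
    g.nodes.add(seed)
    frontier, seen, truncated = [(seed, 0)], {seed}, 0
    while frontier:
        ent, depth = frontier.pop(0)
        if depth >= max_depth:
            continue
        for name, tf in TRANSFORMS.items():
            results = tf(ent)
            if len(results) > max_results:  # the edition limit bites here
                truncated += len(results) - max_results
                results = results[:max_results]
            for child in results:
                g.add(ent, child, name)
                if child not in seen:
                    seen.add(child)
                    frontier.append((child, depth + 1))
    return g, truncated


def entities_of(g: Graph, kind: str) -> list[str]:
    """Sorted values of all graph nodes of one entity kind."""
    return sorted(e.value for e in g.nodes if e.kind == kind)


if __name__ == "__main__":
    graph, dropped = run_all_transforms(Entity("Domain", "example.com"))
    for parent, child, via in sorted(graph.edges, key=lambda t: (t[0].value, t[2], t[1].value)):
        print(f"{parent.kind}:{parent.value} --{via}--> {child.kind}:{child.value}")
    print(f"{len(graph.nodes)} entities, {dropped} dropped by the per-transform cap")
```

Running it with the default cap produces eight entities (the domain, two name servers, one mail server and four addresses) and nothing dropped; rerunning with `max_results=1` quietly loses the second name server, which is the kind of gap to watch for when a CE graph looks complete but is not.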