BlackHat EU (2010)
• What’s up with version 2?
• What to expect for v3
• Cool stuff we’ve been working on server side
  ◦ NER
  ◦ Facebook (POC)
• Demos
• Started with POC for CanSecWest 2007
• V0: May 2007 (called Evolution)
  ◦ Non commercial
• V1: May 2008
  ◦ Non commercial
• V2: May 2009 (called Maltego)
  ◦ 32K lines of code (client only)
  ◦ Commercial and community editions
• V3: Who knows when
  ◦ 77K lines of code and growing...

• Usage in a week
  ◦ Downloads: 550
  ◦ Splash page: around 4300
  ◦ Transforms: 58 000
• A copy is downloaded every 3 hours
• A client is started every 2.3 minutes
• A transform is run every 11 seconds

• Commercial clients:
  ◦ Major OS developer, book store, router developer, registrar, buy & sell portal, search engine provider, social network
  ◦ 3 and 4 letter agencies from all over (.gov and .mil)
  ◦ Banks ++
  ◦ Many dodgy people with Gmail accounts....
• Unique community clients since 2008-08-17: 27 059
• Since May 2009 there has been no incremental release of Maltego.
• We’ve been working for a year on v3...
• ...“and it’s not over yet!”
• Release will be done – when the release is ... DONE (time/features/budget)
• Community version will follow soon after that.
• Maltego.blogspot.com – all about progress on v3.
• Look & feel
  ◦ Dynamic graphing
• Entities ++
  ◦ Custom entities
  ◦ Manual linking
  ◦ Bookmarking / annotations
  ◦ Entity display/edit/more
• Navigation ++
  ◦ EWV fully interactive
  ◦ Transform settings on the fly
  ◦ Detailed view
• Transform control
  ◦ Graph in / out from transforms
  ◦ LRTs
• What is NER?
  ◦ Takes text and marks entities like person names / companies / phone numbers
• Demo:
  ◦ OpenCalais / AlchemyAPI
• Using it in Maltego:
  ◦ Phrase -> Website -> URL -> Entities
• Phrases can get interesting... we can combine with operators like:
  ◦ Filetype:
  ◦ Site:
  ◦ Etc..
• Can answer the question: “Who/what/where is connected to phrase X?”
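To make the "text in, tagged entities out" idea concrete, here is a small rule-based entity extractor added as an example for this page; it is not Maltego code and not what OpenCalais or AlchemyAPI do internally (those services use statistical models that also tag person and company names, which plain regexes cannot do reliably). The sample text, the pattern set and the `Entity` record are all constructed for the example; the overlap rule (longest match wins, then pattern order) is the one design decision worth noting, because without it the domain inside an e-mail address would be reported twice.

```python
import re
from dataclasses import dataclass

# Constructed sample text for the demo (not taken from any real site).
SAMPLE_TEXT = ("Contact Jane Doe at jane.doe@example.com or +1 (555) 010-2345; "
               "see https://example.com/team for details.")


@dataclass(frozen=True)
class Entity:
    kind: str    # "url", "email", "phone" or "domain"
    value: str   # the matched text
    start: int   # character offsets into the source text
    end: int


# Ordered by precedence: when two matches overlap, the longer match wins,
# and for equal length the pattern listed first wins.
PATTERNS = [
    ("url", re.compile(r"https?://[^\s<>\"']+")),
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\+?\d[\d\s().-]{7,}\d")),
    ("domain", re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")),
]


def extract_entities(text):
    """Return non-overlapping entities found in text, ordered by position."""
    candidates = []
    for rank, (kind, pattern) in enumerate(PATTERNS):
        for m in pattern.finditer(text):
            # Sort key: earliest start first, then longest match, then precedence.
            candidates.append((m.start(), -(m.end() - m.start()), rank, kind, m.group()))
    candidates.sort()

    entities, last_end = [], -1
    for start, neg_len, _rank, kind, value in candidates:
        end = start - neg_len
        if start < last_end:
            # Overlaps an entity already accepted, e.g. the domain inside an e-mail
            # address or inside a URL; drop it rather than double-report.
            continue
        entities.append(Entity(kind, value, start, end))
        last_end = end
    return entities


def group_by_kind(entities):
    """Collapse the entity list into {kind: [values...]} for display."""
    grouped = {}
    for e in entities:
        grouped.setdefault(e.kind, []).append(e.value)
    return grouped


if __name__ == "__main__":
    for e in extract_entities(SAMPLE_TEXT):
        print(f"{e.kind:7} {e.start:3}-{e.end:<3} {e.value}")
```

Running the block on the constructed text reports one e-mail, one phone number and one URL; the two bare-domain matches that sit inside the e-mail and the URL are suppressed by the overlap rule.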
• DISCLAIMER !!
• Maltego shows relationships – getting data as needed from open online sources.

• Mine email addresses at a domain (eg people working there)
• Look them up on Facebook based on email address
• Look at the sphere of influence amongst friends
  ◦ The Kevin Bacon game

• Any good developer will look for an API.
• Facebook has one!
• Limitations:
  ◦ Runs in the context of the ‘logged in’ user
  ◦ Cannot search on email address
  ◦ Authentication / session info is needed
• Scraping is against Facebook’s TOU.
• They take it seriously!
• Scraping is not cool because:
  ◦ They change their site regularly
  ◦ If you want to hide via TOR the pages look different
  ◦ FB discourages it by setting cookies for 2038
    ◦ Breaks the Mechanize library
  ◦ Authentication – you need to keep the cookies alive
  ◦ Cannot log in every time – FB checks the frequency of logins

• Where possible, use FQL (Facebook query language) or the API
• Use mobile sites – like the iPhone Touch interface, m.facebook
  ◦ Less complex results
  ◦ Less likely to change
• Use the AJAX call
  ◦ Data comes in cleaner, easier to parse
• Don’t rely on tags, use regex where possible
  ◦ Eg id=\d{3,15}&
• Cron – keeping the cookie alive
  ◦ Runs every 5 minutes, ‘clicks’ on well known links on the Touch FB site
  ◦ If it gets a 302 it logs in again
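The keep-alive cron just described has a signature a site operator can look for: one client touching a handful of well-known pages at an almost perfectly constant interval, for hours. The following script is an added example (not Maltego's or Facebook's code) of that detection run over constructed combined-format access-log lines; it groups requests per client address, measures the gaps between them and flags clients whose gaps have a very low coefficient of variation. The log lines, addresses, paths and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed access-log lines (combined log format), not from any real server.
# 203.0.113.5 hits the site exactly every 300 s, as a cookie keep-alive cron would;
# 198.51.100.7 browses at irregular, human-looking intervals.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2010:12:00:00 +0000] "GET /touch/home.php HTTP/1.1" 200 1523',
    '198.51.100.7 - - [10/Apr/2010:12:00:31 +0000] "GET /touch/home.php HTTP/1.1" 200 1523',
    '203.0.113.5 - - [10/Apr/2010:12:05:00 +0000] "GET /touch/profile.php HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Apr/2010:12:06:12 +0000] "GET /touch/profile.php HTTP/1.1" 200 2210',
    '203.0.113.5 - - [10/Apr/2010:12:10:00 +0000] "GET /touch/home.php HTTP/1.1" 200 1523',
    '198.51.100.7 - - [10/Apr/2010:12:06:40 +0000] "GET /touch/friends.php HTTP/1.1" 200 3104',
    '203.0.113.5 - - [10/Apr/2010:12:15:00 +0000] "GET /touch/profile.php HTTP/1.1" 200 2210',
    '198.51.100.7 - - [10/Apr/2010:12:14:03 +0000] "GET /touch/home.php HTTP/1.1" 200 1523',
    '203.0.113.5 - - [10/Apr/2010:12:20:00 +0000] "GET /touch/home.php HTTP/1.1" 200 1523',
    '198.51.100.7 - - [10/Apr/2010:12:14:09 +0000] "GET /touch/profile.php HTTP/1.1" 200 2210',
    '203.0.113.5 - - [10/Apr/2010:12:25:00 +0000] "GET /touch/profile.php HTTP/1.1" 200 2210',
    'garbage line that should be skipped',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_periodic_clients(lines, min_hits=5, max_cv=0.05):
    """Flag client addresses whose request gaps are nearly constant.

    cv is the coefficient of variation (std dev / mean) of the inter-request gaps;
    a scheduled job produces a cv near 0, a person browsing produces a much larger one.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = []
    for ip, hits in by_ip.items():
        if len(hits) < min_hits:
            continue  # too little data to call a cadence
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all hits in the same second: burst, not a cadence
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({
                "ip": ip,
                "hits": len(hits),
                "period_s": round(avg),
                "cv": round(cv, 3),
                "paths": sorted({path for _ts, path in hits}),
            })
    return flagged


if __name__ == "__main__":
    for f in find_periodic_clients(SAMPLE_LOG):
        print(f"{f['ip']} every ~{f['period_s']}s over {f['hits']} hits (cv={f['cv']}): {f['paths']}")
```

On the constructed log only 203.0.113.5 is flagged, with a 300-second period and a cv of 0; the human-like client has the same number of hits but irregular gaps and is left alone. In production the same logic would be run per session cookie rather than per address, and the 302-then-login pattern the slides mention is a second feature worth counting.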
• Email to Facebook profile transform
  ◦ Uses cron cookies, runs the query at the iPhone site
  ◦ Call /s.php?k=100000020&q=emailaddress on Touch
  ◦ The historical k parameter means we can search for email addresses on mobile!
  ◦ Returns the Facebook unique ID – pick it up with a regex
  ◦ Get detail on the ID using standard FQL
• Get friends
  ◦ With the ID known, exploits the typeahead_friends AJAX bug.
• typeahead_friends.php bug:
  1. Can make the AJAX call un-authenticated! (typeahead_friends.php?u=ID&__a=1)
     ◦ We don’t need to worry about cookies from cron
  2. Get ALL friends of any user
     ◦ Even if they are hidden
• Recently FB closed hole 2, but we can still make the AJAX call and get friends if the profile settings allow it
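The two halves of the typeahead bug are a missing authentication check and a missing authorization check on the same endpoint. The block below is an added example, not Facebook's or Maltego's code, that models a friend-list endpoint both ways: the vulnerable handler answers anyone, session or not, with the full list, while the hardened one first requires a valid session and then applies the owner's visibility setting. The user records, session tokens, status codes and the setting names "everyone", "friends" and "only_me" are all assumptions made up for the example.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    friends: set
    friends_visible_to: str   # assumed setting values: "everyone", "friends", "only_me"


# Constructed fixture: four users and two valid session tokens (not real data).
PROFILES = {
    100: Profile(friends={101, 102}, friends_visible_to="friends"),
    101: Profile(friends={100}, friends_visible_to="everyone"),
    102: Profile(friends={100}, friends_visible_to="only_me"),
    103: Profile(friends=set(), friends_visible_to="everyone"),
}
SESSIONS = {"tok-101": 101, "tok-103": 103}   # token -> user id


def typeahead_friends_vulnerable(u):
    """Models the behaviour the slides describe: no session needed, privacy ignored.

    Returns an (http_status, payload) pair.
    """
    profile = PROFILES.get(u)
    if profile is None:
        return (404, None)
    return (200, sorted(profile.friends))


def typeahead_friends_hardened(u, session_token):
    """Same endpoint with the two missing checks added.

    1. Authentication: a request without a valid session gets 401 and no data.
    2. Authorization: the list is released only if the owner's visibility setting
       allows this particular viewer to see it; otherwise 403 and no data.
    """
    viewer = SESSIONS.get(session_token)
    if viewer is None:
        return (401, None)            # unauthenticated: never answer at all
    profile = PROFILES.get(u)
    if profile is None:
        return (404, None)
    allowed = (
        viewer == u                                   # owner sees own list
        or profile.friends_visible_to == "everyone"
        or (profile.friends_visible_to == "friends" and viewer in profile.friends)
    )
    if not allowed:
        return (403, None)            # privacy setting denies this viewer
    return (200, sorted(profile.friends))


if __name__ == "__main__":
    print("vulnerable, no session:", typeahead_friends_vulnerable(100))
    print("hardened, no session:  ", typeahead_friends_hardened(100, None))
    print("hardened, a friend:    ", typeahead_friends_hardened(100, "tok-101"))
    print("hardened, a stranger:  ", typeahead_friends_hardened(100, "tok-103"))
```

The order of the checks matters: the session check comes first so that an unauthenticated caller learns nothing, not even whether the user id exists, and the visibility check is evaluated against the viewer's identity taken from the session, never from a request parameter.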
• Person name to Facebook profile
  ◦ Can use standard FQL
  ◦ Get a list of all matching IDs
  ◦ For each ID, do an FQL lookup
  ◦ ‘Page’ through results