Maltego In The Enterprise
J. David Bressler, Senior Security Consultant
© 2015 GuidePoint Security, LLC
About Me
• Senior Security Consultant, GuidePoint Security
• Application Security Team (AppSec and Mobile AppSec focused)
• I like to Make Things
• I like to Break Things
Contact Me
• Twitter: @bostonlink
• Github: https://github.com/bostonlink
What is Maltego?
• Created by Paterva (www.paterva.com)
• Open Source Intelligence and Forensic Application
• Reconnaissance and Information Gathering
• Visualize Gathered Information
Maltego Functionality – Domain Information (screenshot)
Maltego Functionality – ISACA RI Twitter (screenshot)
Maltego Functionality – ISACA RI Tweets (screenshot)
Maltego Functionality – ISACA RI Followers (screenshot)
Maltego Licensing
• Two Versions of Maltego
– Community Version (free to the public)
  • Not for commercial use!
  • Maximum of 12 results per transform
  • Paterva API keys expire every 3-4 days
  • Communication between client and server is not encrypted
– Commercial Version
  • Licensed for commercial use
  • No limit on the number of returned entities per transform
  • Communication between client and server runs over SSL
  • Remote transforms run on a much more powerful (i.e. faster) server
  • Server is shared only by commercial users
Why Maltego In the Enterprise?
• Perform Open Source Intelligence gathering and analysis within one tool
• Integrate internal tools/APIs with custom transforms
• And more: it's up to you, so think outside the box!
Maltego Entity
• A container within the graph that represents some piece of data
• Holds information from manual input and/or transform output
• Examples: Internet AS, IP Address, Domain, Facebook, Twitter
Maltego Transforms
A local or remote script/program that gathers information from a specific source and creates Maltego entities as output.
Remote Transforms
Source: https://www.paterva.com/web6/images/TDSImage.png
Local Transforms
Which Type of Transform Should I Use?
• Depends on your overall goal & architecture
• Internal systems and tools
– Local Transforms or an internal TDS server
• External data sources
– Local or Remote Transforms
– Remote Transforms are preferred
Extending Maltego Overview
Source: http://paterva.com/web6/images/Maltego_Integration.png
Extending Maltego With Your Own Transforms
• Python Libraries/Frameworks:
– The Canari Framework - Nadeem Douba
– Maltego Transform-py - Andrew MacPherson (Paterva)
– PyMaltego - The Grugq
Source: http://paterva.com/web6/documentation/developer-local.php
The Canari Framework
• Created by Nadeem Douba (Sploitego)
• Maltego Local Transform development framework
• www.canariproject.com
• forums.canariproject.com (Community)
The Canari Framework
• No need to focus on the XML output formatting
• Focus on the data gathering and parsing logic
• Gives you the easy ability to create packages, create profiles to import into Maltego, and a lot more!
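To make concrete what a local transform is (the "Maltego Transforms" and "Local Transforms" slides) and what Canari hides from you (the "no need to focus on the XML output formatting" point), here is a hand-written local transform. This is an added example, not code from the talk, from Paterva, or from Canari. It assumes Maltego's local-transform calling convention as used by the MaltegoTransform-py library: the selected entity's value is the first argument and its additional fields are passed as `key=value` pairs joined with `#` (escaped `\#` or `\=` inside values are not unescaped here). The DNS lookup is replaced by a constructed in-memory table (`SAMPLE_DNS`) so the script runs offline; `domain_to_ips`, `parse_transform_args` and `build_response` are names chosen for this example.

```python
#!/usr/bin/env python3
"""Minimal hand-written Maltego local transform: Domain -> IPv4Address.

Added example; not code from the talk, Paterva, or Canari. Shows the two
things every local transform does: read the selected entity from argv and
write a MaltegoTransformResponseMessage XML document to stdout.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a real DNS or asset-inventory lookup.
SAMPLE_DNS = {
    "example.com": ["93.184.216.34"],
    "corp.example": ["10.0.0.5", "10.0.0.6", "10.0.0.7"],
}


def parse_transform_args(argv):
    """Return (entity value, additional-fields dict) from the transform's argv.

    Maltego runs a local transform as: script <value> [<fields>], where
    <fields> is key=value pairs joined with '#' (MaltegoTransform-py convention).
    Assumption: backslash-escaped '#'/'=' inside values are left as-is.
    """
    if len(argv) < 2:
        raise SystemExit("usage: transform.py <entity value> [key=value#key=value]")
    value = argv[1]
    fields = {}
    if len(argv) > 2 and argv[2]:
        for pair in argv[2].split("#"):
            key, _, val = pair.partition("=")
            fields[key] = val
    return value, fields


def build_response(entities, ui_messages=(), max_results=None):
    """Serialise (entity_type, value, fields) tuples to Maltego response XML.

    Building the tree with ElementTree rather than string concatenation means
    values taken from an untrusted source (DNS answers, a sandbox API, a
    scanner export) are XML-escaped, so a hostile value such as
    '</Value><Entity Type="...">' cannot inject extra entities into the graph.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    if max_results is not None:
        entities = list(entities)[:max_results]
    for etype, value, fields in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
        if fields:
            af = ET.SubElement(ent, "AdditionalFields")
            for name, fval in fields.items():
                f = ET.SubElement(af, "Field", Name=name, DisplayName=name)
                f.text = fval
    msgs = ET.SubElement(resp, "UIMessages")
    for text in ui_messages:
        ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = text
    return ET.tostring(root, encoding="unicode")


def domain_to_ips(domain, lookup=SAMPLE_DNS, max_results=None):
    """The transform proper: one Domain entity in, IPv4Address entities out."""
    ips = lookup.get(domain.lower(), [])
    entities = [("maltego.IPv4Address", ip, {"source.domain": domain}) for ip in ips]
    messages = [] if ips else [f"No records for {domain}"]
    return build_response(entities, messages, max_results)


if __name__ == "__main__":
    value, fields = parse_transform_args(sys.argv)
    # Cap results the way the community edition caps Paterva's transforms at 12;
    # in practice match this to the result slider in the Maltego client.
    print(domain_to_ips(value, max_results=12))
```

Register the script in Maltego as a local transform whose command is `python3` and whose parameters are the script path followed by the entity value, then run it from a Domain entity. The escaping point is the one most hand-rolled transforms get wrong: a transform that glues `"<Value>" + value + "</Value>"` together trusts every byte the data source returns.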
Why Integrate With Other Tools?
1. Because It’s AWESOME!
2. Shows the value and relationships of data from multiple sources
3. Visualize internal enterprise data
4. Analyze data from multiple data sources in a visual format
5. Ability to easily pivot from internal data to external data and identify relationships
Open Source Transform Packs
• Cuckoo For Canari
– Integrates the Cuckoo Malware Analysis Sandbox API into Maltego entity output
• Bitcoin-explorer
– Parses the Bitcoin blockchain (blockexplorer.com) and creates Maltego graphs based on bitcoin wallet addresses and transactions
• NWMaltego
– Integrates searching NetWitness network session metadata into Maltego transforms
• Nextego
– Integrates Rapid7's Nexpose vulnerability scanner with Maltego
Demo Time! (CuckooForCanari)
Putting It All Together
• Integration with multiple tools can paint a better picture for security teams
• Having the ability to visualize data from multiple sources in one window is VALUABLE
• Ability to do high-level analysis and identify relationships within graphs and across different data sets, and so reach conclusions more quickly
No One Likes Looking At This (screenshot)
Drives You To Look Like This (screenshot)