What is Maltego
Maltego is a data-mining and link-analysis tool: it gathers open-source intelligence (OSINT) about a target and visualizes the results as a graph of connected entities.
Background
Figure 1. Transform hub
Have you ever wanted to impress people and show off your inner hacker without doing anything illegal? With Maltego, you can easily gather information about a website such as subdomains, email addresses, names, social media accounts, domain owner details, and detailed DNS records. Maltego specializes in passive and, to a lesser extent, active enumeration: the preliminary reconnaissance of a target that identifies potential weaknesses before any exploitation is attempted. Reconnaissance is one of the fundamental cornerstones of cybersecurity, for both attackers and professional penetration testers.
Convinced you need Maltego? Then it is time to decide which version to use. Maltego offers a free Community Edition and paid editions, and the right one depends on your needs. The Community Edition returns at most 12 results each time a transform runs (including transforms run by a machine script), while the paid version returns up to 10,000. The paid version also provides access to additional, more powerful transforms. As shown in figure 1, installing additional transform sets from the Transform Hub is as easy as pushing a button.
What are transforms and why would one want more of them? A transform is a script that takes the entity (node) currently selected on the graph as input, queries some data source, and returns related entities that Maltego adds to the graph. Transforms are what make Maltego approachable for people who are not comfortable on the command line, and useful for professionals who want to acquire information on a target quickly without scripting every query themselves.
Data Mining
Maltego provides data analysis alongside its features for enumerating collected data. With its large library of transforms and integrations, the application can analyze both online and offline information. A feature that distinguishes Maltego from other analysis tools is its support for automated queries and scripted workflows (machines). This makes data collection more efficient and rapid, and prepares the collected material for digital forensics and further data mining.
Acquiring Emails
Figure 2. Easily running transformations
Getting email addresses for a domain is easy to do in Maltego. Simply add the domain as a Domain entity, right-click it, and run one of the transforms that return email addresses from the context menu, as illustrated in figure 2. As shown in figure 3, the free version will return at most 12 public email addresses per transform run, if any are available, including when the transform is run from a machine script. Why is this useful? The addresses can be checked against https://haveibeenpwned.com to find accounts that appear in known breaches and whose passwords may therefore have been exposed. Additionally, the addresses could be used to mass-blast your resume to the company, highlighting the numerous reasons their organization will fail without you.
Figure 3. Getting emails easily
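To make the transform concept and the email-gathering step above concrete, here is an added example (illustrative Python, not code from this page or from Maltego) of a local transform. Maltego runs a local transform as a command line, passes the selected entity's value as the first argument, and reads an XML response from standard output. This one takes a Domain entity, returns EmailAddress entities for that domain and its subdomains, applies the 12-result cap that the Community Edition enforces, and normalizes the "[at]" / "[dot]" obfuscation that search snippets often contain. The text it mines is a constructed sample embedded in the script so that it runs offline; a real transform would fetch search results or page contents for the domain. The `source.domain` additional field is an arbitrary name chosen for this example.

```python
#!/usr/bin/env python3
"""Illustrative local Maltego transform: Domain -> EmailAddress entities.

Maltego runs a local transform as a command line, passing the selected
entity's value as argv[1], and parses the XML written to stdout.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of text gathered for the input domain (e.g. search-engine
# snippets).  A real transform would fetch this; here it is embedded so the
# script runs offline.
SAMPLE_TEXT = """
Contact: press@example.com or Jane Doe <jane.doe@example.com>.
Obfuscated: bob [at] example [dot] com, carol (at) mail.example.com
Noise: admin@other.org press@EXAMPLE.com noreply@notexample.com
"""

# "[at]" / "(at)" / "[dot]" style obfuscation that search snippets often contain.
_OBFUSCATIONS = [
    (re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.IGNORECASE), "@"),
    (re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.IGNORECASE), "."),
]
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def deobfuscate(text):
    """Rewrite 'user [at] host [dot] tld' into a parseable address."""
    for pattern, replacement in _OBFUSCATIONS:
        text = pattern.sub(replacement, text)
    return text


def extract_emails(text, domain):
    """Return unique, lower-cased addresses belonging to domain or its subdomains."""
    domain = domain.lower()
    found = []
    for match in _EMAIL_RE.findall(deobfuscate(text)):
        address = match.lower()
        host = address.rsplit("@", 1)[1]
        # Exact domain or a subdomain of it.  A bare suffix test would accept
        # look-alikes such as "notexample.com", so the dot is part of the check.
        if (host == domain or host.endswith("." + domain)) and address not in found:
            found.append(address)
    return found


def build_response(emails, domain, limit=12):
    """Serialize addresses as a MaltegoTransformResponseMessage, capped at limit."""
    root = ET.Element("MaltegoMessage")
    response = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(response, "Entities")
    for address in emails[:limit]:
        entity = ET.SubElement(entities, "Entity", Type="maltego.EmailAddress")
        ET.SubElement(entity, "Value").text = address
        ET.SubElement(entity, "Weight").text = "100"
        fields = ET.SubElement(entity, "AdditionalFields")
        # "source.domain" is an arbitrary field name chosen for this example.
        ET.SubElement(fields, "Field", Name="source.domain",
                      DisplayName="Source domain").text = domain
    if len(emails) > limit:
        # Tell the analyst that results were truncated instead of silently dropping them.
        messages = ET.SubElement(response, "UIMessages")
        ET.SubElement(messages, "UIMessage", MessageType="Inform").text = (
            f"{len(emails)} addresses found, showing first {limit}")
    return ET.tostring(root, encoding="unicode")


def count_entities(xml_text):
    """Number of Entity elements in a response (handy when checking output)."""
    return len(ET.fromstring(xml_text).findall(".//Entity"))


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: domain_to_emails.py <domain>\n")
        return 2
    domain = argv[1]
    sys.stdout.write(build_response(extract_emails(SAMPLE_TEXT, domain), domain))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 domain_to_emails.py example.com` and it prints the XML that Maltego would parse; registering it in Maltego is a matter of pointing a local transform at that command line. The cap is passed in as a parameter rather than hard-coded so the same script serves both the free and the paid edition.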
Acquiring, EVERYTHING
Figure 4. Run all view
Figure 5. All the associated nodes
Running each transform individually takes a considerable amount of time when one is trying to acquire information on a target quickly, especially after installing additional transform sets. Instead, one can run all of the transforms at once by clicking ">>" under the "Run View", as shown in figure 4. An example of the information this quickly returns is shown in figure 5. Bear in mind that "run all" fires every applicable installed transform against the selected entity, including any that contact the target directly, so check what is installed before using it on a sensitive target.
Large Footprint Activities
Figure 6. Large footprint activities screen
Figure 7. Script API
The transforms run so far were passive in the sense that they mostly query third-party sources (search engines, WHOIS, public DNS), and whatever traffic does reach the target, such as DNS lookups, looks like ordinary activity. These actions should be performed first, but still with care for organizations that have a lower threshold for what counts as "usual" activity on their network. For example, the FBI or the United Nations may be less forgiving of even passive reconnaissance if certain subdomains are probed. As displayed in figure 6, Maltego also provides machines that perform more active footprinting, and these must be used with care. Maltego calls this a "footprint" rather than active scanning, but it does warn you with a pop-up box that the machine should be used "with care".
Maltego offers four footprint levels: L1, L2, L3, and XXL. L1 runs the basic DNS transforms against the starting domain. L2 does everything L1 does and additionally looks for other domains that share the target's name servers and mail servers. L3 does everything L2 does and also looks for reverse DNS and historical DNS records. Finally, the XXL footprint searches for everything it can possibly reach; it is the noisiest of the four and should be reserved for engagements with explicit permission. One can see the script a machine will run by pressing the configure button next to it; as displayed in figure 7, the script is then shown.
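The following is an added example (illustrative Python, not Maltego's own machine code) that reproduces the widening logic of the four footprint levels described above against a small set of constructed DNS, reverse-DNS and passive-DNS records embedded in the script, so it runs offline. It also includes the check a practitioner wants before pivoting on shared infrastructure: a name server or mail server used by many unrelated zones (a large hosting provider) is skipped, because pivoting through it would pull unrelated organizations into the footprint. The XXL level is modelled here as L3 with that guard removed. All hostnames and addresses are constructed, and the `max_shared` threshold is an assumption of this example, not a Maltego setting.

```python
"""Illustrative model of Maltego footprint levels L1..XXL over constructed DNS data."""

# Constructed forward DNS zone data: name -> {record type: [values]}.
DNS = {
    "example.com":      {"NS": ["ns1.example-dns.net"], "MX": ["mx.example.com"],
                         "A": ["198.51.100.10"]},
    "www.example.com":  {"A": ["198.51.100.10"]},
    "mx.example.com":   {"A": ["198.51.100.20"]},
    "dev.example.com":  {"A": ["198.51.100.21"]},
    # Sister domain: same name server and mail server as example.com.
    "example-shop.com": {"NS": ["ns1.example-dns.net"], "MX": ["mx.example.com"],
                         "A": ["198.51.100.30"]},
    # Related by mail server only; its DNS is hosted on a big shared provider.
    "blog-example.net": {"NS": ["ns1.cloud-dns.example"], "MX": ["mx.example.com"],
                         "A": ["203.0.113.9"]},
    # Unrelated tenants of the same big DNS provider.
    "other-a.com":      {"NS": ["ns1.cloud-dns.example"], "A": ["203.0.113.1"]},
    "other-b.com":      {"NS": ["ns1.cloud-dns.example"], "A": ["203.0.113.2"]},
    "other-c.com":      {"NS": ["ns1.cloud-dns.example"], "A": ["203.0.113.3"]},
}
# Constructed reverse DNS (PTR) data and passive-DNS history of old A records.
PTR = {
    "198.51.100.10": ["www.example.com", "old.example.com"],
    "198.51.100.30": ["example-shop.com"],
    "192.0.2.5":     ["legacy.example.org"],
}
HISTORY = {"example.com": ["192.0.2.5"]}
# Short subdomain wordlist standing in for the brute-force part of L1.
WORDLIST = ["www", "mail", "dev", "vpn"]


def lookup(name, rrtype):
    return DNS.get(name, {}).get(rrtype, [])


def footprint_l1(domain):
    """L1: the domain, its name/mail servers and subdomains found from a wordlist."""
    hosts = {domain}
    hosts.update(lookup(domain, "NS"))
    hosts.update(lookup(domain, "MX"))
    hosts.update(f"{w}.{domain}" for w in WORDLIST if f"{w}.{domain}" in DNS)
    return hosts


def domains_using(server):
    """Every zone that lists server as one of its NS or MX records."""
    return [d for d, rr in DNS.items()
            if server in rr.get("NS", []) + rr.get("MX", [])]


def footprint_l2(domain, max_shared=3):
    """L2: L1 plus the L1 footprint of every domain sharing the target's NS/MX.

    max_shared (an assumption of this example) guards against over-pivoting: a
    server shared by more than that many zones is treated as a hosting provider
    and not pivoted on.  None disables the guard (the XXL behaviour below).
    """
    hosts = footprint_l1(domain)
    for server in lookup(domain, "NS") + lookup(domain, "MX"):
        related = domains_using(server)
        if max_shared is not None and len(related) > max_shared:
            continue
        for other in related:
            hosts.update(footprint_l1(other))
    return hosts


def footprint_l3(domain, max_shared=3):
    """L3: L2 plus reverse DNS of every address seen and historical A records."""
    hosts = footprint_l2(domain, max_shared)
    ips = set()
    for host in list(hosts):
        ips.update(lookup(host, "A"))
    ips.update(HISTORY.get(domain, []))
    for ip in ips:
        hosts.update(PTR.get(ip, []))
    return hosts, ips


def footprint(domain, level):
    """Dispatch on the level names Maltego uses; returns (hosts, ips)."""
    if level == "L1":
        return footprint_l1(domain), set()
    if level == "L2":
        return footprint_l2(domain), set()
    if level == "L3":
        return footprint_l3(domain)
    if level == "XXL":
        return footprint_l3(domain, max_shared=None)
    raise ValueError(f"unknown footprint level {level!r}")


if __name__ == "__main__":
    for level in ("L1", "L2", "L3", "XXL"):
        hosts, ips = footprint("example.com", level)
        print(f"{level}: {len(hosts)} hosts, {len(ips)} addresses -> {sorted(hosts)}")
```

Running it shows the footprint growing from 5 hosts at L1 to 10 hosts and 6 addresses at L3 for example.com. Starting instead from blog-example.net, L2 pivots through the shared mail server but refuses to pivot through the shared cloud name server, so the unrelated other-*.com tenants stay out of the graph until the XXL level drops the guard; that difference is exactly the noise and false-positive risk the "use with care" warning is about.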
Acquiring Information From Target
Figure 8. Phishing website target
Figure 9. Finding the IP address
What kind of information can we get from just a URL? It turns out that you can learn a lot about a website with a URL and Maltego. Using the Paterva transforms, you can obtain the city and country of the hosting server, IP addresses, phone numbers, MX and NS records, and other open-source information.
First we start with a URL. For this section a phishing website is used as our subject.
As shown in figure 8, the URL is to a website that imitates the Bank of America login screen. Treat the URL as data to pivot from rather than a page to visit; opening a phishing page in your own browser serves no investigative purpose here. Using the Paterva transform "To Website", you can convert the URL entity to a Website entity. With the Website entity selected, you can then convert it to Domain and IP Address entities, which unlock more, and more interesting, transforms.
Figure 10. Finding server location
From here you can select the IP Address entity and run all the transforms related to IP ownership, as displayed in figure 9.
Finally, you can see that the IP address associated with the phishing website is located in Bremen, Germany, as demonstrated in figure 10. Note that this is the location of the hosting server, not necessarily of whoever operates the phishing site; rented or compromised servers are routinely used for hosting.
Legality
Hopefully, you have not started scanning websites without considering the legality of your actions. First, this article is in no way legal advice, and you ought to learn the laws of your own country concerning passive and active scanning. With that said, at least in the United States, as of September 17, 2019, there is no federal law that explicitly prohibits port scanning. Specifically, according to the Nmap legal-issues chapter (https://nmap.org/book/legal-issues.html), "no United States federal laws explicitly criminalize port scanning", and port scanning is a large part of active scanning. The absence of an explicit ban is not a licence, however: unauthorized access remains illegal under statutes such as the Computer Fraud and Abuse Act, and a scan can be treated as a step towards it. Vulnerability scanning, which may send exploit-like payloads rather than merely connecting, sits in an even greyer area.
Active scanning is therefore not without repercussions. One can be sued, or end up in criminal or civil court, and an ISP can cut off your internet access if it receives too many complaints. Although, according to Nmap, "legal cases involving port scanning are rare, they do happen". The same can likely be said for many other types of active scanning, especially if one scans high-profile organizations. Overall, our recommendation is not to do active scanning without written permission.
Conclusion
Maltego gives you a quick and easy look at a target's public footprint through its customizable transforms and machines. It displays complex connections between entities in a user-friendly graph, while still supporting in-depth reconnaissance in support of penetration testing, all from an easily navigable GUI.