Channel: Maltego

Victor Viktor / Next new feature for Maltego

This week we created a new video - mostly just because we like making videos and having fun. It shows how to verify email addresses by hand and with Maltego. Sure, it only works on some mail servers, but it's a fun and useful trick when it works. 

The video has an extended intro that features Agent Smith and Agent Fox - two pretty incompetent law enforcement officers trying to compromise a target using a sexy waitress and two dodgy USB memory sticks. And hey - it's *supposed* to be goofy/cheesy and over the top. Click below to watch:



In other news we've also decided that proper graph sharing / collaboration will be the next feature we'll implement in Maltego. It means you'll have the ability to work on a single 'investigation'/graph with all of your friends across the Internet or LAN. The emphasis in the design was 1) strong crypto on the P2P traffic 2) ability to share graphs anonymously 3) ease of use. We think we got something that will satisfy all of the above - and best of all - it would not require you to host your own server! 

We'll keep you up to date with the progress.
Happy days!
RT

Coolness coming in the next Maltego Radium update

Hi there,

We're planning to release another update to Radium before the end of the year. Also we're very much hoping to release a community edition of Radium at the same time. Send Redbull, cupcakes and vitamins and we might just make it!

One of the new features in the update is 'Find in Files'. It's pretty cool because it means if you have a group of analysts working together (and you are saving your files on a share somewhere (hey, we should try it with DropBox)) you can now easily search through all of the graphs and create a merged graph of everyone's work that matched your search terms. It will even try to open encrypted graphs with provided passwords!

Attached are some boring-looking screenshots. The feature works pretty well already:




In the last screenshot you'll see that we now provide you with the ability to add metadata to your graph which is useful when browsing FiF (Find in Files) search results.

And now for something completely different

Another feature we're adding (OK no - we really hacked it in there) is that transform writers can soon describe links (label, color, style, thickness) as well as have the ability to create notes and bookmarks using code. I say 'hacked' because we really have to do a proper implementation of protocol 3 to make it nice and clean - but in the meantime you'll soon be able to add it as the entity's properties like so:

<MaltegoMessage>
    <MaltegoTransformResponseMessage>
        <Entities>
            <Entity Type='Person'>
                <Value>Pietertjie Vermeulen</Value>
                <AdditionalFields>
                    <Field Name='link#abc' DisplayName='Some link property'>link prop value</Field>
                    <Field Name='link#maltego.link.label'>karnallie</Field>
                    <Field Name='link#maltego.link.style'>1</Field>
                    <Field Name='link#maltego.link.show-label'>1</Field>
                    <Field Name='link#maltego.link.color'>0x00FF00</Field>
                    <Field Name='link#maltego.link.thickness'>3</Field>
                    <Field Name='notes#'>Die bliksem steel my ouma se koekies</Field>
                    <Field Name='bookmark#'>1</Field>
                </AdditionalFields>
            </Entity>
        </Entities>
    </MaltegoTransformResponseMessage>
</MaltegoMessage>
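As an added example (not Paterva's code and not part of TRX) of the property convention above: a small Python helper that builds a one-entity transform response carrying link#, notes# and bookmark# fields, and a parser that splits such a response back into link styling, custom link properties, the note, the bookmark flag and ordinary entity properties. Only the standard library is used; the maltego.link.* names and the entity type 'Person' come from the post, while the sample 'plain.property' field and the 'Alice Example' values are constructed.

```python
# Added example, not part of the TRX library or Paterva's code.
# Implements the "hacked" property convention from the post:
#   link#<name>   -> property of the link pointing at this entity
#   notes#        -> note text attached to the entity
#   bookmark#     -> bookmark flag (1 = set)
import xml.etree.ElementTree as ET

LINK_PREFIX = "link#"
NOTES_FIELD = "notes#"
BOOKMARK_FIELD = "bookmark#"

# Link keys named in the post; anything else under link# is a custom link property.
KNOWN_LINK_KEYS = {"maltego.link.label", "maltego.link.style", "maltego.link.show-label",
                   "maltego.link.color", "maltego.link.thickness"}


def build_response(entity_type, value, link=None, notes=None, bookmark=None):
    """Return XML text for a one-entity MaltegoTransformResponseMessage.

    link: mapping of link property names (the part after 'link#') to values,
          e.g. {"maltego.link.label": "karnallie", "maltego.link.color": "0x00FF00"}.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    ent = ET.SubElement(entities, "Entity", Type=entity_type)
    ET.SubElement(ent, "Value").text = value
    fields = ET.SubElement(ent, "AdditionalFields")
    for name, val in (link or {}).items():
        ET.SubElement(fields, "Field", Name=LINK_PREFIX + name).text = str(val)
    if notes is not None:
        ET.SubElement(fields, "Field", Name=NOTES_FIELD).text = notes
    if bookmark is not None:
        ET.SubElement(fields, "Field", Name=BOOKMARK_FIELD).text = "1" if bookmark else "0"
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Split each entity's AdditionalFields into link/notes/bookmark/plain properties.

    Only feed this responses from a transform server you control: ElementTree is
    not hardened against hostile XML (entity expansion and similar tricks).
    """
    records = []
    for ent in ET.fromstring(xml_text).iter("Entity"):
        rec = {"type": ent.get("Type"), "value": ent.findtext("Value"),
               "link": {}, "notes": None, "bookmark": False, "properties": {}}
        for field in ent.iter("Field"):
            name = field.get("Name", "")
            text = field.text or ""
            if name == NOTES_FIELD:
                rec["notes"] = text
            elif name == BOOKMARK_FIELD:
                rec["bookmark"] = text.strip() == "1"
            elif name.startswith(LINK_PREFIX):
                rec["link"][name[len(LINK_PREFIX):]] = text
            else:
                rec["properties"][name] = text
        records.append(rec)
    return records


def custom_link_properties(record):
    """Return the link properties that are not one of the maltego.link.* keys."""
    return {k: v for k, v in record["link"].items() if k not in KNOWN_LINK_KEYS}


# Constructed sample: the response from the post plus one ordinary (non-link) field.
SAMPLE_RESPONSE = """<MaltegoMessage>
  <MaltegoTransformResponseMessage>
    <Entities>
      <Entity Type='Person'>
        <Value>Pietertjie Vermeulen</Value>
        <AdditionalFields>
          <Field Name='link#abc' DisplayName='Some link property'>link prop value</Field>
          <Field Name='link#maltego.link.label'>karnallie</Field>
          <Field Name='link#maltego.link.style'>1</Field>
          <Field Name='link#maltego.link.show-label'>1</Field>
          <Field Name='link#maltego.link.color'>0x00FF00</Field>
          <Field Name='link#maltego.link.thickness'>3</Field>
          <Field Name='notes#'>Die bliksem steel my ouma se koekies</Field>
          <Field Name='bookmark#'>1</Field>
          <Field Name='plain.property' DisplayName='Constructed plain field'>just a property</Field>
        </AdditionalFields>
      </Entity>
    </Entities>
  </MaltegoTransformResponseMessage>
</MaltegoMessage>"""

if __name__ == "__main__":
    for rec in parse_response(SAMPLE_RESPONSE):
        print(rec["value"], rec["link"], rec["notes"], rec["bookmark"], rec["properties"])
```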

Yes we know - you really want graph in / graph out but hey - it's a step in the right direction.

We'll keep you updated on the progress - but if all goes according to plan we'll have it out before the end of the world.

Baby seals,
RT

Radium Update 2

About 36 hours ago we 'pressed the button' on Radium Update 2. This update is distributed to Radium users via auto-update. We decided it would be fitting to make a short video of the highlights of this update (we like to call it 'service pack 2' - as it sounds very grown up).
Click below to view:


The reason we made the video is because:
1) We're pretty lazy - and it seems like a lot of work to write it all up.
2) People generally have more fun watching videos than reading documentation.
3) A big camera vendor sent us a bunch of equipment to evaluate. No not really. We wish. I wish.

One thing that Andrew forgot to mention in the video is that the MSL (Maltego Scripting Language) was also extended with some new pretty functions. The MSL doc (updated with a shiny new reference guide) is at http://www.paterva.com/MSL.pdf. Those of you that like writing your own Maltego Machines should definitely take a look.

The Radium community release is almost ready and if all goes well we'll be able to release it just before Christmas.

Enjoy responsibly,
RT

Useful Christmas gifts

It's that time of year again. When most people are not at work and those that are at work are trying to get all the things done they couldn't do in the 'normal' time of the year. We like to provide some rewards to those hard core 'at work over the festive season' people:

1) Like we did last year we are giving you a discount on Maltego Radium and CaseFile. 33% off the normal price if you use the coupon 'Christmas2012'. The coupon is valid till the 25th of December. Or the end of the world, whichever happens first.

2) If all goes according to plan, we'll be releasing the community edition of Maltego Radium this week.

Wait...in 1) you're saying you can buy it cheaper and in 2) you're saying the community (free) version will soon be out? Is this not really bad marketing strategy? Indeed. But then again - it would be silly and cruel to delay either just because it might make us a few bucks. And now is not the time to be cruel. Perhaps it's the time to be silly - but in a good way....like.. like...

3) Like a silly picture - which - if you are not planning to use Maltego ever makes this blog post still worth reading:


More here once we're done with Radium Community.
Enjoy,
RT

Maltego Radium Community Edition Released!

Hi there.

As promised, and on time, we are proud to release the community edition of Maltego Radium.

Some of the major features of Radium are:
  • Use of machines (transform sequences - use, edit and build your own!)
  • Incremental auto update (you don't need to download an 80MB release ever again)
  • Full screen mode (think dashboard)
  • Massive memory and speed optimization
  • Sound (useful when you switch to something else and want to know when your transforms are done)
  • Find in files (only added this some weeks ago to the Commercial edition!)
  • And much much more...(tm)
We have also upgraded the community server to leverage all the new cool goodies (like link style/color, notes on entities etc) that Maltego Radium offers.

To get the new Maltego Radium Community Edition simply download the community edition from our [website] - or click below:


The huge improvements that used to be only available to commercial users are now available for everyone! Having said that - results are still limited to 12. This also applies to machines - you can only have 12 entities in a pipeline.

We hope everyone has a great time using our new product!
RT


Manually linking one node to multiple others

Someone asked support@paterva.com: "It is very tedious to put five thousand arrows of emails to a single identity. Is there any way to make this easier?" There is indeed an easier way and I thought I'd put the recipe out here on the blog:

Follow these easy steps to link many nodes to a single node:
  1. Select the many nodes.
  2. Move the mouse pointer so that it hovers over the single node, but don't select it.
  3. Left click on the single node AND hold the left click button in.
  4. Drag a line to any of the many nodes.
The single node will now be linked to the many nodes with multiple links, but the links will point the wrong way, so their direction must be inverted.

We now need to select all these links and invert their direction. To do this:
  1. Select the single node.
  2. On the ribbon go to Investigate -> Select links -> Outgoing. You can also do this by holding control and dragging a box around the links.
  3. On the ribbon - Investigate -> Reverse Links.
  4. Voila!
For those that need pictures - here they are:

CCC: China! C300!! Collaboration!!!

It seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina

China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:


Somehow related - the gov.cn zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the same as your grandma's internal IP range at home.


2. Almost all of the infrastructure is located in China (no surprise), but there were two or three IPs in the US (surprise). Initially we thought that was a bug in the IP2Location transform. So we checked it by hand. Sure enough - it's in the US.

Of course this is where we stopped because we are civilized, suit-wearing responsible adults. But someone (you know who you are) did not. They proceeded to nmap all of these in Maltego. And then mailed us the graph (while it's interesting, we did not ask for this). It even prompted Roelof to Tweet the following:


Of course the graph is interesting. It shows that, if you were to do a conventional infrastructure over-the-Internet attack [that's like...so 90s - Ed], it looks like there's a nice cosy attack surface [it's a giant honeypot - Ed]. In the graph below we ONLY look at port 23 (telnet) and 22 (SSH):


Why is this picture so blurry? Ag no man - don't be silly! We're pretty sure the Americans/pick a 1st world country are not sitting on their hands either and have pictures just like this on their pretty 4K projectors. In fact - we would just love to see the (translated!) Chinese intelligence reports on US based attacks...

[C]anon [C]300

Canon South Africa was nice enough to let us use their spare C300 for a week. A week! It meant we had to do a lot of videos in a short space of time. We ended up doing three. One we are keeping for the BlackHat CFP prize. The other two we put out on the Interwebs. The first one is just a recap of navigation in Maltego. We did this as our nerves were getting pretty thin with people navigating Maltego with scroll bars. The video was shot at a dairy that's across the street from our office (no really). What made the video really interesting was the fact that a black swan chased Andrew around. Here is a still of Andrew gracefully defending himself with a metal table. For more - click on the video below:


The second video was a lot more serious. Andrew wore a suit. OK, he didn't, but the video was a lot darker and moodier. We looked at how you could use Maltego with Machines that run perpetually to create a type of intelligence dashboard. Furthermore we showed how you can easily create alerts in Maltego - in our case when two people phoned the same 3rd party. Here's a still from the video:


Why does Andrew start with 'Hi James'? It's a tricky question. Ask him next time you see him. It's a nice video and although we released it on a Friday afternoon we almost have a thousand views on it today.

Thanks to Canon for letting us use their C300! Now we just need to convince the guys at RED to do the same...

[C]ollaboration

Last Friday we went to the developer's cave to get a demo of collaboration. It's VERY freaky to see how a Maltego graph updates on an untouched computer. It's also quite fabulous and it's going to change everything. Oh, and we also support real time chat right inside the client. Best part - NO SERVER required. Unless of course you're paranoid and don't believe us that the messages are 256 bit AES encrypted with a user-chosen passphrase. Then you are welcome to buy your own comms server.

As soon as we have something that is barely stable we'll show you. It's SOOOO cool!! [OK we can all see you're really excited about it, but please contain yourself - Ed]

[C]heers!
RT

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite by chance we decided to load all the DNS names (FQDNs) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such a sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW - it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to 0.0.0.0:



Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. Only the people that registered the domains would know. Which might be the APT1 group. If they're really a group. And we don't really care...

Here's a graph that clearly shows multiple IPs in use, and obvious collusion between domain owners.



We've also looked at countries, NS records, netblocks, AS numbers, whois details (some are interesting!) etc. It's hard to conclude anything from the info without knowing how the data was obtained. There are some patterns for sure. Names pop up more than once. Some address schema.

In the end we can only hope that you enjoyed our marketing material.
RT

Maltego Tungsten...

Video of alpha release -- soon...

RT

TRX - Framework for writing Python transforms with the TDS

Hi there people from the Interwebs,

We wrote a 'framework' for writing Python transforms with the Maltego TDS. It's called TRX and it's pretty light, easy to use and very hip. It should see you writing kick ass transforms in no time - a complete transform could look as simple as this:

import socket
# MaltegoTransform and UIM_PARTIAL are provided by Maltego.py, the helper module shipped with TRX
from Maltego import *

def trx_DNS2IP(m):
    # m is the incoming request; m.Value holds the DNS name sent by the Maltego client
    TRX = MaltegoTransform()
    try:
        # resolve the name and return the address as a new IPv4Address entity
        ip = socket.gethostbyname(m.Value)
        TRX.addEntity("maltego.IPv4Address", ip)
    except socket.error as msg:
        # report the failure to the client as a partial-error UI message instead of crashing
        TRX.addUIMessage("Problem:" + str(msg), UIM_PARTIAL)
    return TRX.returnOutput()


The document nicely explains the differences between local transforms and TDS transforms and also includes a complete entity reference guide as well as addressing the confusion between V2 and V3 entities - a must read for any transform developer. The document also takes a look at the future of the TDS.

Here is the index of the document - click to read.

Finally the framework / source code can be found [here]. We recommend that you print out the guide and keep it next to your bed. Or in the bathroom - wherever you are going to have the most free time.

Enjoy!

RT

BlackHat 2013, Tungsten preview, Trees

Hi all,

We decided to do a quick recap of what's happening around the Paterva office the last couple of weeks. 'Why?' you ask. Well - we recently had some visitors to our offices - they only followed our blog and not our Twitter account (@paterva if you wondered) and they were clearly uninformed about what we're up to.


Blackhat 2013

We recently showed Maltego to a group of hard core pen testers. Initially they were quite doubtful about how useful Maltego could be for them ('yes it makes pretty pictures - so what') - but after about 45 minutes we won them over and by the end of the day they bought licenses for the entire team and were making plans to integrate Maltego with their own tools. It yet again illustrated to us that it's not the tools you have but how well you know and use them. This is why we train at BlackHat USA in Las Vegas. At the end of every class students walk out saying 'We never knew you could do this with Maltego' and 'We never knew it was this powerful'. Sure - this is marketing speak - but it's also the absolute truth. Bottom line - if you work in security or cyber intelligence - come to our course or send your team to our course. We guarantee it will be worth it. For more info on what we teach, course structure and fees - [click here].


Seeing that we're in full disclosure mode - we also submitted a talk for the briefings. The talk is all about creating a collaborative attack platform. In other words - it will show how a team of attackers or analysts can use Maltego at the same time. Expect a bunch of interesting transforms... If we get accepted we hope to show something truly amazing (and hopefully super scary). Also if all goes well we'll release Maltego Tungsten at the conference.

Maltego Tungsten - preview

With over 600 subscribers and more than 100 thousand views our [YouTube channel] (or AndrewTV as some call it) has become quite popular. Our latest video - it's really short (about 2 minutes) - gives a sneak peek at how collaboration is going to work in Maltego Tungsten. Click on the image below to take a look. We're pretty damn excited about it!



It's also the first time we've used multiple cameras, a jib and a boom mic. Although the video seems straightforward it was pretty challenging. We now have over 20 Maltego videos on our channel - most of them tutorials.

Trees

The last little bit of sad news is that our landlord decided to cut down some of the trees around the office. It does mean that the grass will now actually grow (and won't just be moss and gravel) and that we'll have a bit of natural light in the office, but still - we're sad to see them go. Counting the growth rings on the remaining trunks they were 25, 30 and 45 years old. Somehow it just seems wrong.

Paterva will be secretly planting 5 more trees in the garden.
Plant trees! Plant trees!! Plant trees!!!

That's about it for now!
RT

UK based Magicians / Illusionist

A quick post.

I love to watch Derren Brown's shows. I wondered if he was on social media in a private capacity so started mapping relationships between people he works with. In the process I saw a large cloud forming around UK based illusionists, mentalists and 'magicians' and decided to focus on them.

If you have ever wanted to see a closed, hyper-connected community of people - here is the map:


Vegas feedback, Tungsten release, Teeth install, KingPhisher etc etc.

After what seems to be a lifetime we're back safe and sound in South Africa. It's been a long trip - after Blackhat/Defcon we traveled a little further north west to conduct (another) four day training course.



Blackhat training
We trained two courses at Blackhat - back to back. In total - 42 students. It was fun. We mostly had skilled students and it's always great to see their 'AHA!' moments - when all the pieces come together and they understand our vision.

A pivotal moment for me personally was when I complained that my feet hurt on day 3 of BH training and the training room cleaner (an elderly man that's been in the war in Sarajevo) told me 'you're getting paid for this yes?'.  He survived a war and was cleaning rooms in a hotel in Las Vegas at minimum wage and I was complaining that my feet hurt. Perspective++.


Blackhat talk
The day after training we had our talk. All the demos worked (a special thanks to the networking guys for those 2x Ethernet drops installed overnight!). But I was not super happy with the talk. It could have gone a lot better. Our feedback was good and I think people enjoyed it. Perhaps I had too high expectations. See confetti/dancing girls/trumpets later...



Tungsten release
We had a lot on our plate for Blackhat. We trained two courses, we did a talk and had to develop a lot of new tech for the talk (more on that later). But the main event - we released a major new version of Maltego called Tungsten. We normally release the commercial version first and then the community edition but we knew it was not going to fly at Blackhat. We had to have the community (free) edition ready too. And since we were showing our tech inside of Kali Linux - we had to have that version ready too.

Two major trees - commercial and community, times three for Windows (JRE32/JRE64/plain), three for Linux (RPM/DEB/ZIP) and one for OSX. And the Kali release. That's (2 x (3 + 3 + 1)) + 1 = 15 builds.... at 74MB a pop - all uploaded and ready before we hit the plane to Vegas.

The talk was at 15h30 on the Wednesday. The Offensive Security guys had the Kali release and they were ready to 'push the button' on it *during the talk*. All was set. But then - on Wednesday morning (after the speaker's party the night before) I was woken by a Skype chat message from Dookie saying 'Good morning - I think there's something wrong with the Kali release'. It was 9 AM and we did not have a Kali release. Got on the phone to SA, interrupted dinners, gym sessions. Our team and their team got together in the space of 15 minutes and by 11 AM we had mostly fixed the problem (OpenJDK issued a patch for OpenJDK6 on Debian two days earlier and it was breaking our ribbon). Everyone was so committed to making this work!

Just before we walked into our speaking room we moved the files to make the Tungsten release live. During the talk I looked for Dookie (OffSec) in the audience - he was standing at the back. I said '..and you can get this now on Kali', looked at him and he nodded. Tungsten was live! But somehow it was an anticlimax. Our team worked on the release for more than 6 months. It was reduced to a 5 minute demo and one sentence - 'you can get it now'. Someone in the audience mumbled 'Cool...'. I was thinking 'fscking understatement of the year'. Perhaps I expected dancing girls, trumpets and confetti.

In time we'll do a proper Tungsten video to show just how 'cool' it really is. Perhaps we'll include dancing girls/trumpets and confetti.

Teeth/KingPhisher
Part of our talk was about Teeth and KingPhisher - two tools that give more offensive type of capabilities to Maltego. We released the tech free of charge - and it can work in both the commercial and community editions of Maltego. To get it simply do the following from a Kali terminal:

apt-get update
apt-get install maltego-teeth
apt-get install maltego    (this is to upgrade to Tungsten)

Start Maltego, click on the globe (top left) -> Import -> Import configuration and select the file /opt/Teeth/etc/Maltego_config.mtz

You're good to go! We've even made some videos on Teeth and KP (click on images to view):

And there is more - we also wrote a paper called 'Maltego Tungsten as a collaborative attack platform'. It's a fun read - not academic at all and you can find it [HERE].

Finally - the KingPhisher app (as well as some stuff Andrew coded for Drozer) can be found [HERE]

Final words...
Normal programming will now resume. And remember - enjoy your new shiny toys responsibly!

RT

New version of CaseFile, Tungsten updates, prices

Hello people of the Interweb. We have some news for you.

CaseFile v2
We're happy to announce that very soon, we'll have a new CaseFile version coming out. It will contain all the graph sharing goodness you've come to expect of Maltego Tungsten, but in a CaseFile package. This means teams of analysts working with offline data can share graphs in realtime and even chat with each other.

CaseFile is like Maltego - but without transforms. We've realized that not all analysts need transforms - so why should you have to pay for them? CaseFile used to be a glorified sketching application (selling at $200) with seamless compatibility with Maltego. Now, with real time graph sharing, it's a lot more. We will be releasing CaseFile v2 very soon. Here is a splash screen candidate for v2:


Tungsten update
We've created a new update for Tungsten - it solves a couple of pesky bugs we've had in the past, plus allows for better compatibility with XMPP servers (your own, public, or dedicated Paterva Comms servers). This hotfix will be released soon.

Changes in pricing
Maltego has been priced at $650 for the last 450 years. With inflation and all of the new goodness in Tungsten we've reluctantly decided to increase the price to $760. I wanted to do this on the 13th of October but Andrew shouted at me and said that we haven't given our users fair warning. Thus - the increase will (for real) happen on the 25th of October. You've been warned! The renewal rate of $320 will not be changed and as always, users with valid licenses will get any upgrades free of charge.

Goodbye all, goodbye.
RT

Andrew makes a blog entry! Also the story of KingPhisher!

Hi Interwebtonians,

It has been absolutely ages since I have written a blog post - and it's not for lack of prodding from Roelof. We have genuinely just been busy!

Predominantly I want to show you some of the work we had to do for Blackhat 2013 - my first BH talk ever! My section of the work was what we ended up calling 'KingPhisher', as well as the multi-threaded Python script to crawl websites for some parts of 'Teeth' (Roelof's offensive Maltego transforms).

<TL;DR>
    Video: [HERE]
    Download: [HERE]
</TL;DR>

A common Paterva office treat is that if you make a mistake, or if the other person can catch you out at anything, you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try to trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email and include a link on which they *will* click. Additionally we have used Maltego to gain context on people for a while, specifically using social networks (including transforms provided commercially via the SocialNet package). We also accept that there are certain types of mail we seldom check (in terms of headers/other); we have been semi-programmed by automatic spam filtering and anti-virus to expect a notification if something is bad. Bottom line -- we don't inspect every link in every mail and we doubt you do either.

So with this in mind we decided to integrate the two sides - 1) targeted phishing attacks and 2) information gathering in Maltego.

The first _really_ exciting part for me is that we took the first steps towards protocol 3, what's known as graph in/graph out. In this case it was just sending the graph out, but it meant that we could finally receive context on the entities sent to transforms! It uses the new 'Send to URL' transform that POSTs the graph data in XML to a specific script (e.g. http://zer0cool.tld/graphin.php). This script then returns a URL to Maltego which in turn starts a browser with that page. What this gives you is the ability to do customised exporting of data for things like viewing graphs online, reporting or doing additional data mining based on context (NOTE: There is a limit of 50 entities for this 'transform').

Please note I have added this transform to a set so that I don't need to go find it.
(Sets can be managed under the Manage tab -> Manage transforms)
The first section tackled was the Maltego side of things, which has been done before. You can give it a go yourself within the tool or watch our videos. Having context on the graph means you can do something like Person -> Email -> social network membership. It means you know a) the person's name, b) their email address and that they use it for social networking, and c) what their social network profile is. From the social network you can mine for particular types of information that you can leverage for the phishing attack.

In the above example we see that andrew@punks.co.za relates to my Facebook account and that I use andrewmohawk@gmail.com for my Twitter account with an Alias 'AndrewMohawk'.

This takes us to the second part - the KingPhisher web application. This web application is made up of the following sections:
  • The 'receiver' accepts the POST of the graph from Maltego and stores it in a local sqlite database, then returns a URL to Maltego which is automatically opened.
  • The 'wizard'/interface. This is the wizard/interface that will be used to craft templates based on information available in the graph.
  • The 'sender'. This is merely a PHP SMTP script that you can move around to send the actual mail. It ensures you can keep the wizard/main interface separate from the machine you send mail from.
  • The 'catchers'. These are fake websites used to attempt to capture credentials (where needed).

The receiver parses all the XML and works out what is connected into 'trees' that comprise a parent and N children - where at least one of the entities, either parent or child, is an email address.

Two 'trees' shown from the previous graph


The Wizard will look at the 'trees' and figure out which templates are available for use. As an example, if a tree has a Facebook profile we can use a Facebook template as well as generic ones that don't require additional context and if it had a Twitter account we could use a template relating to Twitter as well as the generic templates.

Once you have selected a particular tree and a template you can then configure it. Each template has one standard configuration option that determines how the link would behave. The options are:
  1. Clean redirect - simply changes the link to a location you have selected.
  2. Bounce redirect - changes the link to a KingPhisher 'catcher' which once browsed to will redirect the target to a user selectable location. It will also capture and store the user agent and IP address.
  3. Collect - This will redirect to a catcher that will look like a legitimate website. It also captures the user agent and IP address as well as any credentials entered into the fake website.  In future these sites could/should be made a little more intelligent by only serving sites if the target is coming from the correct IP range or serving different websites based on the user agent. 
The wizard screens are shown below:


The templates available to this email address based on the context

The template settings for the Twitter template where the "fromProfile" field
has been entered by the attacker



The rendered version of the template ready to be sent out


Once the templates have been selected and configured they can be viewed and saved. When everything is fine-tuned the emails can be sent out to the targets. The sending process is routed via the 'sender' script which can either live on the same machine as the interface/wizard or anywhere else on the Internet.

Getting templates into the actual mailboxes without them hitting spam filters proved particularly difficult as there were 3 main things that common email providers seemed to look for:
1. SPF/DKIM for the domain you were using for the spoof address - this means no email from *.facebook.com, *.twitter.com etc.
2. The DOM markup of each template (if it was too similar to the original one it was flagged) -- so no stealing of templates.
3. Particular phrases within templates - this was probably the trickiest to get around as often it was strings like company address or name. It took a few runs to get it right!

Once we had got around these (you can see the email addresses and templates we use in the code) the mails were delivered to the inboxes of our targets (in this case my Gmail account):

    The newly received Twitter email


    The opened email in my mailbox (not flagged as spam and from "Twitter")


    The fake Twitter site

    After this process has been completed the attackers can sit back and watch their Maltego machine run. The machine queries the KingPhisher server for campaigns (emails sent out), then retrieves those email addresses and any additional information (UA/IP for 'bounce' type links, and the posted fields and other collected data for 'collect' type links).
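The last step of that machine, turning captures retrieved from the server into graph entities, as an added example (not Paterva's or KingPhisher's code). The capture records and the `kp.*` field names are constructed here; the response layout is the standard Maltego transform response XML, and maltego.EmailAddress, maltego.IPv4Address and maltego.Phrase are built-in entity types:

```python
"""Turn catcher captures for one campaign into a Maltego transform response.

Added example, not Paterva's or KingPhisher's code. The capture records and
the kp.* field names are constructed; the XML layout is the standard Maltego
transform response and the entity types are Maltego built-ins.
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed captures, as they would come back from the server for one campaign.
SAMPLE_CAPTURES = [
    {"email": "target@example.com", "type": "bounce", "event": "open",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 6.1) ..."},
    {"email": "target@example.com", "type": "collect", "event": "submit",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (Windows NT 6.1) ...",
     "fields": {"username": "target", "password": "hunter2"}},
]

Fields = Dict[str, Tuple[str, str]]          # field name -> (display name, value)


def entities_from_captures(captures: List[dict]) -> Dict[Tuple[str, str], Fields]:
    """Collapse captures into (entity type, value) -> additional fields.

    Repeated values (the same IP opening two links) merge into one entity,
    which is how they would appear on the graph anyway.
    """
    out: Dict[Tuple[str, str], Fields] = {}
    for c in captures:
        out.setdefault(("maltego.EmailAddress", c["email"]), {})
        ipf = out.setdefault(("maltego.IPv4Address", c["ip"]), {})
        ipf["kp.useragent"] = ("User Agent", c["ua"])
        ipf["kp.lastevent"] = ("Last event", f'{c["type"]}/{c["event"]}')
        for name, val in c.get("fields", {}).items():
            # Posted credentials end up on the graph; treat the graph file as sensitive.
            out[("maltego.Phrase", f"{name}={val}")] = {"kp.field": ("Posted field", name)}
    return out


def build_response(captures: List[dict]) -> str:
    """Serialise the entities as a MaltegoTransformResponseMessage."""
    root = ET.Element("MaltegoMessage")
    msg = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(msg, "Entities")
    for (etype, value), fields in entities_from_captures(captures).items():
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = "100"
        if fields:
            af = ET.SubElement(ent, "AdditionalFields")
            for name, (display, val) in fields.items():
                ET.SubElement(af, "Field", Name=name, DisplayName=display).text = val
    ET.SubElement(msg, "UIMessages")
    return ET.tostring(root, encoding="unicode")


def captures_for(email: str, captures: List[dict] = SAMPLE_CAPTURES) -> List[dict]:
    """The server-side lookup the machine performs for one target address."""
    return [c for c in captures if c["email"] == email]


if __name__ == "__main__":
    # Local transform convention: argv[1] is the input entity value, XML on stdout.
    target = sys.argv[1] if len(sys.argv) > 1 else "target@example.com"
    print(build_response(captures_for(target)))
```

Run with the target email address as the first argument to get the XML Maltego expects from a local transform; the IPv4 entity carries the user agent and last event as additional fields, and each posted field becomes a Phrase entity.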

    The sequence of transforms in the machine is shown below:

    At this stage the user has not entered any details into the fake site, merely opened it, and his/her UA and IP are collected


    The user's details entered into the fake site.


    To get KingPhisher you can go to http://www.paterva.com/BlackhatUSA2013/ and download the ZIP package. Inside the ZIP are a number of documents relating to installation as well as extending the interface, creating templates and so on. Have fun!

    So long and thanks for all the shoes!
    -AM

    Maltego CaseFile v2 released!

    Maltego CaseFile version 1 was really cute. You could draw pretty pictures with it and show it to your friends. We even made a Game of Thrones graph with it - because we had friends that did not read the books and only started watching it at Season 3. And we were tired of explaining all the intricate relationships to them.

    We didn't give CaseFile a lot of attention. In a way it was like washing your elbows. You wash your face and under your arms and so on.. but you don't actively think about washing your elbows. It's not like you would tell your child "Hey Pietie - make sure you wash your elbows tonight OK?". And so it was with us and CaseFile.

    We released Maltego Tungsten at BlackHat USA in August this year. For the next couple of months CaseFile would sit next to Tungsten on the website. It would look at Tungsten with envy. Tungsten was shiny and new. It had nice shoes and a pretty dress. It was all grown up. CaseFile was left behind and it seemed that nobody at Paterva cared. CaseFile cried a little bit.

    But then something wonderful happened! The developers picked CaseFile up from the shelf. They dusted her off. They gave her new shoes and a pretty dress - as pretty as Tungsten's. They gave her a complete makeover and called her CaseFile version 2.0. They loved her again - they gave her a new splash page and made a cool new video with her name in lights and they talked about her all day long:



    CaseFile was happy again. And you could be too.
    Download a fresh copy now from our website (www.paterva.com).


    Christmas special. Another useful Paterva tradition.

    All,

    It's that time of the year again. When going grocery shopping feels like a scene from The Walking Dead. Human meat density coefficient just waaay too high. Going to the office feels like a scene from The Walking Dead (but another episode). Not fun either way.

    Since we moved to Cape Town about 3 weeks ago we still don't have formal offices and as such I am working from home (Andrew is back up in Gauteng spending time with family). I suspect many of you are doing the same - still very much connected, online and reading those emails marked as 'I'll get back to that when I am not so busy'.  Pro tip - start with 'Sorry for not getting back to you earlier'. It's already weird. Just face it.

    Every year we run a Christmas special. And it's really a special - not a silly 10% off. In 2011 it was 50% off. In 2012 it was 33% off. This year -2013 - it's 50% again. We're all for consistency.  That means you get the commercial version at $380. Remember - the community edition is still FREE. We know that at $380 it's hardly an impulse buy - so you want to get your boss/FD on the phone (if he is not relaxing next to a pool with a G&T) and convince him that this REALLY only happens once a year!

    The special is aimed at the people that are still hard at work at this time of the year. It's your reward for being the backbone of the 'skeleton staff'.

    Enjoy the festive season. Show restraint when it comes to family matters. Embrace social awkwardness. If you're reading this you're probably the weird uncle...

    Oh. Ya. The coupon. It's "GiveMaltegoAsAGift". Try it as a gift. Your wife / husband / girlfriend / boyfriend / dog / cat / pet ferret will enjoy our technology!

    Note: Offer runs from today to the 26th of Dec.

    reCaptcha: Stop spam...and everyone else.

    Hey guys,

    About a week ago we noticed that the images we were getting from reCaptcha were near impossible to solve. And wow, did people let us know: we've had emails ranging from just strings of cuss words to people who refuse to touch anything we do after it.

    Unfortunately, as we were just passing on an image we got from the Google reCaptcha service (http://www.google.com/recaptcha) it wasn't really in our control. We have seen them go through bouts of absolute madness, but usually only for a day or so. We decided to leave it for a week and hoped it would get better. It sadly didn't.

    At this stage we are no longer verifying reCaptcha images (you can put in anything and it will validate) while we explore other options.

    We apologise for the inconvenience, frustration and mental instability that trying to solve those impossible CAPTCHAs caused.

    Monkeys gone to heaven.
    -AM

    Where is my Maltego release?

    Good question. We said we'll release this week and we haven't. Actually - truthfully, we said we'll release LAST week and we didn't. There are good reasons for this delay.

    The updater broke (don't ask why), which means we can't send the new release as an update. Which in turn means we should really have a major new version and new builds - and a new element name. And that's OK, because we've added a whole lot of cool new features into this release. But it also means that we need to do a bit of rebranding and have a few more edges to smooth out. And all of this takes time. Additionally it's a short week in SA (Human Rights day tomorrow), we finally moved into our Cape Town offices (and had to sort out Internet access) and nobody pushes out a new release on a Friday.

    We CAN tell you that we're trying our best to have Maltego CARBON out before the end of the month. Yeah I know...don't even mention it. But you know that it's close when we're deciding on splash screens and testing angles for the associated video.

    We'll leave you with the shortlist of Maltego Carbon splash screens:




    Maltego Carbon - now!

    Hi there,

    It took a while to get there (and this release was tricky to schedule) but we're finally ready with Maltego Carbon. As this is a major release you'll need to download a fresh copy from the website  - it does not update from Tungsten.

    Major new features are:

    1. OAuth - means you can use Twitter transforms again!
    2. New and improved tabular import - create a graph from XLS/CSV  
    3. Discovery of Maltego configs from NTDS (much needed feature for those with their own servers) as part of discovery.
    4. Bug fixes, optimization and new looks. 

    Andrew explains all of this in the next episode of AndrewTV (click below for this exciting episode):


    For server clients - you can download new updated servers from the server portal:

    1. NTDS - now with paired configuration functionality and generic OAuth support. You can simply backup your configuration and load it into the new VM.
    2. CTAS - with new Twitter transforms and fancy *_SE transforms.

    Maltego Carbon is live for download from the [Paterva website] right NOW. As always the free community edition of Carbon will follow in a few weeks.

    Enjoy responsibly!!!
    RT