Channel: Maltego

Tweet Sentiment Analysis

Hey there,

It’s been a while since we last posted, but we are pretty excited about our new sentiment analysis transforms, so I thought I would make a quick post about them.

Sentiment analysis can be described as the use of natural language processing (NLP) to extract the attitude/opinion of a writer towards a specific topic. With the overwhelming amount of data being posted on the Internet every day and no way to read it all, sentiment analysis has become a really useful tool for extracting and aggregating opinions on a specific topic from many different sources. The potential uses for sentiment analysis are endless; a few examples are brand reputation monitoring, market research, stock-exchange monitoring, etc. The transform that we built takes a Tweet as its input entity and returns either a positive, neutral or negative entity. This way a large amount of Tweets can easily be categorized according to their sentiment.

Although sentiment extraction is a relatively new area of research, there are quite a few methods of going about it and a lot of companies offering different sentiment analysis APIs. With many APIs to choose from it was quite difficult to decide which one would work best for the transform. I decided to use my top four APIs, aggregate their results and use that as the output of my transform. The problem with this method was that most of the time the APIs would return different and often obviously incorrect results (I won’t mention any names). While some APIs seemed to work well on certain topics of Tweets, they would fail horribly on others. After much experimentation I settled for using only AlchemyAPI’s sentiment analysis tool, which seems to work the best out of all the APIs that I tested (and I tested quite a few), so well done to them.

I then built a new machine named Twitter Analyser to use with the new sentiment analysis transform. This machine takes a phrase as its input and searches Twitter for Tweets with this phrase. From the Tweets that are returned, hashtags, links, sentiment and uncommon words are extracted. The uncommon words are extracted with one of our other new transforms that checks the word against an ordered list of common words; if the input word does not occur in the list before a certain threshold, the word is returned as an entity. The To Words transform takes in two transform settings: the threshold it must search to in the list of common words, and words that should be ignored by the transform. The machine will run every 5 minutes to search Twitter for new Tweets. Running the machine in bubble view it is easy to see common hashtags, links, words and sentiment between Tweets of a certain topic. The screenshot of the graph below shows an example of using the Tweet Analyser machine on the phrase AlchemyAPI:


In this image the entities are sized according to their number of incoming links so you can see what is common between many Tweets.  From the image you can see common hashtags like: #ai, #deeplearning and #sentimentanalysis as well as pick out the common links and words between the Tweets.
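The To Words logic and the per-Tweet extraction described above, as an added Python sketch (not Paterva's transform code): hashtags, links and mentions come out via regexes, a word is uncommon when it is absent from the first `threshold` entries of a frequency-ordered list and not on the ignore list, and counting values across Tweets gives the incoming-link counts that bubble view sizes entities by. The word list and Tweets are constructed stand-ins, and sentiment is left out because AlchemyAPI is a remote service.

```python
import re
from collections import Counter

# Constructed stand-in for a frequency-ordered list of common English words
# (most common first); a real list would run to thousands of entries.
COMMON_WORDS = [
    "the", "of", "and", "to", "a", "in", "is", "it", "you", "that",
    "for", "on", "with", "this", "new", "just", "our", "api", "great", "text",
]
RANK = {w: i for i, w in enumerate(COMMON_WORDS)}   # word -> position in the list

URL_RE = re.compile(r"https?://\S+")
HASHTAG_RE = re.compile(r"#(\w+)")
MENTION_RE = re.compile(r"@(\w+)")
WORD_RE = re.compile(r"[A-Za-z][A-Za-z'-]+")


def uncommon_words(text, threshold, ignore=()):
    """'To Words': keep a word unless it appears before `threshold` in the common list
    or is on the caller's ignore list. Links, hashtags and mentions are stripped first
    because separate transforms extract those."""
    ignored = {w.lower() for w in ignore}
    cleaned = MENTION_RE.sub(" ", HASHTAG_RE.sub(" ", URL_RE.sub(" ", text)))
    words, seen = [], set()
    for token in WORD_RE.findall(cleaned):
        w = token.lower()
        if w in ignored or w in seen:
            continue
        # Words missing from the list rank past its end, i.e. they are always uncommon
        if RANK.get(w, len(COMMON_WORDS)) >= threshold:
            seen.add(w)
            words.append(w)
    return words


def extract(tweet, threshold, ignore=()):
    """Everything the Twitter Analyser machine pulls out of one Tweet (minus sentiment)."""
    return {
        "hashtags": [h.lower() for h in HASHTAG_RE.findall(tweet)],
        "links": URL_RE.findall(tweet),
        "mentions": [m.lower() for m in MENTION_RE.findall(tweet)],
        "words": uncommon_words(tweet, threshold, ignore),
    }


def aggregate(tweets, threshold, ignore=()):
    """Count each extracted value across all Tweets: the count is the number of incoming
    links the entity would have on the graph, which is what bubble view sizes by."""
    counts = {k: Counter() for k in ("hashtags", "links", "mentions", "words")}
    for tweet in tweets:
        for kind, values in extract(tweet, threshold, ignore).items():
            counts[kind].update(values)
    return counts


# Constructed sample Tweets (not real posts); the t.co links are placeholders.
TWEETS = [
    "Just tried the new @AlchemyAPI sentiment endpoint on our tweet corpus "
    "http://t.co/placeholder1 #ai #sentimentanalysis",
    "Great write-up on deep learning for text http://t.co/placeholder2 #ai #deeplearning",
    "Our sentiment API is now faster http://t.co/placeholder1 #ai #sentimentanalysis",
]
```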

As always enjoy responsibly!
Paul

PS: As most of you already know we have recently released an update to Maltego [version 3.5.2], our YouTube video here gives a quick breakdown of the new features:  https://www.youtube.com/watch?v=QK6PX4Fq5xY&list=UUThOLpqhLFFQN0nStdkyGLg

Announcing Maltego Carbon Community edition

Hey there people of the Internet..

Woot! We’re excited to announce that Maltego Carbon has finally come to the masses. We've chosen a 1984 Russian Nuclear Expo theme for the splash page:



We stealthily uploaded the binaries to the website on Friday – but we wanted to wait with the announcement until today (as it’s silly to do a “press release” on a Friday – right?). This is a major new version of Maltego so you’ll need to get a new installer from our website. Simply click on the download section of the website to get yours now! [LINK]

The Carbon release is a major step up from the previous version (Tungsten). The major improvements are discussed in this video:

Killer feature – integrated OAUTH allows you to have your Twitter transforms back, and a slick new import from CSV and XLS files.

An online update of Carbon is included in the download – taking it to 3.5.3, which has a lot of new transform goodies and fixes – it's discussed in this video post:



Oh – last thing – don’t get too annoyed with the CAPTCHAS. We know you need a doctorate degree in hieroglyphics to solve them – and as such – we've disabled it for now. You may just enter ‘Paterva rocks’ and it will register a pass. Truth be told….you can enter anything.

Enjoy!
RT

Keeping with tradition

Yup - it's that time of the year again. Another year is almost done. For many of us at Paterva, 2014 was a really really tough year. But this post is not about us - it's about you. No well.. not really. It's about this time of the year and our special discount we run for a few days.

It's the time when your extended family comes to visit with their 17 snotty-nosed kids, the time when your weird uncle pitches up unannounced wearing only underpants and when your wife/husband/girlfriend/boyfriend/dog/cat/budgie/parrot is as stressed-out as you are. Perhaps we IT people are not *really* such herd animals after all.

This is why we run the Maltego Christmas special every year. This year we're giving 44% discount on licenses - from today up to the end of the 25th. It will allow you to retreat back to your computer during these days and make pretty graphs. When someone calls you for another family photo you can show them the graph (we suggest full screen mode) and say "Can you see I am busy with important stuff?!"

The coupon code this year is 'IHateSocks'. It's not like we really hate socks...but rather buy your loved one (or yourself) a freshly computed Maltego license.

Peace / love / baby seals,
RT


Calling all transform writers! and Maltego Chlorine details! and MORE!

All,

In a few weeks we'll be releasing a new version of Maltego. We're calling it Maltego CHLORINE! (we're sure the malware analysts will love the name as ...you know...chlorine..germs...bugs....that.)



There are SO many new things. Where to start...??..But - let's start at 1).

1. New context menu
We've totally redesigned the context menu. The main reason for this is that it was getting a bit cumbersome / fat / lazy / had too many Doritos. If you had a lot of transforms you had to really know your way around the GUI to find them all. We took some time, looked at what users mainly use and designed this:

After some weeks of tweaking the design it ended up looking like this in the GUI:

We think it rocks and you will too. YOU WILL LIKE IT! and if you don't YOU WILL LEARN TO LIKE IT! Like cauliflower and Brussels sprouts. No actually, if we're serious, it's a vast improvement from the previous context menu.

2. Java 8 support.
Yeah - eventually. The reason this took a while is because we had to do an end-to-end test of Maltego on the new platform before we're confident that we can release it. Like a new girlfriend, every Java version has its own unique quirks. Things that worked perfectly well in Java 7 need a lot more TLC in Java 8.

3. Better OSX support
Everybody knows how much we love Macs (cough). We've decided to make the Mac install and startup a lot more robust - and easier for end users. Keep in mind that with 3 versions of Java floating around (6, 7 and 8) and Windows / Linux / Mac support it's not always so easy to make sure Maltego installs and runs perfectly in all 9 environments. Not to talk about the small differences between Mavericks and Yosemite, Windows 7 vs Windows 8 and easing the install on Flubber Linux 8.15.221.

...but the most exciting feature...

4. Transform Hub
When we started Maltego almost 8 years ago our vision was always that other people can build their own transforms. As Maltego became more mature this dream was becoming a reality and today many interesting projects are using Maltego as their front end. The problem was that sharing these transforms with the rest of the world was a bit... tedious. This is why we decided to build functionality that allows you to see which other cool transforms other people made available. We call it the Transform Hub.

Note that we don't call this the Transform Store - but I guess we could have. It's basically the same thing with the exception that we hope most of the transforms will be free. It's up to all the 3rd party transform writers to decide if / how they want to price transforms. 

It basically means that when you start Maltego you'll get a list of 3rd party transforms and you get to choose which ones you want to use. Here's what it's going to look like (note that the items in the Transform Hub haven't been finalized!):

At startup you'll see the Transform Hub.


If you want to quickly see what the transforms are all about you can just mouse-over on them.


If you want to see more details - click on 'details' (so original). Here you can see things like the transform writer's web page, if it's commercial or not, where to register (if you need to) and where you can contact the transform writers. 

Once you're ready to install the transforms simply click on 'Install'.  


And that's pretty much it. No more seed URLs to enter. With the new TDS we push entity definitions to the client during install as well! One click install. <in a very soft/low voice/and spoken very quickly: "This applies for TDS transforms only">. Yeah of course.

With this fantastic development in place we call all transform writers! Let us know what you've been brewing up and we'll add you to ..<cave reverb, lots of echo> THE TRANSFORM HUB..Hub...hub...ub...b.

One more thing - you can always add your private server to the list too. And - if the transforms you are using are hosted on a 3rd party's own TDS server your traffic will only go to this 3rd party - we don't see it!

If you are interested in getting your own TDS - please let us know. We're keen to sell you one. And you can sell transforms. And you can sell your transforms on a TDS server to other people. Together we can make lots of money! (sorry, marketing INSISTED on this paragraph, they're not the most creative bunch. In the long run we actually see a lot of free stuff on there. We hope. Actually - it's in your hands really.)

PS - so... the public TDS is not 100% there in terms of all the bells and whistles of the shiny new commercial TDS - but Andrew promised us that he will be making tea for everyone every 3rd day until he's done porting the commercial TDS to the public TDS.

5. Development portal & forum
Because of 4) we decided it would be a great idea if people actually knew how to build their own transforms! In the past we've been...well...not so great at that - we confess. But this has all changed! 

We spent days and weeks building a really snazzy looking development website. It's at [http://dev.paterva.com/developer/] and it's packed with all sorts of nice goodies. We're still working on it so not *all* the sections are 100% completed but it should be a great resource for people wanting to write transforms. 

And also - the forum is back. Well - the development forum. Until the spammers list their shit on there again. Then we'll put our famous Maltego Community Edition CAPTCHAS on there!

The Chlorine release should be ready to go by the middle of February 2015 - we're really looking forward to seeing the feedback from our users. We'll start off (as always) with the commercial release and the community release (and the Kali Linux release) will follow soon afterwards.

Thanks for reading all of this - wow - it's a lot - we've been damn busy!

Baby seals,
RT

Building your own LovelyHorse monitoring system with Maltego (even the free version) - it's easy!

Someone linked me to the [LovelyHorse] thingy. If you missed it - it's basically a leaked GCHQ/NSA document containing a list of a few security related Twitter accounts that the GCHQ/NSA was supposedly monitoring. Seeing that, since the last release, we have some interesting Twitter functionality in Maltego, I figured it would be interesting to see how we can replicate their work.

First - manually

Before even starting with Maltego I first spent some time thinking about what I really wanted from this and did it all by hand (still in Maltego, but before we start to automate the process). As a start I'd need to get the people's Twitter handles. Well that's easy - the document lists them all. In Maltego I can start with an alias and run the transform 'AliasToTwitterUser' to get the actual Twitter handle:


I want to get the Tweets that the people wrote. There's a transform for that too - 'To Tweets [that this person wrote]'.


OK great - now I have the last 12 Tweets (my slider was set to 12). What information can I extract from the Tweet itself - keeping in mind that I want to end up doing this across 36 different handles? Well - possibly extract any hashtag, any URL mentioned in the Tweet and any other Twitter user's handle. There are transforms for all those.


Running those on a single Tweet we get something like this:


Note how the http://t.co links are nicely resolved. This Tweet didn't contain any other aliases - so you only see the hashtags and the URLs.

If we select all the Tweets and run the 3 transforms across them we see that there are some matches - in this case on the hashtags 'infosec' and 'malware':


Now, this is not really interesting at all but it's a starting point. When I do the same for the last 12 Tweets of all of the lovely horses (as I'll call this group of Twitter handles) I might see some pattern.

Now - all the horses

I copy the text from the PDF and paste it into a text editor - Notepad will do. Clean it up a bit and we have:

Select all and paste into Maltego. It will result in every line being mapped as a phrase. Select all the entities (control A) and change the type to 'Alias' and run the 'AliasToTwitterUser' transform on all the phrases - like we did at the beginning, except now we're doing it on all the aliases. It should look something like this:

At this stage I can get rid of the Aliases because I am not going to use them anymore. I click on 'Select by Type' on the ribbon (Investigate) and select 'Alias'. Delete - and they're gone. I do a re-layout, select them all and run the 'To Tweets [that this person wrote]' - this time on all of them. Essentially I am repeating the entire process we did - but this time on all the lovely horses.

When the transforms complete the graph now looks like this:


All that's left is to run the 3 transforms (Pull URL/hashtag/alias) on all the Tweets. To select all the Tweets quickly I use 'Select by type' - Twit again. This takes a while to complete...but when Maltego has pulled out all the hashtags, URLs and aliases from the last 12 Tweets of all the lovely horses it looks like this:

No doubt this looks like ass. It's because the block layout is not really suited for this type of graph. But click on Bubble View:


and you get:


Let's get real

I won't lie - I've been spoon feeding up to now. Let's stop now - else this blog post is going to morph into a book. I am going to assume that you have a bit of Maltego experience under the belt by now.

The way we've been doing it up to now is really not terribly interesting or accurate. We're getting the last 12 Tweets. What we really want is all the Tweets in the last X seconds. Imagine that one horse hasn't been on Twitter in 14 days - then matching his/her Tweets to what's happening right now does not make a lot of sense (in a monitoring scenario). We need to introduce the idea of a sliding time window. The Twitter transforms did not support that.

Didn't. Does now. Well - the 'To Tweets [that this person wrote]' does now. I hacked it quickly. Anton will not approve...but it works as it says on the tin. I've added a transform setting called 'Window' - by default 0 but when changed implements this 'in the last X seconds'. 

Now it becomes interesting when combined with machines (scripted transforms) - especially perpetual machines. Consider the following machine:

machine("axeaxe.LovelyHorse", 
    displayName:"LovelyHorse", 
    author:"RT",
    description: "Simulates the GCHQ's LH program") {

    onTimer(240) {
        type("maltego.affiliation.Twitter",scope:"global")
        run("paterva.v2.twitter.tweets.from",slider:15,"window":"1800")
        paths{
            run("paterva.v2.pullAliases")
            run("paterva.v2.pullHashTags")
            run("paterva.v2.pullURLs")
            run("paterva.v2.TweetToWords")
        }

        //half hour + half hour = one hour
        //the entities will be deleted if older than half hour
        //but the transforms time frame adds another half hour
        age(moreThan:1800, scope:"global")
        type("maltego.Twit")
        delete()
        
        age(moreThan:1800, scope:"global")
        incoming(0)
        outgoing(0)
        delete()
    }
}

Let's take a look. We run our sequence every 4 minutes (4 x 60s = 240s). We grab all the Twitter handles and get the Tweets - but at most 15, and only if they were written in the last half an hour (30 x 60 = 1800s - we set the window parameter to 1800). After this it's plain sailing - we get the Aliases, hashtags and URLs.

At some stage we need to get rid of old Tweets - else our graph will just grow and grow and grow. So there's a little logic to delete nodes when they're older than half an hour. This means that at any stage we have a one hour view on the activity of the horses. One hour - because in the limit the initial transform can return a Tweet that's 30 minutes old and it will stay on the graph for another 30 minutes.

The resulting graph will show us when they are Tweeting the same keyword (courtesy  of the 'TweetToWords' transform), hashtag, mention the same website or mention the same Twitter handle in their Tweets. And if they are not active on Twitter - then the graph won't contain outdated info. 

Of course - the values can be changed depending on how closely you want to monitor the situation - if the resolution is a day then the values should be (24 x 60 x 60) /2 and you should 1) up the number of Tweets returned in the slider value (as TheGrugq Tweets waaay more than 15 Tweets in a day) and 2) you shouldn't have to poll every 4 minutes.

Advanced
Right - so what we REALLY want is something that can tell us when more than X horses' Tweets are linking to the same thing (be that a website/hashtag/whatever). For that we can't just use the 'incoming()' filter, because one person could be sending ten Tweets mentioning the same website and it would mean that the website has ten incoming links. No - it has to have unique starting nodes (the horses).

We have that filter. It's called 'rootAncestorCount()'. So now - with a combo of bookmarks and this filter hackery we build something like:

        //if an entity links to moreThan 2 horses & 
        //we haven't seen it before  - mail
        incoming(moreThan:1, scope:"global")
        rootAncestorCount(moreThan:2)
        bookmarked(1,invert:true)
        run("paterva.v2.sendEmailFromEntity",EmailAddress:"roelof@paterva.com",EmailMessage:"Multiple horses mentioned: !value!",EmailSubject:"Horse Alert")
       
        //this is to ensure we don't email over & over
        incoming(moreThan:1, scope:"global")
        rootAncestorCount(moreThan:2)
        bookmark(1)


Basically what happens here is that we check for all entities with more than one incoming link (this can only be hashtags/URLs/words/aliases) and find the ones that have more than 2 unique grandparents (i.e. the horses). If we find them, and we haven't seen them before (this Boolean flag is implemented with a bookmark), we mail the value out. We do the mailing with a transform that we wrote (and for obvious reasons cannot make public, else it will be used for spam). It's not rocket science tho.
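The whole machine, as an added Python simulation (not Paterva's code or the machine language itself) covering the Window setting, the one-hour view that the matching age() deletion gives, and the rootAncestorCount/bookmark alert above: ten Tweets from one horse give a hashtag ten incoming links but only one root ancestor, and a bookmarked entity is never mailed twice. Handles, Tweets and timestamps are constructed; the e-mail transform is replaced by returning the alert list.

```python
from collections import defaultdict

HORSE_TYPE, TWEET_TYPE, TAG_TYPE = "maltego.affiliation.Twitter", "maltego.Twit", "maltego.hashtag"

class Graph:
    def __init__(self):
        self.nodes = {}                    # node id -> {"type", "created"}
        self.parents = defaultdict(set)    # child -> parents (incoming links)
        self.children = defaultdict(set)   # parent -> children (outgoing links)

    def add(self, node_id, node_type, created):
        self.nodes.setdefault(node_id, {"type": node_type, "created": created})

    def link(self, parent, child):
        self.parents[child].add(parent)
        self.children[parent].add(child)

    def incoming(self, node_id):
        return len(self.parents[node_id])

    def root_ancestor_count(self, node_id):
        """Distinct ancestors with no parents (the horses); ten Tweets from one horse count once."""
        roots, stack, seen = set(), list(self.parents[node_id]), set()
        while stack:
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if self.parents[n]:
                stack.extend(self.parents[n])
            else:
                roots.add(n)
        return len(roots)

    def delete(self, node_id):
        for p in self.parents.pop(node_id, set()):
            self.children[p].discard(node_id)
        for c in self.children.pop(node_id, set()):
            self.parents[c].discard(node_id)
        self.nodes.pop(node_id, None)

def ingest(graph, tweets, now, window, slider):
    """'To Tweets [that this person wrote]' with the slider and Window settings, then pullHashTags."""
    per_horse = defaultdict(list)
    for t in tweets:
        if t["author"] in graph.nodes and now - t["ts"] <= window:
            per_horse[t["author"]].append(t)
    for horse, recent in per_horse.items():
        for t in sorted(recent, key=lambda tw: tw["ts"], reverse=True)[:slider]:
            graph.add(t["id"], TWEET_TYPE, now)   # age counts from landing on the graph
            graph.link(horse, t["id"])
            for tag in t["hashtags"]:
                graph.add("#" + tag, TAG_TYPE, now)
                graph.link(t["id"], "#" + tag)

def horse_alerts(graph, bookmarks):
    """incoming(moreThan:1) + rootAncestorCount(moreThan:2) + bookmarked(invert): mail once, then bookmark."""
    alerts = []
    for nid in list(graph.nodes):
        if graph.incoming(nid) > 1 and graph.root_ancestor_count(nid) > 2 and nid not in bookmarks:
            alerts.append(nid)
            bookmarks.add(nid)
    return alerts

def expire(graph, now, max_age):
    """age(moreThan) + type(Twit) + delete(), then drop old unlinked entities; seed handles stay."""
    old = [n for n, i in graph.nodes.items() if i["type"] != HORSE_TYPE and now - i["created"] > max_age]
    for n in (n for n in old if graph.nodes[n]["type"] == TWEET_TYPE):
        graph.delete(n)
    for n in old:
        if n in graph.nodes and not graph.parents[n] and not graph.children[n]:
            graph.delete(n)

def tick(graph, tweets, now, bookmarks, window=1800, slider=15):
    ingest(graph, tweets, now, window, slider)
    alerts = horse_alerts(graph, bookmarks)
    expire(graph, now, window)   # same age as the window: a one-hour view in total
    return alerts

HORSES, T0 = ["alice", "bob", "carol", "dave"], 1_000_000   # constructed handles / epoch time
TWEETS = [   # constructed sample Tweets, not real posts
    {"id": "t1", "author": "alice", "ts": T0 - 60, "hashtags": ["malware"]},
    {"id": "t2", "author": "alice", "ts": T0 - 120, "hashtags": ["malware"]},
    {"id": "t3", "author": "bob", "ts": T0 - 300, "hashtags": ["infosec"]},
    {"id": "t4", "author": "carol", "ts": T0 - 600, "hashtags": ["infosec"]},
    {"id": "t5", "author": "dave", "ts": T0 - 900, "hashtags": ["infosec"]},
    {"id": "t6", "author": "dave", "ts": T0 - 7200, "hashtags": ["infosec"]},  # outside the window
]

def demo():
    graph, bookmarks = Graph(), set()
    for h in HORSES:
        graph.add(h, HORSE_TYPE, 0)
    first = tick(graph, TWEETS, T0, bookmarks)          # #infosec links 3 horses -> alert
    second = tick(graph, TWEETS, T0 + 240, bookmarks)   # already bookmarked -> no repeat
    malware = (graph.incoming("#malware"), graph.root_ancestor_count("#malware"))
    tick(graph, TWEETS, T0 + 3600, bookmarks)           # an hour on: everything has aged out
    return {"first": first, "second": second, "malware": malware, "left": sorted(graph.nodes)}
```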

Such a machine can run for days... the resultant graph for today (it's almost midnight), when configured with a one day window, looks like this:


Highlighted with its entire path here is the hashtag 'security' - no surprise there. The other one was the alias DaveAitel (again not surprising). Below is the email received. Remember that we'll only receive email ONCE per alert, only when 2 or more horses link to it and only if it happened within a day.



The complete machine looks like this (please change values as needed - speed / resolution /etc):

machine("axeaxe.LovelyHorse", 
    displayName:"LovelyHorse", 
    author:"RT",
    description: "Simulates the GCHQ's LH program") {

    onTimer(600) {
        //find Twitter handles on graph
        type("maltego.affiliation.Twitter",scope:"global")
        
        //run to Tweets transform
        run("paterva.v2.twitter.tweets.from",slider:30,"window":"43200")
        
        //extract Alias/Hashtags/URLs and uncommon words
        paths{
            run("paterva.v2.pullAliases")
            run("paterva.v2.pullHashTags")
            run("paterva.v2.pullURLs")
            run("paterva.v2.TweetToWords")
        }

        //if an entity links to more than 2 unique horses & 
        //we haven't seen it before  - mail it out
        //comment this entire section if you don't have a mailing transform

        incoming(moreThan:1, scope:"global")
        rootAncestorCount(moreThan:2)
        bookmarked(1,invert:true)
        
        run("paterva.v2.sendEmailFromEntity",EmailAddress:"roelof@paterva.com",EmailMessage:"More than 2 horses mentioned: !value!",EmailSubject:"Horse Alert")
        
        //this is to ensure we don't email over & over
        incoming(moreThan:2, scope:"global")
        rootAncestorCount(moreThan:2)
        bookmark(1)
        
        
        //delete nodes when they grow old
        //12 hours + 12 hours = one day
        //the entities will be deleted if older than 12 hours (43200s)
        //but the transform's time window adds another 12 hours
        age(moreThan:43200, scope:"global")
        type("maltego.Twit")
        delete()
        
        age(moreThan:43200, scope:"global")
        incoming(0)
        outgoing(0)
        delete()
    }
}

I hope you've enjoyed this (waaaaay too long) blog post on how our thinking goes. Of course - you get a lot more understanding of these things if you do it yourself. All of the above functionality exists in the (free) community edition of Maltego too - although there you probably want to monitor shorter intervals (say 15 minutes) as you can only display 12 Tweets per person. All in all - that's probably better.. ;)

'laters,
RT

PS: for more information on machines check out our newly built dev portal at [http://dev.paterva.com/developer]. The machine syntax etc. is located in 'Advanced'. 

And also - we made a video some time ago that shows the same kind of principle - it's [ here ]

Maltego Chlorine is ready for download

All,

TL;DR: 
New release is called Chlorine - was a tough one. It's an awesome release. We fixed many bugs and built many features.

You should download it. Now. [ Here ].  Or click on the pretty picture.
Release video is [ here ].



The full story

Here at Paterva we've had a few milestone Maltego releases. Maltego 3.1 was one, Maltego Tungsten was another. It's hard to say which one was the most difficult to get 'over the line'. Maltego Chlorine was one of those 'giving birth' releases.

We've worked really hard at it. The release was supposed to be in mid February - then we delayed it because we kept finding conditions we'd previously missed. A lot of testing was done on Chlorine, and a lot of bugs (some even came from version 3) were fixed. We even [started talking] about it early in Feb.

A product like Maltego is never really completely finished. At any given stage there is a list of features we still want and a (smaller) list of things that really annoy us. We can easily develop Maltego for months before we push out a new release, but at some stage you need to let go and put it 'out there'. We're there now - it's 10 months since our last major release and the baby is overdue.

We made a video describing what's new in Chlorine. The plan was to take the cable car up to Table Mountain and shoot the video at sunset overlooking Cape Town. It started raining during the first take. There was a pesky helicopter buzzing around (because it was the State of the Nation address in parliament that day). It was shot on the 12th of Feb - almost 3 weeks ago. As such the look and feel changed a little bit here and there - but you'll get the basic idea. Click below to watch what Chlorine is all about:


New features
As the video says - the major features of Chlorine are as follows:
1) Transform Hub
2) New context menu (right click menu)
3) Java 8 support - and lots of OSX install/first run enhancements

What the video does not say is that we now have:
4) Sizable fonts (no more needing a microscope to read detail view)
5) Output window shows links to entity for easy tracking
6) Removed our branding from the PDF report (SO many people, SO angry)
7) LOTS of bug fixes
8) New branding, higher quality icons / logos etc.
9) Not really a feature of the release, but we have a brand new [developer website].

A short history of Maltego releases:
We've also realized that people have difficulty following release dates, names and features. So here goes:
Jun 2010 - 3.0 - NoName - First major release, redid graphing engine, new protocol.
Feb 2012 - 3.1 - NoName - Basically redid version 3...graph annotations, link styles

We then decided to use element names for the releases:
Sep 2012 - 3.3 - Radium - Scriptable transforms (machines), auto update
Aug 2013 - 3.4 - Tungsten - Real time graph collaboration
Apr 2014 - 3.5 - Carbon - OAUTH capabilities - return of Twitter transforms
Mar 2015 - 3.6 - Chlorine - Transform hub / context menu

In between the major releases there has been a lot of on-the-fly updates, patches, hot fixes etc.

It's been a long and interesting journey. We hope you enjoy using our software as much as we enjoy building it.

So long / baby seals / going to sleep for a week,
RT

Connecting the links


Hello there,

Today I am going to talk a bit about our new Linkedin transforms that we have been working on. Linkedin is all about finding connections between people, so what better way to visualize this information than in Maltego? I set out to build some Linkedin transforms that could help show connections between Linkedin users, their shares and company profiles that may not be easy to identify on Linkedin itself. All the transforms that I built here use the Linkedin developer API, so you can log into your own Linkedin account from Maltego and start visualizing your Linkedin network.

Linkedin's API provides awesome search functionality for finding people and companies by allowing you to refine your searches with additional search parameters, making it a lot easier to find profiles with common names. Our Linkedin transforms allow you to enter these additional search parameters using transform settings (transform pop-ups). To search for a Linkedin company profile from within Maltego you start with a phrase entity and run the transform Linkedin Company Search; a transform setting will pop up asking you if you want to specify a country-code. Running this transform on the phrase ‘KPMG’ without specifying a country-code results in the graph below:

The results returned from the Linkedin Company Search transform are weighted according to relevance, meaning that the entity in the top left-hand corner is the most relevant result for your search. In the detail view there are links to the company's Linkedin profile page and to their website, as shown in the image above. There is a range of transforms that you can now run on the Linkedin company profile entity, which are listed in our shiny new context menu also shown in the image above. One of the highlights of these transforms is To Email Domain, which returns domains that the company has specified they receive email on. This transform often returns loads of results, which is great if you are looking for sub-domains for that company. Running the To Email Domain transform on the first company profile from our 'KPMG' search results in 34 different email domains, many of them sub-domains of kpmg.com. The result is shown below:
If you are ever looking to mine email addresses for a company this is probably a good place to start but that is a bit off topic for this post so I will leave that for you to try on your own. 

To search for a person’s Linkedin profile from Maltego you run the Linkedin People Search transform on a person entity; three transform settings will pop up allowing you to specify this person's company name, the country code of their home country and a past school of theirs. These transform settings are really useful when searching common names: for example, when searching the name John Doe while specifying the country-code IR (Iran) you will receive only two Linkedin profiles. If you were to exclude the country code from this search you would be flooded with results. The image below shows this search result as well as the context menu, which shows all the transforms that can be run on a Linkedin Affiliation entity:

The Detail View in this image shows additional information about the selected user, which includes their Linkedin headline, location and the industry they work in.


Currently the Linkedin People Search transform returns the 25 most relevant results for your search while the Linkedin Company Search transform will return the 20 most relevant company profiles for your search.

Okay, enough with the details, let’s move on to an example of how this can be used: imagine you wanted to inform as many Linkedin users from a particular company of something without directly messaging them and without them being aware that they are being fed targeted information. How we could do this is as follows: start by finding our target company's Linkedin profile; from our target company's profile we then run the transform To Affiliations [only in your Network], which returns all the users in your network who work (or worked) at that specific company. This results in the following graph:

From all these users we then want to see what shares are currently showing in their news feed, to do this we run the transform To Shares in User’s Network. This results in the following graph (shown in bubble view on the left):

This graph is quite large but by selecting all the shares and ordering them according to their number of incoming links we find that there is a single share that is currently on 23 news feeds belonging to users at our target company. Taking this share plus its incoming links to a new graph results in the following:

Now if we were to post a comment on this share we know that our comment would show up on the news feeds of 23 Linkedin users that work (or worked) at our target company.

Next we want to find who authored this share; to do so we run the transform To Share’s Author on this share, which reveals who it was initially posted by. Finally we run the To Companies transform on this user, which reveals the company that this user works for:

This user’s Linkedin profile seems to be quite popular amongst users from our target company, so its owner may be a person of interest if we were really targeting this organization. The next step would be to find this profile owner's email address, which could be done by finding the company's email domain and then their naming format for email addresses, but again this is out of the scope of this blog post.

I have one last highlight from our new Linkedin transforms that I want to mention before it's time to go. The To Entities [Using AlchemyAPI] transform can be run on a Linkedin share entity; this transform will extract people’s names, places and company names that are mentioned in the share article. It is a nice way to easily identify topics that are being discussed across multiple shares in your Linkedin network.

A quick word about rate limits on the Linkedin API: to use these transforms you will need to log into your Linkedin account from Managed Services in Maltego. Most of the API calls that these transforms use are limited to around 300 calls per day per user. When you reach your limit for the day you will receive a message in your transform output notifying you, and you will have to wait until midnight UTC for the limit on your account to be reset. The Linkedin People search and the To Affiliations [in your network] transforms have a much stricter limit, so you might find that you reach the limits for these transforms a lot quicker.

For those of you who have upgraded to Maltego Chlorine the Linkedin transforms will be arriving in your Transform Hub shortly; you will be able to add them to your Maltego client simply by hitting the install button. For those of you who are still running Carbon here is the seed URL:



Enjoy responsibly

PR.

Maltego Chlorine Community Edition is ready for download

Hi there,

We're pleased to announce the release of Maltego Chlorine Community Edition. This release should hopefully solve most of the Java compatibility issues. It comes bundled with Java 8u45 and is available for download at our website [HERE].




The Chlorine release brings (almost) all the goodness of the commercial release with a $0 price tag. If you're interested in the changes made from Carbon to Chlorine we suggest you view our Chlorine release video [HERE].

One of the main differences between the commercial and the community edition is that the community edition features only free items in its Transform Hub.

When Kali Linux 2 is released we'll also release a Maltego build for Kali. In the meanwhile Kali Linux users can simply install the .deb on their Kali Linux.

Additionally we've made a new 'Intro to Maltego' video that will replace the first video in our tutorial series. It was about time - the previous version was made in Oct 2011 and used version 3.0. We've also had lots of complaints about the quality of the audio. The new video should be crisp and clear at 1080p with awesome sound. You can view it by clicking on the image below:


As always - please enjoy responsibly.
RT

We talk to Allan about NewsLink

This blog post presents our new transform hub item called NewsLink that we have just released on the Transform Hub. NewsLink aims to assist in identifying and monitoring patterns in information posted on the Internet from a wide range of sources including Twitter, blog posts and news articles.

Every day millions of news articles, blog posts, Tweets, pastes, etc. are posted online. With this continuous stream of information it is difficult to identify what is important to us and should be focused on, and what can simply be ignored. One approach to picking out important information is to look at when multiple sources all mention the same people, locations, company names (and a slew of other entity types) within a certain time period. This is the basis for NewsLink.

The image of the graph below is a small piece of a graph that was monitoring news articles related to Defcon. The snippets on the right list the news articles that mention both Samy Kamkar and Defcon on the same page. This is an example of what we will be working towards in this blog post.



This blog post will be broken down into a couple of sections. First we'll look at the transforms that NewsLink uses to gather your information from different sources. We'll then move on to the transforms used to extract entities and keywords from these web pages, as well as to calculate each page's sentiment towards that topic. The last step is to automate this process with the use of Machines. Using Machines you can continuously monitor your search term and be alerted by email only when something of interest occurs.

Transforms that gather information
We have four new transforms for gathering information from different sources - two of these transforms get information from Twitter and the other two get information from websites using search engines.

Search for News Articles [using Bing]

The first transform we have is called Search for News Articles [using Bing] and is used to gather recent news articles relating to a specific search term from unspecified news sources. The transform uses Bing's news search API and will return articles from a wide range of news websites that are indexed by the search engine. The starting point for this transform is a phrase entity in which you enter your search term, as seen in the image below (1). After running the transform a transform settings window will pop up allowing you to limit your results according to the age of the articles and their news category (2). Defcon is in the news currently, so let's see some articles relating to the con that have been posted in the last 7 days. You can use a numerical value followed by 'd' for days, 'h' for hours, 'w' for weeks and 'm' for minutes.



The next image shows the results from this search. Each entity that is returned represents a website that has posted about Defcon in the last 7 days. Clicking on one of these websites and having a look in the Detail View will provide you with more information on the article, as seen below:

(Dated: 24 Jul 2015)
Search for Websites [Using GCSE]

The next new transform we have is called Search for Websites [Using GCSE] and is slightly more flexible than the former as it allows the user to specify a list of sites to search and only returns results from those sites. The transform uses a [Google Custom Search Engine] (GCSE) ID as a transform setting to specify the list of sites that you want it to search. To use this transform you first need to create a GCSE with the list of websites that you want to monitor. This list could really be anything from your favorite security blogs to a list of influential financial news services. Once created you will receive a unique ID for your GCSE, which is what you will use as a transform setting when running the Search for Websites [Using GCSE] transform. The example image below shows the list of websites we have included in our GCSE (1) as well as the settings that are displayed when running this transform. These settings include the GCSE ID as well as the maximum age of the pages you want returned (3). In this case the setting is populated with 'd' for days, 'w' for weeks or 'y' for years followed by a numeric value (hours and minutes are unfortunately not supported by the API).




The next image shows the results from this search in which you will notice that only sites included in our list were returned. By clicking one of these entities and looking in its Detail View you'll see that the different pages from the relevant websites are displayed.

(Dated: 24 Jul 2015)
Expanding websites to the actual web pages

Next we want to get all these webpages out into their own URL entities so that we can work with them separately. To do this we run To Pages from Website, which results in the graph below:

(Dated: 24 Jul 2015)
Clicking on one of these URL entities shows details of the webpage including the sentiment of the text as seen above.

Before we start running further transforms to process these articles we should speak about our Twitter transforms that can be used to get Tweets on specific topics or from specific users.

To Tweets [Search Twitter]

The first Twitter transform is called To Tweets [Search Twitter] which has actually been available in Maltego for quite some time and can be found in the PATERVA CTAS transform seed. This transform simply searches for Tweets that mention your search term. The image below shows running the transform on the hashtag Defcon with the transform slider set to 50:

24 Jul 2015

This transform is a very general search as it will search all of Twitter for Tweets made by any user. Most of the time you won't actually be interested in what the common folk on Twitter have to say about your search term; instead you would like to search for your topic only among a specific list of Twitter accounts.

Fortunately Twitter allows users to create lists of accounts and then search for Tweets by users in these lists. You can create your own lists of Twitter users from your Twitter profile and then access that list in Maltego by finding your Twitter profile and running the transform To User Lists [That this person owns].  Paul's Twitter account contains a public list of Twitter accounts belonging to news sites that he believes to be quite influential/popular. To find this list you will first need to find his Twitter account which can be done by searching for his alias and running the transform To User Lists [That this person owns] to see his lists. From the user list entity you can see which Twitter accounts are included in the list by running the transform To Twitter Affiliation. The image below shows the steps to get the list and the users in the list:




To Tweet [Written by user list member]

Next up we want to monitor this list of accounts and return Tweets to our graph whenever our search term is mentioned by any one of these users. To do this we run the transform To Tweet [Written by user list member] on the user list entity (1). A transform settings window will pop up allowing you to specify your search term as well as a term to ignore Tweets by (see 2). You can also specify the maximum age of the Tweets that you want returned. This is entered in seconds in the first transform setting field, as shown in the image below:



The search above results in only ten Tweets by users in Paul's list that mentioned Greece in the last week (604 800 seconds) (3). You can see the details of each Tweet by having a look in the Detail View.

If you don't want to search for a specific topic but instead want all the Tweets by the users in your list, you can run the same transform leaving the two transform settings, Tweets that don't contain and Tweets that contain, blank, which will return all the users' Tweets in the specified time.

These four transforms are what we use to gather our information from the web and from Twitter, with two of them allowing you to get results from very specific sources (eg: from your Twitter lists or from your GCSE) and the other two allowing you to get results from a wide range of sources (eg: all the users on Twitter or all pages indexed by Bing's news search). The table below summarizes how these four transforms can be categorized:


Processing the information we've mined
Now that we have our information collected we can do some interesting operations on the data to find where different sources mention a common entity (like a person's name, and more). We will also look at the sentiment across the different sources on an entity to determine that entity's "average sentiment".

Let's return to our previous Defcon graph where we got related news articles by running the transform Search News Articles [using Bing].  We've run the transform To Pages from Website to get the different news articles out into their own URL (webpages) entities.

From here there are a few options for transforms to run on these URL entities. The first transform is called To Related Words with Sentiment and is used to extract uncommon words from webpages. The words need to be within a certain distance of your search term in order for them to be returned. This distance between the extracted word and our search term is specified in a transform setting. This same transform can also be run on our Tweet entities although you won't need to specify a sentence distance as the transform will look at the entire Tweet. There are two other settings for this transform which are used to specify a list of words to ignore and another to specify a list of words that should always be returned if found on the webpage or in the Tweet.

The next transform we have for processing our information is called To Entities with Sentiment and uses Named Entity Recognition (NER) to identify different entities that are mentioned anywhere on the webpage. The transform will look for things such as people's names, company names, countries, cities, etc. It will also extract the sentiment of that entity and return it in its Detail View. This same transform can be run on our Tweet entities too.

If you want to be more specific and only return entities that are found a certain sentence distance from your search term you can then use the set of transforms To Related Entities. These transforms take in a transform setting that specifies a maximum sentence proximity between the found entity and your original search term on the page - it thereby reduces the amount of irrelevant results that are returned to your graph. Running the To Related Entities transform set on our URLs that mention the term ‘Defcon’ and specifying a maximum sentence proximity of "1" results in the graph below.

All the nodes at the bottom of the tree are entities extracted from the various webpages and appear within 1 sentence of the word ‘Defcon’ on our page.


Viewing this type of information in the Main View is not ideal as it is very difficult to see where multiple pages link to the same entity which is what we are looking for. The next image is of the same graph but in Bubble View using the new DiverseSentiment Viewlet (included in this post, but not available by default - please install manually). This viewlet will be explained next:



In this view entities are sized according to how many incoming links they have making it easier to identify entities that are mentioned across multiple news sources. Entities relating to a common topic will also cluster together on your graph. For the NewsLink Hub Item we created a new Viewlet called DiverseSentiment which colours nodes on the graph according to their average sentiment - the more red the entity is the more negative it is and the greener it is the more positive.

The sentiment for an entity is calculated by taking each sentence that the entity was mentioned in from the various different sources and then averaging the sentiment across all the articles. To calculate this sentiment we use a great service from [AlchemyAPI] which gets the targeted sentiment of each entity in each information source. The image below shows an entity from this search in more detail. It has quite a negative "average sentiment" from the three articles it was mentioned in (this graph was created on the 24 Jul 2015):

(Dated: 24 Jul 2015)

Automating the process with machines
So far what we have done has been a manual process but what we really want is to build a machine that automatically fetches information from various sources every [n] minutes, runs our word processing transforms on the data and then only alerts us when anything interesting happens on our graph by sending us an email, bookmarking the entity or performing some other action to alert the user.

For each of these new transforms we have a new perpetual Machine that automates the process of running these transforms and can be used to continuously monitor websites for activity. Each Machine is essentially broken down into three phases. Initially your information is collected with one of the "information gathering" transforms discussed earlier. Transforms are then run to pull out related entities and uncommon words that are mentioned on the webpage in close proximity to your search term. The last phase of the Machine deletes old entities that fall outside your monitor's time window from your graph and then sets up email alerts for when a new topic is mentioned by multiple sources.

Another new transform we have is called Email Alert Message. It takes in an email address (or list of email addresses) as a transform setting and sends an email alert message to those addresses when the transform is run. This transform is used in our new machines to alert the user when a specific event happens on their graphs. By default the email alerts are commented out in the Machine scripts.

The machines also use different coloured bookmarks to indicate which iteration of the Machine an entity was returned in - red bookmarks indicate that the entity was returned in the most recent iteration, orange for the previous iteration and so on.

The names and descriptions of the four machines are below:

  • General News Source Monitor - This machine will search for news articles relating to a certain topic using the Search for News Articles [using Bing] transform. It will then run the language processing transforms on the results to extract related words and entities.
  • GCSE Term Monitor - This machine uses the transform Search for Websites [Using GCSE] to search a list of websites for a specific term. It will then run the language processing transforms on the results to extract related words and entities.
  • Twitter Monitor V2 - This machine will start by searching a specific phrase on Twitter and then extract entities found in the Tweet, uncommon words, hashtags, links and Twitter handles.
  • Twitter List Monitor - This machine is similar to the former however it will only return tweets from a specific list of Twitter users by using the transform To Tweet [Written by user list member].

Opening up the script for any of these new Machines you will see at the top there are a couple of variables you can configure for your monitor which are explained below:
  • incoming_link_count - This variable specifies how many incoming links an entity needs before an email alert is sent or before the entity is bookmarked.
  • ignore_words - This is a comma separated list of words/entities that you want the transforms to ignore in results. For instance if you were monitoring Defcon you wouldn't want to be alerted every time terms like 'BlackHat', 'hacker' or 'Las Vegas' were mentioned close to your search term. You can achieve this by including these in your ignore list.
  • through_words - There are some words that you will always want returned if they are mentioned close to your search term somewhere on the web; these words should be included in the through_words list. For instance if you were monitoring a stock you could include the words 'buy', 'sell' or 'hold' in the through_words list.
  • timer - This specifies the time between iterations of your machine and is measured in seconds.
  • max_age - This specifies the maximum age an entity can reach on your graph before it is deleted.
  • email_address - An email alert will be sent to this address when an alert is triggered.
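To make the two processing ideas above concrete, the sentence-proximity rule behind the To Related Entities transforms and the incoming_link_count / ignore_words / through_words logic of the Machines, here is a small Python example. It is added for this post and is not NewsLink's own code: the three "sources" are constructed snippets, the capitalised-word matcher stands in for real NER, and the five-word lexicon stands in for the targeted sentiment that AlchemyAPI provides. The only point it shows is how entities are collected within N sentences of the search term, how per-source hits become incoming links, how the average sentiment is formed, and which entities would cross the alert threshold.

```python
import re
from collections import defaultdict

# Constructed sample sources (not real articles); the monitored search term is "Defcon".
SOURCES = {
    "news-a.test/article": ("Defcon opened in Las Vegas today. Samy Kamkar demonstrated a "
                            "fantastic new tool. Attendance was praised by organisers."),
    "news-b.test/story": ("Samy Kamkar spoke at Defcon about a terrible flaw in car locks. "
                          "Crowds filled the Las Vegas venue."),
    "blog-c.test/post": ("Our team attended Defcon. The badges were great. "
                         "A party was hosted later by Samy Kamkar and BlackHat staff."),
}

# Tiny constructed sentiment lexicon, a stand-in for AlchemyAPI's targeted sentiment.
LEXICON = {"fantastic": 1.0, "great": 0.5, "praised": 0.5, "terrible": -1.0, "flaw": -0.5}


def split_sentences(text):
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]


def sentence_sentiment(sentence):
    """Average lexicon score of the sentence's words; 0.0 when nothing matches."""
    scores = [LEXICON[w] for w in re.findall(r"[a-z]+", sentence.lower()) if w in LEXICON]
    return sum(scores) / len(scores) if scores else 0.0


def candidate_entities(sentence, through_words=()):
    """Crude NER stand-in: runs of capitalised words, plus any through-word present."""
    found = set()
    for m in re.finditer(r"\b[A-Z][A-Za-z]+(?:\s[A-Z][A-Za-z]+)*\b", sentence):
        # A lone capitalised word at sentence start is usually just the sentence opener.
        if m.start() == 0 and " " not in m.group():
            continue
        found.add(m.group())
    lowered = sentence.lower()
    found.update(w for w in through_words if w.lower() in lowered)
    return found


def related_entities(text, term, proximity, through_words=()):
    """Entities within `proximity` sentences of any sentence mentioning `term`,
    mapped to the sentiment scores of the sentences they appeared in."""
    sents = split_sentences(text)
    hits = [i for i, s in enumerate(sents) if term.lower() in s.lower()]
    found = defaultdict(list)
    for i in hits:
        for j in range(max(0, i - proximity), min(len(sents), i + proximity + 1)):
            for ent in candidate_entities(sents[j], through_words):
                if ent.lower() != term.lower():
                    found[ent].append(sentence_sentiment(sents[j]))
    return found


def aggregate(sources, term, proximity, ignore_words=(), through_words=()):
    """Per entity: how many sources link to it (incoming links) and its average sentiment."""
    ignore = {w.lower() for w in ignore_words}
    through = {w.lower() for w in through_words}
    links, scores = defaultdict(set), defaultdict(list)
    for src, text in sources.items():
        for ent, sentiments in related_entities(text, term, proximity, through_words).items():
            if ent.lower() in ignore and ent.lower() not in through:
                continue
            links[ent].add(src)
            scores[ent].extend(sentiments)
    return {ent: {"incoming_links": len(srcs),
                  "avg_sentiment": round(sum(scores[ent]) / len(scores[ent]), 3)}
            for ent, srcs in links.items()}


def alerts(summary, incoming_link_count):
    """Entities that crossed the incoming_link_count threshold (what the Machine would mail)."""
    return sorted(e for e, v in summary.items() if v["incoming_links"] >= incoming_link_count)


if __name__ == "__main__":
    summary = aggregate(SOURCES, "Defcon", proximity=1, ignore_words=["Las Vegas"])
    for ent, stats in summary.items():
        print(ent, stats)
    print("alerts:", alerts(summary, incoming_link_count=2))
```

Raising the proximity from 1 to 2 pulls in the third source's later sentence, which is exactly the trade-off the sentence-distance setting controls: a wider window finds more links but also admits more noise, which is what the ignore list is for.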

One last note about DiverseSentiment: the new Viewlet won't be downloaded when you install the NewsLink hub item but you can get it here (http://www.paterva.com/SentimentViewlet.mtz) and manually import it into your Maltego client.

NewsLink aims to provide a flexible way of monitoring news, websites and Tweets and then alerting the user to what is most important by identifying where multiple sources mention the same words or entities.

As always, enjoy responsibly,
PR

Transforms reference

For gathering information:

  • Search for News Articles [using Bing] - This transform will search for news articles indexed by Bing relating to a specific topic. The transform has two transform settings: one for specifying the maximum age of articles that should be returned and one for specifying the news category of the results. The age of the articles should start with a numeric value and be followed by either 'm' for minutes, 'h' for hours, 'd' for days or 'w' for weeks.
  • Search for Websites [Using GCSE] - This transform will search for a specific term on a custom list of websites specified in a Google Custom Search Engine (GCSE). The transform has three transform settings: one to specify the age of results, one to specify your GCSE and another to specify whether or not pages without a publish date should be returned. The maximum page age should begin with either 'd' for days, 'm' for months or 'y' for years followed by a numeric value.
  • To Tweets [Search Twitter] - This transform searches Twitter for a specific phrase.
  • To Tweet [Written by user list member] - This transform returns Tweets from a specific list of Twitter users. It has three transform settings: one to specify the age of the Tweet (in seconds), one to specify a search word and one to specify words to ignore Tweets by.

For extracting information:

  • To Entities with Sentiment - This transform will return all entities found on the entire page, including each entity's targeted sentiment. [This transform can be run on URL and Tweet entities].
  • To Related Entities - This is a transform set whose transforms only return entities found within a specific sentence proximity to your search term. This sentence proximity is specified in a transform setting. The transforms in this set include: To Related Companies, To Related Countries, To Related Cities, To Related People, To Related Financial Market Index, To Related States Or Counties, To Related Organizations, To Related Technologies and To Related Field Terminology.
  • To Related Words with Sentiment - This transform will look for uncommon words that are mentioned in close proximity to your search term. [This transform can be run on URL and Tweet entities].

For alerting the user:

  • SendEmailAlert - This transform will alert the user by sending an email when multiple sites point to the same term.

Jumping on the Website Tracking Code bandwagon

Services like Google Analytics allow you to easily add functionality to your website simply by pasting a bit of JavaScript into your page's html. Often this JavaScript includes a tracking code that uniquely identifies the site owner's account with that service. Searching this tracking code with a search engine that indexes JavaScript allows you to find other sites that belong to the same user. There are quite a few web services that require you to add a tracking code to your webpage in order to use it. For analysts this provides a great way for making connections between websites that may seem unrelated using other OSINT techniques.

Recently there was an interesting project write-up called Automatically Discover Website Connections Through Tracking Codes by @jms_dot_py and @LawrenceA_UK. They used the source code search engine Meanpath to search for websites with a specific tracking code and Gephi to visualize the relationships in their results. We've been having the same idea for a while now and decided to release two new transforms today, so you can use this technique from within Maltego.

The first transform is called To Tracking Codes and runs on a website entity in Maltego. The transform parses the home page of the specified site for tracking codes from services including Google Analytics, PayPal donate buttons, the Amazon Affiliate program, Google AdSense and AddThis. The image below shows the different tracking codes that can be found with this transform, as well as the Detail View returned with each entity, which includes a source code snippet of where the tracking code was found. The second transform is called To Other Sites With Same Code and is used to find other websites that have the same tracking code.
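As an added illustration of what these two transforms do under the hood (this is example code written for this post, not Paterva's transform code), the Python below pulls tracking codes out of a page's HTML with a few heuristic patterns for the services listed above, then indexes pages by code so that sites sharing an account can be listed. The three "sites" and every ID in them are constructed for the example; the patterns are this example's own and will need adjusting for other embed formats. The same indexing step is what lets an analyst triaging a suspicious domain see which other properties are administered from the same analytics or affiliate account.

```python
import re
from collections import defaultdict

# Constructed sample home pages (not real sites; every ID below is made up).
SAMPLE_PAGES = {
    "example-one.test": """
        <html><head>
        <script>ga('create', 'UA-12345678-1', 'auto');</script>
        <script src="https://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-0123456789abcdef"></script>
        </head><body>
        <a href="https://www.amazon.com/dp/B000TEST00/?tag=exampleshop-20">Buy</a>
        </body></html>""",
    "example-two.test": """
        <html><body>
        <script>ga('create', 'UA-12345678-3', 'auto');</script>
        <script data-ad-client="ca-pub-1234567890123456"></script>
        </body></html>""",
    "example-three.test": """
        <html><body>
        <form action="https://www.paypal.com/cgi-bin/webscr">
          <input type="hidden" name="hosted_button_id" value="ABCDEFGHIJKLM">
        </form>
        </body></html>""",
}

# Heuristic patterns for the services named in the post. For Google Analytics the
# capture group is the account number in "UA-<account>-<property>": two sites that share
# the account number sit in the same Analytics account even if the property index differs.
PATTERNS = {
    "google_analytics": re.compile(r"\bUA-(\d{4,10})-\d{1,4}\b"),
    "google_adsense":   re.compile(r"\b(?:ca-)?pub-(\d{16})\b"),
    "addthis":          re.compile(r"addthis_widget\.js#pubid=([A-Za-z0-9_-]+)"),
    "amazon_affiliate": re.compile(r"[?&]tag=([A-Za-z0-9]+-2[01])\b"),
    "paypal_button":    re.compile(r'name="hosted_button_id"\s+value="([A-Za-z0-9]+)"'),
}


def extract_tracking_codes(html):
    """Return the set of (service, code) pairs embedded in a page's HTML."""
    found = set()
    for service, pattern in PATTERNS.items():
        for match in pattern.finditer(html):
            found.add((service, match.group(1)))
    return found


def index_sites(pages):
    """Map each (service, code) pair to the set of sites that embed it."""
    index = defaultdict(set)
    for site, html in pages.items():
        for code in extract_tracking_codes(html):
            index[code].add(site)
    return index


def sites_with_same_code(index, service, code):
    """The 'To Other Sites With Same Code' step: every indexed site carrying this code."""
    return sorted(index.get((service, code), set()))


if __name__ == "__main__":
    idx = index_sites(SAMPLE_PAGES)
    for (service, code), sites in sorted(idx.items()):
        print(f"{service}:{code} -> {', '.join(sorted(sites))}")
```

In real use the index would be fed by a source-code search engine such as the one the post mentions, since only an engine that has already crawled and stored page source can answer "who else embeds this code" at scale.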


Let's see what can be done with these transforms with a quick example using the Google Analytics code found on Ashley Madison's home page from the graph above. Running the transform To Other Sites With Same Code returns 100* different sites that all use a tracking code from the same Google account as the one from Ashley Madison. The resultant graph is shown below. (*Currently this transform is limited to returning a maximum of 100 results so there could actually be far more sites).

Most of these sites are just variations of the name ashleymadison.com and all redirect to Ashley Madison's home page. There are also a few other online dating sites here too as well as a couple of completely unexpected results of pages that you would not see being related to Ashley Madison in any way. These sites have piqued our interest so let's look a little deeper.

Taking all the websites from the previous step and running the transform To Tracking Codes again only finds one new code on the sites mysexydateprofile.com and adultxmeet.com. Running To Other Sites With Same Code on this new code does not result in any new sites being found. This looks like it could be a dead-end so let's use another tool we have in the Maltego workbench. Resolving all the websites in the graph above to IP addresses shows that most of these sites sit on the same IP address except for a couple of outliers as shown below:

(only a portion of full graph)
We are looking for something out of the ordinary that is seemingly unrelated to Ashley Madison. We next remove all the sites with titles that are obviously related to Ashley Madison. This results in the graph below with just a couple of IP addresses that are scattered across the globe.



Finally let's see what else resolved to these IP addresses by running the transform To DNS Name [Other DNS names]. This transform returns historical DNS records for these IP addresses. Doing this results in some really interesting NSFW sites, specifically on the IP address that also hosts mysexydateprofile.com and adultxmeet.com.

The image below summarizes the connection found between Ashley Madison and our somewhat unsurprisingly very much not safe for work (VMNSFW) websites that won't be listed here.


These two new transforms for working with website tracking codes are now available in the PATERVA CTAS seed on both commercial and CE. Simply hit the Update Transforms button in the transforms hub and they will be added to your Maltego client.

As always, enjoy responsibly,
PR

New Community TDS (NCETDS... just kidding we have enough acronyms!)

TL;DR -
Video Tutorial - [ Here ]
Developer Documentation - [ Here ]
Community TDS interface - [ Here ]

This blog post (one of the few by Andrew) is here to tell you about the new public TDS (technically an update for the community TDS so that it is inline with the private TDS source base). For those who aren't interested in reading all the words we have a great video to talk about this below:



Let's start off with an introduction to the TDS. It provides an easy to use, distributable means of writing and sharing transforms (and essentially the data, so that users can turn that into intelligence). All the transforms in the Transform Hub are built on either the free public TDS or a private one.

When a "normal" transform (one on the public/private CTAS) runs what happens in the back is that a message is sent to the server containing the entity details (like its value and other properties) as well as the transform that needs to run. For example it could be the domain paterva.com and the transform "to MX record". This would then be run on the server (the code would execute - performing an MX lookup on paterva.com) and the result would be returned to the client.

Previously people used local transforms, which had a number of painful setup and distribution points:
  1. Local transforms require people to set up code and environments on the end user's system.
  2. Code updating was painful as you would need to send all your users new code to run.
  3. Code containing all the API calls, passwords and other sensitive information needed to be obfuscated.
Our solution to this was the original TDS. Essentially what it does is provide a way that users can write and create transforms that they host on a web server. This is all done through a simple and intuitive web interface (the TDS).

What happens with the TDS is that when it receives the call that includes the entity and the transform to run (as described previously), instead of executing code on the TDS machine itself it simply makes a call over HTTP or HTTPS to a web server. This web server receives the call and can then do whatever it needs to, be that talking to a database, an API or something else... literally anything that you can write a program for.
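To show what the web server at the other end of that HTTP call actually deals with, here is an added example of the exchange, written for this post rather than taken from the TDS or the developer portal. It uses the "to MX record" transform from the paragraph above: the request is a constructed MaltegoTransformRequestMessage carrying a domain entity and the client's result limits, and the server answers with a MaltegoTransformResponseMessage. The MX lookup itself is a constructed table standing in for a real DNS query, so the script runs offline; the shape of both messages follows the Maltego transform message format. The point a transform author should take from it is that the value arriving in the request is untrusted client input: validate it before it reaches a resolver, a database or a shell, honour the SoftLimit slider, and let the XML library escape what you send back.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request in the shape the TDS forwards to a transform's web endpoint
# (the domain and limits are made-up values for this example).
SAMPLE_REQUEST = """<MaltegoMessage>
  <MaltegoTransformRequestMessage>
    <Entities>
      <Entity Type="maltego.Domain">
        <Value>example.test</Value>
        <Weight>100</Weight>
      </Entity>
    </Entities>
    <Limits SoftLimit="2" HardLimit="12"/>
  </MaltegoTransformRequestMessage>
</MaltegoMessage>"""

# Constructed stand-in for the MX lookup a real transform would do against DNS.
MX_TABLE = {"example.test": ["mx1.example.test", "mx2.example.test", "mx3.example.test"]}

# A well-formed hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}")


def parse_request(xml_text):
    """Pull the input entity and the client's result slider (SoftLimit) out of the request."""
    root = ET.fromstring(xml_text)
    entity = root.find("./MaltegoTransformRequestMessage/Entities/Entity")
    limits = root.find("./MaltegoTransformRequestMessage/Limits")
    if entity is None:
        raise ValueError("request carries no input entity")
    soft = int(limits.get("SoftLimit", "12")) if limits is not None else 12
    return {"type": entity.get("Type"),
            "value": (entity.findtext("Value") or "").strip(),
            "soft_limit": soft}


def build_response(entities, ui_message=None):
    """Serialise a MaltegoTransformResponseMessage; ElementTree escapes every value."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value in entities:
        e = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(e, "Value").text = value
        ET.SubElement(e, "Weight").text = "100"
    ui = ET.SubElement(resp, "UIMessages")
    if ui_message:
        ET.SubElement(ui, "UIMessage", MessageType="PartialError").text = ui_message
    return ET.tostring(root, encoding="unicode")


def to_mx_record(request_xml):
    """Server side of a 'to MX record' transform: validate, look up, honour the limit."""
    req = parse_request(request_xml)
    domain = req["value"].lower()
    # Reject anything that is not a domain before it touches server-side resources.
    if req["type"] != "maltego.Domain" or not HOSTNAME_RE.fullmatch(domain):
        return build_response([], "Input entity rejected: expected a well-formed domain")
    records = MX_TABLE.get(domain, [])[: req["soft_limit"]]
    return build_response([("maltego.MXRecord", r) for r in records])


def response_values(response_xml):
    """Entity values in a response, as the client will graph them."""
    return [e.findtext("Value") for e in ET.fromstring(response_xml).iter("Entity")]


def response_messages(response_xml):
    """UI messages in a response, as the client will show them in the transform output."""
    return [m.text for m in ET.fromstring(response_xml).iter("UIMessage")]


if __name__ == "__main__":
    print(to_mx_record(SAMPLE_REQUEST))
```

Because the lookup table, and in a real deployment the API keys and credentials, live only on the server, this is also how the TDS model removes the third pain point listed above: nothing sensitive is shipped to the client.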

You can read more about this over at our developer portal. It's got explanations, code samples and more. It will quickly get you up to date with the aspects of coding transforms.

This update of the community TDS keeps it in line with the private version, with a range of new features including the following:

OAuth Integration

OAuth Integration allows transform writers to utilise open OAuth integration connectors (such as Twitter) or write their own to control who uses their transforms or just to do statistics.

Paired Configuration

Developers can now pair exported Maltego configurations with their transforms, which means they no longer need to ship MTZ files containing entities, machines, sets and seeds. These configuration files can simply be uploaded to the web interface, and when the end user discovers the transforms they will automatically get these items added to their client!


Bug fixes, interface tweaks

A number of bug fixes and interface updates have been done to the interface and the whole experience should hopefully be more usable and intuitive for everyone :)

What are you waiting for? Head on over to the new community TDS now!

Pink fluffy unicorns, dancing on rainbows
-AM

Year in review, plans for next year and the usual Christmas special.

Hi everyone.

Season's greetings. Time to break out the boxset of Glee and rewatch all Hugh Grant's movies again.

It's been a good year. Mostly. Paul learned how to program in Python (somewhat/mostly) and did his first public talk. He made a short Maltego video too. Andrew traveled the world and sauna-ed with strangers. Someone (you know who you are) hugged him and he was OK with it. Uhmmm...no - not at said sauna. I started drawing things and managed an entire day at Defcon before hiding in my hotel room. We appointed RI to sort out our admin. The office dog doesn't eat our checks anymore (BTW, this really happened, try to explain that to your bank). We all received T-shirts from Russia.

Maltego got a transform hub and we've added a ton of providers. We made a new TDS. We added a few transforms. We made a developer portal thing-thing. Compared with what's happening in the next year it's pretty boring. So what you ask is on the menu?

1. New version of Maltego. Called Plutonium. Built for handling large graphs.
2. New product. Called Plutonium XL. Built for handling really large graphs.
3. New website. All grown up. Really shiny and actually useful. You might even find what you're looking for on there.

Plutonium will have a brand new look and feel. Even the alpha drives like the Batmobile and looks like something from Tony Stark's bedroom.

1,2 and 3 are to be all released in Q1. I know I know - we said before the end of the year. But Maltego releases are born not built. And this one needs a little more time in the oven. Watch this space..

Of course everyone came here for the yearly Christmas special discount coupon code. In fact, you probably scanned through this post for the word Christmas and ended up at this paragraph. So here it is. It's the animal that ate our checks (lower case), then the number '4' and then the two capital letters used in the new product we're launching next year. Hee hee..of course you could be a real poephol and tweet the code. Nobody will love you if you do that. Especially us. We won't love you.

The special runs from the 23rd to the 28th and offers 44% discount.
Happy holidays and see you all on the other side of 2015!

RT


NameChk Transform

NameChk is a really useful service for quickly finding online accounts associated with a specific alias. This blog post showcases our new Maltego transform that queries NameChk to find social accounts across a wide range of social networks.

The transform runs on an alias entity and returns entities that represent different online accounts.  Running the transform To Social Account [Using NameChk] on the aliases used by Paterva employees returns the results below:



Clearly Andrew is the most socially active Paterva employee...;)

In the Detail View of the entities that we get back there is a link to the actual social account:


Pivoting from existing alias entities


In Maltego we already have a couple of transforms that are useful for finding aliases associated with a person. Our Flickr and MySpace transforms both run on email addresses and return the accounts associated with the address as well as additional aliases that are used on that account. This provides a great way for finding aliases that a person might go by. Next with the use of our new NameChk transform we can quickly pivot from these aliases to find what social networks they have been used on.

In the example below we start by running the transform emailToMySpaceAccount on the email address andrew@punks.co.za which returns a MySpace account entity as well as three additional aliases associated with the account, namely zapunk, AndrewMacPherson and Andrew MacPherson. The alias AndrewMacPherson is quite common and could be anyone; however, zapunk looks interesting, so next we run the transform To Social Account [Using NameChk] which returns links to 10 different social accounts that have a user with the alias zapunk.


These social accounts can now be manually inspected for accuracy.

API keys


The NameChk API is subject to rate limiting. By default our transform will use Paterva's limited API key, but to avoid being rate limited you can register your own API key from the NameChk website. You should then replace the default value with your API key under the NameChk APIKEY transform setting.

Getting the transform


Simply click on the 'Update transforms' button in the Transform Hub next to the Start Page - the NameChk transform is part of the standard transforms supported by Paterva.


Enjoy responsibly,
PR

Visualizing the Bitcoin Blockchain in Maltego

This post will provide a quick overview of our new Maltego transforms for visualizing the Bitcoin blockchain. There are 11 new transforms in the seed which use Blockchain.info’s API to query data from the blockchain.

(Screenshots in this post are taken with the Maltego 4 beta release.)

Before we begin, it is important to have an understanding of how Bitcoin and its transactions work, so I will start with an overview of some of the main concepts:

Bitcoin Overview


Bitcoin address:
Bitcoin addresses are transaction endpoints that are used to send Bitcoin to another person. A person can generate as many addresses as they want and should (though they often don’t) use a new address for every transaction that is made. An address is a sequence of 26 to 35 alphanumeric characters and looks like this: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2. For a more in-depth explanation of Bitcoin addresses you can have a look at the Bitcoin Wiki here.

Bitcoin wallet:
A Bitcoin wallet is a file that contains a collection of private keys that are used to generate bitcoin addresses associated with the wallet. Ownership of these private keys allows the user to spend bitcoin that have been sent to associated addresses. Naturally these private keys should be kept private.

Bitcoin transactions:
The Bitcoin Wiki has a good explanation of Bitcoin transactions here:

A transaction is a transfer of Bitcoin value that is broadcast to the network and collected into blocks. A transaction typically references previous transaction outputs as new transaction inputs and dedicates all input Bitcoin values to new outputs. Transactions are not encrypted, so it is possible to browse and view every transaction ever collected into a block. Standard transaction outputs nominate addresses, and the redemption of any future inputs requires a relevant signature.

Misconceptions about Bitcoin:
Addresses are not wallets and technically do not have a balance. However most blockchain explorers that you find online will specify an address's balance as the amount of Bitcoin that the address has received minus the amount of Bitcoin the address has sent.

Address attribution:
A single Bitcoin address is only intended to be used for a single transaction; however, a lot of the time people will reuse addresses. Address reuse has numerous associated problems, including making it easier for people to identify the owner of a particular address. Some Bitcoin services allow users to add tags and meta information about addresses that they know. This information can be publicly queried, which provides a useful way of attributing an address back to its owner. Keep in mind that this information can be edited by anyone and therefore should not be fully relied upon without further analysis. Our Bitcoin transforms will check for tags associated with addresses and if found will return them in an entity note.

Transform List


The Bitcoin transforms include two new entity types, namely a Bitcoin Address and a Bitcoin Transaction.



Transforms that run on a Bitcoin address:
  • (Bitcoin) Get Address Details - This transform will return additional information about a specific Bitcoin address and adds this information to the address entity's detail view.
  • (Bitcoin) To Addresses [*Received from] - This transform returns Bitcoin addresses that were inputs to transactions where this address was an output. Essentially this transform returns Bitcoin addresses that sent Bitcoin to your input address.
  • (Bitcoin) To Addresses [*Sent To] - This transform returns Bitcoin addresses that were outputs to transactions where this address was an input. Essentially this transform returns Bitcoin addresses that received Bitcoin from your input address.
  • (Bitcoin) To Addresses [Received from][Using Taint Analysis] - The taint relationship between two Bitcoin addresses is represented as a percentage and indicates how closely related two addresses are. This transform allows the user to specify a taint relationship threshold (in %) and returns Bitcoin addresses that have sent Bitcoin to your input address with a higher taint relationship than what was specified in the transform setting.
  • (Bitcoin) To Addresses [Sent To][Using Reversed Taint Analysis] - This transform allows the user to specify a taint relationship threshold (in %) and returns Bitcoin addresses that have received Bitcoin from your input address with a higher taint relationship than what was specified in the transform setting.
  • (Bitcoin) To Transactions [where address was an OUTPUT] - Returns transaction hashes where Bitcoin address was an output of the transactions (receiver).
  • (Bitcoin) To Transactions [where address was an INPUT] - Returns transaction hashes where Bitcoin address was an input to the transaction (sender).

Transforms that run on a Bitcoin transaction:
  • (Bitcoin) To INPUT Addresses - This transform will return the input addresses for the Bitcoin transaction.
  • (Bitcoin) To OUTPUT Addresses - This transform will return the output addresses for the Bitcoin transaction.
  • (Bitcoin) To IP Address of First Relay - This transform returns the IP address of the node which first broadcast this transaction to BlockChain.info. This does not necessarily mean that the IP address returned is the true source of the transaction.

Transforms that run on a URL entity:
  • (Bitcoin) To Bitcoin Addresses on Page - This transform will parse any Bitcoin addresses found on a specific webpage.
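The following is an added example, not Paterva's transform code: on a constructed in-memory ledger it reproduces what the address and transaction transforms above derive (received from, sent to, transaction roles, and the explorer-style "balance" discussed in the overview), and adds the Base58Check test that a page-scraping step such as To Bitcoin Addresses on Page needs in order to discard look-alike strings. All labels, hashes and values are constructed placeholders.

```python
"""Added example, not Paterva's transform code: the relationships the Bitcoin
transforms derive (received from / sent to, transaction roles, explorer-style
balance) computed on a constructed ledger, plus Base58Check validation so that
only strings with a valid checksum are accepted as addresses scraped from a page."""
import hashlib
import re
from collections import Counter
from typing import List, NamedTuple, Tuple


class Tx(NamedTuple):
    txid: str
    inputs: Tuple[Tuple[str, int], ...]   # (address, satoshi) pairs being spent
    outputs: Tuple[Tuple[str, int], ...]  # (address, satoshi) pairs being created


# Constructed sample ledger: labels stand in for addresses, hashes are placeholders.
SAMPLE_TXS: List[Tx] = [
    Tx("tx-a", (("alice", 500_000),), (("seized", 490_000),)),
    Tx("tx-b", (("bob", 200_000),), (("seized", 150_000), ("bob-change", 49_000))),
    Tx("tx-c", (("alice", 100_000),), (("seized", 99_000),)),
    Tx("tx-d", (("seized", 739_000),), (("auction", 738_000),)),
]


def transactions_where(txs: List[Tx], address: str, role: str) -> List[str]:
    """Hashes of transactions where `address` was an INPUT (sender) or OUTPUT (receiver)."""
    legs = {"INPUT": lambda tx: tx.inputs, "OUTPUT": lambda tx: tx.outputs}[role]
    return [tx.txid for tx in txs if any(a == address for a, _ in legs(tx))]


def received_from(txs: List[Tx], address: str) -> Counter:
    """Inputs of every transaction where `address` was an output, counted once per
    transaction: this count is the weight used to rank the returned entities."""
    counts: Counter = Counter()
    for tx in txs:
        if any(a == address for a, _ in tx.outputs):
            counts.update({a for a, _ in tx.inputs if a != address})
    return counts


def sent_to(txs: List[Tx], address: str) -> Counter:
    """Outputs of every transaction where `address` was an input, counted the same way."""
    counts: Counter = Counter()
    for tx in txs:
        if any(a == address for a, _ in tx.inputs):
            counts.update({a for a, _ in tx.outputs if a != address})
    return counts


def explorer_balance(txs: List[Tx], address: str) -> int:
    """Received minus sent in satoshi: what explorers display, even though an address
    is not a wallet and has no balance of its own."""
    received = sum(v for tx in txs for a, v in tx.outputs if a == address)
    sent = sum(v for tx in txs for a, v in tx.inputs if a == address)
    return received - sent


# Base58 alphabet (no 0, O, I, l) and the 26-35 character shape of a mainnet address.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def b58decode(text: str) -> bytes:
    number = 0
    for ch in text:
        number = number * 58 + B58.index(ch)  # ValueError on a non-alphabet character
    body = number.to_bytes((number.bit_length() + 7) // 8, "big") if number else b""
    leading = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a zero byte
    return b"\x00" * leading + body


def b58encode(raw: bytes) -> str:
    number, digits = int.from_bytes(raw, "big"), ""
    while number:
        number, rem = divmod(number, 58)
        digits = B58[rem] + digits
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + digits


def is_valid_address(text: str) -> bool:
    """Version byte + 20-byte hash + 4-byte double-SHA256 checksum must total 25 bytes."""
    try:
        raw = b58decode(text)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def make_address(hash160: bytes, version: int = 0) -> str:
    """Encode a 20-byte hash as an address; used here only to build constructed test data."""
    payload = bytes([version]) + hash160
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def addresses_on_page(text: str) -> List[str]:
    """Regex candidates from page text, kept only when Base58Check passes."""
    return [m for m in ADDRESS_RE.findall(text) if is_valid_address(m)]
```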

Using the transforms


Let’s have a look at an example of how we can use these transforms in a practical scenario. We start with the address 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX, which is allegedly the Silk Road Seized Coins address. Running the transform (Bitcoin) Get Address Details returns the following information about the address as well as a link to open the address in a blockchain explorer.




Next we run the transform (Bitcoin) To Addresses [Output to transactions] to get all the addresses that were outputs in transactions where this address was an input. Running this returns a single address that includes metadata stating US Marshal Auction Coins. The metadata for this address also includes a link that provides more information about the alleged owner of the address.



In the detail view of the returned address further information about the transaction that links these addresses is included.



Going directly from an address to another address, as we have done here, is a bit of a shortcut as we miss out on including the transaction entity on the graph, which is the link between these two addresses. An alternative method would be to first run the transform (Bitcoin) To Transactions [Where address is an INPUT], which will return a Bitcoin transaction entity. From the transaction entity we could then run the transform (Bitcoin) To Transactions [Where address is an OUTPUT], which returns the same US Marshal Auction address entity that we had previously.



Most of the time you won’t actually be interested in taking the intermediate step of getting the transaction entity first and you can just run the transform that takes you straight from one address to another.

Next let’s go back to our original address and run the transform (Bitcoin) To Addresses [Inputs to transactions] which will return Bitcoin addresses that were inputs to transactions where this address was an output.

*small portion of the graph


As you would expect we get a large number of addresses back (remember this address was allegedly used on Silk Road). The transform returns a maximum of 10 000 entities. The entities that are returned are weighted according to how many transactions they were involved in with the input address, making it easier to pick out the addresses that are most related to the input. The entities that are most related will appear in the top left of the block layout while the least related entities will be found at the bottom right.

Finally let's have a look at the transforms that make use of Blockchain.info’s Taint Analysis data. These transforms allow you to return addresses that have either sent or received bitcoins to or from a particular address. Additionally these transforms have another parameter called Taint Relationship which is measured as a percentage and represents how strong the link is between the addresses. Running the transform To Addresses [Using Taint Analysis] on our address while specifying a Taint Relationship of greater than 1% results in the three entities below being returned.



API keys for Blockchain.info:
By default the Bitcoin transforms use Paterva's API key which is subject to being rate limited by Blockchain.info. If our API key does get rate limited you will receive a message returned from the transform indicating this. To reduce the chances of being rate limited you can sign up for a free API key from Blockchain.info and enter it in the blockchain.info APIKEY transform setting. Please also note that the endpoint used for Taint Analysis is heavily rate limited.

You can install the Bitcoin transforms to your Maltego client from the transform hub simply by clicking Install:



As usual, enjoy responsibly.

PR

Abracadabra! It's Sho(dan) time!

Shodan -- used by pentesters, stalke^W^W^Wresearchers and data scientists everywhere to analyze information about computers on the Internet. From webcams to SCADA to looking at where various SSL information in certificates can tie organisations together. It is a common tool used by many different people. We really wanted to get some Maltego goodness on that!

TL;DR -- You can get the Shodan transforms in the transform hub right now. To use all of the different transform options (or you can stick with the free options) you can simply click on settings in the transform hub after installing to add your API key.

There have been transforms written for Shodan before, but we really felt like they needed refreshing. So we took it upon ourselves to look at the information provided by Shodan and decide how we could integrate it into the needs of Maltego users. We first started by looking at what information was readily and easily available and then whether it was useful in an n-th order graph. This is what we came up with.

(Please note these screenshots are from the newest closed beta of Maltego 4 -- it's coming soon!)

IP Information


Taking an IP address, you can identify various pieces of information for that IP address. These are broken down into the following:

• Service - A service is an application running on a particular port and is represented as <port>:<banner> in a new maltego.Service entity. If the banner is unknown the text "<unknown>" is displayed.
• Hostnames - Any hostnames enumerated by Shodan will be displayed. Most often this is the reverse DNS for the IP address.
• Owner Details - This will return two phrases (unless they are the same), one for the ISP and one for the organisation identified by Shodan.
• Location - If GPS and Location variables have been identified these will be returned as one or two different entities.
• AS - Returns the AS number for the IP address in question.

With this kind of information and the power of Maltego you can easily do link analysis across a large number of IP addresses (and later networks!) ... fantastically. Graphing information such as common services, owners or locations means that even if the machines you are investigating/targeting are on disparate networks you can find connections between them. It is of course still up to the analyst to identify whether the connections are valid or not.

An example of this could be something like looking at the infrastructure of the NSA (starting with nsa.gov) and performing a simple footprint with Maltego (Domain -> DNS -> IP Addresses). Once we have the IP addresses we can run the "To Shodan Details" transform and see the following:


From here we can switch to 'bubble view' (replaced in M4) to get an idea of the most common nodes, and we see the usual suspects: Layer 3 communications (a T1 provider), the AS used and a number of machines running what look like web servers:


The example above shows the ability to correlate - however it may be even more interesting to look at machines that did not match the more common nodes. Looking at these you can quickly identify 'the odd one out':



Netblocks

The ability to send a netblock to Shodan and have it return the IP addresses it has found within a particular range is phenomenally useful. As such we have included this transform within the pack! What it gives you is the ability to take a large network space (think multiple Class A/B's) and have only a small subset of that returned. This is usually interesting as the results returned show only the populated space in the netblock -- Shodan does the pre-scanning for you!

Keeping with our previous example of the NSA, if we take a handful of IP addresses within the 8.44.101.x network space found previously:

8.44.101.21 - remoteoffice1.nsa.gov
8.44.101.8  - smtp.nsa.gov
8.44.101.9  - smtp.nsa.gov
8.44.101.5  - dsdn-gh1-uea05.nsa.gov
8.44.101.20 - remoteoffice.nsa.gov
8.44.101.6  - dsdn-gh1-uea06.nsa.gov
8.44.101.22 - remoteoffice2.nsa.gov

we can run the transform "To Netblock [Using natural boundaries]" to get the class C those are in (or do it manually), which returns 8.44.101.1-255.

From here you can run "toIPs [Shodan]" and you will see the following in the output window:


As you can see from this example we're using a free API key and our results are limited to 100, but you can use your own paid-for key to get all the results available! Even with just the first 100 results (of 198) we have already managed to narrow down our space further.

Now we can look at the results and perform tasks such as looking at the reverse DNS names (with the transform "To DNS Name [Reverse DNS]") and already get new DNS names we previously did not find, such as emvm-gh1-uea08.nsa.gov and eas.nsa.gov.


Service/Port Splitting


One thing you might notice about the first example is that there is a service entity returned that contains the details in the format <port> : <service>. There are two additional transforms included in the Shodan transform hub item that will break these apart into the various ports and services. This allows you to quickly visualize which ports and applications are more commonly used.

If we look at an example, quickly mapping defense.gouv.fr to DNS and then to IP addresses as we did above, we see something like the following:


From here however it becomes more interesting, as we can take each of the services to a port and banner and within bubble view examine the common infrastructure on a port and service level:


Typically you would see something like the graph above where there are a lot of port 80's running an HTTPd of some kind, but it is interesting to see things like ports 81, 82, 83 and 84 as well. In this case these all seem to be a standard webmail configuration. A graph like the one above however is filled with additional interesting artifacts...

Further Port Manipulation


From a port entity (either in your existing graph or dragged in from the palette) you can also run transforms that identify other IP addresses running services on that port. For example if we look at S7 devices (from https://icsmap.shodan.io/) we can see that they generally run on port 102.

In Maltego we add the port to our graph and run the transform to IPs From Port [via Shodan]. This gives us the option of adding additional terms to the query (that might be found in the response) as well as the country code, as seen below:


From here we get a number of results back for IP addresses that have services running on port 102. We can then take each of these services to the details for those IP addresses and visualize the results to identify commonality between them. Here we can see that a lot of the machines running the Siemens S7 devices on port 80 also have VNC listening on port 5900.
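As an added example for the two sections above (Service/Port Splitting and Further Port Manipulation), and not Paterva's Shodan transform code, the following splits the <port>:<banner> service values into ports and banners and does in code the commonality, odd-one-out and "which hosts expose both ports" analysis that bubble view shows visually. The per-IP details are constructed sample data on RFC 5737 documentation addresses, not Shodan output.

```python
"""Added example, not Paterva's Shodan transform code: splits <port>:<banner>
service values into ports and banners and does the commonality / odd-one-out
analysis of bubble view. Sample data is constructed, not Shodan output."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Service(NamedTuple):
    port: int
    banner: str


# Constructed per-IP details in the shape the "To Shodan Details" results take.
SAMPLE_DETAILS: Dict[str, List[str]] = {
    "192.0.2.10": ["80:Apache httpd", "443:Apache httpd"],
    "192.0.2.11": ["80:Apache httpd", "443:Apache httpd", "22:SSH-2.0-OpenSSH_6.6"],
    "192.0.2.12": ["80:Apache httpd", "81:Roundcube webmail"],
    "192.0.2.13": ["80:<unknown>", "5900:RFB 003.008"],    # VNC next to an unknown web service
    "192.0.2.14": ["102:Siemens S7", "5900:RFB 003.008"],  # PLC protocol with VNC alongside
}


def split_service(value: str) -> Service:
    """'<port>:<banner>' -> Service. Only the first colon separates the fields, so a
    banner containing colons survives intact; an empty banner becomes <unknown>."""
    port, sep, banner = value.partition(":")
    if not sep or not port.strip().isdigit():
        raise ValueError(f"not a service entity value: {value!r}")
    return Service(int(port), banner.strip() or "<unknown>")


def port_and_banner_counts(details: Dict[str, List[str]]) -> Tuple[Counter, Counter]:
    """Number of IPs exposing each port and each banner: the bubble sizes in bubble view.
    '<unknown>' banners are skipped, since they would cluster unrelated hosts together."""
    ports: Counter = Counter()
    banners: Counter = Counter()
    for values in details.values():
        services = {split_service(v) for v in values}
        ports.update({s.port for s in services})
        banners.update({s.banner for s in services if s.banner != "<unknown>"})
    return ports, banners


def odd_ones_out(details: Dict[str, List[str]]) -> Dict[str, List[Service]]:
    """IPs exposing a (port, banner) pair that no other IP in the set exposes, with those pairs."""
    owners: Dict[Service, Set[str]] = defaultdict(set)
    for ip, values in details.items():
        for v in values:
            owners[split_service(v)].add(ip)
    unique: Dict[str, List[Service]] = {}
    for svc, ips in owners.items():
        if len(ips) == 1:
            unique.setdefault(next(iter(ips)), []).append(svc)
    return unique


def co_listening(details: Dict[str, List[str]], port_a: int, port_b: int) -> List[str]:
    """IPs with services on both ports, e.g. S7 on 102 together with VNC on 5900."""
    hits = []
    for ip, values in details.items():
        if {port_a, port_b} <= {split_service(v).port for v in values}:
            hits.append(ip)
    return sorted(hits)
```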



Native Shodan Queries


In addition to the above queries we have also included the ability to search for your own custom terms or use a more guided version of the transform.

The first is the advanced search - this transform will send the terms you specify in a phrase entity directly and unmodified to Shodan. For example if you started with the phrase "National Security Agency" and wanted to see all results that contained that exact string you could run the "to IPs via Shodan [Advanced Search]" transform. This would return the following:


You can also see in the detail view that the text Basic realm="National Security Agency" is seen within the highlighted IP address. You can view additional key terms by exploring the Shodan API documentation at https://developer.shodan.io/api and viewing the keywords available under the /Shodan/Host/Search heading.

If you would prefer to be guided through the four terms we use (ssl, hostname, org and isp) you can run the transform "to IPs via Shodan [Basic]" which will allow you to specify the terms you want. You can use a space ( "" ) for terms you wish to exclude.

PLEASE NOTE: The free API will only allow you to use one term at a time. To use more terms you need your own API key.

Let's see how this works. If you used the phrase "NSA Search" (remember this can be anything as we are doing the basic search), and you filled in the terms as shown below when running the transform "to IPs via Shodan [Basic]":


you would receive the following in your response:


Here you can now run the standard IP to Shodan details transform to get the details of each of these IP addresses, and as we were searching for any DNS name containing nsa.gov we get the following out:

nsaoa.nsa.gov.cn
msux-gh1-uea02.nsa.gov
ns2.nsa.gov.cn
cli456.nsa.gov
emvm-gh1-uea09.nsa.gov
www.nsa.gov.pl
...list truncated...

Keep in mind that Shodan returns *anything* that contains the word nsa.gov - so entries like nsaoa.nsa.gov.cn are also returned!

Domain Queries


The last two transforms are more an incorporation of the previous ones, where we use two specific Shodan keywords (namely 'ssl' and 'hostname') to search through any results found for additional DNS records that we might not have seen before using the other DNS transforms. These are uber useful, especially with certificates (the ssl keyword), for finding specific machines on the Internet.

If we run the two transforms we get a nice subset of DNS names (that we had also seen before) with just two simple transforms (To DNS Names [Via Shodan] and To DNS Names SSL [Via Shodan]) -- Abracadabra!



Adding Shodan Transforms:

To add the Shodan transforms it's as simple as going to the transform hub item and clicking on "Install":



API Keys:

Shodan API keys are free with limitations for any user on the Shodan website and registration is completely free. The limitations of the free API key are as follows:
• Only the first 100 results per query
• Advanced keywords can only be used one at a time (i.e. you cannot search for a DNS name within a particular country)

Registered users (a once-off fee) do not have these limitations (apart from a certain number of lookups per month on a registered key) and the project is really useful so we would encourage you to sign up.

To add your API key you can simply click on "settings" within the transform hub and enter your key.


May your English be fluid and your dancing be premium. Use responsibly!

-Andrew



Network footprinting with Maltego.

One common task that Maltego is used for is doing infrastructure footprints on an organisation's network. This post will detail a possible methodology for network footprints as well as demonstrate how they can be performed in Maltego. Finally the post will show how the process is drastically simplified with the use of machines that automate the process of running transforms in Maltego.

Network footprinting methodology.


When performing a footprint on a domain the goal is to find as much information about the domain as possible on an infrastructure level. When dealing with a large footprint it can be quite difficult to know when you have found all possible information that is publicly available for that particular domain. To make the process a little easier we have a structured methodology that we follow when conducting a network footprint in Maltego. This process is outlined in the data model shown in Image 1 below.

(Image 1)

At each level of this data model we want to find as much information as possible relating to the domain in question. Arrows in the data model relate to transforms within Maltego that can be used to find related information either above, below or on the same level of the model. Throughout this blog post I will refer back to this data model.

Starting at the top of the model with the target domain you'll see an arrow that points from a domain back to a domain. This transform relates to the TLD (top level domain) expansion of the target. In the real world this means going from (for example) google.com to all the other Google domains (google.net, google.co.uk etc.).

Once the top level domains are enumerated the first step is to try to find as many DNS names as possible from that domain’s zone file. This includes getting the domain’s MX records, its NS records and as many A records as possible. In Maltego there are nine transforms for finding DNS names related to a domain. Explaining how each of these transforms works is out of the scope of this post; however, transform explanations can be found in our transforms guide. In Maltego there is also a transform set named DNS from Domain that includes all nine of these transforms. Running this transform set on the domain linkedin.com results in the graph shown in Image 2 below:

(Image 2)

Note that there are 742 entities in the DNS name collection node.

From the DNS name level on the data model back in Image 1 you will see that there are three transforms for going back up a level from DNS names to find more related domains. Two of these transforms look for domains that share the same name servers (NS) or mail servers (MX) that have been found from our original domain. The third transform simply extracts the domain from the DNS name.

When finding shared infrastructure it is important to consider whether the name servers and mail servers are hosted by your target organisation or by an ISP. Looking at the shared infrastructure belonging to an ISP will result in many domains being returned that are hosted by the ISP but not related to your target. Determining if an MX or NS is hosted can be tricky, but visiting the website of the related entity mostly helps in making that decision. It is outside the scope of this document to detail this process (but it's mostly just common sense).

The next step in going down the data model is to resolve all the DNS names to IP addresses. Doing so results in the graph below:

(Image 3)

It is interesting to note here that 283 of the DNS names that we found all resolve to the single IP address shown in Image 3 above. From the image it can also be noted that there were 97 DNS names that currently do not resolve to an IP address at all. This might be an indication of old DNS names or DNS names that resolve to internal resources configured on a split DNS system.

On the IP address layer of the data model we could now go back up a level to find more DNS names related to the IP addresses. This can be done by looking at historical DNS records collected from passive DNS, reverse DNS and by querying Bing to see what other websites have been seen resolving to the same IP address (aka the "IP:" trick).

Continuing down the data model from the IP addresses we next want to find the netblocks that the addresses belong to and determine whether the entire netblock actually belongs to our target organisation. Finding the correct netblock size can be a tricky process and often requires some trial and error to get right. In Maltego there are three transforms for finding netblocks from an IP address and it is important to understand how each of these works. These three transforms are listed below:

• To Netblocks [Using natural boundaries] - This transform will sort IP addresses into netblock sizes specified by the user.
• To Netblocks [Using routing info] - This transform determines the netblock that an IP address belongs to by looking up its routing table information.
• To Netblocks [Using WHOIS info] - This transform will look up the netblock for an IP address by querying the registrars.

It is very important to place IP addresses into correctly sized netblocks. If you make the block size too small you will miss out on IP space belonging to your target organisation. You also do not want to make the netblock too large and include IP space belonging to someone else. Running the transform To Netblocks [Using WHOIS info] on our example graph from Image 3 results in the following graph:

(Image 4)

Image 4 above shows a portion of the resulting graph. Once we have these netblocks it is important to validate that we are still looking at our target's infrastructure and have not included IP space belonging to "innocent bystander" organisations. One way of doing this is to run the historical DNS transform on the netblock and then manually inspect whether or not the block belongs to your target by looking at the (reverse) DNS names that you get back. This is done by running the transform To DNS names in netblock [reverse DNS]. Running this transform on the netblock 108.174.0.0-108.174.7.255 found previously results in 121 DNS names being returned.

(Image 5)

Manually inspecting these DNS names it is quite easy to see that they all do belong to our target organisation and we can therefore assume with near certainty that the entire netblock does in fact belong to our target. In this step we have also found more DNS names related to our target and the process can be repeated by resolving the newly found DNS names to IP addresses and then finding the netblocks that they belong to.

Next, from the netblocks we have found we can have a look at the Autonomous Systems (AS-es) that they belong to and determine whether the entire AS is in fact owned by our target organisation. First we run the transform To AS number on the netblocks we have. We then run the transform To Company [Owner] to see who owns the AS. Doing so on our example results in seven AS-es being returned that belong to the LinkedIn organisation. Image 6 below shows a small portion of the graph and the path taken to get to one of these AS-es:

(Image 6)

At this point we have reached the bottom level of the data model from Image 1. The next step would be to take the AS-es we have found belonging to our target organisation and start moving back up the data model to find more related information at each level. First we would get all the netblocks in the AS-es and from these new netblocks we would then find more DNS names by looking at their historical or reverse DNS records. From new DNS names that are found we could potentially find more domains belonging to the target and then start the whole process again on the new domains. Note that this step is not included on the example graph in this post.

An important aspect to realize here is that a network footprint is a cyclical process, not a linear one (and you're never done, you just give up ;)). The simplest footprint you can do would be to go from the top of the data model to the bottom without moving up the model at any stage, as we have done here in this example. However we could continue this footprint by moving back up the data model from the AS-es that we have found belonging to our target.

The final graph from our example in bubble view is shown in Image 7 below. Bubble view sizes entities according to the number of incoming links they have from different sources. This makes it easy to identify the most connected parts of the network as well as its outliers.


(Image 7)
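As an added example, and not Maltego's transform or machine code, the walk through the data model described above (domain to DNS names to IP addresses to netblocks) implemented over constructed forward and reverse DNS tables for a fictional target on RFC 5737 documentation ranges. It performs the checks the post describes: names that do not resolve, one IP shared by many names, natural-boundary netblocks, and reverse-DNS validation of whether a netblock belongs to the target. The 0.8 share threshold is an assumption for the example.

```python
"""Added example, not Maltego's transform or machine code: one top-to-bottom pass
of the footprint data model over constructed DNS tables, with the validation
checks described in the post. Domain, addresses and names are fictional."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed forward (A) and reverse (PTR) tables for a fictional target.
FORWARD: Dict[str, Optional[str]] = {
    "www.example.org": "198.51.100.10",
    "dev.example.org": "198.51.100.10",
    "blog.example.org": "198.51.100.10",
    "mail.example.org": "198.51.100.25",
    "vpn.example.org": "198.51.100.40",
    "old-intranet.example.org": None,   # stale or split-DNS name: no public A record
    "cdn.example.org": "203.0.113.77",  # hosted at a third party
}
REVERSE: Dict[str, str] = {
    "198.51.100.10": "web1.example.org",
    "198.51.100.11": "web2.example.org",
    "198.51.100.25": "mx1.example.org",
    "198.51.100.40": "vpn-gw.example.org",
    "203.0.113.77": "edge77.cdnprovider.example.net",
    "203.0.113.78": "edge78.cdnprovider.example.net",
}


def dns_names_for(domain: str) -> List[str]:
    """Stand-in for the DNS from Domain transform set: names under the target domain."""
    return sorted(n for n in FORWARD if n == domain or n.endswith("." + domain))


def resolve_all(names: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """DNS names -> IP addresses; names without an A record are reported separately."""
    resolved: Dict[str, str] = {}
    unresolved: List[str] = []
    for name in names:
        ip = FORWARD.get(name)
        if ip:
            resolved[name] = ip
        else:
            unresolved.append(name)
    return resolved, unresolved


def shared_ips(resolved: Dict[str, str], threshold: int = 2) -> Dict[str, int]:
    """IPs that several names resolve to (the 283-names-on-one-IP case in Image 3)."""
    return {ip: n for ip, n in Counter(resolved.values()).items() if n >= threshold}


def natural_netblocks(ips: Iterable[str], prefixlen: int = 24) -> Dict[str, Set[str]]:
    """To Netblocks [Using natural boundaries]: group IPs into /prefixlen blocks."""
    blocks: Dict[str, Set[str]] = defaultdict(set)
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        blocks[str(net)].add(ip)
    return dict(blocks)


def reverse_dns_in_netblock(netblock: str) -> Dict[str, str]:
    """To DNS names in netblock [reverse DNS], against the constructed PTR table."""
    net = ipaddress.ip_network(netblock)
    return {ip: n for ip, n in REVERSE.items() if ipaddress.ip_address(ip) in net}


def netblock_belongs_to(netblock: str, domain: str, min_share: float = 0.8) -> bool:
    """Validation step: do the reverse DNS names in the block point at the target?
    min_share is an assumed cut-off; the post does this by manual inspection."""
    names = reverse_dns_in_netblock(netblock)
    if not names:
        return False  # nothing to judge on, so the block is not confirmed
    ours = sum(1 for n in names.values() if n == domain or n.endswith("." + domain))
    return ours / len(names) >= min_share


def footprint(domain: str) -> dict:
    """One top-to-bottom pass of the data model, the shape of the Footprint L1 machine."""
    names = dns_names_for(domain)
    resolved, unresolved = resolve_all(names)
    blocks = natural_netblocks(set(resolved.values()))
    return {
        "dns_names": len(names),
        "unresolved": unresolved,
        "shared_ips": shared_ips(resolved),
        "netblocks": {block: netblock_belongs_to(block, domain) for block in blocks},
    }
```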

    Foot-printing machines

    Fortunately, it is not required to remember every step of this footprinting process thanks to the concept of machines in Maltego. Machines allow you to script transforms together and have them run sequentially in an automated fashion. Out-the-box Maltego comes with three machines for network footprinting that roughly follow the process described previously. These three machines are described briefly below. Note that Maltego also ships with a forth machine for footprinting named Footprint XXL. Footprint XXL uses a different method which is useful when footprinting larger networks. However this machine is not within the scope of this blog post as it is aimed at advanced Maltego users footprinting massive multi-national organizations.

    Footprint L1:
    This is the most basic footprinting machine and runs through the data model from Image 1 straight down from top to bottom without looking at any shared infrastructure or historical DNS records. 

    Footprint L2:
    This machine will run through the same steps as Footprint L1 above. Additionally this machine will look for additional domains related to the original domain by looking for shared infrastructure of its name servers (NS) and mail servers (MX). The machine will also look for other websites hosted on the same IP addresses. The machine also has user filters - these are popups which are displayed while the machine is running and prompts the user to manually inspected results and decides with ones to continue with. In machine L2's case user filters are used to allow the user to choose which name servers, mail servers and websites are hosted by the target organisation or by an ISP. This is done to prevent the machine from looking for shared infrastructure on DNS names that are not hosted by the target. An example of a user filter when running Footprint L2 on the domain paterva.com is shown in the Image 8 below:

    (Image 8)
    From visual inspection it is clear that Paterva's mail is hosted by Google and their name servers are hosted by Linode. Therefore you would not want the machine to continue to run transforms that look for shared infrastructure on these entities as you'll follow the rabbit hole all the way to Google's (and Linode's) infrastructure!

    Footprint L3:
    Footprint L3 runs the same transforms as Footprint L2 but additionally it will look at historical / reverse DNS records on the netblocks that are found in order to find additional DNS names belonging to the target. Again the machine will use user filters to allow the user to specify which of the netblocks are still relevant.

    Footprint L3 will also run a transform named ToServerTechnologyWebsite on selected website entities on the graph, which returns the names of the different server technologies that are used on that particular website. Running this transform provides an easy way to identify which technologies are used commonly across many of the target's websites as well as outliers - the (sometimes more outdated) technologies that are only used on one or two servers. The screenshot in Image 9 below shows the results of the transform ToServerTechnologyWebsite on web servers of redcross.org.

    (Image 9)


    51 websites are found that are related to the domain redcross.org and inspecting the graph you can identify the website technologies that are commonly used. Selecting all the BuiltWith entities on the graph and ordering the detail view in descending order according to the number of incoming links shows which website technologies are the 'odd-ones-out' and are only used on a couple of websites - these are often the more 'interesting' sites...
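    The three ideas above - bubble view sizing entities by incoming links, the Footprint L2 user filter that separates the target's own NS/MX names from ones hosted by a provider, and picking out the 'odd-ones-out' website technologies - can be shown on a tiny in-memory copy of the footprint data model. This is an added example, not Paterva's or Maltego's code; the hostnames, IP addresses, technology names and the "is it under the target's domain" heuristic are all constructed for illustration (the real machines make DNS queries and show the filter as a popup):

```python
"""Added example (not Paterva's code): a small in-memory model of the footprint
graph. Links are (source, link type, target) triples, like entity links on a
Maltego graph. All names, IPs and technologies are constructed sample data."""
from collections import defaultdict

# Constructed sample footprint: domain -> NS/MX/websites -> IPs / technologies.
SAMPLE_LINKS = [
    ("example.org", "ns", "ns1.example.org"),
    ("example.org", "ns", "ns2.hostingprovider.test"),
    ("example.org", "mx", "aspmx.mailprovider.test"),
    ("example.org", "website", "www.example.org"),
    ("example.org", "website", "shop.example.org"),
    ("example.org", "website", "blog.example.org"),
    ("example.org", "website", "mail.example.org"),
    ("example.org", "website", "old.example.org"),
    ("www.example.org", "ip", "203.0.113.10"),
    ("shop.example.org", "ip", "203.0.113.10"),
    ("blog.example.org", "ip", "203.0.113.10"),
    ("mail.example.org", "ip", "203.0.113.25"),
    ("old.example.org", "ip", "203.0.113.77"),
    ("www.example.org", "tech", "nginx"),
    ("shop.example.org", "tech", "nginx"),
    ("blog.example.org", "tech", "nginx"),
    ("mail.example.org", "tech", "nginx"),
    ("www.example.org", "tech", "jQuery"),
    ("shop.example.org", "tech", "jQuery"),
    ("blog.example.org", "tech", "jQuery"),
    ("blog.example.org", "tech", "WordPress"),
    ("old.example.org", "tech", "Apache 2.2"),
    ("old.example.org", "tech", "PHP 5.3"),
]


def incoming_link_counts(links):
    """Bubble view: number of distinct sources linking into each target entity."""
    sources = defaultdict(set)
    for src, _, dst in links:
        sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def same_org(hostname, target_domain):
    """Name-based heuristic (an assumption of this example): the hostname is the
    target domain itself or a subdomain of it. Trailing dots and case are ignored."""
    h = hostname.lower().rstrip(".")
    t = target_domain.lower().rstrip(".")
    return h == t or h.endswith("." + t)


def user_filter(links, target_domain, link_types=("ns", "mx")):
    """Emulates the Footprint L2 user filter: NS/MX names under the target's own
    domain are kept for shared-infrastructure lookups; the rest are flagged as
    probably provider-hosted (Google, Linode, ...) so the rabbit hole is avoided."""
    keep, third_party = [], []
    for src, kind, dst in links:
        if kind in link_types and src == target_domain:
            (keep if same_org(dst, target_domain) else third_party).append(dst)
    return sorted(keep), sorted(third_party)


def technology_outliers(links, max_sites=2):
    """Technologies seen on at most max_sites websites: the 'odd-ones-out' that
    the post suggests looking at first (often the outdated stack on one box)."""
    counts = incoming_link_counts([l for l in links if l[1] == "tech"])
    return sorted(t for t, n in counts.items() if n <= max_sites)


if __name__ == "__main__":
    print("bubble view sizes:", incoming_link_counts(SAMPLE_LINKS))
    print("user filter (keep, third-party):", user_filter(SAMPLE_LINKS, "example.org"))
    print("technology outliers:", technology_outliers(SAMPLE_LINKS))
```

    On the sample data the filter keeps only ns1.example.org and flags the two provider-hosted names, and the outlier check returns Apache 2.2, PHP 5.3 and WordPress, the technologies that appear on only one site. In a real footprint the name-based heuristic is only a first cut: a provider can host a name server under the target's own domain, which is exactly why the machine leaves the final choice to the user.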

    Conclusion


    The examples shown in this blog post provide one possible strategy for conducting a network footprint in a structured and repeatable way. The three footprinting machines that come with Maltego out-the-box provide an easy method for applying this strategy to any domain, while each machine differs in exploration depth.

    Maltego 4 - it's finally time...

    TL;DR:

    Maltego 4 is finally ready...click on the picture below to view the release video:


    Download the software [here]

    ...but if you want to know more...

    The Maltego 4 story

    In March of 2015 myself, Chris and Andrew sat in a room in Cape Town to decide which feature to build next. It's one of the hardest challenges managing Maltego - deciding what to do next. There's always at least five major features competing for our attention. Be that geospatial view, temporal view, feeders or a browser plugin - there's always the next big thing waiting. We argued the entire day, everyone having their own favorite. At around 7 o'clock we were tired, hungry and irate. I asked Paul (at the time still pretty green and struggling to keep up with all the intricacies of a new design) "if you could have any feature in Maltego - what would it be?". He didn't have to think long and answered "handling big graphs". Then he casually put his headphones back on and ignored us.

    It wasn't what I wanted to hear. We kept on ignoring the issue to the point that we almost believed it wasn't a problem anymore. We didn't want to fix it. It was hard to fix. It meant ripping the guts out of our product. We all knew that it would mean many months of nothing but rebuilding things we already had. No new features, no new flashy bits. Just hard work - rebuilding Maltego from the ground up. But Paul was right. It wasn't the popular answer, but probably the right answer.

    For the months to follow we had no new features coming out. We issued a couple of patches for Maltego Chlorine (3.6) and kept supporting the old version. I asked Chris and Sonja if they had a rough idea on when we'll be done. The first date we tried for was Black Hat Las Vegas 2015. August. By June we all knew it was way too early and we pushed it back to Christmas 2015. In early December 2015 they sent me a barely working version. It included lots of disclaimers on which parts I could play with - but it could handle 30 000 nodes with ease. It was exciting, so exciting that I had to make a video about it. We decided we needed a new website too. Paul was to run with that - it had to be ready to go with the release of the new version.

    Putting back all the pieces took longer than we anticipated and we hadn't even started on collection nodes - the secret weapon in the fight against large graphs. Collection nodes were not a new concept. We tried it back in 2009 and never released it - it failed miserably, partly because the product (and perhaps we ourselves) were simply not mature enough. The trick then was usability and the usability of collection nodes was a major struggle now. We decided to completely redo the interface. The version I had in my hands looked really bad. The user experience was bad. It was riddled with bugs, things that simply didn't work. I pulled the video. It said we'll have it before 2016. There was simply no way we'd have it done. Christmas came and went and we had nothing.

    During January 2016 I felt like the new version was never going to happen and that, even if we did get it right, users would hate it.  I didn't even want Andrew and Paul to try this version because it would leave a bad taste in their mouths. But we kept slogging and gradually things started to get better.

    The turning point was early March 2016. After many usability / look / feel meetings we were slowly getting there. Things started to fall into place. It was looking the part and after several iterations the interface was starting to behave the way you expected it to. Preparing for a conference in April I exclusively used the new version. Using it in anger for the first time it was clear that this was something really special. All of the hard work was starting to pay off. Things that only lived in our imagination for a year were now right there on the interface, and it was working exactly the way we envisioned it. It was fast - terribly fast. And slick. And it handled almost anything I could throw at it. There would be no going back to Chlorine ever. It was time to set a date for the final release.

    The date was set to be the first of May 2016. But that was a Sunday so we went with May 2. This was a public holiday in South Africa (and in many other countries) so we went with Tuesday May 3. Now we had to tie up all loose ends (memory leaks, branding, testing/fixing/testing/fixing). We contemplated calling the new version Plutonium, but this release was so different to anything we've had in the past that we decided it would be easier to just go with 'Maltego 4'. We sent out betas to a select group of trusted users. The feedback was phenomenal. They loved it.

    We made a 'camera-ready' release on the 26th of April and I flew to Cape Town to go make the release video. We shot an afternoon, an evening and the next morning and I flew back to Gauteng to edit. After some hiccups the final edit was ready on the Sunday before the release.

    Today is Monday. Tomorrow we release. A brand new website, a brand new product. The release is not perfect. There are always things we want to improve and there are most likely a few minor bugs that we'll squash over time. With a system as complex as Maltego it's almost impossible to achieve perfection and I have to constantly remind myself that nobody cares about Maltego as much as we do. It's a child we all raised together as parents, siblings and a crazy uncle.

    Some other stuff we probably need to say

    Maltego 4 comes in two commercial flavors. Classic (the standard version) and XL (the pro version). The *only* difference between the two is that Classic is capped at 10 000 nodes. Oh wait - and the price - Classic is still $760 and XL is $1800. We had lots and lots of discussions about the price. We haven't raised the price on Maltego for a long time and we didn't want to raise the price for the new version. So we decided to split it into two products (we've been wanting to do this for a while now). We then had to decide what's in the XL version and what's not. An easy out would have been to exclude collection nodes from the Classic version. But collection nodes are super useful - even when working with small graphs as they quickly show you where you need to (probably) look - NOT at the collections. So collection nodes stayed. Then it was crippling Classic in some way...but that just felt wrong and so we didn't. Every time we thought about taking things out of Classic we cringed. Finally we decided on capping the total number of nodes in a graph. But where to cap it? We decided on 10K nodes for two reasons - the first being that in the past, working with 10K nodes would be painfully slow - so - we weren't taking functionality away from anyone...as they never had it. Secondly the slider was always maxed out at 10k - it didn't make sense to have it at a lower number. 10K it was.

    Still more stuff

    Maltego Chlorine users will be able to simply download Maltego 4 Classic and activate it with their license key. No upgrade fee to Maltego 4. Users that wish to upgrade to XL should just pop us an email.

    Then there's the question of the community edition. Ye - we're no longer supporting it and we'll be removing it from our site. Hehe.. no. Give it a bit of time. We'll create Maltego 4 CE and Maltego 4 Kali soon. No really. We will. Currently the CE versions are still using the old tech.

    And finally..

    One last thing. CaseFile. The one we always leave behind at the bus stop. There's good news. With Maltego 4 being so totally amazing we're making CaseFile completely free. No registration. No nothing. Just download and use. And in time we'll upgrade CaseFile to the goodness of collection nodes, large graphs and a face lift.


    Right, that's about it. We're super excited to see what you think about all our new tech. It's been a long journey and we're really pleased with our progress. We hope you are too!

    RT and the rest of the (tired) team.


    Panama Papers in Maltego

    By now everyone knows about the Panama Papers and the Offshore Leaks. If you don't you should read about it [here]. We've downloaded the CSV files from them, imported them into a SQL database, then wrote some transforms for Maltego. That's the context.


    Disclaimers. You should really really read this!

    First off - some disclaimers. I know nobody ever reads disclaimers but these are pretty important so you really need to read them.

    Disclaimer 1: Not everyone in the database is 'bad'. Having an offshore account is not a crime. There are good reasons to have one. Like they say on their site: "There are legitimate uses for offshore companies and trusts. We do not intend to suggest or imply that any persons, companies or other entities included in the ICIJ Offshore Leaks Database have broken the law or otherwise acted improperly."

    Disclaimer 2: People have the same names. Who would have thought?! You find someone in the data and go 'oooh! Het jou katvis!' (Afrikaans for 'gotcha, catfish!') - but remember that it could be someone else with that same name. Manually verify results - always!

    Disclaimer 3: The data is not very clean. There could be four entries for the same person and in Maltego these nodes will not merge (different node_IDs). You'll need to manually merge them if you feel like it. Of course, see 2 - e.g. they could be four different people. The same goes for addresses - the data was clearly captured by hand, so people write the same address in many different ways. Best thing here is to take the most significant part of the address and search for that - then manually verify.

    Disclaimer 4: The transforms might break. I am not even a proper coder. It should be OK, but when a query does not return or stuff falls apart then remember this disclaimer. If we get a LOT of interest on this then we might rewrite the transforms properly. Also - there are a lot of improvements that can be made on the transforms. Display info etc. etc. Don't tell us - we know this.

    This was hacked together on a Friday afternoon and a Saturday night and by the end of the day it seemed very useful and that's why we're releasing it now.

    With that out the way, let's first see how to get the transforms and entities into Maltego. We thought about adding this into the Transform Hub but decided against it. It's cool, but it's not THAT cool. That means you need to install the transforms by hand. Luckily, it's pretty easy.

    How to install

    In the transform hub, click on the [+] sign. Fill in the fields as you wish. The only part that needs to be the same as our example is the seed URL. The seed URL is [https://bark.paterva.com:8081/iTDSRunner/runner/showseed/PanamaPapers]



    Once you've filled it in, hit OK. You'll now see the item appear in the Transform Hub:

    Hover over it and click on 'Install'. It should look something like this when you're done (this is Maltego 4, but the other versions should look similar):

    Woot! Now you're ready to start using the transforms.

    How to use 

    Before we start we want to quickly discuss the data. There are 4 tables. Officers (people), Entities (companies, trusts or other legal entities), Addresses (duh - addresses), Intermediaries (think agents or companies or people doing the work on behalf of the officers). Then there's a table that links all of these together. 

    There are 4 entities in Maltego - Officers, Entities, Intermediaries, Addresses and Country. The transforms implement an almost fully meshed grid between these with a couple of spaces where it's not really applicable.

    The starting point for all transforms is a Phrase. As the data is mostly linked by node IDs you cannot start with any of the 'PanamaP' entities as you don't know what the node ID is. You always start with a Phrase and search from there.

    Let's see how this works. Let's assume we're looking for an officer called 'Hillary Clinton'. We suggest looking for just the word 'Clinton'. We drag a Phrase entity (in the Personal section) onto the graph, double click on the text and change it to 'Clinton'. Then we right click on the entity to bring up the context menu, navigate all the way to the top (right click on the menu) and select the Panama Papers transforms:
    In that group we select the 'PP Search officer' transform:
    This results in:
    Let's assume we're interested in one of the nodes and want to see what entities and addresses are connected to that officer. We select one of the nodes, right click and run the 'PP Get details' transform:
    We can do the same on the Entity that's returned from here:

    And so the story goes on...

    Another interesting way to look at the data is to start looking for the Addresses. This is sometimes useful to identify Officers from certain locations. For broader searches you can start from a country...

    Let's see which officers stay in Beverly Hills. We start with a phrase 'Beverly Hills' and run the 'PP Search addresses' transform:
    We get 47 addresses in Beverly Hills that are in the database. Let's see what's going on there. We select all the nodes and run the 'PP To officers or entities here' transform:

    ...but wait...

    Does 'Beverly Hills' exist in other countries too? Yes. In Australia. In Hong Kong. Probably in other countries too. So we need to remove them. Control F, type in 'Hong'. Hit find. Control shift down arrow (select children). Delete. Rinse and repeat for others. Hmmm.. perhaps Beverly Hills was a bad choice. There's even a Beverly Hills in Ballito, South Africa. Really? REALLY?

    Anyhow. Rinse. Repeat. And then:
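    The data model (four node tables plus one link table, everything joined by node IDs) and the transform walk-through above - phrase search for an officer, 'Get details', address search, 'To officers or entities here', and the manual removal of same-named places in other countries - can be reproduced offline against a small sqlite3 database. This is an added example and not Paterva's transforms or the ICIJ export format: the table and column names, the relationship labels and every row are constructed for illustration. The rows deliberately contain two officers with the same name (Disclaimer 2) and one address written two ways (Disclaimer 3), so you can see why searching returns node IDs rather than merging on names:

```python
"""Added example (not Paterva's transforms, not the ICIJ schema): an in-memory
sqlite3 model of the Panama Papers node tables and link table, with lookups that
mirror the PP transforms described in the post. All rows are constructed."""
import sqlite3

SCHEMA = """
CREATE TABLE officers       (node_id INTEGER PRIMARY KEY, name TEXT, country TEXT);
CREATE TABLE entities       (node_id INTEGER PRIMARY KEY, name TEXT, country TEXT);
CREATE TABLE intermediaries (node_id INTEGER PRIMARY KEY, name TEXT, country TEXT);
CREATE TABLE addresses      (node_id INTEGER PRIMARY KEY, address TEXT, country TEXT);
CREATE TABLE edges          (node_1 INTEGER, rel_type TEXT, node_2 INTEGER);
"""

# Constructed rows: two distinct officers named 'A. Smith' (Disclaimer 2) and the
# same Beverly Hills address captured in two spellings (Disclaimer 3).
SAMPLE_ROWS = {
    "officers": [(10, "A. Smith", "USA"), (11, "A. Smith", "HKG"), (12, "B. Jones", "USA")],
    "entities": [(20, "Sunrise Holdings Ltd", "BVI"), (21, "Moonlight Trust", "PAN")],
    "intermediaries": [(30, "Offshore Agents Inc", "PAN")],
    "addresses": [
        (40, "1 Palm Drive, Beverly Hills, CA", "USA"),
        (41, "1 Palm Dr., Beverly Hills, California", "USA"),
        (42, "Beverly Hills Road, Hong Kong", "HKG"),
    ],
    "edges": [
        (10, "officer_of", 20), (12, "officer_of", 21), (11, "officer_of", 21),
        (30, "intermediary_of", 20),
        (10, "registered_address", 40), (12, "registered_address", 41),
        (11, "registered_address", 42), (20, "registered_address", 40),
    ],
}
NODE_TABLES = ("officers", "entities", "intermediaries", "addresses")


def build_db():
    """Load the constructed rows into a fresh in-memory database."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        con.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return con


def search_officers(con, phrase):
    """'PP Search officer': substring match on the name. Same-name hits stay
    separate rows because each carries its own node_id."""
    return con.execute(
        "SELECT node_id, name, country FROM officers WHERE name LIKE ? ORDER BY node_id",
        (f"%{phrase}%",)).fetchall()


def search_addresses(con, phrase, country=None):
    """'PP Search addresses', with the country filter the post applies by hand
    (Control F 'Hong', select children, delete) done in the query instead."""
    sql, params = "SELECT node_id, address, country FROM addresses WHERE address LIKE ?", [f"%{phrase}%"]
    if country:
        sql, params = sql + " AND country = ?", params + [country]
    return con.execute(sql + " ORDER BY node_id", params).fetchall()


def node_label(con, node_id):
    """Resolve a node_id to (table, label) by probing the four node tables."""
    for table in NODE_TABLES:
        col = "address" if table == "addresses" else "name"
        row = con.execute(f"SELECT {col} FROM {table} WHERE node_id = ?", (node_id,)).fetchone()
        if row:
            return table, row[0]
    return None, None


def get_details(con, node_id):
    """'PP Get details': every node linked to this one, in either edge direction."""
    rows = con.execute(
        "SELECT node_2, rel_type FROM edges WHERE node_1 = ? "
        "UNION SELECT node_1, rel_type FROM edges WHERE node_2 = ? ORDER BY 1",
        (node_id, node_id)).fetchall()
    return [(other, rel, *node_label(con, other)) for other, rel in rows]


def officers_or_entities_here(con, address_ids):
    """'PP To officers or entities here': who is registered at any of these addresses."""
    marks = ",".join("?" * len(address_ids))
    ids = con.execute(
        f"SELECT DISTINCT node_1 FROM edges WHERE rel_type = 'registered_address' "
        f"AND node_2 IN ({marks}) ORDER BY node_1", list(address_ids)).fetchall()
    return [(nid, *node_label(con, nid)) for (nid,) in ids]


if __name__ == "__main__":
    con = build_db()
    print("Search officer 'Smith':", search_officers(con, "Smith"))
    print("Get details (10):", get_details(con, 10))
    hits = search_addresses(con, "Beverly Hills", country="USA")  # drops the Hong Kong one
    print("Beverly Hills (USA):", hits)
    print("Officers/entities here:", officers_or_entities_here(con, [h[0] for h in hits]))
```

    Running it shows the two 'A. Smith' rows coming back as separate node IDs, and the two spellings of 1 Palm Drive staying separate addresses that both resolve to people at the same place; merging them is a manual decision, as the disclaimers say.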

    Pretty please read the disclaimers at the start of this post. You probably scrolled to the end right away. But please read them.

    And this time, for realsies -- use responsibly!
    RT

    Maltego 4 CE / Kali Linux release is ready for download!

    Hi there,

    We're happy to announce that Maltego 4 is now (finally) ready for the masses! We're releasing the community (free) edition today and the Kali distros have been updated by the kind people from Offensive Security (thanks Dookie/Muts!). In other words - we're ready to roll on a major upgrade of your favorite information visualization tool.


    (click on the image above to see our very grown-up/proper promotional video of Sandra the 15 year old Dachshund and Maltego/Kali Linux. We plan to screen this at our booth at a major conference.)

    Our decision to make CaseFile free with the release of Maltego 4 had some interesting side-effects. In CaseFile importing data from CSV/XLS was enabled. So too printing. And reporting. So when we made CaseFile free it did not make sense to limit the Kali/CE releases - you'd simply open CaseFile, import the data and save the graph - then open in CE.

    So - bottom line - reporting/printing/CSV import is now enabled in the free release!

    The major changes from 3.6 to 4.0 are the ability to render and use large graphs, the use of collection nodes and a brand new interface. To see a more complete overview of the improvements in Maltego 4 you might want to view our release video [HERE].

    For the CE version (OSX/Windows/Linux/SNES/ZX81/C64) click [HERE], download and install.

    For Kali Linux - if you're running 2016.2 (recommended) you can simply type:

    # apt-get update && apt-get install maltegoce

    If you're using Kali Linux 2016.1 it's a bit of a bigger mission but you can open a terminal and type:

    # apt-get update && apt-get dist-upgrade

    This will upgrade your Kali to the latest - and it's a good thing(tm) anyhow.
    Once you're good to go start Maltego like you normally do.



    We hope you have endless fun using Maltego 4 and that you find it super useful in your explorations.

    RT

    Christmas Special & State of the Nation. It's a thing!

    Here we are – at the end of 2016. For some 2016 was a great year. For others... not so much. It was indeed a year where we saw many changes around the world. And you know what they say about change. No no - not the holiday thing, that funny thing about not wearing ski pants in the desert. 

    Was 2016 a bad year for Maltego? Hmm - no. We released a major version (M4) this year. We fixed a lot of bugs in it and we’re now up to the 12th update for the 4.0 version. We finally had the courage to split it into two flavors (Classic and XL). We built the MDS this year. A few more tests and it’s ready for production in early 2017. Every time I play with the MDS I smile. It’s truly a thing of beauty. Maltego 4 + MDS is going to turn out to be VERY powerful.

    The company has grown too – not just with clients and sales – but with people too. Yesterday another recruit started with the company. His name is Andrew. How is it that we have five people working in one office and two of them are called Andrew? Don’t ask – it’s still 2016. We now have proper offices in Pretoria (here and here) having moved from Cape Town. Yes – we moved there and then moved back. I said don’t ask.

    After almost 10 years around, people tend to think we need to “grow up”. Become a “proper company”. Focus more on “making the numbers” and thus less on making cool and useful tech. Cut the intros for our videos and use "sensible fonts". Find a receptionist and a PABX and a stall at *that* conference and a real company letterhead. Well |=|_|[|< all that. We fight against that on a daily basis. We resist conforming, becoming a “me too!”. And after every Maltego design meeting we sit down again and question our decisions and ask if it’s REALLY the direction we want to take.

    I know you’re actually only here for the Christmas special coupon code. It’s a tradition we’ve kept going for the last few years. The plan here is that you can buy Maltego as a gift to your partner/wife/husband/girlfriend/boyfriend/dog/parakeet/goldfish/cactus/athlete's foot at a real bargain and that you don’t need to buy them socks - again. 

    The coupon is all lower case. It contains no spaces. It’s the new server we’re releasing in 2017 – append to that the name of person that just joined the company. You can of course Tweet this coupon to the world. Do that and we'll give your Twitter alias to a South African traditional healer which in turn will give you a penis enlargement. Even if you’re not male. And keep in mind they’re not always super reliable so stuff might go wrong. It’s up to you.

    The coupon gives you 40% off Maltego Classic and XL (the discount does not apply to renewal fees). The coupon is valid from now to the 27th of Dec (00h00, GMT+2).

    Baby seals,
    RT


