How to optimize Maltego for OSINT Investigations with Maltego Transforms
In my experience, Maltego is an important and useful addition to other OSINT investigation tools and methods.
It is a very versatile tool for a range of very different users. For example, threat intelligence teams, analysts at the SOC, incident response teams, investigators, cyber investigators, prosecutors, and many others. But which Maltego transforms do they use?
Almost all users carry out “OSINT” investigations, but they have different perspectives and needs. The range of professional transformations in Maltego’s “Transform Hub” is therefore just as diverse. From free-to-use transformations to expensive enterprise solutions, everything is available. Last but not least, there is the possibility to write or install your own local transformations. In this post, I will introduce the most important “OSINT” Maltego transformations.
Maltego for Corporate Investigations
The focus of my investigations is “corporate investigations”. For example, for email addresses and social network profiles, I need to identify the possible “real” person behind them. It is also often a matter of identifying the connections between websites, finding users/owners of domains and IP addresses, and other similar topics. So gathering individual information from many sources makes sense, for example, data from SEO tools or information from threat intelligence databases. Therefore, I will limit my consideration of transformations in this post to the investigative benefits rather than aspects of penetration testing. With this perspective in mind, below I evaluate the current transformations for Maltego Classic. I plan to provide additional details about individual transformation providers again from the perspective of investigations.
The User Needs to Understand Maltego Transformations
Using Maltego and finding the best course of action for your own application is not difficult. In my courses, I rarely need longer than one day for this part of the training. However, it is much more important for users to know and understand the installed transformations. This is also the biggest hurdle in the workshops and takes the most time.
I need to know my transformations and (exactly) understand:
Which data sources do these transformations query?
What information can I query and how?
What data do the transformations query, and how do they do it?
What are the expected results?
What transformations can I use with the results?
The first time you try the software, you’ll want to start all existing transformations for an entity. However, this leads to unclear results and frustration. See the image below as an example:
Understanding the Basics of Transformations
The goal is to use transformations in a structured way with knowledge of their fundamentals, and having good documentation from the transform providers would be a real help. Unfortunately however, the different providers have one thing in common: there is often no sufficient documentation of the offered Maltego transformations.
And, this is not only true for the free offers ̶ even the expensive suppliers do not shine here. Of course, there are exceptions:
Luckily, some transformations provide good documentation. For instance, the Paterva transforms are well documented. This explains, for example, why the user cannot compare the search engine results from the transformations with his own Google results. (Patervas uses the Bing API).
Farsight has also published very good documentation.
The vast majority of transformations offered in the “Transform Hub” are subject to a charge. However, some of these providers (marked “purchased separately”) offer queries that are limited in scope, which means that they make sense to use for more basic needs.
I will also address these transformations in this post and a related article. I will also go into the current limitations in more detail.
Recommended Maltego Transformations
Outside the Transforms Hub:
Hunchly Maltego Transforms
Additional API keys needed:
Details about the Maltego transformations
- Standard Patervas Transformations, (Maltego Classic / XL)
- 148 Transformations as part of the Classic/XL license.
- These cover many areas very well, e.g. everything around the infrastructure of the domain or also about Twitter.
dataprovider.com has crawlers that navigate from link to link in order to index all sites in a country. In this way, the company collects extensive data on over 280 million domains from 50 different countries every month.
The database has information with 200 different variables, including phone numbers, email addresses, IP addresses, analysis IDs, and more. It is updated monthly. The transformations provide access to this structured database.
dataprovider.com offers free but limited use of the service. For more intensive use, an API key from the provider is required:
Farsight offers one of the largest databases of passive DNS data.
For example, users can query information about DNS record types such as domains, IPs, NX, MX, AAAA, SOA. A wildcard search is also available.
They offer free limited queries – including instant access, no registration, no API key required!
Free query limits:
- 12 queries per hour
- Maltego Classic and XL – 50 answers per request
- https://www.farsightsecurity.com/assets/media/download/DNSDB Maltego User’s Guide.pdf
Social Links provides transformations for open source and social media intelligence.
It contains more than 750 transformations (3,000 queries per day) to retrieve data from over 50 sources.
- Social networks: Facebook, Instagram, LinkedIn, Twitter, Skype, Xing, Foursquare, Badoo, Blogger, Classmates, Flickr, Github, FullContact, MyMail, Myspace, Odnoklassniki, Snapchat, Sqoop, Vkontakte, Youtube, Photobucket, Deviantart, Pinterest, Tinypic, Imageshack and others.
- Messenger: Telegram, Signal and others.
- Unique search in more than 30 darknet forums and marketplaces.
- Companies: CompaniesHouse, Open Corporates, Google Companies, OCCRP, Offshores.
- Integration with third-party services: Pipl, Bitcoinwhoswho, Securitytrails, Censys, Shodan, ZoomEye and others.
- Access to Social Links database with 7 TB of emails, aliases, names, phone numbers.
- Cryptocurrency: Ethereum Platform Analysis, Bitcoinwhoswho, TokenView;
- Other sources: DocumentCloud, Ebay, Torrents, TruePeopleSearch, Wikileaks, Dating sites such as Match, Chemistry, Fling, Meetup, okcupid, ask.fm, rsvp.com.au and others.
Trial Key available from https://www.mtg-bi.com
- The 24 transformations were written by Patervas and a Shodan API key is needed for better results.
- From the data of the Shodan database there is then e.g. IP information, network blocks, services/port, domain queries. But also native Shodan queries for terms or phrases are possible.
- SocialNet offers more than 700 transfroms with data from 70+ social media networks.
- Query is possible by e-mail address, alias, phone number or name.
- Trial can be obtained via https://www.shadowdragon.io/
- 8 Maltego transformations to visualize the Bitcoin blockchain.
- Contains queries about Bitcoin addresses, transactions, and details.
Five transformations supported by ThreatCrowd.org:
- From domains and IPs to historical DNS resolutions and links to malware.
- From MD5 hashes from malware to C&C domains and IP addresses.
- ThreatCrowd is a non-commercial website and there is no private API.
Virus Total Public API
Query the VirusTotal Public API for information about IP addresses, hashes, domains, and URLs.
Passive Total (A)
- This set of 121 transformations is based on the PassiveTotal API. Queries are possible to entities such as domain, IPv4 address, URL, email, SSL certificates and many others.
- Limited use of 25 requests per day.
- If you need more, you need to register under https://www.passivetotal.org/enterprise.
Passive Total is a product of RiskIQ.
Community information: https://community.riskiq.com
Have I been Pwned
Six Maltego transformations to https://haveibeenpwned.com
Has a [hashed] password, domain been violated or an alias/email listed in a post to Pastebin, etc.?
Queries for Breach name, domain, alias, email.
14 transformations are currently available for FullContact,
An API key is required for installation.
Enrichment of email address, Twitter, domain, person, company, alias and phone number.
A (free) API key is available for both the “Risk API” and the “Name to Domain API” of Clearbit.
Five transformations to:
- Company Name to Domain
- Domain to Logo
- Risk from E-Mail
- Risk from IP address
Hunchly Maltego Transforms
Python 2.7 is (still) required to use the transformations.
The transformations access the case data within the Hunchly software.
The starting point is the query of a Hunchly Case. From there you can go to secured pages and photos and to the data and keywords contained therein.
The transformations are still quite simple and improved, but also give a good insight into the possibilities of local transformations.
Maltego needs the right Open Source Intelligence (OSINT) add-on modules – so-called transformations – to show its full strength. These can be transformations bought from a professional provider or local transformations. This post contains the most important selection of transformations for Maltego from my point of view. I will update it as needed.