The dominant conception of intelligence in the cognitive science literature, developed by R. B. Cattell and J. L. Horn, focuses on problem solving and splits intelligence into two types [1]:

  1. Fluid intelligence
    • this is how we solve problems when we’re kids
    • eventually, we form “habits of thought,” leading to
  2. Crystallized intelligence
    • the ability to “create schemes about the way the world works”

As crystallized intelligence strengthens, fluid intelligence tends to become less used.

What is Open Source intelligence (OSINT)?

OSINT and the open source movement

It is important to note up front that OSINT is not the same thing as the open source software movement. The software movement is focused on the rights to:

  • access source code;
  • run a program without restriction;
  • modify source code, etc. [2]

A definition for OSINT

OSINT is about access to open information (i.e., publicly available information). Essentially, OSINT is the collection of data from publicly available material.

OSINT doesn’t require computers, as it was around prior to the existence of computers. In fact, the act of gathering information from newspapers or gossip is OSINT. Modern OSINT, however, recognizes the power of computers and three key aspects of open information [1]:

  1. Available information
    • information is available freely online
    • information should not have to go through experts before being accessible
  2. Unlimited collaboration
    • anyone can solve a problem, so anyone should be able to work on the problem
  3. Anyone can co-develop
    • we learn from each other, so our intelligence will remain more fluid if we are constantly working with others


OSINT Framework

The OSINT Framework [3] lists a series of information sources and tools that can be used for OSINT investigations. One of the tools identified in the framework is Paterva’s Maltego, and it is one of the most popular tools for a variety of use cases.

What is Maltego?

Maltego is proprietary software created by Paterva Ltd [4], a company based in South Africa. It is currently managed by Maltego Technologies, which is a German company.

According to its homepage [5], “Maltego is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.”

How does Maltego work?

Maltego is used to map the relationships between pieces of information. It uses Entities and Transforms, both of which are described in the fourth video [6] in the Maltego Essentials series. The definitions used in the video are summarized below.

Entities

Entities are “bits of information” that we have obtained from a data source.

Entity Examples [7]

The above example from Maltego’s docs shows some basic Entity types available in Maltego: a physical location, a website, a company name, an email address, a person’s name and a telephone number. It is possible to create custom Entities [8].

Transforms

A Transform is “the bit of code that generates some information based on a bit of information we already have… [T]he process of executing the code that generates more Entities [is known] as ‘Running a Transform’” [6].

Transform Example [9]

The example above shows a website Entity having a Transform run on it in order to reveal the IP address Entities associated with the website Entity.

More technically, a Transform “is a small piece of code that fetches related information for a given input and formats the results to be returned as Entities to Maltego” [10].

Both the Entity and Transform examples can be found in Maltego’s doc, “Introduction to Maltego Standard Entities.” [11]

Transforms are important because they allow us to see information about, and relationships between, Entities that we may not otherwise detect. This is discussed more after we consider how Maltego works.

Required software for Maltego

Maltego is available as a desktop app with a free, Community Edition (CE). The CE is limited to twelve Transforms per Entity. This video [12] describes the different versions of Maltego.

Maltego is Java-based, so you need Java 8 or higher in order for it to function. This video [13] explains how to get Maltego working on Linux, Windows and macOS.

The technology behind Transforms in Maltego

Transforms are generally written in Python, but there is no restriction on which programming language can be used. The requests that run Transforms on Entities, and the responses they produce, are XML-based, so the Python code converts those requests and responses into Python objects [10].

This is an example, from the Maltego docs [14], of what a Transform looks like in Python:

import socket
from maltego_trx.maltego import UIM_TYPES
from maltego_trx.entities import IPAddress

from maltego_trx.transform import DiscoverableTransform

class DNSToIP(DiscoverableTransform):
    """
    Receive DNS name from the client, and resolve to IP address.
    """

    @classmethod
    def create_entities(cls, request, response):
        dns_name = request.Value

        try:
            ip_address = socket.gethostbyname(dns_name)
            response.addEntity(IPAddress, ip_address)

        except socket.error as e:
            response.addUIMessage("Error: " + str(e), UIM_TYPES["partial"])

        response.addUIMessage("Slider value is at: " + str(request.Slider), 
          UIM_TYPES["inform"])

The above is a DNSToIP TDS Transform. The Transform gets the DNS name from the Desktop Client and returns the IP address associated with that DNS name. There are more steps in getting this to actually work with Maltego, but they are beyond the scope of this document. You can read more about those steps here [14].

Transform Servers

Transforms run on Transform servers that can interact with data necessary for performing Transforms [15]. A Maltego Desktop Client doesn’t connect directly to this server, however. Maltego uses servers called Transform Distribution Servers (TDS) [16] for making connections:

  1. When the client runs a Transform, it forwards a request to the TDS.
  2. The TDS forwards Transform requests to the correct Transform server and sends the results to users via their client.

The following image shows the basic architecture:

Maltego System Architecture [17]

Let’s explore what’s going on.

XML-based requests and responses

The following XML request and response examples come from the Maltego doc, “Writing Transforms” [18].

When a Desktop Client runs a Transform, it sends an XML-based request (in this case, a DNSToIP request) to the TDS, which has been configured through a web interface. The TDS forwards the request to the appropriate Transform server.

<MaltegoMessage>
  <MaltegoTransformRequestMessage>
    <Entities>
      <Entity Type="DNSName">
        <Genealogy>
          <Type Name="maltego.DNSName" OldName="DNSName"/>
        </Genealogy>
        <AdditionalFields>
          <Field Name="fqdn" DisplayName="DNSName"> alpine.paterva.com</Field>
        </AdditionalFields>
        <Value>alpine.paterva.com</Value>
        <Weight>0</Weight>
      </Entity>
    </Entities>
    <Limits SoftLimit="256" HardLimit="256"/>
  </MaltegoTransformRequestMessage>
</MaltegoMessage>

The server performs the Transform, and the TDS sends the following response XML to the client:

<MaltegoMessage>
  <MaltegoTransformResponseMessage>
    <Entities>
      <Entity Type="maltego.IPv4Address">
        <Value>
          <![CDATA[173.230.156.137]]>
        </Value>
        <Weight>100</Weight>
      </Entity>
    </Entities>
    <UIMessages>
      <UIMessage MessageType="Inform">
        Slider value is at: 256
      </UIMessage>
    </UIMessages>
  </MaltegoTransformResponseMessage>
</MaltegoMessage>

The user then sees this in the Maltego Client:

`DNSToIP` Output in Desktop Client [19]

Note that the Java-based client also prints messages to a console beneath the Transform in order to let the user know what is happening.
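To make the exchange above concrete, here is an added illustration (not code from the Maltego docs or from maltego_trx) written against the Python standard library: it parses the request message, runs the DNSToIP logic against a constructed offline lookup table in place of socket.gethostbyname(), and serialises the response message. The element paths follow the two messages shown above; the MessageType value PartialError is the XML form that UIM_TYPES["partial"] in the page’s Transform maps to.

```python
import xml.etree.ElementTree as ET

# Constructed sample request, modelled on the DNSToIP request message shown above.
SAMPLE_REQUEST = """<MaltegoMessage>
  <MaltegoTransformRequestMessage>
    <Entities>
      <Entity Type="DNSName"><Value>alpine.paterva.com</Value><Weight>0</Weight></Entity>
    </Entities>
    <Limits SoftLimit="256" HardLimit="256"/>
  </MaltegoTransformRequestMessage>
</MaltegoMessage>"""

# Constructed offline lookup table standing in for socket.gethostbyname(),
# so the Transform logic runs without touching the network.
FAKE_DNS = {"alpine.paterva.com": "173.230.156.137"}

def parse_request(xml_text):
    """Return (entity type, input value, soft limit) from a request message."""
    root = ET.fromstring(xml_text)
    entity = root.find("./MaltegoTransformRequestMessage/Entities/Entity")
    limits = root.find("./MaltegoTransformRequestMessage/Limits")
    # strip() guards against padded values like the Field text in the request above
    return entity.get("Type"), entity.findtext("Value").strip(), int(limits.get("SoftLimit"))

def build_response(entities, messages):
    """Serialise output Entities and UI messages as a response message."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value, weight in entities:
        e = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(e, "Value").text = value
        ET.SubElement(e, "Weight").text = str(weight)
    ui = ET.SubElement(resp, "UIMessages")
    for mtype, text in messages:
        ET.SubElement(ui, "UIMessage", MessageType=mtype).text = text
    return ET.tostring(root, encoding="unicode")

def dns_to_ip(request_xml, resolver=FAKE_DNS.get):
    """Mirror the DNSToIP Transform: one DNSName in, IPv4Address Entities out."""
    etype, dns_name, slider = parse_request(request_xml)
    entities, messages = [], []
    ip = resolver(dns_name) if etype == "DNSName" else None
    if ip is None:
        # Same role as addUIMessage(..., UIM_TYPES["partial"]) in the Transform above
        messages.append(("PartialError", "Error: could not resolve " + dns_name))
    else:
        entities.append(("maltego.IPv4Address", ip, 100))
    messages.append(("Inform", "Slider value is at: " + str(slider)))
    return build_response(entities, messages)
```

A real Transform server receives this XML from the TDS, so production code should parse it with a hardened XML parser (for example defusedxml) rather than a bare ElementTree, and should honour the SoftLimit by capping the number of Entities returned.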

How is Maltego used for OSINT?

There are two approaches to OSINT using Maltego [20]:

  1. Active
    • direct contact with target in real-time
    • pro: provides more accurate data
    • con: higher risk of detection
    • example: scanning a target website
  2. Passive
    • no direct contact with target
    • based on historical or third-party records
    • pro: lower risk of detection
    • con: information may be outdated
    • example: looking up historical DNS records

One of the major advantages of Maltego for OSINT is that it is reasonably private, even when running more active OSINT measures [21]. As discussed above, when you run a Transform, your Maltego Client is interacting with a TDS, which, in turn, interacts with a Transform server that actually handles the Transform. This means that, if the target detects that it is being scanned, it would be the Transform server that would be detected. So, while the target would know it had been scanned, it wouldn’t know that you were the one who scanned it. Unfortunately, this means that Maltego is not exclusively used by ethical hackers.

With the two approaches above, Maltego can be used for a variety of investigations, some of which are discussed below.

What types of investigations can Maltego be used for?

What is the point of all of this? How do Transforms help with OSINT investigations? The key thing here is that Maltego can be used to identify relationships that might otherwise not be obvious. When we have a huge amount of information, it can be really difficult to identify connections between apparently disparate pieces of that information.

By visualizing relationships within data, Maltego makes it easier to see connections that could otherwise go unnoticed. Aspects of Maltego not explored here (like Layouts and Views [22]), can help identify clusters of information that may have been missed without a visualization tool.

This infographic [20] identifies many of the data sources and use cases for Maltego. Here are some examples that can be explored:

Footprinting

This is also called reconnaissance.

A variety of actors make use of this technique, and this is probably the most obvious use case for someone interested in cybersecurity.

A pen-tester would run this type of investigation in order to identify potential weak points in a company’s network infrastructure. The lecture on “Network Exploitation - nmap and Metasploit” [23] showed us the technical aspects of such analysis, using tools like whois to discover information about a domain and nmap to scan ports.

Maltego provides a good guide to performing the same activity through Transforms: “How to Use Maltego Transforms to Map Network Infrastructure: An In-Depth Guide” [24].

Social Media

You can examine someone’s social media footprint and connect your findings to open source tools like Have I Been Pwned [25]. You can even start with your own. Here is a brief example of how to do it: “Beginner’s Guide: Examining Your Digital Profile and Social Media Footprint” [26].

Tracking/Profiling

Imagine you are tasked with brand monitoring [27] for a company. Maltego can be used to see if people are spoofing your brand for phishing attempts. The guide “Tracking Typosquatting and Brand Monitoring With Maltego” [28] describes how you could monitor this problem with Maltego.

Threat Intelligence

While police and security forces have their own intelligence sources, many of which do not fall under the umbrella of OSINT, OSINT does allow for analysis of threat actors, as outlined in the “Investigate TA505 Threat Actor Group Using Maltego” [29] case study. In this study, domains associated with a threat group are analyzed to identify malware threats and to allow an organization to block IPs associated with the threat group.

Police forces do make use of Maltego, as it can also be used for things like Person of Interest investigations.

Analyzing Web Content

We can analyze content on the web with Maltego. The “Investigating Covid-19 Domains with Maltego” [30] case study shows that it’s possible to examine the likelihood that a domain purporting to be related to Covid-19 is actually a scam website housing viruses or ransomware.

Document Analysis

Finally, we can analyze documents, like Wikipedia pages. In the seventh video [31] in the Maltego Essentials series, detailed information about Wikipedia edits is returned and examined. This isn’t a full-fledged investigation, but it gives you an idea of some of the things Maltego is capable of.

Conclusion

It is easy to get started with Maltego, and there are many things that you can do with it that aren’t listed here. If you explore the “Case Studies & Whitepapers” [32] section of the website, you will find many other ways to use Maltego.

This introduction didn’t even begin to explore all of the OSINT tools that Maltego connects to via APIs, but there are a significant number of them.

Visualizing information can lead to the discovery of relationships that weren’t previously apparent, and Maltego is a great tool for creating such data visualizations.
