
OSINT Investigation with Maltego

Please note that the software provided by Maltego is subject to certain limitations and restrictions. Users are free to utilize the software within legal boundaries; however, it is prohibited to employ it for unlawful activities, such as gathering email addresses for spamming purposes. Additionally, any data or graphs generated through the software are also subject to these restrictions.

It is important to understand that Maltego cannot be held responsible for any unfavorable outcomes resulting from the use of their software. If any issues arise during your use of the software, it is your sole responsibility to rectify them.

Maltego is a powerful tool used for open-source intelligence (OSINT) data mining. It sources data from various open-source databases and generates graphical representations, or graphs, that facilitate the analysis of connections between different information pieces. These graphs provide a convenient way to identify relationships among data elements such as names, email addresses, organizational structures, domains, and documents. Maltego is built using Java, making it compatible with Windows, Mac, and Linux operating systems. It is often included in OSINT-focused Linux distributions like Buscador and Kali.

In essence, Maltego automates the process of searching and organizing large amounts of information from open-source websites. It then presents a visually appealing graph that helps investigators piece together information and uncover connections. While Maltego can be utilized at any stage of an investigation, it is particularly useful for mapping networks when targeting a domain. By starting with Maltego, investigators can obtain a bird's-eye view of the network and its connections right from the beginning of their investigation.



Which version of Maltego should I choose to download?

There are various options for Maltego versions that you can consider:

1. Maltego XL: This is the premium version designed specifically for handling large amounts of data. It offers advanced features and capabilities.

2. Maltego Classic: This version is available for purchase and includes access to all the APIs (transforms) offered by Maltego.

3. Maltego CE: If you are looking for a free version, Maltego CE is available. However, this version has limited access to APIs (transforms).

4. Casefile: This version is specifically designed for analyzing links in offline data. It allows you to conduct investigations without the need for an internet connection.

Consider your specific requirements and choose the appropriate Maltego version accordingly.

Maltego Classic, Maltego XL, and Maltego CE differ primarily in the quantity of entities that can be obtained from a single transform and the maximum number of entities permitted on a single graph. In this context, we will utilize the free version, Maltego CE, which offers limited Transforms. This software is included in the Buscador Linux distribution, which is commonly preferred by Open-Source Intelligence investigators.


To install Maltego on different platforms, follow these steps:

https://www.maltego.com/maltego-id-registration

1. Buscador: If you're using Maltego via Buscador, it will initially be the Casefile version. To upgrade it to the Community Edition (CE), visit the Maltego website and create an account. Once you have created an account, you will receive a key that will convert your Casefile into the CE.

2. Kali: Maltego is already pre-installed on Kali. However, to use the Community Edition, visit the Maltego website and create an account. Once you have created an account, you will receive a key that will enable you to use the CE.

3. Fresh Install: If you are performing a fresh install on Windows, Mac, or Linux, Paterva (the developer of Maltego) provides a step-by-step installation guide on their website. Simply follow the instructions provided to install Maltego on your desired platform.

https://docs.maltego.com/support/solutions/articles/15000008704-installing-maltego

What is all this API/Transform nonsense?

An API, or Application Programming Interface, is a system that allows different software programs, such as Shodan and Threatminer, to connect and communicate with each other. Within the Maltego framework, these linkages are known as "Transforms." Some Transforms are available for free in the Maltego CE (Community Edition) version, while others require payment.

When using the free version of Maltego, not all Transforms are pre-installed. To use these additional Transforms, you will need to sign up on each corresponding website and obtain an API code. This API code is then used to activate the specific Transform you wish to use.

Depending on your specific requirements, you can focus on obtaining Transforms that are tailored for OSINT (Open Source Intelligence), Threat Intelligence, Organization Mapping, and more. This allows you to minimize the amount of manual work needed for activation.
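A Transform is ultimately a program that takes one entity and returns linked entities in Maltego's XML response format. The following is an added example, not code from the post or from Maltego: a minimal local transform that turns a Domain entity into NS, MX and email entities, exactly the kind of links the domain walkthrough below produces. The DNS and email records are constructed sample data so it runs offline; a real transform would query DNS or an OSINT API in their place.

```python
"""Maltego local transform (added example, not from the post): Domain -> NS/MX/email.
Prints the MaltegoTransformResponseMessage XML that Maltego reads from stdout.
The records below are constructed sample data so the script runs offline."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample records keyed by domain (not real lookup results).
SAMPLE_RECORDS = {
    "example.com": {
        "NS": ["ns1.example.net", "ns2.example.net"],
        "MX": ["mail.example.com"],
        "EMAIL": ["webmaster@example.com"],
    }
}

# Maltego built-in entity type for each record kind.
ENTITY_TYPES = {
    "NS": "maltego.NSRecord",
    "MX": "maltego.MXRecord",
    "EMAIL": "maltego.EmailAddress",
}


def build_response(domain, records=SAMPLE_RECORDS):
    """Return the transform response XML for one Domain entity value."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for kind, values in records.get(domain.lower(), {}).items():
        for value in values:
            ent = ET.SubElement(entities, "Entity", Type=ENTITY_TYPES[kind])
            ET.SubElement(ent, "Value").text = value  # ElementTree escapes XML
            ET.SubElement(ent, "Weight").text = "100"
            fields = ET.SubElement(ent, "AdditionalFields")
            ET.SubElement(fields, "Field", Name="source", DisplayName="Source",
                          MatchingRule="strict").text = domain
    msgs = ET.SubElement(resp, "UIMessages")
    ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = (
        f"{len(entities)} entities found for {domain}")
    return ET.tostring(root, encoding="unicode")


def entity_values(xml_text):
    """Parse a response back into (entity type, value) pairs."""
    root = ET.fromstring(xml_text)
    return [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    print(build_response(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```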

To initiate a simple network reconnaissance, the process begins by utilizing a domain name to gain insights into the organization's infrastructure and discover any additional websites owned by them. It is astonishing to uncover a significant amount of information solely by employing a domain name. Proceed by clicking on the "new graph" button situated in the upper left corner, which will create an empty graph pane for further investigation.



Locate the Domain option in the Entity Palette on the left-hand side, and then use drag and drop functionality to place it onto your empty graph pane.



To begin investigating a specific domain, follow these steps:

1. Locate and double click on the domain icon.
2. Modify the existing domain name to the one you wish to investigate.
3. As an example, let's say we want to investigate hbo.com, so replace the existing domain name with "hbo.com".


To access the Run Transforms box, simply right-click on the domain icon. In this box, you have the option to search for specific items by scrolling through the palette and selecting them. However, if you prefer a more comprehensive approach, you can choose to Run All Transforms by selecting the fast forward arrows located next to it.


When the Run Transform option in Maltego is chosen, the software immediately starts mapping out the network's structure on a graph. It is important to note that the graph pane on the left side provides various layout options for visualizing the graph.


Upon viewing the image provided, various types of information become apparent, such as DNS servers, associated websites, related email addresses, and email servers.


These connections can be utilized to establish more comprehensive connections, such as linking names with corresponding email addresses and phone numbers.


Now, let's examine one of the individuals associated with hbo.com, named "Thomas Peterson." To access more details about him, simply right-click on Thomas's icon and select the option "Run All Transforms."


Once the transformations are completed, a comprehensive graph displaying all emails associated with Thomas Peterson will be included.

Engaging in such searches can occasionally uncover peculiar discoveries. I have come across numerous amusing or concealed emails in my past encounters with similar searches.

To run an email address in Maltego, follow these steps. Firstly, I became interested in locating Thomas’s Rick Grimes Tormail address, hence I decided to further investigate. Begin by creating a new graph using the same procedure we used in the previous step. This time, go to the Entity Palette and select Email Address. Then, drag the selected Email Address entity and drop it onto the empty graph.


To search for a specific email address, double-click on the email address icon and replace the text with the desired email address. As an example, I utilized "realrickgrimes@tormail.org".

To execute All Transforms, simply right-click on the email address icon and choose the fast forward arrows.


Once the transformations are complete, a visual representation of all the connections to the specified address will appear in the form of a graph. This graph allows you to observe that the email address realrickgrimes@tormail.org is associated with an individual named "Rick Grimes," who in turn is linked to numerous other email addresses. The connection between Rick and carl.grimes1995@gmail.com caught my attention, prompting me to initiate another round of transformations solely focused on that particular email address.


Through an email from Carl.grimes1995@gmail.com, I discovered more fascinating individuals such as Carl Grimes and Steve Brule. It seems like I am gradually becoming engrossed in an overwhelming amount of references from the show "Walking Dead," so I decided to take action by investigating Steve Brule.


Running transforms on Steve Brule produced the email addresses steve@checkitout.com and steve@brule.com, as well as the website checkitout.com.
When I attempted to access the website, I discovered that it was inactive. Therefore, I ran a quick WHOIS lookup. The results revealed that the website's registration belonged to CSC Global, a prominent company specializing in digital brand services and domain management.


The Hearst Corporation was the registrant before.



At this stage, rather than delving deeper into the Steve Brule rabbit hole, I believe that the domain was held by the Hearst organization and is now held by CSC, either to safeguard it from abuse or to potentially sell it in the future.

As demonstrated, there are numerous exciting possibilities that can be explored through a basic domain and email search using Maltego! You can personally experience Maltego by conducting a search on your own email address or website, and observe the connections that can be unveiled. Take it a step further by searching for your phone number, and discover how it can be associated with you.
