Maltego is an open source intelligence and forensics application. It allows you to mine and gather information and represent the information in a meaningful way. The phrase open source in Maltego means that it gathers information from open source resources. After gathering the information, Maltego allows you to identify the key relationship between the information gathered.
Maltego is a tool that can graphically display the links between data, so it will make it easier to see the common aspects between pieces of information.
Maltego allows you to enumerate the following internet infrastructure information:
- Domain names
- DNS names
- Whois information
- Network blocks
- IP addresses
It can also be used to gather the following information about people:
- Companies and organizations related to the person
- Email addresses related to the person
- Websites related to the person
- Social networks related to the person
- Phone numbers related to the person
- Social media information
Kali Linux, by default, comes with Maltego 3.6.1 Kali Linux edition. The following are the limitations of the community version:
- Not for commercial use
- A maximum of 12 results per transform
- You need to register yourself on our website to use the client
- API keys expire every couple of days
- Runs on a (slower) server that is shared with all community users
- Communication between client and server is not encrypted
- Not updated until the next major version
- No end user support
- No updates of transforms on the server side
There are more than 70 transforms available in Maltego. The word transform refers to the information gathering phase of Maltego. One transform means that Maltego will only do one phase of information gathering.
To access Maltego from the Kali Linux menu, navigate to Application | Information Gathering | Maltego. There is also a start icon on the desktop, or you can use the console and type the following command:
# maltego
You will see the Maltego welcome screen. After several seconds, you will see the following Maltego start up wizard that will help you set up the Maltego client for the first time.
Click on Next to continue to the next window and enter your login details. (Click on register here to create an account if you do not have login details.)
Once logged in, enter your personal details (name and email address).
You will then need to select the transform seeds, as shown in the following screenshot:
The Maltego client will connect to the Maltego servers in order to get the transforms. If Maltego has been initialized successfully, you will see the following screenshot:
This means that your Maltego client initialization has been done successfully. Now you can use the Maltego client.
Before we use the Maltego client, let's first look at the Maltego interface:
On the top-left side of the preceding screenshot, you will see the Palette window. In the Palette window, you can choose the entity type for which you want to gather the information. Maltego divides the entities into six groups, as follows:
- Devices such as phone or camera
- Infrastructure such as AS, DNS name, domain, IPv4 address, MX record, NS record, netblock, URL, and website
- Locations on earth
- Penetration testing
- Personal such as alias, document, email address, image, person, phone number, and phrase
- Social network such as Facebook object, Twitter entity, Facebook affiliation, and Twitter affiliation
In the top-middle of the preceding screenshot, you will see the different views:
- Main View
- Bubble View
- Entity List
Views are used to extract information that is not obvious from large graphs—where the analyst cannot see clear relationships via the manual inspection of data. Main View is where you work most of the time. In Bubble View, the nodes are displayed as bubbles, while in the Entity List tab, the nodes are simply listed in text format.
Next to the views, you will see different layout algorithms. Maltego supports the following four layout algorithms:
- Block layout: This is the default layout and is used during mining.
- Hierarchical layout: The hierarchical layout works with a root and subsequent branches for hosts. This provides a branch structure to allow for visualization of parent/child relationships.
- Centrality layout: The centrality layout takes the most central node and then graphically represents the incoming links around the nodes. This is useful when examining several nodes that are all linked to one central node.
- Organic layout: The organic layout displays the nodes in such a way that the distance is minimized, giving the viewer a better overall picture of the nodes and their relationships.
After a brief description of the Maltego client user interface, it's time for action.
Let's suppose you want to gather information about a domain. We will use the example.com domain for this example. We will explore how to do this in the following sections:
- Create a new graph (Ctrl + T) and go to the Palette tab.
- Select Infrastructure, and click on Domain.
- Drag it to the main window. If successful, you will see a domain called paterva.com in the main window.
- Double-click on the name and change it to your target domain, such as example.com, as shown in the following screenshot:
- If you right-click on the domain name, you will see all of the transforms that can be done to the domain name:
- DNS from domain
- Domain owner's details
- Email addresses from domain
- Files and documents from domain
- Other transforms, such as To Person, To Phone numbers, and To Website
- All transforms
- Let's choose DomainToDNSNameSchema from the domain transforms (Run Transform | Other Transforms | DomainToDNSNameSchema). The following screenshot shows the result:
After the DNS from Domain transform, we got information on the website address (www.example.com) related to the example.com domain.
You can run other transforms to the target domain.
If you want to change the domain, you need to save the current graph first. To save the graph, follow these steps:
- Click on the Maltego icon, and then select Save.
- The graph will be saved in the Maltego graph file format (.mtgx). To change the domain, just double-click on the existing domain and change the domain name.
Next, we will describe several tools that can be used for getting routing information.