Maltego Transforms

Creating Local Maltego Transforms for our DNS reconnaissance tools has been on my to-do list for a while now. I am happy to say they are now available and it is a sweet way to perform infrastructure mapping from a domain.

What is Maltego?

Maltego is a cross-platform application for performing link analysis. Discover relationships between entities and build a visual representation of different data with a graph based layout.

A transform is a process that pulls new data related to the entity, automatically extending the graph.

Maltego is commonly used for reconnaissance in penetration testing engagements and open source intelligence analysis (OSINT). It is possible to understand the relationship between infrastructure, services, and even users when mapping an organisations attack surface.

Using a Local Maltego Transform

There are two types of Transforms within Maltego. One runs on servers remotely, the other can run locally on the system running Maltego. Of course, as is the case with the Hacker Target Transforms, while it runs locally, the data is pulled remotely from the Hacker Target API.

Installing the Hacker Target Maltego Transforms

To run the transform, you need to have python installed along with the requests module for retrieving the data over a HTTP request. I have not tested on Windows, only on Linux, but it should work on all platforms.

The installation is straight forward. Clone (or download) the git repository. Place the files in a local directory, and add the Transforms to your Maltego installation. Either manually or by using the mtz file (Maltego Configuration File).

Head over to Hacker Target GitHub page to grab the necessary files and see the detailed installation instructions.

API Quota

With no API key set, you are limited by the number of requests you can perform each day. With a Membership, this number can be increased. If you have a membership remember to add your API key to the three transform files.

What data is available

Currently, there are three transforms available. All based on host name enumeration, for the express purpose of discovering the attack surface of a target organisation.

  • - search against a domain and pull known subdomains
  • - search against an IP address and retrieve other host records pointing to that IP
  • - search against a NS and get host records that are pointing to this NS server

This can be a circular process, as new hosts are discovered resolve these to IP address, and perform the reverse IP search. As new domains are discovered search against these with the host name search.

Sounds great but what does it looks like?

Click for Demo


Maltego is a fun way to explore targets. Whether penetration testing, running down bug bounties, researching an organisation's infrastructure, or simply curious, Maltego provides a lot of value even from the community version and Hacker Target's Free API access.