Creating Local Maltego Transforms for our DNS reconnaissance tools has been on my to-do list for a while now. I am happy to say they are now available and it is a sweet way to perform infrastructure mapping from a domain.
What is Maltego?
Maltego is a cross-platform application for performing link analysis. Discover relationships between entities and build a visual representation of different data with a graph based layout.
transform is a process that pulls new data related to the entity, automatically extending the graph.
Maltego is commonly used for reconnaissance in penetration testing engagements and open source intelligence analysis. It is possible to understand the relationship between infrastructure, services, and even users when mapping an organisations attack surface.
Using a Local Maltego Transform
There are two types of Transforms within Maltego. One runs on servers remotely, the other can run locally on the system running Maltego. Of course, as is the case with the Hacker Target Transforms, while it runs locally, the data is pulled remotely from the Hacker Target API.
Installing the Hacker Target Maltego Transforms
To run the transform you need to have
python installed along with the
requests module for retrieving the data over a
HTTP request. I have not tested on Windows, only on Linux, but it should work on all platforms.
The installation is straight forward. Clone (or download) the
git repository. Place the files in a local directory, and add the Transforms to your Maltego installation. Either manually or by using the
mtz file (Maltego Configuration File).
With no API key set, you are limited by the number of requests you can perform each day. With a HackerTarget.com Membership, this number can be increased. If you have a membership remember to add your API key to the three transform files.
What data is available
Currently, there are three transforms available. All based on
host name enumeration, for the express purpose of discovering the attack surface of a target organisation.
- GetHostNames.py - search against a domain and pull known subdomains
- GetReverseIP.py - search against an IP address and retrieve other host records pointing to that IP
- GetSharedDNS.py - search against a NS and get host records that are pointing to this NS server
This can be a circular process, as new hosts are discovered resolve these to IP address, and perform the reverse IP search. As new domains are discovered search against these with the host name search.
Sounds great but what does it looks like?
Maltego is a fun way to explore targets. Whether you are penetration testing, running down bug bounties, researching an organisations infrastructure or simply curious, you can get a lot of value from even the community version of Maltego (CE) and our Free access to the API.