
# Footprinting with Maltego

![](/files/a1638966c56d810d8d0ad11dd881ecc60df52c81)

In this exercise we will use the free version (`Community Edition`) of **`Maltego`** to understand how this tool can be used to carry out **`footprinting`** of a target website.

## Installing Transforms

In Maltego, the "modules" are called `Transforms`. Each of them provides functionality and various types of `scans` that we can use.

To install **`transforms`**, Maltego has a section called **`transform hub`**:

![](https://i.imgur.com/2jLKfOH.png)

The `hub` is a kind of `store or market` where we can find paid `transforms`, free ones, and some that offer free trials. We have `filters` to refine our search. In this particular case we will use only `free transforms` for our web reconnaissance exercise.

In my case I will use the following free transforms:

![](https://i.imgur.com/2WCbem9.png)

The installation of the `transforms` is simple: just `click` each one and choose the `install` option. A window will then open to begin the installation.

![](https://i.imgur.com/Zl42thC.png)

Some `transforms` like the one from `Shodan`, require an `API Key` to function and will ask for it during installation:

![](https://i.imgur.com/tz71trn.png)

## Web reconnaissance with Maltego

The objective of this exercise is to generate a `web reconnaissance using Maltego and the transforms` that we installed previously.

### Creating a new scan

To start we generate a new `graph` from the Maltego menu:

![](https://i.imgur.com/LQyXoPm.png)

Once it is created, we see that we have a sort of empty `canvas` where we will be able to organize the elements of our scan. These elements in Maltego are called `Entities`. We can see a list of them in the `panel on the left` of our `canvas`, grouped by category.

### Defining the Domain (Entities)

The `Entities` allow us to place in the `canvas` the different types of `devices`, `events`, `infrastructures`, `locations`, `Personal`, etc.

To begin our scan, we look in the list of entities for the entity called `Domain`:

![](https://i.imgur.com/ewAAXik.png)

To add our entity to the `canvas`, just drag and drop it onto it. By default this entity points to `paterva.com`. We need to adjust that value and point it to our target. For that we have 2 ways:

* **Option 1:** Double `click` on the `text` of the `entity` and change the `value` to the `target domain`:
  * ![](https://i.imgur.com/d6OIkRN.png)
* **Option 2:** Edit the `domain` using the properties panel of the `entity` (this panel is generic to any `entity` that we have selected):
  * ![](https://i.imgur.com/K4Nx6PL.png)

In my case I will use as `target` an online news website:

* `https://semanarionuestragente.com/`

### Performing the first Manual scan

In Maltego each `entity` offers us various types of scan (they are actually also called `transforms`). These are enabled by the `transforms` that we have installed. Each entity can contain different types of `scans` available according to its type. To see the `scans` available, we can `right click` on the entity:

![](https://i.imgur.com/mUCw5A4.png)

We see that the contextual menu that unfolds is called `Run Transforms`. It shows us each `transform` installed. We can `click` on one in particular, or we can `click` on `All Transforms` to see the complete list of available options:

![](https://i.imgur.com/s0EL8nJ.png)

We will start by doing a scan of the type `whois`. We can use the search bar of the contextual menu to refine the list and for example see the `scans` of type `whois` that are available:

![](https://i.imgur.com/vSU6ymG.png)

In this case we will try the `transform` (scan) called `to DNS - NS (Name Server)`. When we `click` it, the selected scan/transform is executed. We see that after a moment `2` new entities appear in our `canvas`. We can also see that each `transform/scan` generates a `log` when executed that is shown in the `output` window below the `canvas`:

![](https://i.imgur.com/GMryuvF.png)

In this way we see that we obtain both `Name Servers` that are linked to our target. These new entities allow us to run additional `scans`. Let's see which are available for `ns69.domaincontrol.com`:

![](https://i.imgur.com/6f5w3wZ.png)

Let's try running the `transform` called `To Domains [Sharing this NS]`, and when running it we see that it updates our `canvas` with all the domains that also use that same `Name Server`:

![](https://i.imgur.com/1cMuUgZ.png)

We can already get an idea of Maltego's potential to do reconnaissance of our targets. Let's take for our next scan `jamibgoode.com` and run the `To Email Address [from whois info]` `transform`:

![](https://i.imgur.com/4tMGV8j.png)

We see that in this way we manage to list the email that is specified in the `whois` records for that domain. In this way we can begin to obtain information about our target, but Maltego also offers us another automated way to perform `footprinting` scans using what is called `machines`.
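Seen from the defender's side, the `To Email Address [from whois info]` step shows what a domain's WHOIS record gives away to any reconnaissance tool. The following is an added example (not part of the original page or of Maltego) that audits WHOIS text for unredacted contact fields; the sample records, field patterns and redaction markers are constructed assumptions.

```python
import re

# Contact lines in the common "Registrant Email: value" style (labels vary by registry).
CONTACT_FIELD = re.compile(
    r"^[ \t]*(Registrant|Admin|Tech)[ \t]+(Name|Organization|Email|Phone)[ \t]*:[ \t]*(.*)$",
    re.IGNORECASE | re.MULTILINE,
)
# Assumed substrings that indicate registry redaction or a privacy/proxy service.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "withheld", "not disclosed")

# Constructed sample records, not real WHOIS output.
SAMPLE_EXPOSED = """\
Domain Name: example.org
Registrant Name: Jane Doe
Registrant Organization:
Registrant Email: jane.doe@example.org
Admin Email: it-admin@example.org
Name Server: ns1.example.net
"""
SAMPLE_REDACTED = """\
Domain Name: example.com
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: abc123@privacy-proxy.example
Tech Phone: REDACTED FOR PRIVACY
"""


def audit_whois(record: str) -> dict:
    """Split the contact fields of a WHOIS record into exposed and redacted."""
    exposed, redacted = [], []
    for role, field, value in CONTACT_FIELD.findall(record):
        value = value.strip()
        if not value:  # empty field: nothing disclosed
            continue
        label = f"{role.title()} {field.title()}"
        if any(marker in value.lower() for marker in REDACTION_MARKERS):
            redacted.append(label)
        else:
            exposed.append((label, value))
    return {"exposed": exposed, "redacted": redacted}


if __name__ == "__main__":
    for name, record in (("exposed", SAMPLE_EXPOSED), ("redacted", SAMPLE_REDACTED)):
        print(name, audit_whois(record))
```
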

## Using Machines for Automatic Footprinting

Maltego provides us with different `machines` that are a kind of pre-set `scans` that we can run automatically for the target domain we have defined. Let's see how we can use `machines` to do `footprinting`, this time for the domain `kimballoon.com`:

![](https://i.imgur.com/QauHK22.png)

First we locate the `machine` that we want to run; for this exercise we will use the one called `Footprint L1`. Just `click` on the desired machine to run it:

{% hint style="warning" %}
In the **`community`** version of **`Maltego`** the functionality and power of these **`machines is limited.`**
{% endhint %}

![](https://i.imgur.com/xb1uLqi.png)

After running the **`machine`**, in the upper right of the Maltego screen we see the result of the `scans/transforms` executed by that `machine`. And when we look at the `canvas` we see that we have multiple new `entities`, each of which continues providing us with additional information for our `footprinting`:

![](https://i.imgur.com/etwMmj1.png)

We see that in this case the `footprinting` performed generates in our `canvas` a considerable number of new `entities` of varied types. Each of them allows us to run additional `transforms` to obtain further information and details, which we can then collect to build as complete a picture as possible of our target.

As we can observe, Maltego's power is considerable, and the ease of use it offers makes it a formidable tool for our **`footprinting`** and **`reconnaissance`**.

During this simple exercise we saw some of the functionalities that Maltego offers; certainly there are many more to discover, learn and use. I hope this text is useful and helps to begin exploring this powerful tool.

