Footprinting with Maltego
In this lab we will see how to use Maltego to perform footprinting.

In this exercise we will use the free version of Maltego (Community Edition) to see how this tool can be used to footprint a target website.
Installing Transforms
In Maltego the "modules" are called Transforms. Each of them provides functionality and various types of scans that we can use.
To install transforms, Maltego has a section called the Transform Hub:

The hub is a kind of store or market where we can find paid transforms, free ones, and some that offer free trials. We have filters to refine our search. In this particular case we will use only free transforms for our web reconnaissance exercise.
In my case I will use the following free transforms:

Installing the transforms is simple: just click each one and choose the install option. A window will then open to begin the installation.

Some transforms, like the one from Shodan, require an API key to function and will ask for it during installation:

Web reconnaissance with Maltego
The objective of this exercise is to perform web reconnaissance using Maltego and the transforms that we installed previously.
Creating a new scan
To start we generate a new graph from the Maltego menu:

Once it is created, we see that we have a sort of empty canvas where we will be able to organize the elements of our scan. These elements in Maltego are called Entities. We can see a list of them in the panel on the left of our canvas, grouped by category.
Defining the Domain (Entities)
Entities allow us to place on the canvas the different types of devices, events, infrastructures, locations, Personal, etc.
To begin our scan, we look in the list of entities for the entity called Domain:

To add our entity to the canvas, just drag and drop it onto the canvas. By default this entity points to paterva.com. We need to adjust that value and point it to our target. For that we have 2 ways:
Option 1: Double click on the text of the entity and change the value to the target domain:
Option 2: Edit the domain using the properties panel of the entity (this panel is generic to any entity that we have selected):
In my case I will use as target an online news website:
https://semanarionuestragente.com/
Performing the first Manual scan
In Maltego each entity offers us various types of scan (they are actually also called transforms). These are enabled by the transforms that we have installed. Each entity can contain different types of scans available according to its type. To see the scans available, we can right click on the entity:

We see that the contextual menu that unfolds is called Run Transforms. It shows us each transform installed. We can click on one in particular, or we can click on All Transforms to see the complete list of available options:

We will start by doing a scan of the type whois. We can use the search bar of the contextual menu to refine the list and for example see the scans of type whois that are available:

In this case we will try the transform (scan) called To DNS - NS (Name Server). Clicking it executes the selected scan/transform. We see that after a moment new entities appear in our canvas. We can also see that each transform/scan generates a log when executed that is shown in the output window below the canvas:

In this way we see that we obtain both Name Servers that are linked to our target. These new entities allow us to run additional scans. Let's see which are available for ns69.domaincontrol.com:

Let's try running the transform called To Domains [Sharing this NS]. When running it we see that it updates our canvas with all the domains that also use that same Name Server. We can already get an idea of Maltego's potential to do reconnaissance of our targets.

Let's take jamibgoode.com for our next scan and run the transform To Email Address [from whois info]:

We see that in this way we manage to list the email that is specified in the whois records for that domain. In this way we can begin to obtain information about our target, but Maltego also offers us another, automated way to perform footprinting scans using what are called machines.
Using Machines for Automatic Footprinting
Maltego provides us with different machines, which are a kind of pre-set scans that we can run automatically for the target domain we have defined. Let's see how we can use machines to do footprinting, this time for the domain kimballoon.com.

First we locate the machine that we want to run; for this exercise we will use the one called Footprint L1. Just click on the desired machine to run it:
In the community version of Maltego the functionality and power of these machines is limited.

After running the machine, in the upper right of the Maltego screen we see the result of the scans/transforms executed by that machine. Looking at the canvas, we see that we have multiple new entities, each of which continues providing us with additional information for our footprinting:

We see that in this case the footprinting performed generates in our canvas a considerable number of new entities of varied types. Each of them allows us to continue running additional transforms to try to obtain further information and details, which we can then collect to build as complete a picture as possible of our target.
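The To DNS - NS and To Email Address [from whois info] transforms used above read data that anyone can query, so the same fields can be audited for a domain you own. The following Python script is an added example, not part of the original lab: it parses a whois record and reports which contact emails and name servers it exposes. The sample record, the domain example.com and the list of privacy markers are constructed assumptions.

```python
import re

# Constructed whois output for illustration (not a real record).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: Jane Admin
Registrant Email: jane.admin@example.com
Admin Email: REDACTED FOR PRIVACY
Tech Email: proxy1234@privacy-service.example
Name Server: NS1.SHARED-DNS.EXAMPLE
Name Server: NS2.SHARED-DNS.EXAMPLE
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed markers of a privacy/proxy contact; extend for your registrar.
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "whoisguard")


def parse_whois(text):
    """Return (field, value) pairs from 'Key: Value' whois lines."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def audit_whois(text, domain):
    """Report the contact emails and name servers a whois record exposes."""
    report = {"exposed_emails": [], "masked_emails": [], "name_servers": []}
    for field, value in parse_whois(text):
        if field == "name server":
            report["name_servers"].append(value.lower())
        elif field.startswith("registrar"):
            continue  # the registrar's own contact, not the domain owner's
        for email in EMAIL_RE.findall(value.lower()):
            on_domain = email.endswith("@" + domain.lower())
            masked = any(hint in email for hint in PRIVACY_HINTS)
            # On-domain or unmasked addresses identify a real mailbox.
            bucket = "masked_emails" if masked and not on_domain else "exposed_emails"
            report[bucket].append((field, email))
    return report


if __name__ == "__main__":
    for section, items in audit_whois(SAMPLE_WHOIS, "example.com").items():
        print(section, items)
```

Any address listed under exposed_emails is what a whois-based transform would place on the canvas; enabling the registrar's privacy service or using a role mailbox moves it to the masked list.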
As we can observe, Maltego's power is considerable, and the ease of use it offers makes it a formidable tool for our footprinting and reconnaissance.
During this simple exercise we saw some of the functionalities that Maltego offers; certainly there are many more to discover, learn and use. I hope this text is useful and helps to begin exploring this powerful tool.

