Network reconnaissance is the first phase of almost every intrusion and every penetration test, and Maltego is one of the most effective tools for it: starting from nothing but a domain name, it can map a company's DNS, mail and hosting providers, IP netblocks and autonomous system. This guide walks through that process, fingerprinting a network with Maltego on Linux.
Introduction to Maltego
Maltego is a graphical link-analysis tool for open-source intelligence (OSINT): it gathers data about a starting entity through "transforms" and draws the results as a graph, so relationships between domains, servers, networks and organizations become visible. Originally developed by Paterva (now Maltego Technologies), it is commercial software with a free Community Edition rather than an open-source project.
Getting Started with Maltego
Installation on Linux
Installing Maltego on Linux is straightforward. Download the latest release for your distribution from the official Maltego website and follow the installation instructions provided there; Kali Linux also ships Maltego in its package repositories. After installation, register an account and let the client initialize its transforms before starting an investigation.
Here are the steps to install Maltego on a Linux system:
Selecting the Target and Identifying the Website
Finding More Websites with Tracking Codes
To find domains belonging to the same organization, we start from the tracking codes embedded in its website. Analytics and affiliate identifiers such as a Google Analytics ID or an Amazon affiliate tag are usually shared across every site a company runs, so they connect domains that nothing in DNS or WHOIS ties together. First turn the domain into a website entity: right-click the domain, type "website" into the transform search box and run the "To Website [Quick lookup]" transform. Then right-click the resulting website entity and run "To Tracking Codes".
For gap.com this produced no results, but run against tesla.com it surfaced linked domains. Right-clicking a tracking code entity and running "To Other Sites With Same Code" lists every other site Maltego knows to carry that code.
These links matter because they reveal domains controlled by the same business that are not otherwise publicly associated with it, such as regional brands, staging sites or acquisitions. Attackers exploit the fact that most firms reuse one analytics account across all their properties for simpler reporting; the flip side of that convenience is that the account ID doubles as an ownership marker. Treat a shared code as a lead to verify rather than proof, since agencies and page templates sometimes carry one code across unrelated clients.
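The pivot described above, as an added example rather than Maltego's own transform code: it extracts tracking identifiers from page bodies and inverts them into a code-to-domains index, which is what "To Other Sites With Same Code" answers from. The HTML fragments, domains and codes are constructed for the example, not real sites. It goes one step beyond the text by matching Universal Analytics IDs on the account part only (UA-account-property), since sister sites usually get different properties under one account.

```python
"""Pivot from tracking codes to related domains.

Added example, not Maltego's own transform code. It mirrors what the
"To Tracking Codes" and "To Other Sites With Same Code" transforms do, but on
HTML fragments constructed inline; in practice each page body would be fetched
from the site. All domains and codes below are hypothetical.
"""
import re
from collections import defaultdict

# Universal Analytics IDs have the form UA-<account>-<property>. Different
# properties of one account still point at the same organization, so only the
# account part is kept for matching.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\b(UA-\d{4,10})-\d{1,4}\b"),
    "ga4":              re.compile(r"\b(G-[A-Z0-9]{6,12})\b"),
    "tag_manager":      re.compile(r"\b(GTM-[A-Z0-9]{4,10})\b"),
    # Amazon affiliate tags travel as ?tag=... on amazon links.
    "amazon_affiliate": re.compile(r"amazon\.[a-z.]+/[^\s\"']*?[?&]tag=([A-Za-z0-9_-]+)"),
}


def extract_tracking_codes(html):
    """Return the set of (kind, code) pairs embedded in one page body."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for code in pattern.findall(html):
            found.add((kind, code))
    return found


def build_code_index(pages):
    """Invert domain -> html into (kind, code) -> set of domains carrying it."""
    index = defaultdict(set)
    for domain, html in pages.items():
        for code in extract_tracking_codes(html):
            index[code].add(domain)
    return index


def sites_with_same_code(index, domain):
    """Other domains that share at least one code with `domain`, keyed by code."""
    related = {}
    for code, domains in index.items():
        if domain in domains and len(domains) > 1:
            related[code] = sorted(domains - {domain})
    return related


# Constructed sample pages standing in for fetched HTML.
SAMPLE_PAGES = {
    "example-corp.com": (
        '<script>ga("create", "UA-1234567-1", "auto");</script>'
        '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD12"></script>'
        '<a href="https://www.amazon.com/dp/B000000000?tag=examplecorp-20">Buy</a>'
    ),
    # A sister brand: different GA property, same GA account and affiliate tag.
    "example-outlet.net": (
        "<script>gtag('config', 'UA-1234567-3');</script>"
        '<a href="https://www.amazon.co.uk/dp/B000000001?tag=examplecorp-20">Buy</a>'
    ),
    # Shares only the Tag Manager container.
    "example-labs.io": '<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD12"></script>',
    # Unrelated site with its own GA4 measurement ID.
    "unrelated.org": '<script>gtag("config", "G-ZZZ999XYZ");</script>',
}

if __name__ == "__main__":
    index = build_code_index(SAMPLE_PAGES)
    for code, others in sorted(sites_with_same_code(index, "example-corp.com").items()):
        print(f"{code[0]} {code[1]} -> {', '.join(others)}")
```

Run as a script it prints the three pivots from example-corp.com (the GA account, the GTM container and the affiliate tag) and the domains each one leads to; unrelated.org shares nothing and never appears.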
Name & MX Server Disclosure
Looking at a domain's NS and MX records reveals who runs its DNS and mail. Many organizations outsource both to third-party providers rather than hosting them internally, and attackers use that knowledge to build plausible pretexts, such as a fake notice from the mail provider. To pull the MX records, right-click the domain, type "mx" into the transform search box and run the "To DNS Name - MX (mail server)" transform; the mail server hostnames that appear identify the provider.
Typing "ns" instead lists the name server transforms; choose "To DNS Name - NS (name server)" to expose the domain's NS records. Name servers outside the company's own domain, such as a registrar's or a CDN's, indicate that DNS is hosted on a third-party platform.
Finding DNS servers
To enumerate the rest of the domain's DNS footprint, including the MX and NS records above, Maltego provides a transform set built for the purpose. Running the set executes ten separate transforms, each of which pulls further DNS details for the domain; the exact transforms it contains are listed in the figure below.
To run the whole set, right-click the domain entity added earlier and open the "PATERVA CTAS" group to see the available transform sets, then click the "Run All" icon next to "DNS from Domain". Note that these transforms execute on Maltego's public transform servers, so the DNS queries originate there rather than from your workstation.
The results of this set on a single domain, gap.com, can be dramatic: these pulls alone produced 183 DNS records, and alongside the NS and MX records they exposed additional websites associated with the domain.
Finding IP addresses connected to the target is the next step we may take once we have collected all the DNS addresses we can.
Figuring Out the IP Addresses
With a list of DNS names in hand, we resolve them to the IP addresses they point at to learn where the organization's services actually live. Larger firms often host some services themselves, and this is where recon starts to separate what is hosted internally from what is outsourced.
Select the DNS name entities, right-click them and open the "Resolve to IP" transform set. It contains only one transform, so "Run All" resolves every discovered DNS record to its IP address in a single pass. On larger networks this produces a large amount of data and begins to reveal the interconnected infrastructure behind the names.
Finding IP Netblocks
A netblock is a contiguous range of IP addresses allocated to, or announced by, a single organization. Once we identify a netblock belonging to the target, every address in it becomes a candidate for unknown services. Right-click a known IP address and run "To Netblocks [Using routing info]"; this derives the covering prefix from BGP routing data rather than from WHOIS, so it reflects who actually announces the address. With a netblock found, widen the search by right-clicking the netblock entity and running "To DNS Names in Netblock", which performs reverse (PTR) lookups across the range.
This returns the DNS names that point into the netblock and, with them, the owner's other services. If the names found in the range belong to other companies, the target is on shared hosting or some other shared arrangement, and those hosts stay out of scope regardless of how the netblock is registered.
Identifying the AS Number
Identifying a netblock also leads to its Autonomous System number (ASN), the identifier under which a network announces its prefixes in BGP. Large enterprises typically run their own AS, and once it is known, every netblock inside it can be enumerated, which in turn yields more DNS names and IP addresses. Right-click the target's netblock and run "To AS number" to find the AS it is announced from.
Next, identify the owner of the AS by right-clicking it and running "To Company" to obtain the organization it is registered to. For smaller firms this is usually their internet service provider or hosting company; for larger organizations it is often the company itself.
In our example, a netblock reached from a gap.com DNS name belonged to AS number 40526, and the company transform shows that AS registered to Gap, Inc. That strongly suggests that the netblocks inside it, and the IP addresses in those ranges, are held by our target rather than a third party. Confirm this per netblock with WHOIS before treating a range as in scope, because an organization's AS can still announce prefixes on behalf of subsidiaries or partners.
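The chain from the last four sections (DNS names to IPs, IPs to netblocks via routing data, netblocks to AS and owner, then reverse DNS across every netblock in the AS) as one added example, not Maltego's transform code. The lookup tables are constructed stand-ins for the live data those transforms fetch: the domain, the RFC 5737 documentation addresses, the private-range AS numbers and the owner names are all hypothetical. The same ownership check it applies to every name also answers the earlier NS/MX question of whether mail and DNS are self-hosted, and it flags third-party names found inside the target's own AS, which is the shared-hosting signal described above.

```python
"""Walk from DNS names to IPs, netblocks, AS numbers and owners, then back down.

Added example, not Maltego's transform code. The tables below are constructed
stand-ins for what "Resolve to IP", "To Netblocks [Using routing info]",
"To AS number", "To Company" and "To DNS Names in Netblock" fetch live; the
domain, addresses (RFC 5737 documentation ranges) and AS numbers (private
range) are hypothetical.
"""
import ipaddress
from collections import defaultdict

# Forward DNS: name -> IPv4 addresses (what "Resolve to IP" returns).
DNS_RECORDS = {
    "www.example.com":  ["203.0.113.10"],
    "shop.example.com": ["203.0.113.25"],
    "mail.example.com": ["198.51.100.7"],   # the MX host
    "ns1.example.com":  ["203.0.113.2"],    # a name server
    "vpn.example.com":  ["192.0.2.40"],     # lives in someone else's network
}

# Routing table: announced prefix -> origin AS (what "Using routing info" consults).
ROUTING_TABLE = {
    "203.0.113.0/24":  64500,
    "198.51.100.0/24": 64500,
    "192.0.2.0/24":    64501,
}

# AS -> registered owner (what "To Company" returns).
AS_OWNERS = {64500: "Example Corp", 64501: "Shared Hosting Ltd"}

# Reverse DNS inside the blocks (what "To DNS Names in Netblock" returns).
REVERSE_DNS = {
    "203.0.113.2":  "ns1.example.com",
    "203.0.113.10": "www.example.com",
    "203.0.113.25": "shop.example.com",
    "203.0.113.77": "staging.example.com",        # absent from forward DNS: new finding
    "198.51.100.7": "mail.example.com",
    "198.51.100.9": "relay.example-partner.net",  # third party inside the target's AS
    "192.0.2.40":   "vpn.example.com",
    "192.0.2.41":   "cust-other.sharedhost.example",
}


def netblock_for_ip(ip, routing_table=ROUTING_TABLE):
    """Longest-prefix match, the way a BGP lookup picks the covering route."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix in routing_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def netblocks_in_as(asn, routing_table=ROUTING_TABLE):
    """Every prefix announced from one AS."""
    return sorted(p for p, a in routing_table.items() if a == asn)


def names_in_netblock(prefix, reverse_dns=REVERSE_DNS):
    """Reverse-DNS names whose address falls inside the prefix."""
    net = ipaddress.ip_network(prefix)
    return sorted(n for ip, n in reverse_dns.items() if ipaddress.ip_address(ip) in net)


def fingerprint(domain, org, dns_records=DNS_RECORDS):
    """names -> IPs -> netblocks -> ASNs -> owners, then every name in those ASNs."""
    suffix = "." + domain
    blocks = (netblock_for_ip(ip) for ips in dns_records.values() for ip in ips)
    netblocks = {str(b) for b in blocks if b is not None}
    asns = {ROUTING_TABLE[b] for b in netblocks}

    # Back up the chain: all prefixes in each AS, then every reverse name in them.
    names_by_as = defaultdict(set)
    for asn in asns:
        for block in netblocks_in_as(asn):
            names_by_as[asn].update(names_in_netblock(block))

    # A target name whose addresses sit in an AS the target does not own is
    # externally hosted; applied to MX/NS hosts this is the self-hosted-or-not check.
    def hosted_by_target(name):
        return all(AS_OWNERS[ROUTING_TABLE[str(netblock_for_ip(ip))]] == org
                   for ip in dns_records[name])

    all_names = set().union(*names_by_as.values())
    return {
        "netblocks": sorted(netblocks),
        "asns": {asn: AS_OWNERS.get(asn, "unknown") for asn in asns},
        "new_names": sorted(n for n in all_names
                            if n.endswith(suffix) and n not in dns_records),
        "third_party_names": {asn: sorted(n for n in names if not n.endswith(suffix))
                              for asn, names in names_by_as.items()},
        "externally_hosted": sorted(n for n in dns_records if not hosted_by_target(n)),
    }


if __name__ == "__main__":
    for key, value in fingerprint("example.com", "Example Corp").items():
        print(f"{key}: {value}")
```

With the constructed data the walk finds staging.example.com only through reverse DNS, shows vpn.example.com hosted in an AS the target does not own, and flags a partner's relay inside the target's own AS; each of those is a different scoping decision on a real engagement.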
Backing Up the Chain
Every piece of data Maltego finds can be used to trace back up the chain. Starting from the AS number, we expose its netblocks, which contain IP addresses, which resolve to DNS names, and those names in turn resolve to further addresses and domains that replenish the target pool. This circular method provides continual discovery, but the graph becomes crowded over time and relationships get hard to see. The default view is not useful at a distance, so two adjustments make the relationships clearer. First, switch to the "Organic" layout from the upper-left window; it arranges the graph compactly and places closely related entities nearer to each other.
That view is more compact, and we can emphasize relationships further by clicking the downward arrow on the "Manage View" icon in the top left and changing the view to "Ball Size by Diverse Descent".
Maltego's user guide describes it as follows: "With diverse descent, entities are scaled based on the number of inbound links they have. However, incoming linkages with distinct grandparent entities are weighted more heavily." The figure below from the Maltego user guide illustrates this.
Applied to the graph in organic view, this makes it far clearer which entities are strongly connected and likely to be of interest: a DNS name reached from several netblocks across different autonomous systems grows larger than one reached the same number of times from a single lineage. We can then concentrate on the larger entities and investigate the links between them.
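The ranking rule behind "Ball Size by Diverse Descent", as an added example rather than Maltego's code. The page quotes the rule but not the exact weighting, so the score used here is an assumption: inbound links plus one per distinct grandparent entity behind them. The graph is constructed in the AS-to-netblock-to-IP-to-name direction the transforms discovered it, and every entity in it is hypothetical.

```python
"""Rank graph entities the way the "Ball Size by Diverse Descent" view does.

Added example, not Maltego's code. The page quotes the rule (inbound links
count, links arriving via distinct grandparents count more) but not the exact
weighting, so the score here is an assumption: inbound links plus the number of
distinct grandparent entities behind them. The graph is constructed and the
entities are hypothetical.
"""
from collections import defaultdict

# Directed edges parent -> child, in the direction the transforms discovered them:
# AS -> netblock -> IP address -> DNS name.
EDGES = [
    ("AS64500", "203.0.113.0/24"),
    ("AS64500", "198.51.100.0/24"),
    ("203.0.113.0/24", "203.0.113.10"),
    ("203.0.113.0/24", "203.0.113.11"),
    ("198.51.100.0/24", "198.51.100.7"),
    ("203.0.113.10", "www.example.com"),     # two inbound links, one lineage
    ("203.0.113.11", "www.example.com"),
    ("203.0.113.10", "mail.example.com"),    # two inbound links, two lineages
    ("198.51.100.7", "mail.example.com"),
    ("203.0.113.10", "static.example.com"),  # one inbound link
]


def parents_index(edges):
    """child -> set of parents."""
    parents = defaultdict(set)
    for parent, child in edges:
        parents[child].add(parent)
    return parents


def diverse_descent_score(node, parents):
    """Inbound links, plus one per distinct grandparent (assumed weighting)."""
    inbound = parents.get(node, set())
    grandparents = set()
    for parent in inbound:
        grandparents |= parents.get(parent, set())
    return len(inbound) + len(grandparents)


def rank_entities(edges):
    """All entities, highest score first; ties broken by name for stable output."""
    parents = parents_index(edges)
    nodes = {n for edge in edges for n in edge}
    return sorted(((diverse_descent_score(n, parents), n) for n in nodes),
                  key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for score, name in rank_entities(EDGES):
        print(f"{score:2d}  {name}")
```

Both www.example.com and mail.example.com have two inbound links, but mail.example.com is reached through two different netblocks and so outranks www.example.com, which is exactly the distinction the view draws by ball size.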
Facilitating Automated Attacks
With Maltego, an attacker can quickly assemble a detailed picture of a target's network from a single domain: its mail and DNS providers, its hosting arrangements, and every IP address announced under the company's AS number. That picture is the input to active reconnaissance; the discovered addresses can be fed straight into automated vulnerability scanners, and the map of which services are self-hosted versus outsourced helps an attacker pick the weakest, most efficient target. Defenders should run the same exercise against their own domains, since every entity on the resulting graph is an externally visible asset that needs an owner and a patching cadence.