Review: Digital Intelligence Gathering Using Maltego

docrice Member Posts: 1,706
Think you can hide on the Internet? If you leave even a few digital breadcrumbs behind, someone can follow your trail and find you hiding in that cave a hundred miles below the Earth's surface.

At Black Hat 2013 some weeks back, I took a two-day class on using Maltego to do just that.

Other security training classes that I've previously taken have mentioned Maltego in passing, but never dove into it. This is probably because 1) the older community versions of the tool had some painfully crippling limitations, 2) those vendor-neutral courses didn't want to unnecessarily praise a commercial product, and 3) most importantly, you can essentially do what the tool does manually, using other native operating-system tools or online resources.

But that said, using Maltego as part of an investigation provides some nice visual tracks to follow, assuming you carefully proceed along logical lines of thought. It's very easy (and misleading) to simply extract all the information possible at once and end up with a nice collection of gibberish data with too many false inferences.

Digital Intelligence Gathering Using Maltego was taught by two people - Chris Bohme and Andrew Macpherson, both employees of Paterva (the organization which produces Maltego). As a matter of fact, they're the only employees of Maltego. I never realized how small Paterva is.

Here's their YouTube channel:

The class was structured around the newest release version known as Tungsten. More than just "these are the buttons Maltego has and how to use them," the class is focused on leveraging open source intelligence (freely-available data which can be extracted from public sources) and finding your target. From what I've heard, if there's one step that many pentesters tend to skip, it's reconnaissance, a critical part of the overall process of determining the attributes of a person or organization for much more efficient intrusion and exfiltration later on.

I've made very little use of Maltego in the past, although I have a licensed copy at work. This is partly due to getting other priorities done, but also because I've never understood how to use the tool properly. Going through the course was very helpful in realizing what I've been doing wrong and seeing other tricks in gathering more information.

The course is a bit of lecture, some review of the architecture of online information resources (in case some students are completely oblivious to certain fundamentals like how DNS works), and lots of hands-on time digging for clues and unearthing the target hidden in the vast online metropolis of the Internet, pivoting from one information type to the next and connecting the dots. All this is complemented by real-world use-cases. The last part of the second day involves a capture-the-flag challenge. By this point, one student was exhausted and was about to leave, although the instructors provided the additional inspiration to keep her going.

I've only seen this class available at Black Hat conferences, although I'm assuming it's probably available elsewhere or through direct in-person training for your company. Overall this was a fun class, but most people can probably make do with other tools to perform recon. Maltego's licensing is relatively cheap, though, and it's pretty slick to look at when demonstrating recon visually to folks who don't understand how this sort of thing works. It also has that cool factor if you want the typically-unrealistic Hollywood operating system representation of information security.

If anything, Maltego can visually provide good justification on why certain areas of security need to be improved to reduce leaks from metadata, public information postings, liability from working with third parties who may disclose information unintentionally, etc., all the while being a powerful tool (in the right hands) to spot your own weaknesses from the perspective of the outside world. You may be tempted to lock your windows a bit more tightly after you evaluate your own exposure.

  • azmatt Member Posts: 114
    As always, thank you so much for your post training reviews. I (and I'm sure many others) love to read them and benefit from them.

    How was your blackhat experience overall?
  • docrice Member Posts: 1,706
    This year's Black Hat USA 2013 was decent and as usual had way too many things going on at once. This is why buying the conference videos is sort of crucial, because there are always a bunch of talks I'd miss out on. Next year is apparently going to be at Mandalay Bay (the conference center there looks massively huge). After four days walking around in Caesar's Palace, I got real tired of their coffee. There were sponsored workshops which looked interesting as well, which I missed out on.

    I was in the crowd during the General Alexander keynote when one or more people called the General out about the NSA program. That was ... interesting. Not unexpected, of course.

    On a side note, DEF CON didn't seem as populated as last year, but I wasn't as engaged by the time it came around. A week in Vegas is a long time for me. Last year I did four days of Black Hat training and the length of the trip got too long by the time DEF CON ended.
  • Master Of Puppets Member Posts: 1,210
    Thanks for the awesome review! Very useful.
    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
  • cgrimaldo Member Posts: 439
    Thanks for the review!
  • JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+), Surf City, USA, Admin Posts: 11,665
    I'm wondering about the attendance at Defcon too. It was 15K last year at DC20; it wouldn't surprise me if there were a few K less this year (and no, not because the Feds stayed away). There were a lot of first-timers there (as evidenced by the raised hands when asked at the beginning of the talks), and the talks were let out five minutes sooner to allow people to get to their next talk more easily, which pretty much killed the in-talk Q&A segments. There were also a lot more villages and Skytalks to spread the attendees out too, so maybe it only seemed like a smaller crowd.

    Oh, Gen Alexander's BH talk is on YouTube in full. The "shouted down by hecklers" turns out to be one guy talking out of turn during the Q&A segment.