Sploitego (Local) Partner in Crime
Maltego | Cygnos Information Security

Introduction
How you doin'
Nadeem Douba | www.cygnos.com

About Me
► Nadeem Douba
° Work at Cygnos (http://www.cygnos.com) in Ottawa, ON, Canada
° Certs: GWAPT, GPEN
° Worked in the InfoSec field for 10+ years.
° Love (European) football and hacking stuff...
► Been a Maltego fan-boy since the beginning...
► Helped port/appify Maltego for Mac OS X
© Nadeem Douba | www.sploitego.com

Presentation Overview
► What is Sploitego?
► Maltego - Briefly Explained
► Dive Into Development
° Before Sploitego
° After Sploitego
► Demos
► Conclusion
► Questions

What is Sploitego?
► Local Transform Development Framework for Maltego written in Python
► Provides:
° Rapid transform development
° Easy transform installation, management, and maintenance
° Complementary scripts and modules for data mining and debugging
° A whole bunch of cool transforms ©

But First...
► A little background on Maltego...

Background
Maltego Overview

What is Maltego?
► Open Source Intelligence (OSInt) and forensics information mining/gathering and graphing tool
► Developed by Paterva and PinkMatter

Maltego Demo
Just for Clarity

What is a Transform? - Cont.
► Two types of transforms:
° Remote: runs on a remote Paterva or third-party Transform Server.
° Local: runs on the user's local machine.
• This is where Sploitego comes in...

Remote Transforms - Pros & Cons
✓ Paterva's Transforms
  ✓ Awesome!!!
✓ Centralized Transform Management & Maintenance
✓ Implementation details hidden from the user (protects your IP)
✓ Minimal Client-Side Processing Overhead
x Limited Data Visibility
  x i.e. the server can only query data it can reach.
x Breach of Privacy
  x OSInt target/subject disclosed to a third party.
x Limited Client-Side Control
  x Transforms might not be evil enough ©

Local Transforms - Pros and Cons
✓ Full Client-side Control
  ✓ No limits as to how 1337 or evil your transforms can be ©
✓ Privacy
  ✓ OSInt subject need not be disclosed to a third party
✓ Great Data Visibility
  ✓ "The world is one's oyster"
✓ Extensible
  ✓ Maltego can be used for other types of data visualization ©
x Processing Overhead
  x Client's machine is responsible for running the transforms
x Development
  x It's in your hands (or somebody else's... just delegate ;)
x IP Disclosure
  x Implementation details are no longer hidden from users.
x Difficult to Maintain

Local Transform Development
The Nitty Gritty

How do Local Transforms Work?
► Maltego executes a local script or executable
► Input is passed via command line arguments:
  $ ./mytransform.sh <value> field1=value1#...#fieldN=valueN
► Transform results are returned via standard output in the Maltego XML message format
° See: http://paterva.com/web5/documentation/localTransforms-Speclll.pdf for more details
► Debugging messages are returned via standard error

Example - Transform Call
$ ./t.pl aspmx.l.google.com mxrecord.priority=0
• Note: the bolded property ("MX Record") below is the entity value (or Display Value); the remaining properties are passed as name=value fields.

Example - Transform Message
<MaltegoMessage>
  <MaltegoTransformResponseMessage>
    <Entities>
      <Entity Type="maltego.IPv4Address">
        <Value>0.0.0.0</Value>
        <Weight>1</Weight>
        <AdditionalFields>
          <Field DisplayName="Hardware Address" MatchingRule="strict" Name="ethernet.hwaddr">00:00:00:00:00:00</Field>
        </AdditionalFields>
      </Entity>
    </Entities>
  </MaltegoTransformResponseMessage>
</MaltegoMessage>

Writing a Local Transform Without Sploitego

Local Transform Development Checklist
► Learn the Maltego Local Transform Specification
° XML Messaging
° Debugging
° Etc.
► Develop Transform
° Input Parsing Logic
° Data Mining Logic
° XML Serialization Logic
° Debugging Facilities
► Install Transform
► Configure & Maintain Transform
► Define Entity in Maltego (Optional)

Hello World Transform

    #!/usr/bin/env python
    from sys import exit, argv, stderr
    from re import split


    def parseargs(args=argv):
        """Parse arguments for Maltego local transforms:
        <script> [param1 ... paramN] <value> [field1=value1#...#fieldN=valueN]"""
        if len(args) < 2:
            stderr.write('usage: %s [param1 ... paramN] <value> '
                         '[field1=value1#...#fieldN=valueN]\n' % args[0])
            exit(-1)
        arg_script = args[0]
        # The last argument is the field list only if it contains an '='.
        arg_field = args[-1] if len(args) > 2 and '=' in args[-1] else None
        arg_value = args[-1] if arg_field is None else args[-2]
        arg_param = []
        if arg_field is None and len(args) > 2:
            arg_param = list(args[1:-1])
        elif arg_field is not None and len(args) > 3:
            arg_param = list(args[1:-2])
        fields = {}
        if arg_field is not None:
            # Split on '#' separators that are not escaped with a backslash.
            fs = split(r'(?<=[^\\])#', arg_field)
            if fs is not None:
                fields = dict(map(lambda x: x.split('=', 1), fs))
        return arg_script, arg_param, arg_value, fields


    def debug(*args):
        """Send debug messages to the Maltego console via standard error."""
        for i in args:
            stderr.write('D:%s\n' % str(i))


    if __name__ == '__main__':
        args, params, value, fields = parseargs()
        debug('Running Hello World! Transform')
        # The whole response message is hard-coded XML written to standard output.
        print('<MaltegoMessage>'
              '<MaltegoTransformResponseMessage>'
              '<Entities>'
              '<Entity Type="maltego.Phrase">'
              '<Value>Hello %s!</Value>'
              '<Weight>1</Weight>'
              '<AdditionalFields></AdditionalFields>'
              '</Entity>'
              '</Entities>'
              '</MaltegoTransformResponseMessage>'
              '</MaltegoMessage>' % value)
        exit(0)

► 47 lines of code for a simple transform
° Not bad...
° But not great either
► XML is hard-coded
° Not reusable
° Debugging nightmare!
° Imagine returning 100+ entities with fields ©
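The following is an added example, not code from the slides or from Sploitego, showing the two halves of the local-transform contract described above written as reusable functions rather than a hard-coded print: parsing Maltego's `<value> field1=v1#field2=v2` argument convention, and serialising a MaltegoTransformResponseMessage with an XML library so that a value containing `<` or `&` (which an OSInt transform will eventually receive from a DNS record, a web page or a banner) is escaped instead of corrupting the message. The tag names follow the message shown above; the `\#` escape for a literal `#` inside a field value, the `UIMessages` element and the function names are assumptions.

```python
import re
import sys
import xml.etree.ElementTree as ET


def parse_input(argv):
    """Return (value, fields) from Maltego's argv convention:
    <value> [field1=v1#field2=v2...].  A '#' inside a field value is assumed
    to arrive escaped as '\\#' (assumption, not from the slides)."""
    if len(argv) < 2:
        raise SystemExit('usage: %s <value> [field1=v1#field2=v2...]' % argv[0])
    value = argv[1]
    fields = {}
    if len(argv) > 2:
        for pair in re.split(r'(?<!\\)#', argv[2]):   # split on unescaped '#'
            name, _, field_value = pair.partition('=')
            fields[name] = field_value.replace('\\#', '#')
    return value, fields


def build_response(entities, ui_messages=()):
    """Serialise entities into a MaltegoTransformResponseMessage string.
    Each entity is (type, value, weight, {field_name: (display_name, value)}).
    ElementTree escapes <, > and & in text and attributes, so untrusted values
    cannot break the message the way a format string would."""
    root = ET.Element('MaltegoMessage')
    msg = ET.SubElement(root, 'MaltegoTransformResponseMessage')
    ents = ET.SubElement(msg, 'Entities')
    for type_, value, weight, fields in entities:
        ent = ET.SubElement(ents, 'Entity', Type=type_)
        ET.SubElement(ent, 'Value').text = value
        ET.SubElement(ent, 'Weight').text = str(weight)
        extra = ET.SubElement(ent, 'AdditionalFields')
        for name, (display, field_value) in sorted(fields.items()):
            field = ET.SubElement(extra, 'Field', Name=name,
                                  DisplayName=display, MatchingRule='strict')
            field.text = field_value
    msgs = ET.SubElement(msg, 'UIMessages')   # assumed element name
    for text in ui_messages:
        ET.SubElement(msgs, 'UIMessage', MessageType='Inform').text = text
    return ET.tostring(root).decode('utf-8')


def parse_response(xml_text):
    """Parse a response message back into the tuple form build_response takes,
    the kind of readable view a debugging helper needs."""
    result = []
    for ent in ET.fromstring(xml_text).iter('Entity'):
        fields = {}
        for field in ent.iter('Field'):
            fields[field.get('Name')] = (field.get('DisplayName'), field.text)
        result.append((ent.get('Type'), ent.findtext('Value'),
                       int(ent.findtext('Weight')), fields))
    return result


def debug(*messages):
    """Debug output goes to standard error; Maltego shows it in its console."""
    for message in messages:
        sys.stderr.write('D:%s\n' % message)


if __name__ == '__main__':
    # Hello World done the reusable way: read argv, emit one Phrase entity.
    value, fields = parse_input(sys.argv)
    debug('fields: %r' % fields)
    print(build_response([('maltego.Phrase', 'Hello %s!' % value, 1, {})]))
```

Run it as `./hello.py 'Jose' 'person.fullname=Jose Bautista'` to see the message Maltego would read from standard output; the interesting case is a value such as `a&b<c`, which survives the round trip through `parse_response` intact because the library escaped it.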
Installing Transforms
Local Transform Wizard - New Transform - Configure details (screenshot of the wizard)
  Display name: To Hello World!
  Transform ID: foobarToHelloWorld
  Description: You say hello, and I say goodbye!
  Author: Jose Bautista
  Input entity type: Person
  Transform set: (none)
► Currently a manual process
° Two-step wizard per transform
► Tedious & prone to user error
° More transforms = more configuration = less time playing

Grouping Transforms
New Transform Set (screenshot) - Set name: Foo Bar Set
► Have to manually create a Transform Set
► Another dialog box somewhere ©
► When does the fun begin?

Sploitego
Bringing Back the Fun

What is Sploitego?
► Local Transform Development Framework for Maltego written in Python
► Provides:
° Rapid transform development
° Easy transform installation, management, and maintenance
° Complementary scripts and modules for data mining and debugging
° A whole bunch of cool transforms ©
► How does it bring back the fun?

Remember our Checklist?
✓ Learn Maltego Local Transform Specification
  ✓ XML Messaging
  ✓ Debugging
  ✓ Etc.
✓ Develop Transform
  ✓ Input Parsing Logic
  ° Data Mining Logic <- This is all you have to take care of! - Wawa-wiwa!
  ✓ XML Serialization Logic
  ✓ Debugging Facilities
✓ Install Transform
✓ Configure & Maintain Transform
► Define Entity in Maltego (Optional) <- And possibly this...

Sploitego Transforms - Packaging
► Sploitego transforms are simply Python modules within Python packages
► Follows the traditional Python package directory structure:
° ./setup.py (Python installation script - distutils/setuptools)
° ./foobar (Package directory)
° ./foobar/__init__.py (Module/package init script)
° ./foobar/helloworld.py (Transform module)

Hello World (Revised) Transform

    from sploitego.maltego.message import Person, Phrase
    from sploitego.maltego.utils import debug, progress
    from sploitego.framework import superuser, configure


    @superuser
    @configure(
        label='To Phrase [Hello World]',
        description='Returns a phrase entity with the phrase "Hello World!"',
        uuids=['sploitego.v2.PersonToPhrase_HelloWorld'],
        inputs=[('Useless', Person)],
        debug=True
    )
    def dotransform(request, response):
        progress(50)
        debug('This was pointless!')
        progress(100)
        return response + Phrase('Hello %s' % request.value)


    def onterminate():
        pass  # body not shown on the slide; called if Maltego interrupts the transform

Additional Steps
► foobar/__init__.py must define __all__ (the list of transform modules in the package)

Dissecting the Transform

Sploitego Transform - Dissected
► The dotransform function is the entry point
► Accepts two parameters: request and response
► The request object has the following properties:
° value: the Entity display value (string)
° fields: the Entity fields (dictionary)
° params: extra parameters that can be parsed by optparse

Sploitego Transform - Dissected - cont.
► The response object is where we populate our results
► dotransform must return the response object
► The response object uses mathematical operators to add and remove Entity and UIMessage objects
° E.g.
  response + Phrase('Hi') appends a Phrase Entity object to the response object
► Finally, the onterminate function is called if Maltego interrupts the transform - it is optional

Transform Execution - Meta-data
► @superuser instructs the dispatcher to run the transform as the super-user
► If a transform is being executed as a non-super-user:
° dispatcher will invoke sudo
° Prompt user for sudo password
° If successful, execute the transform using sudo
° Else, abort execution after three retries

Installation Meta-Data - @configure

    @configure(
        label='To Phrase [Hello World]',
        description='Returns a phrase entity with the phrase "Hello World!"',
        uuids=['sploitego.v2.PersonToPhrase_HelloWorld'],
        inputs=[('Useless', Person)],
        debug=True
    )

► Instructs mtginstall on how to configure the transform in Maltego
► Parameters:
° label: display label of the transform in Maltego
° description: a brief description
° uuids: list of universally unique identifiers (or transform descriptor file names)
° inputs: list of tuples containing Transform Set name and Input Entity type
° debug: whether or not the debug window should appear in Maltego on transform execution

Installation Meta-Data - @configure - cont.
► For the @configure call above:
° Transform will appear as To Phrase [Hello World] in the Maltego GUI
° Will belong to the Useless Transform Set
° Can only be applied to Person type Entities
° Has a unique ID of sploitego.v2.PersonToPhrase_HelloWorld
° A debug window will appear on transform execution

Installation Meta-Data - @configure - One more Thing.
► Notice how uuids and inputs are lists
► mtginstall supports a one-to-many relationship between transforms and input entity types
° For example, the Hello World Transform could be applied to Phrase entities as well
° Just add another uuid and inputs entry (matching order)

    @configure(
        label='To Phrase [Hello World]',
        description='Returns a phrase entity with the phrase "Hello World!"',
        uuids=['sploitego.v2.PersonToPhrase_HelloWorld',
               'sploitego.v2.PhraseToPhrase_HelloWorld'],
        inputs=[('Useless', Person),
                ('Useless', Phrase)],
        debug=True
    )

Hello World (Revised) - The Stats
► 24 lines of code in total!
° Approximately 50% less code!
° Only SIX (6) lines were "actual" code!
° The rest were annotations, function signatures, and imports
► Not a single print line in sight!
► No hard-coded XML!
► What about installation?

Managing Transform Packages
Install, Uninstall, Etc.

Installing Transforms (Revised)
► To install a Sploitego transform:
° First, install the Python package containing the transforms
  • distutils or setuptools are great for that!
° Alternatively, place the Python module in Maltego's working directory
° Second, run mtginstall

Installing Transforms (Revised) - Cont.
► Input parameters:
° Hello World Transform is in the foobar package
° Maltego's settings are stored in ~/Library/Application\ Support/maltego/v3.1.1/ (on Mac OS X)
° Your transform working directory is ~/
► To install the transform package, run:
  $ mtginstall --package foobar --maltego-prefix ~/Library/Application\ Support/maltego/v3.1.1/ --working-dir ~/

Transform Installer - mtginstall
1. mtginstall first imports __init__.py in the foobar package
2. Iterates the __all__ special variable to get the list of modules in the package
3. Loads each module and looks for a dotransform function annotated with @configure
4. Reads the installation meta-data and installs the transform in Maltego accordingly
   a) If the Transform Set doesn't exist, it will create it.
   b) Detects name collisions between transforms
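The following is an added example and not Sploitego's own code: a miniature stand-in for the pieces described in the "Dissected", "@configure" and "mtginstall" slides above, so the mechanics can be run without Maltego installed. It provides request/response objects whose `+` and `-` operators add and remove Entity and UIMessage objects, a `configure` decorator that hangs the installation meta-data on `dotransform`, and a `discover` function that walks a package's `__all__` the way mtginstall does, pairing `uuids` with `inputs` by position, creating transform sets on demand and refusing a uuid that another module already claimed instead of installing a duplicate. All class, function and attribute names are assumptions modelled on the slides; input entity types are plain strings here rather than Sploitego's entity classes, the `@superuser` / sudo handling is left out, and the `foobar` package is constructed in memory as a test fixture.

```python
import types


class Entity(object):
    """Minimal Maltego entity: a type name and a display value (assumed API)."""
    def __init__(self, value, type_='maltego.Phrase'):
        self.value = value
        self.type = type_


class UIMessage(object):
    """Message for the Maltego GUI rather than the graph (assumed API)."""
    def __init__(self, text):
        self.text = text


class Request(object):
    """What dotransform receives: display value, entity fields, extra params."""
    def __init__(self, value, fields=None, params=None):
        self.value = value
        self.fields = fields or {}
        self.params = params or []


class Response(object):
    """Result container; + and - add and remove Entity/UIMessage objects."""
    def __init__(self):
        self.entities = []
        self.messages = []

    def _bucket(self, item):
        return self.messages if isinstance(item, UIMessage) else self.entities

    def __add__(self, item):
        self._bucket(item).append(item)
        return self

    def __sub__(self, item):
        bucket = self._bucket(item)
        if item in bucket:
            bucket.remove(item)
        return self


def configure(**meta):
    """Attach installation meta-data (label, uuids, inputs, ...) to dotransform."""
    def decorator(func):
        func.maltego_meta = meta
        return func
    return decorator


def discover(package):
    """Mimic mtginstall's package walk: for every module named in __all__, pick
    up a @configure'd dotransform, pair uuids with inputs by position, create
    transform sets on demand and report uuid collisions rather than install them."""
    sets = {}          # transform set name -> [(uuid, label, input entity type)]
    owner = {}         # uuid -> module that first claimed it
    collisions = []    # (uuid, first module, offending module)
    for modname in package.__all__:
        module = getattr(package, modname)
        meta = getattr(getattr(module, 'dotransform', None), 'maltego_meta', None)
        if meta is None:
            continue   # plain module, nothing to install
        for uuid, (set_name, input_type) in zip(meta['uuids'], meta['inputs']):
            if uuid in owner:
                collisions.append((uuid, owner[uuid], modname))
                continue
            owner[uuid] = modname
            sets.setdefault(set_name, []).append((uuid, meta['label'], input_type))
    return sets, collisions


def run(package, modname, value, fields=None):
    """Dispatch one transform the way the framework would after parsing argv."""
    return getattr(package, modname).dotransform(Request(value, fields), Response())


# Constructed fixture: an in-memory 'foobar' package with two transform modules.
@configure(label='To Phrase [Hello World]',
           uuids=['sploitego.v2.PersonToPhrase_HelloWorld',
                  'sploitego.v2.PhraseToPhrase_HelloWorld'],
           inputs=[('Useless', 'maltego.Person'), ('Useless', 'maltego.Phrase')],
           debug=True)
def _hello(request, response):
    response += UIMessage('This was pointless!')
    return response + Entity('Hello %s' % request.value)


@configure(label='Copy of Hello World',
           uuids=['sploitego.v2.PersonToPhrase_HelloWorld'],   # re-used uuid
           inputs=[('Clashing Set', 'maltego.Person')])
def _clash(request, response):
    return response


def build_package():
    helloworld = types.ModuleType('foobar.helloworld')
    helloworld.dotransform = _hello
    clash = types.ModuleType('foobar.clash')
    clash.dotransform = _clash
    package = types.ModuleType('foobar')
    package.__all__ = ['helloworld', 'clash']   # what mtginstall iterates
    package.helloworld, package.clash = helloworld, clash
    return package


if __name__ == '__main__':
    pkg = build_package()
    print(discover(pkg))
    print(run(pkg, 'helloworld', 'Jose').entities[0].value)
```

Refusing the colliding uuid is the conservative choice: a second module silently overwriting the first transform's descriptor is exactly the kind of install-time mistake the slides' "detects name collisions" step exists to catch.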
Uninstalling Transforms
► To uninstall a Sploitego transform, run mtguninstall:
  $ mtguninstall --package foobar --maltego-prefix ~/Library/Application\ Support/maltego/v3.1.1/
► mtguninstall will remove the transform package (Transform Sets and Transforms) from Maltego's GUI but not from the Python site-packages directory

Demos
The Fun Stuff

Metasploit Integration Demo

Nmap/Amap Integration Demo

Scapy Integration Demo

Extra Utilities
The Goodies

Debugging, Testing, Etc.
► mtgdebug script prints results in a readable format
► mtgsh: shell version of mtgdebug - still a work in progress

  bitter:~ ndouba$ mtgdebug sploitego.transforms.whatismyip
  `- MaltegoTransformResponseMessage:
     `- Entities:
        `- Entity: {'Type': 'maltego.IPv4Address'}
           |- Value: 0.0.0.0
           |- Weight: 1
           `- AdditionalFields:
              |- Field: true {'DisplayName': 'Internal', 'Name': 'ipaddress.internal', 'MatchingRule': 'strict'}
              `- Field: 00:00:00:00:00:00 {'DisplayName': 'Hardware Address', 'Name': 'ethernet.hwaddr', 'MatchingRule': 'strict'}

Graph Export Conversion Tools
► mtgx2csv converts exported Maltego graphs to CSV (comma-separated value) format.
► csv2sheets reads the output of mtgx2csv and separates entities of the same type into separate CSVs

CONCLUSIONS
Last but not Least

Project Roadmap
► Get a website up with some documentation ©
► Create more transforms for:
° Social Engineering
° Forensics
° Exploitation
° Scanning and Vulnerability Discovery
° Third-party Tool Integration
° Etc.
► Create an online community and transform package index for transform developers, similar to PyPI
► Develop a context engine
° Minimize data duplication on graphs
° Provide transforms with access to the full graph

Looking for Help!
► Sploitego needs your help!
° Developers
° Transform Gurus
° Hackers
° Documenters
° Website Designers
° Chefs who deliver to the Ottawa area ©

Contact Info
► Please feel free to contact me:
° Email: ndouba@gmail.com
° Twitter: @ndouba
° Skype: nadeem.douba

Kudos
► To the Paterva team:
° Andrew MacPherson (Mohawk)
° Roelof Temmingh (RT)
► To the Cygnos & RCGT team (w00t!)
► Thank you for attending!

Questions
Anyone?