Series (3) Essential Maltego Transforms for OSINT and Investigations

How to optimize Maltego for OSINT Investigations with Maltego Transforms

Maltego transformations

In my experience, Maltego is an important and useful addition to other OSINT investigation tools and methods.
It is a very versatile tool for a wide range of users: for example, threat intelligence teams, SOC analysts, incident response teams, investigators, cyber investigators, prosecutors, and many others. But which Maltego transforms do they use?

Almost all users carry out “OSINT” investigations, but they have different perspectives and needs. The range of professional transformations in Maltego’s “Transform Hub” is therefore just as diverse. From free-to-use transformations to expensive enterprise solutions, everything is available. Last but not least, there is the possibility to write or install your own local transformations. In this post, I will introduce the most important “OSINT” Maltego transformations.

Maltego for Corporate Investigations

The focus of my investigations is “corporate investigations”. For example, for email addresses and social network profiles, I need to identify the possible “real” person behind them. It is also often a matter of identifying the connections between websites, finding users/owners of domains and IP addresses, and other similar topics. So gathering individual information from many sources makes sense, for example, data from SEO tools or information from threat intelligence databases. Therefore, I will limit my consideration of transformations in this post to the investigative benefits rather than aspects of penetration testing. With this perspective in mind, below I evaluate the current transformations for Maltego Classic. I plan to provide additional details about individual transformation providers again from the perspective of investigations.

The User Needs to Understand Maltego Transformations

Using Maltego and finding the best course of action for your own application is not difficult. In my courses, I rarely need longer than one day for this part of the training. However, it is much more important for users to know and understand the installed transformations. This is also the biggest hurdle in the workshops and takes the most time.

I need to know my transformations and (exactly) understand:

  • Which data sources do these transformations query?
  • What information can I query and how?
  • What data do the transformations query, and how do they do it?
  • What are the expected results?
  • What transformations can I use with the results?

The first time you try the software, you’ll want to start all existing transformations for an entity. However, this leads to unclear results and frustration. See the image below as an example:

The goal is to use transformations in a structured way, with knowledge of their fundamentals, and good documentation from the transform providers would be a real help. Unfortunately, however, the different providers have one thing in common: there is often no sufficient documentation of the offered Maltego transformations.
This is not only true for the free offers; even the expensive suppliers do not shine here. Of course, there are exceptions:
Luckily, some transformations come with good documentation. For instance, the Paterva transforms are well documented. This explains, for example, why the user cannot compare the search engine results from the transformations with his own Google results (Paterva uses the Bing API).
Farsight has also published very good documentation.
The vast majority of transformations offered in the “Transform Hub” are subject to a charge. However, some of these providers (marked “purchased separately”) offer queries that are limited in scope, which means that they make sense to use for more basic needs.
I will address these transformations in this post and a related article, where I will also go into their current limitations in more detail.

Recommended Maltego Transformations

Maltego recommended transformations

Outside the Transforms Hub:
Hunchly Maltego Transforms
https://support.hunch.ly/article/47-1-using-the-hunchly-maltego-transforms

Additional API keys needed:

Details about the Maltego transformations

Standard Paterva Transformations (Maltego Classic / XL)

148 Transformations as part of the Classic/XL license.

These cover many areas very well, e.g. everything around the infrastructure of the domain or also about Twitter.

dataprovider.com has crawlers that navigate from link to link in order to index all sites in a country. In this way, the company collects extensive data on over 280 million domains from 50 different countries every month. The database has information with 200 different variables, including phone numbers, email addresses, IP addresses, analysis IDs, and more. It is updated monthly. The transformations provide access to this structured database. dataprovider.com offers free but limited use of the service. For more intensive use, an API key from the provider is required: https://www.dataprovider.com/products/maltego https://docs.maltego.com/support/solutions/articles/15000024933-installation

Farsight offers one of the largest databases of passive DNS data.
For example, users can query domains and IPs as well as DNS record types such as NS, MX, AAAA and SOA. A wildcard search is also available.
They offer free limited queries – including instant access, no registration, no API key required!
Free query limits:
12 queries per hour
Maltego Classic and XL – 50 answers per request

https://www.farsightsecurity.com/maltego/
https://www.farsightsecurity.com/integrations/
https://www.farsightsecurity.com/assets/media/download/DNSDB Maltego User’s Guide.pdf

Social Links provides transformations for open source and social media intelligence.
It contains more than 750 transformations (3,000 queries per day) to retrieve data from over 50 sources.

  • Social networks: Facebook, Instagram, LinkedIn, Twitter, Skype, Xing, Foursquare, Badoo, Blogger, Classmates, Flickr, Github, FullContact, MyMail, Myspace, Odnoklassniki, Snapchat, Sqoop, Vkontakte, Youtube, Photobucket, Deviantart, Pinterest, Tinypic, Imageshack and others.
  • Messenger: Telegram, Signal and others.
  • Unique search in more than 30 darknet forums and marketplaces.
  • Companies: CompaniesHouse, Open Corporates, Google Companies, OCCRP, Offshores.
  • Integration with third-party services: Pipl, Bitcoinwhoswho, Securitytrails, Censys, Shodan, ZoomEye and others.
  • Access to Social Links database with 7 TB of emails, aliases, names, phone numbers.
  • Cryptocurrency: Ethereum Platform Analysis, Bitcoinwhoswho, TokenView;
  • Other sources: DocumentCloud, Ebay, Torrents, TruePeopleSearch, Wikileaks, Dating sites such as Match, Chemistry, Fling, Meetup, okcupid, ask.fm, rsvp.com.au and others.

Trial Key available from https://www.mtg-bi.com

The 24 transformations were written by Paterva, and a Shodan API key is needed for better results.

From the data in the Shodan database you get, for example, IP information, network blocks, services/ports and domain queries. Native Shodan queries for terms or phrases are also possible.

https://docs.maltego.com/support/solutions/articles/15000012021-how-to-shodan

SocialNet offers more than 700 transforms with data from 70+ social media networks.

Query is possible by e-mail address, alias, phone number or name.

Trial can be obtained via https://www.shadowdragon.io/

8 Maltego transformations to visualize the Bitcoin blockchain.

Contains queries about Bitcoin addresses, transactions, and details.

http://maltego.blogspot.com/2016/04/visualization-bitcoin-blockchain-in.html

Five transformations supported by ThreatCrowd.org:

  • From domains and IPs to historical DNS resolutions and links to malware.
  • From MD5 hashes from malware to C&C domains and IP addresses.

ThreatCrowd is a non-commercial website and there is no private API.

http://threatcrowd.blogspot.co.uk/p/threatcrowd-maltego-transform.html

Query the VirusTotal Public API for information about IP addresses, hashes, domains, and URLs.

http://www.malformitylabs.com/hub-addition-virustotal-public-api/

This set of 121 transformations is based on the PassiveTotal API. Queries are possible to entities such as domain, IPv4 address, URL, email, SSL certificates and many others.

Limited use of 25 requests per day.

If you need more, you need to register under https://www.passivetotal.org/enterprise.

Passive Total is a product of RiskIQ.

Community information: https://community.riskiq.com

Six Maltego transformations to https://haveibeenpwned.com

Has a (hashed) password or a domain appeared in a breach, or has an alias/email been listed in a Pastebin post, etc.?

Queries for Breach name, domain, alias, email.

https://github.com/cmlh/Maltego-haveibeenpwned
https://github.com/cmlh/Maltego-haveibeenpwned/wiki

14 transformations are currently available for FullContact,

An API key is required for installation.

Enrichment of email address, Twitter, domain, person, company, alias and phone number.

Price:
https://www.fullcontact.com/pricing-plans/
API Key:
https://dashboard.fullcontact.com/consents

A (free) API key is available for both the “Risk API” and the “Name to Domain API” of Clearbit.

Five transformations to:

  • Company Name to Domain
  • Autocomplete
  • Domain to Logo
  • Risk from E-Mail
  • Risk from IP address

https://github.com/cmlh/Maltego-Clearbit
https://github.com/cmlh/Maltego-Clearbit/wiki

Python 2.7 is (still) required to use the transformations.
The transformations access the case data within the Hunchly software.

The starting point is the query of a Hunchly Case. From there you can go to secured pages and photos and to the data and keywords contained therein.
The transformations are still quite simple and could be improved, but they give a good insight into the possibilities of local transformations.

https://support.hunch.ly/article/47-1-using-the-hunchly-maltego-transforms
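To illustrate the "local transformations" mentioned above and earlier in this post, here is an added example (not Hunchly's code and not from the original post) of a minimal local transform in Python 3 rather than the Python 2.7 the Hunchly transforms require. It takes a domain as Maltego passes it (first command-line argument), looks it up in a constructed passive-DNS table standing in for a provider such as Farsight or PassiveTotal, and prints the XML response format Maltego expects; an empty result is reported to the analyst as a UI message instead of silently returning nothing.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a real passive-DNS provider:
# domain -> list of (ip, first_seen, last_seen).
SAMPLE_PDNS = {
    "example.com": [
        ("192.0.2.10", "2021-01-04", "2021-06-30"),
        ("192.0.2.25", "2021-07-01", "2022-03-15"),
    ],
    "test.example": [("198.51.100.7", "2020-11-11", "2020-11-12")],
}


def lookup(domain):
    """Return resolutions for a domain; tolerates case and a trailing dot."""
    return SAMPLE_PDNS.get(domain.strip().rstrip(".").lower(), [])


def build_response(domain, resolutions):
    """Serialise resolutions as a Maltego transform response, one IPv4Address entity each."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for ip, first_seen, last_seen in resolutions:
        ent = ET.SubElement(entities, "Entity", Type="maltego.IPv4Address")
        ET.SubElement(ent, "Value").text = ip
        # Weight ranks entities in the graph; a constant is used here (assumption).
        ET.SubElement(ent, "Weight").text = "100"
        fields = ET.SubElement(ent, "AdditionalFields")
        ET.SubElement(fields, "Field", Name="first_seen", DisplayName="First seen").text = first_seen
        ET.SubElement(fields, "Field", Name="last_seen", DisplayName="Last seen").text = last_seen
    msgs = ET.SubElement(resp, "UIMessages")
    if not resolutions:
        # Tell the analyst why the graph did not change instead of failing silently.
        ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = "No passive DNS data for " + domain
    return ET.tostring(root, encoding="unicode")


def entity_values(xml_text):
    """List the Value texts in a response (used to check the output)."""
    return [v.text for v in ET.fromstring(xml_text).iter("Value")]


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    dom = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    sys.stdout.write(build_response(dom, lookup(dom)))
```

To use it, register the script in Maltego as a local transform on the Domain entity; replacing SAMPLE_PDNS with a real API call is the only change needed.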

Conclusion

Maltego needs the right Open Source Intelligence (OSINT) add-on modules – so-called transformations – to show its full strength. These can be transformations bought from a professional provider or local transformations. This post contains the most important selection of transformations for Maltego from my point of view. I will update it as needed. In the next article

Interested in a Maltego seminar?

I offer tailor-made in-house Maltego workshops in small groups according to your schedule!

An example agenda can be found here:
https://corma.de/en/course-portfolio/maltego-training-and-workshop/

Information about the Maltego OSINT basic training in Brüggen:
https://corma.de/en/course-portfolio/maltego-training-germany/

Information about Advanced SocialLinks & Maltego OSINT Training in Brüggen:

https://corma.de/en/course-portfolio/advanced-sociallinks-maltego-training-in-germany/

How can we help you?

Want to discuss a confidential matter in more detail?
Need a private investigator in Germany or Europe?
Get in touch and we’ll work out a free tailor-made proposal for you.

