So much information exists online that it's easy to get lost in data while researching. Understanding the bigger picture can take a lot of time and energy, but narrowing the question to one that's easy to answer is the first step of any investigation. That's why analysts use open-source intelligence (OSINT) tools like Maltego — to help refine raw data into a complete understanding of a situation.
In this tutorial, we'll explore how to conduct an investigation using Maltego, which allows a researcher, pentester, or white hat hacker to mine huge amounts of data to visually discover patterns and answer critical questions.
Null Byte has been holding a series of workshops for computer science college students in Pasadena, California, called "Cyber Weapons Lab." This lab focuses on exploring cyberweapons and the tools used in cyber conflicts around the world. One recent session focused on how OSINT professionals use tools like Maltego for reconnaissance and how these skills can be used for hacking or in industries like business intelligence.
While recon is the first stage of any attack, it's important to note that these same skills are used by analysts in the public and private sector, like business intelligence, to help investors and businesses make important decisions. Many businesses pay a lot of money for the same kind of research skills hackers employ while assessing a target, so learning to be a good researcher can be a powerful fallback skill in life.
Our talk in the video below focuses on ways the average person can use tools like Maltego to conduct an investigation to get an advantage in job interviews, secure investors for a business project, or assess a competitor or potential partner before making a decision. Of course, these skills are also the same core research skills you will need to identify and profile a target in a pentesting engagement.
These are powerful skills that will apply to many situations, so learning to turn data into understanding will expand your ability to learn anything with speed that will surprise everyone around you. You can check out our talk in the video below, and subscribe to the Null Byte YouTube channel for more.
Good research revolves around the ability to ask an answerable question, refine your search to find the right data to answer it, and process the raw information into actionable intelligence.
Intelligence is data that has been processed with context and understanding to produce meaning and is the difference between the refined product (like a report) of an OSINT investigation and the raw data points that support that understanding.
Without context, data is not useful, so simply finding a lot of data does not make you a good researcher.
Through using the intelligence collection cycle, we can plan ahead and avoid getting lost in the powerful tools that can return tons of data. If we don't have a firm idea of what we're searching for, we're likely to get swept away from the original point of our search.
The point of intelligence is to plan your collection, find the right information, process and clean the information to begin building a picture, analyze the results, and turn that understanding into a report others can learn from.
To demonstrate this process, let's conduct an investigation using Maltego CE, the free edition of Maltego.
Maltego is a program for mining data from all over the internet and displaying the relationships in an easy-to-understand graph that makes patterns very obvious. It features the ability to expand on a single piece of known information to a huge network of related data in a few simple clicks.
Maltego is great at taking something like a screen name or email address and discovering everything there is to learn about related accounts or appearances on the internet in seconds. To get started, you can download it from Paterva, the company responsible for Maltego.
Because of how much data people share about themselves and others, Maltego and tools like it can be used to track people, groups, companies, or other organizations rather invasively. These tools pull huge amounts of data from APIs, apply "transform" algorithms to analyze and mine the data, and present the findings in a simple and easy-to-understand graphical view.
This kind of power and flexibility allows us to make some very specific questions answerable in a matter of clicks. After downloading Maltego, go through the guided installation and registration process to get a CE license key, and you'll be ready to begin your first investigation.
Start Maltego and input your license key, and then, from the main screen press Ctrl + T (or Command + T on macOS) to open a new, empty tab. On the left side, you'll see the "entities" panel with a list of all the different kinds of data you can add to start with.
For our test example, we decided to see if we could identify employees of The Guardian, a news outlet, who had their accounts compromised in data breaches. While this is a tricky question for Google to answer, we can stop relying on secondary source data like new media and get our own data with Maltego.
First, we'll need a sample of email addresses of Guardian employees. Since they're journalists, they'll probably be using PGP so sources can email them anonymously, but we'll try to find more employee emails to add too.
Starting by dropping a web domain of "theguardian.com" into Maltego, right-mouse clicking and selecting the PGP transform gets us started with a list of employee emails found in the PGP keyserver.
Now, we can select these emails all at the same time, and apply another transform to all of them. We'll run "HaveIBeenPwned" to find out if they were involved in any data breaches or any Pastebin dumps.
We're in luck, as not only do we already have one breach, but several Pastebin dumps. Since we can see that several employee emails are included in the Pastebin dump, we can go to the link to discover if there might be more.
In this case, we are in luck again, since we found additional 90+ employee emails to add. We can simply paste them into Maltego, and Maltego will interpret the type of data and add them automatically.
With these email addresses added, we can now run a transform against the entire sample to see if any have been involved in breaches, and see any patterns in the employees who were.
It's also useful to expand the information on the data breaches we find, to learn what exactly the user lost in the breach. Doing so, we can even create lists of employees who were involved in breaches in which their passwords were leaked.
Just like that, we can select only users who have lost passwords in the breach, meaning we can probably locate the data dumps in question on the internet to see the kinds of password the particular person likes to use. If we're really lucky, they may use the same password for many accounts.
By knowing how to ask relevant and answerable questions, you can learn a tremendous amount of important and specific information about pretty much anything. The insight derived from open source investigations powers many of the business decisions made today, and you can benefit from the same kind of information by using these tools to better understand situations you need to make a decision about.
We explored how you can start with a single web domain, and in a few clicks mine for more information and relationships inside the data you find to produce a better understanding of a situation. This core skill of recon can help us target and configure cyber weapons as hackers, or understand the institutions and people we want to work with to make negotiations go more smoothly. As with all powerful tools, Maltego is a double-edged sword.
The power is in your hands, so use it wisely! Thanks for reading, you can leave any questions in the comments or on our Twitter, and subscribe to our YouTube channel for more videos!