You can use Maltego to gather, analyze, and visualize publicly available information, uncovering relationships and patterns between entities like domains, IP addresses, social media profiles, and more.
In this article, we'll show you how to use Maltego, a vital tool for cyber security professionals, particularly penetration testers. We'll begin by explaining what Maltego is and guiding you through the process of starting it up. Next, we'll explore the main interface, breaking down key sections to make them easy to understand.
After that, we'll provide an overview of utilizing Maltego's Transforms, a central feature that enables you to uncover hidden relationships within data sets. Finally, we'll discuss the best practices when using Maltego, ensuring you can utilize this powerful tool effectively and responsibly.
If you’re ready to dive into the world of Maltego, let’s begin.
What Is Maltego?
Maltego is a tool developed by Paterva that leverages open-source intelligence (OSINT). Maltego comes in different versions, including a community edition that can be used for free with some limitations, as well as commercial versions that offer more features and capabilities.
Maltego is a vital tool in the arsenal of a penetration tester. As a graphical link analysis tool, it lets you visualize connections within complex data sets, displaying interconnected links. By analyzing information from various sources such as public websites, email addresses, social media, and cryptocurrency transactions, Maltego aids in uncovering hidden relationships and patterns.
This is particularly useful in penetration testing, where understanding the target's digital footprint and connections can be crucial. Working up to 80% faster with Maltego than traditional methods allows for efficient reconnaissance.
We will now show you how to get Maltego up and running. For our demo moving forward, we will be using Kali. Maltego can also be installed on Windows, macOS, and other Linux distributions.
Before you can run Maltego, you need to run the installer, which can be found in the Applications menu under “Information Gathering.”
You will be taken to a terminal window asking if you want to install Maltego. Select “Y” to continue.
You can also install Maltego from the terminal with the following command:
sudo apt install -y maltego
Now, you can start Maltego by entering maltego in the terminal or running it from the application menu.
Once Maltego opens, you will be shown a window asking you to select a product. We are using the “Maltego CE (Free)” version for our demo. Select “Run” to continue.
Next, you’ll need to configure Maltego. The first step is to accept the license agreement and click “Next.”
The next step is to log in so you can use Maltego. If you do not already have an account, register one here.
After logging in, you'll be able to see your details, like your name and email address, as well as the duration of your API key. Click “Next” to continue with the download of the Transforms.
The Transforms will be downloaded, and you must click “Next” to install them in Maltego.
The next screen will ask if you want to send error reports to Paterva. Click “Next” to continue.
The final window will ask which external browser you want to use to open links. Make your choice and then click “Finish” to complete the configuration. Maltego will now be ready to be used.
This section will show you the main Maltego graphical user interface, and we will highlight three areas within the interface.
- Application Menu
In the Application menu, you'll find the application button. This grants access to the following functions:
- New Graph
- Open Graph
- Save All
- Save As
Maltego can open and save graphs using the .mtgl extension. While these are some of the core features, there are also other advanced functions.
- Start Page
The start page showcases the latest updates for products, Transforms, and the Transform Hub. Any alerts affecting Maltego's functionality and security can also be found here.
- Transform Hub
The Transform Hub catalogs all the Transforms offered by Maltego, third-party providers, or available through an API/dataset. You can either purchase these items or install them for free.
Transforms in Maltego are specialized pieces of code that process information in a very particular way. They take an Entity (a defined piece of data like an email address, IP address, or name) as input and then search for related information, returning more Entities as output.
Let's walk through installing Transforms in Maltego's Community Edition. First, navigate to the Transform Hub within the software.
Since we're using the Community Edition, you'll want to filter the available Transforms by selecting “Maltego Community” from the “Plans” menu. This will show you only the Transforms compatible with our version, making choosing and installing the ones you need easier.
You’ll also want to display Transforms that are “NOT INSTALLED.”
Now that we have the Transforms that will work for us, let’s choose one to install. At the time of writing, there are 50 Transforms available to you in the Community Edition—everything from infrastructure and network information to searching social media sites.
Let’s install the Censys Transform, designed to map IP addresses to the target domain and vice versa, quickly identify server misconfigurations, and efficiently scan attack surfaces for vulnerabilities.
This Transform is limited to twenty-five Transform runs per month on the Community Edition of Maltego.
Several Transforms will require you to have an API key from the provider, and Censys is one of them.
To work with the Censys Transform, you will need an account and an API key. You can sign up for an account at the Censys registration page.
To install, hover over the Censys Transform and click “INSTALL.” It will ask you if you are sure you want to install it. Click “Yes” to continue.
Complete the three steps that follow to finish installing Censys inside Maltego.
Select “INSTALLED” from the Transform Hub to see the Censys Transform listed.
Starting an Investigation
The easiest way to start a new investigation is by using Machines in Maltego. These Machines are automated sequences of Transforms in Maltego that allow users to run multiple queries or operations with a single click.
We will demonstrate how to use a Machine in Maltego, specifically focusing on the “Company Stalker” Machine. This Machine aims to locate email addresses associated with a domain, map these to corresponding social media profiles, and finally, attempt to retrieve or analyze any related metadata.
To begin, click on the “Machines” tab at the top of the Maltego window.
Next, click “Run Machine” to choose the Machine you want to run.
Choose “Company Stalker” and click “Next.”
Now enter a domain you want to use as the target. In our demo, we are using example.net. Then click “Finish.”
Click through any popups you receive and wait for the machine to finish running. Once finished, you will be presented with any information that was returned.
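To make the Entity, Transform and Machine terms concrete, here is a small model of what a Machine does. It is an added example, not Maltego's code: the Entity type labels, the two Transforms and the lookup tables are simplified, constructed stand-ins.

```python
from collections import namedtuple

# An Entity is one typed piece of data; type names here are simplified labels.
Entity = namedtuple("Entity", ["type", "value"])

# Constructed lookup tables standing in for real data sources.
MX_RECORDS = {"example.net": ["mail.example.net"]}
A_RECORDS = {"example.net": ["192.0.2.10"], "mail.example.net": ["192.0.2.25"]}

def to_mx(entity):
    """Transform: Domain -> DNSName Entities for its mail servers."""
    return [Entity("DNSName", h) for h in MX_RECORDS.get(entity.value, [])]

def to_ip(entity):
    """Transform: Domain or DNSName -> IPv4Address Entities."""
    return [Entity("IPv4Address", ip) for ip in A_RECORDS.get(entity.value, [])]

# (name, accepted input Entity types, function)
TRANSFORMS = [
    ("To MX", {"Domain"}, to_mx),
    ("To IP", {"Domain", "DNSName"}, to_ip),
]

def run_machine(seed, transforms=TRANSFORMS, rounds=2):
    """Apply every matching Transform to each newly found Entity, round by round.

    Returns (nodes, edges, runs). Each edge keeps the Transform name as
    provenance; runs counts Transform executions, which is what a monthly
    run quota is spent on.
    """
    nodes, edges, runs = {seed}, [], 0
    frontier = [seed]
    for _ in range(rounds):
        discovered = []
        for entity in frontier:
            for name, accepts, func in transforms:
                if entity.type not in accepts:
                    continue
                runs += 1
                for out in func(entity):
                    edges.append((entity, name, out))
                    if out not in nodes:  # same Entity is one node on the graph
                        nodes.add(out)
                        discovered.append(out)
        frontier = discovered
    return nodes, edges, runs

if __name__ == "__main__":
    nodes, edges, runs = run_machine(Entity("Domain", "example.net"))
    for src, name, dst in edges:
        print(f"{src.value} --{name}--> {dst.value}")
```

The run count grows with every Entity a Machine discovers, which is why a single click can use up several runs of a rate-limited Transform.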
For a more detailed investigation, you can also run one manually. If you want to start a new project in Maltego, the first step is to select “New” in the Application menu.
You will then be presented with different screens, such as the “Entity Palette,” “Graph,” “Output,” and “Run View.”
To begin your investigation, you will now want to add an “Entity” to the new graph. The easiest way to do this is using the “Entity Palette” on the main interface's left side. You can either scroll through the list of entities or use the search function.
In Maltego, an Entity represents a single piece of data you want to investigate or analyze. It can be something as simple as an email address, a phone number, a domain name, or an IP address.
Let's add an Entity to the graph. In the “Personal” section, you can select the “Email Address” Entity or simply use the search bar to find “Email.” Once you locate the Entity, drag it onto the graph to add it.
Working With Transforms
Now, we will show you how to work with different Transforms. For this demo, we will be using a domain name to perform various analyses.
Search for “Domain” in the Entity Palette and drag it to the Graph. We will use nmap.scanme.org for the demo, so change the domain name from maltego.com to nmap.scanme.org.
Let’s run our first Transform: Censys, to map an IP to the domain name. Right-click on the domain in the graph and select Censys. Then click the “Run All” button to run all the Censys Transforms simultaneously.
As a penetration tester, using this technique during the information gathering phase can give insight into the organization's network structure and may reveal the relationships between different servers, such as mail servers and websites.
Read the steps involved in a penetration test in our article: Penetration Testing Steps: A Comprehensive Assessment Guide.
The Transform will run and present you with the IP information in the graph.
Now let’s run another Transform. This time let’s run the “To Snapshots between Dates [Wayback Machine].” This can be extremely helpful when performing a penetration test as it could reveal important information such as past vulnerabilities, changes in security configurations, deprecated or hidden pages, and subdomains.
Right-click on the domain, and in the search bar, search for “wayback” then select “To Snapshots between Dates [Wayback Machine],” and finally click run.
On the next screen, choose the begin and end dates for the search and click Run!
Once the Transform completes, you will be shown the Wayback Machine data found. With this information, you could click on a specific date and open the URL for further information gathering and investigations.
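The date-bounded snapshot listing can also be reproduced outside Maltego, for example when reviewing which old pages of your own site are still archived. The following is an added example, not the Transform's code: it parses rows in the JSON layout returned by the Wayback Machine CDX API, and the sample rows and function name are constructed for illustration.

```python
import json
from datetime import date, datetime

# Constructed sample in the CDX API's JSON layout (first row is the header);
# not real archive data.
SAMPLE_CDX = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["net,example)/", "20190312081500", "http://example.net/", "text/html", "200", "AAAA", "1200"],
    ["net,example)/old-admin", "20200601120000", "http://example.net/old-admin", "text/html", "200", "BBBB", "900"],
    ["net,example)/", "20200601120500", "http://example.net/", "text/html", "301", "CCCC", "300"],
    ["net,example)/", "20230115093000", "http://example.net/", "text/html", "200", "DDDD", "1500"],
])

def snapshots_between(cdx_json, begin, end, ok_only=True):
    """Return sorted (capture_time, replay_url) pairs with begin <= capture date <= end.

    With ok_only=True, captures whose HTTP status was not 200 (redirects,
    errors) are dropped, since they rarely hold page content worth reviewing.
    """
    rows = json.loads(cdx_json)
    if not rows:
        return []
    header, records = rows[0], rows[1:]
    results = []
    for row in records:
        rec = dict(zip(header, row))
        try:
            captured = datetime.strptime(rec["timestamp"], "%Y%m%d%H%M%S")
        except (KeyError, ValueError):
            continue  # skip rows without a valid 14-digit timestamp
        if not (begin <= captured.date() <= end):
            continue
        if ok_only and rec.get("statuscode") != "200":
            continue
        # Replay URLs have the form /web/<timestamp>/<original URL>.
        url = f"https://web.archive.org/web/{rec['timestamp']}/{rec['original']}"
        results.append((captured, url))
    return sorted(results)

if __name__ == "__main__":
    for when, url in snapshots_between(SAMPLE_CDX, date(2020, 1, 1), date(2020, 12, 31)):
        print(when.isoformat(), url)
```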
Maltego is an extremely powerful tool and can do so much more than what we’ve shown you here. Using Maltego, you could map out the digital footprint of a target organization, including identifying key employees, emails, social media profiles, or devices.
This information can be used with tools like the Social Engineer Toolkit for information gathering. It can be used to create:
- Phishing Campaigns: Information gathered about email addresses and social connections could aid in crafting targeted phishing emails.
- Spear Phishing and Social Engineering Attacks: Insights into the relationships between entities might inform more advanced spear-phishing or social engineering attacks.
Let's talk about some Maltego usage best practices. Maltego is a very versatile tool that can do many things, and there are some things you can do to work more effectively and intelligently before and while using it. Our list of recommendations for working with Maltego is provided below.
- Create a Strong Workflow: Understand your goal before you start. Map out what you want to uncover and tailor your search accordingly.
- Use Transforms Wisely: Transforms are queries that fetch you different data types. Learn them well, and use only what's necessary. Too many unnecessary Transforms may clutter your results.
- Secure Your Data: Maltego can pull sensitive information. Make sure you handle it with care.
- Stay Up to Date: The digital world and tools like Maltego change rapidly. Regularly update to the latest version to keep up with new features and security enhancements.
- Use Entities Properly: Entities are the building blocks in Maltego. Use them correctly to represent the data you're working with.
- Use Notes and Bookmarks: You can attach notes to entities and connections, and bookmark essential elements. This helps track why something is important or how you discovered it.
- Export and Share with Care: You can export your findings to share with others. But remember, this might include sensitive data, so only share it with those who need it.
As you can see, Maltego is a powerful tool used in penetration testing and other investigations. It provides a graphical representation of your data, enables clear visualization of complex relationships and connections, and aids in the thinking process.
In this article, we began by explaining Maltego and guiding you through its installation process. Next, we demonstrated how to get Maltego up and running, and we introduced you to the main interface. Following that, we dove into initiating an investigation and working with Transforms. Finally, we outlined some best practices to follow when using Maltego.
We've just scratched the surface of what Maltego can do, but you should now understand how to use this tool effectively.