Unveiling Maltego 3.0 (Roelof Temmingh)
Abstract (source: Blackhat.com)
For a year the Paterva team has been quietly working on Maltego 3 with no new releases since March 2009. For the first time since Black Hat 2009 Paterva will be showing you what they have been up to – revealing an all new Maltego version – built from the ground up. Expect Hollywood quality graphing and animation, endless possibilities of extensions, new analytic views that will make you weep, and brand new transforms that will blow your mind.
Talk Abstract –> Unveiling Maltego 3.0
Speaker Bio –> Roelof Temmingh
Since May 2009 there has been no incremental release of Maltego. Coding on version 3 has been going on for over a year, and it’s still ongoing. It’ll be done when it’s done.
Current downloads of Maltego v2 are about 550 a week.
maltego.blogspot.com –> Maltego v3 progress blog
What’s new in v3
- Look and feel
- Entirely new look
- Dynamic graphing
- EWV fully interactive
- Transform settings on the fly
- Detailed view
- Custom entities
- Manual linking
- Bookmarking / annotations
- Entity display
This presentation was very demo centric, and from what I saw, the new interface for version 3 is much more “pretty” than previously. The dynamic graphing and movement really makes it feel like a mature tool. The nodes themselves are much more configurable, with the ability to change things on the fly.
Transforms can now also run indefinitely. This is useful for live information gathering, picking up data as it appears; a good example is automatically incorporating live data from Twitter into the graph.
Problems with Maltego
Dead-end entities – As an example, there are many transforms that will return information about and from domains. Entities such as a “person” can easily be used as the starting point of a search (such as what domains they own, etc…), but it is very rare that a “person” is returned as the result of running another transform.
To help with this Maltego v3 incorporates an entity (CIPRO) to find a “person” based on identifiable information. This could be expanded to search in any openly accessible directories of people (Company registers, Membership numbers, etc…). Many countries have public sources for director level staff in companies.
Named Entity Recognition
- Takes text and marks entities like person names / companies / phone numbers
- Complex to do
- Offered as a service from several providers
This is useful for the dead-end entity problem, since it allows data to be drawn from many more resources. Tapping previously unused sources (such as radio, television, the Internet, emails, …), combined with speech-to-text conversion where needed, yields more information and more interlinks.
Maltego offers the ability to scrape sites and run the output through open NER providers. The recognised entities can then be used as Maltego entities, and things like phrases can be linked.
Demo –> Maltego v3 phrase “uranium enrichment” –> Discovery of PDF files with the phrase (Google transform) –> Expanding from the phrase to all people / companies mentioned in these documents and look at the interconnections (weight, occurrences, …)
This method of transforming data back into people / company names allows for better / clearer information and the ability to further research.
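As an added example (not Maltego’s own code, nor any of its transforms), the script below shows the idea behind the phrase demo and the NER section in miniature: find the documents containing a phrase, pull person / company / phone / email entities out of each document, then link entities that appear together and count occurrences and link weights. Regular-expression heuristics stand in for a real NER service, which is exactly why the talk calls NER “complex to do” (note the stoplist needed so that “Contact Jane” is not read as a name). The documents, names, numbers and addresses are all constructed for the example.

```python
"""Toy NER + entity-linking pass over a few constructed documents (example code)."""
import re
from collections import Counter
from itertools import combinations

# Constructed sample "documents" -- no real people, companies or contact details.
DOCS = {
    "report1.pdf": ("Contact Jane Example of Acme Corp via +1-555-0100 or jane@example.com "
                    "about uranium enrichment. John Sample from Beta Ltd attended."),
    "report2.pdf": "Jane Example and John Sample co-authored a note for Acme Corp; call +1-555-0100.",
    "report3.pdf": "Beta Ltd announced new offices. Contact press@beta.example.",
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\+\d{1,3}-\d{3}-\d{4}\b")
COMPANY_RE = re.compile(r"\b([A-Z][a-zA-Z]+ (?:Corp|Ltd|Inc|LLC))\b")
# Lookahead so overlapping candidate pairs are all seen ("Contact Jane", "Jane Example").
PERSON_RE = re.compile(r"(?=\b([A-Z][a-z]+) ([A-Z][a-z]+)\b)")
# Capitalised words that start sentences but are not names: a crude stand-in for what
# a real NER provider learns from context.
NOT_NAMES = {"Contact", "Call", "Dear", "The"}


def extract_entities(text):
    """Return a set of (type, value) entities recognised in one document."""
    found = set()
    for m in EMAIL_RE.finditer(text):
        found.add(("email", m.group()))
    for m in PHONE_RE.finditer(text):
        found.add(("phone", m.group()))
    for company in COMPANY_RE.findall(text):
        found.add(("company", company))
    # Blank company names first so "Acme Corp" is not also taken as a person.
    stripped = COMPANY_RE.sub(" ", text)
    for m in PERSON_RE.finditer(stripped):
        first, last = m.group(1), m.group(2)
        if first in NOT_NAMES or last in NOT_NAMES:
            continue
        found.add(("person", f"{first} {last}"))
    return found


def documents_with_phrase(docs, phrase):
    """Stand-in for the 'search for a phrase' step: case-insensitive substring match."""
    return sorted(name for name, text in docs.items() if phrase.lower() in text.lower())


def build_graph(docs):
    """Per-document entities, occurrence counts, and co-occurrence link weights."""
    doc_entities = {}
    occurrences = Counter()   # how many documents mention each entity
    links = Counter()         # weight of the link between two entities
    for name, text in docs.items():
        ents = extract_entities(text)
        doc_entities[name] = ents
        occurrences.update(ents)
        # Entities appearing in the same document get one unit of link weight.
        for a, b in combinations(sorted(ents), 2):
            links[(a, b)] += 1
    return doc_entities, occurrences, links


if __name__ == "__main__":
    print("documents mentioning the phrase:", documents_with_phrase(DOCS, "uranium enrichment"))
    _, occ, links = build_graph(DOCS)
    print("entities by occurrence count:")
    for ent, n in occ.most_common():
        print(f"  {n}  {ent[0]}: {ent[1]}")
    print("strongest links:")
    for (a, b), w in links.most_common(5):
        print(f"  {w}  {a[1]} <-> {b[1]}")
```

In Maltego terms each (type, value) pair is an entity, each link weight is what the detailed view would show as the strength of the interconnection, and the person entities are exactly the ones that are otherwise so rarely produced by a transform.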
Facebook terms and conditions restrict a lot of the code from being made public.
However, Facebook has a lot of information and links between people. This information is really useful.
Facebook has an API… but it’s a bit restricted (must be logged on, etc…), so to do what’s needed, you need to scrape. This is against the Facebook TOS. It’s also not easy: if the site changes, the scraper will fail. Scraping through Tor is also not easy, as the language of the pages changes depending on your exit node. Facebook also actively uses anti-scraping techniques.
How to make it reliable
- Use the API where possible
- Use the mobile sites (less complex, changes less often)
- Keep cookies alive using a background process and change once the session dies (or is killed)
Facebook closes the holes that are needed to pull information like “friends” etc…
Demo –> Facebook Transform (PoC only)
This becomes useful when you use Facebook data alongside NER techniques.
Attacking machines vs. attacking people!
For more information please see the Blackhat Europe website