Tuesday, April 23, 2013

BlackHat 2013, Tungsten preview, Trees

Hi all,

We decided to do a quick recap of what's happening around the Paterva office the last couple of weeks. 'Why?' you ask. Well - we recently had some visitors to our offices - they only followed our blog and not our Twitter account (@paterva if you wondered) and they were clearly uninformed about what we're up to.


Blackhat 2013

We recently showed Maltego to a group of hard core pen testers. Initially they were quite doubtful about how useful Maltego could be for them ('yes it makes pretty pictures - so what') - but after about 45 minutes we won them over and by the end of the day they bought licenses for the entire team and were making plans to integrate Maltego with their own tools. It yet again illustrated to us that it's not the tools you have but how well you know and use them. This is why we train at BlackHat USA in Las Vegas. At the end of every class students walk out saying 'We never knew you could do this with Maltego' and 'We never knew it was this powerful'. Sure - this is marketing speak - but it's also the absolute truth. Bottom line - if you work in security or cyber intelligence - come to our course or send your team to our course. We guarantee it will be worth it. For more info on what we teach, course structure and fees - [click here].


Seeing that we're in full disclosure mode - we also submitted a talk for the briefings. The talk is all about creating a collaborative attack platform. In other words - it will show how a team of attackers or analysts can use Maltego at the same time. Expect a bunch of interesting transforms... If we get accepted we hope to show something truly amazing (and hopefully super scary). Also, if all goes well, we'll release Maltego Tungsten at the conference.

Maltego Tungsten - preview

With over 600 subscribers and more than 100 thousand views our [YouTube channel] (or AndrewTV as some call it) has become quite popular. Our latest video - it's really short (about 2 minutes) - gives a sneak peek at how collaboration is going to work in Maltego Tungsten. Click on the image below to take a look. We're pretty damn excited about it!



It's also the first time we've used multiple cameras, a jib and a boom mic. Although the video seems straightforward it was pretty challenging. We now have over 20 Maltego videos on our channel - most of them tutorials.

Trees

The last little bit of sad news is that our landlord decided to cut down some of the trees around the office. It does mean that the grass will now actually grow (and won't just be moss and gravel) and that we'll have a bit of natural light in the office, but still - we're sad to see them go. Counting the growth rings on the remaining trunks they were 25, 30 and 45 years old. Somehow it just seems wrong.

Paterva will be secretly planting 5 more trees in the garden.
Plant trees! Plant trees!! Plant trees!!!

That's about it for now!
RT

Monday, April 8, 2013

TRX - Framework for writing Python transforms with the TDS

Hi there people from the Interwebs,

We wrote a 'framework' for writing Python transforms with the Maltego TDS. It's called TRX and it's pretty light, easy to use and very hip. It should see you writing kick ass transforms in no time - a complete transform could look as simple as this:

import socket
from Maltego import MaltegoTransform, UIM_PARTIAL  # supplied by TRX's Maltego module

def trx_DNS2IP(m):
  TRX = MaltegoTransform()
  DNSName = None
  try:
    # m.Value is the value of the input entity (the DNS name)
    DNSName = socket.gethostbyname(m.Value)
    TRX.addEntity("maltego.IPv4Address", DNSName)
  except socket.error as msg:
    # report a partial error to the client rather than failing the whole transform
    TRX.addUIMessage("Problem: " + str(msg), UIM_PARTIAL)
  return TRX.returnOutput()
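
To show what a transform like the one above actually hands back to the TDS, here is an added, self-contained Python example (not part of TRX or the original post). It stands in for TRX's MaltegoTransform with a tiny response builder that serialises a MaltegoTransformResponseMessage, takes the resolver as a parameter so the DNS2IP logic can be exercised offline against a constructed stub table, and lets ElementTree escape entity values so that an input value containing XML markup cannot corrupt the response. The class and function names (ResponseBuilder, dns_to_ip, parse_response, stub_resolver) are this example's own, not TRX's API.

```python
import socket
import xml.etree.ElementTree as ET

# Message types the Maltego client understands in a UIMessage element.
UIM_PARTIAL = "PartialError"
UIM_INFORM = "Inform"


class ResponseBuilder:
    """Minimal stand-in for TRX's MaltegoTransform: collects entities and
    UI messages and serialises them as a MaltegoTransformResponseMessage."""

    def __init__(self):
        self.entities = []   # (entity type, value) pairs
        self.messages = []   # (text, message type) pairs

    def add_entity(self, entity_type, value):
        self.entities.append((entity_type, value))

    def add_ui_message(self, text, msg_type=UIM_INFORM):
        self.messages.append((text, msg_type))

    def return_output(self):
        root = ET.Element("MaltegoMessage")
        resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
        ents = ET.SubElement(resp, "Entities")
        for etype, value in self.entities:
            ent = ET.SubElement(ents, "Entity", Type=etype)
            ET.SubElement(ent, "Value").text = value   # ElementTree escapes <, > and &
        msgs = ET.SubElement(resp, "UIMessages")
        for text, mtype in self.messages:
            ET.SubElement(msgs, "UIMessage", MessageType=mtype).text = text
        return ET.tostring(root, encoding="unicode")


def dns_to_ip(dns_name, resolver=socket.gethostbyname):
    """DNS2IP transform body. `resolver` is injectable so the logic can run
    offline; by default it uses the system resolver, like the TRX version."""
    out = ResponseBuilder()
    try:
        ip = resolver(dns_name)
        out.add_entity("maltego.IPv4Address", ip)
    except socket.error as err:
        # a lookup failure is reported as a partial error, not a crash
        out.add_ui_message("Problem: " + str(err), UIM_PARTIAL)
    return out.return_output()


def parse_response(xml_text):
    """Parse a response back into (entities, messages) for inspection."""
    root = ET.fromstring(xml_text)
    ents = [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]
    msgs = [(m.text, m.get("MessageType")) for m in root.iter("UIMessage")]
    return ents, msgs


# Constructed stub resolver so the example runs without network access.
_STUB_TABLE = {"www.example.test": "192.0.2.10"}


def stub_resolver(name):
    try:
        return _STUB_TABLE[name]
    except KeyError:
        # socket.gaierror is what gethostbyname raises for an unknown name
        raise socket.gaierror("Name or service not known: " + name)


if __name__ == "__main__":
    print(dns_to_ip("www.example.test", stub_resolver))
    print(dns_to_ip("does-not-exist.test", stub_resolver))
```

Run it as-is to see the two response documents; in a real transform you would call dns_to_ip with the input entity's value and the default resolver.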


The document nicely explains the differences between local transforms and TDS transforms and also includes a complete entity reference guide as well as addressing the confusion between V2 and V3 entities - a must read for any transform developer. The document also takes a look at the future of the TDS.

Here is the index of the document - click to read.

Finally the framework / source code can be found [here]. We recommend that you print out the guide and keep it next to your bed. Or in the bathroom - where ever you are going to have the most free time.

Enjoy!

RT

Thursday, February 28, 2013

Maltego Tungsten...

Video of alpha release -- soon...

RT

Friday, February 22, 2013

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite by chance we decided to load all the DNS names (FQDNs) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such a sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW - it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to 0.0.0.0:



Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. Only the people that registered the domains would know. Which might be the APT1 group. If they're really a group. And we don't really care...

Here's a graph that clearly shows multiple IPs in use, and obvious collusion between domain owners.



We've also looked at countries, NS records, netblocks, AS numbers, whois details (some are interesting!) etc. It's hard to conclude anything from the info without knowing how the data was obtained. There are some patterns for sure. Names pop up more than once. Some address schema.

In the end we can only hope that you enjoyed our marketing material.
RT

Tuesday, February 19, 2013

CCC: China! C300!! Collaboration!!!

It seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina

China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:


Somehow related - the gov.cn zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the same as your grandma's internal IP range at home.


2. Almost all of the infrastructure is located in China (no surprise), but there were two or three IPs in the US (surprise). Initially we thought that was a bug in the IP2Location transform. So we checked it by hand. Sure enough - it's in the US.
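
As an added illustration (not from the original posts, and not the gov.cn or APT1 data), here is a small Python check that sorts resolved addresses into the buckets the two write-ups above look at: names that now point to 0.0.0.0 and names that resolve to internal (RFC 1918 style) space rather than public addresses. The (name, address) pairs are constructed placeholders, and the function names classify and audit are this example's own.

```python
import ipaddress

# Constructed sample of (DNS name, resolved address) pairs. Placeholders
# only; none of these are real names or addresses from either report.
SAMPLE_RESOLUTIONS = [
    ("scrubbed.example.test", "0.0.0.0"),      # sinkholed / dead record
    ("intranet.example.test", "10.1.2.3"),     # RFC 1918 10/8
    ("lab.example.test", "172.16.40.7"),       # RFC 1918 172.16/12
    ("www.example.test", "172.32.0.1"),        # just outside 172.16/12: public
    ("mx.example.test", "11.22.33.44"),        # constructed public-looking address
    ("bad-record.example.test", "not-an-ip"),  # garbage in the export
]


def classify(address):
    """Label one resolved address:
       'sinkhole' for 0.0.0.0, 'private' for RFC 1918 / loopback / link-local
       space, 'public' otherwise, and 'invalid' if it does not parse."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    # check the unspecified address first: some Python versions also count
    # 0.0.0.0/8 as private, which would hide the sinkhole pattern
    if ip.is_unspecified:
        return "sinkhole"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"


def audit(resolutions):
    """Group names by class. In a zone export the 'private' bucket is the
    one that leaks internal naming, and 'sinkhole' marks scrubbed entries."""
    report = {"sinkhole": [], "private": [], "public": [], "invalid": []}
    for name, addr in resolutions:
        report[classify(addr)].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_RESOLUTIONS).items():
        print(f"{bucket:9s} {len(names):3d}  {', '.join(names)}")
```

Feed it the name/address pairs exported from a Maltego graph (or any resolver output) and the counts per bucket give you the same two observations the posts make, without having to eyeball the graph.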

Of course this is where we stopped because we are civilized, suit-wearing responsible adults. But someone (you know who you are) did not. They proceeded to nmap all of these in Maltego. And then mailed us the graph (while it's interesting, we did not ask for this). It even prompted Roelof to Tweet the following:


Of course the graph is interesting. It shows that, if you were to do a conventional infrastructure over-the-Internet attack [that's like...so 90s - Ed], it looks like there's a nice cosy attack surface [it's a giant honeypot - Ed]. In the graph below we ONLY look at port 23 (telnet) and 22 (SSH):


Why is this picture so blurry? Ag no man - don't be silly! We're pretty sure the Americans/pick a 1st world country are not sitting on their hands either and have pictures just like this on their pretty 4K projectors. In fact - we would just love to see the (translated!) Chinese intelligence reports on US based attacks...

[C]anon [C]300

Canon South Africa was nice enough to let us use their spare C300 for a week. A week! It meant we had to do a lot of videos in a short space of time. We ended up doing three. One we are keeping for the BlackHat CFP prize. The other two we put out on the Interwebs. The first one is just a recap of navigation in Maltego. We did this as our nerves were getting pretty thin with people navigating Maltego with scroll bars. The video was shot at a dairy that's across the street from our office (no really). What made the video really interesting was the fact that a black swan chased Andrew around. Here is a still of Andrew gracefully defending himself with a metal table. For more - click on the video below:


The second video was a lot more serious. Andrew wore a suit. OK, he didn't but the video was a lot darker and moody. We looked at how you could use Maltego with Machines that run perpetually to create a type of intelligence dashboard. Furthermore we showed how you can easily create alerts in Maltego - in our case when two people phoned that same 3rd party. Here's a still from the video:


Why does Andrew start with 'Hi James'? It's a tricky question. Ask him next time you see him. It's a nice video and although we released it on a Friday afternoon we almost have a thousand views on it today.

Thanks to Canon for letting us use their C300! Now we just need to convince the guys at RED to do the same...

[C]ollaboration

Last Friday we went to the developer's cave to get a demo of collaboration. It's VERY freaky to see how a Maltego graph updates on an untouched computer. It's also quite fabulous and it's going to change everything. Oh, and we also support real time chat right inside the client. Best part - NO SERVER required. Unless of course you're paranoid and don't believe us that the messages are 256 bit AES encrypted with a user-chosen passphrase. Then you are welcome to buy your own comms server.

As soon as we have something that is barely stable we'll show you. It's SOOOO cool!! [OK we can all see you're really excited about it, but please contain yourself - Ed]

[C]heers!
RT

Friday, December 28, 2012

Manually linking one node to multiple others

Someone asked support@paterva.com: "It is very tedious to put five thousand arrows of emails to a single identity. Is there any way to make this easier?" There is indeed an easier way and I thought I'd put the recipe out here on the blog:

Follow these easy steps to link many nodes to a single node:
  1. Select the many nodes.
  2. Move the mouse pointer so that it hovers over the single node, but don't select it.
  3. Left click on the single node AND hold the left click button in.
  4. Drag a line to any of the many nodes.
The single node will now be linked to the many nodes with multiple links, but the links point the wrong way and their direction must be inverted.

We now need to select all these links and invert their direction. To do this:
  1. Select the single node.
  2. On the ribbon go to Investigate -> Select links -> Outgoing. You can also do this by holding control and dragging a box around the links.
  3. On the ribbon - Investigate -> Reverse Links.
  4. Voila!
For those that need pictures - here they are:


Thursday, December 20, 2012

Maltego Radium Community Edition Released!

Hi there.

As promised, and on time, we are proud to release the community edition of Maltego Radium.

Some of the major features of Radium are:
  • Use of machines (transform sequences - use, edit and build your own!)
  • Incremental auto update (you don't need to download an 80MB release ever again)
  • Full screen mode (think dashboard)
  • Massive memory and speed optimization
  • Sound (useful when you switch to something else and want to know when your transforms are done)
  • Find in files (only added this some weeks ago to the Commercial edition!)
  • And much much more...(tm)
We have also upgraded the community server to leverage all the new cool goodies (like link style/color, notes on entities etc) that Maltego Radium offers.

To get the new Maltego Radium Community Edition simply download the community edition from our [website] - or click below:


The huge improvements that used to be only available to commercial users are now available for everyone! Having said that - results are still limited to 12. This also applies to machines - you can only have 12 entities in a pipeline.

We hope everyone has a great time using our new product!
RT