Skip to main content

New infra enum transforms - with sweet example

We're happy to release a couple of simple transforms via the TDS that assist with the foot printing / enumeration of infrastructure. These are:

  • NetblockToNetblocks
Essentially this transform breaks large networks into smaller chunks of networks. This is useful when you have transforms (such as reverse DNS, portscans etc) that only works on class C networks...and you are stuck with a class B.

  • NetblockToIPs
Shows every IP within the netblock as a separate IP address entity. Useful when you need to run a transform on an IP address itself, and want to repeat the process over all the IP addresses in the network. An example of this will follow.

  • WebsitetoDNSName
  • NStoDNSName
  • MXtoDNSName
These transform simply converts the NS,MX or website to a DNS name so that the enumerate numerically transform can work on it. In other words - see the next transform..

  • enumerateHostNamesNumerically
This transform will test for the existence of DNS names that end with the same name, but another number. As example - if ran on it will check for mx1, mx2, The range and padding can be set with transform settings.


How is this interesting at all (because frankly, on the surface it looks pretty boring) ? Let's look at examples. Let's assume we are are foot printing a domain called (if you missed that class - EOP is the Executive Office of the President - which, network wise, is a lot more interesting than We run the 'Find common DNS name' transform on this, and end up with a graph like this:

Clearly ns1 is a good candidate to be enumerated numerically. And so we shall:

The transform will ask us for some transform settings:

And ends up producing a graph looking like so:

With a couple of more transforms, a little re-arrangements and manual linking we get:

The resultant DNS entries (at the bottom of the screen shot, and produced by looking at reverse DNS within those netblocks) also looks yummy for numerical enum, so we'll run them too (but perhaps from 0 to 99 with one digit padding). You end up with graph looking like this:

In the end we'll take all of the DNS names, copy them to a new graph and resolve them to IP addresses. This gives us:

For the next step we'll use one of the other new transforms. We'll take the two blocks, and enum them to individual IP address entities. Why? You'll soon see. But first, this is what it should look like:

The blue dots are the IP addresses. The 'hands' sticking out at the sides are IP addresses that were discovered from two transforms, resolving the DNS names, and the enum. Sonowwhat? Now, we'll put every IP address into a search engine and see if there is any results. EH? Well, when anyone browses the 'net the site that they browse probably records the IP address in a log...and sometimes, just sometimes...those logs get index by a search engine. So - we end up with a graph that gives us a list of websites that were visited by that IP address. You might think it does that happen a lot - but you'll be surprised. Hereby the resultant graph:

The blue dots are IP addresses, the pink ones are websites where that IP address was found. This is the edge weighted view, so the larger the sphere, the more IP addresses pointed there. Of course, IP addresses don't just end up in logs that gets indexed. This closeup shows you why:

In fact, the more interesting sites are the ones that are only visited once or twice. We can also weed out the false positives (sorry Rob, in this case that's you) by searching our graph for words like 'usage stats' and the likes. The results then start looking a lot better - here is a small portion of the graph:

In the detail view we can see when and what were visited:

If you missed the point of this whole mission - it was to see if we can figure out to which web sites the people in the Whitehouse browsed to..

Anyhow - this was just a *brief* idea of where you can go with these transforms. On their own they are boring and bland, but when used with others they sparkle.

OK, initially I thought "brief" and then I ended up spending 45 minutes on it (most of the time copy and pasting the graphs, cropping them and struggling with this web interface blog editor).
Also, before I forget, and your reward for reading all of this - the seed for these transforms can be found here:
You may use instructions on [this blog post] to see how to get these into Maltego. They don't need any special entities. So it's load, discover and play.

Crisp out,


Popular posts from this blog

Maltego 4 CE / Kali Linux release is ready for download!

Hi there,

We're happy to announce that Maltego 4 is now (finally) ready for the masses! We're releasing the community (free) edition today and the Kali distros have been updated by the kind people from Offensive Security (thanks Dookie/Muts!).  In other words - we're ready to roll on a major upgrade of your favorite information visualization tool.

(click on the image above to see our very grown-up/proper promotional video of Sandra the 15 year old Dachshund and Maltego/Kali Linux. !(We plan to screen this at our booth at a major conference.))

Our decision to make CaseFile free with the release of Maltego 4 had some interesting side-effects. In CaseFile importing data from CSV/XLS was enabled. So too printing. And reporting. So when we made CaseFile free it did not make sense to limit the Kali/CE releases - you'd simply open CaseFile, import the data and save the graph - then open in CE.

So - bottom line - reporting/printing/CSV import is now enabled in the free release…

Abracadabra! It's Sho(dan) time!

Shodan -- used by pentesters, stalkeˆWˆWˆWresearchers and data scientists everywhere to analyze information about computers on the Internet. From webcams to SCADA to looking at where various SSL information in certificates can tie organisations together. It is a common tool used by many different people. We really wanted to get some Maltego goodness on that!

TL;DR -- You can get the Shodan transforms in the transform hub right now. To use all of the different transform options (or you can stick with the free options) you can simply click on settings in the transform hub after installing to add your API key.

There have been transforms written for Shodan before, but we really felt like they needed refreshing. So we took it upon ourselves to look at the information provided by Shodan and decide how we could integrate it into the needs of Maltego users. We first started by looking at what information was readily and easily available and then if it was useful in an n-th order graph. This is…

Visualising the Bitcoin Blockchain in Maltego

This post will provide a quick overview of our new Maltego transforms for visualizing the Bitcoin blockchain. There are 11 new transforms in the seed which use’s API to query data from the blockchain.

(Screenshot's in this post are taken with the Maltego 4 beta release.)
Before we begin, it is important to have an understanding of how Bitcoin and their transactions work so I will start with an overview of some of the main concepts:
Bitcoin Overview
Bitcoin address: Bitcoin addresses are transaction endpoints that are used to send Bitcoin to another person. A person can generate as many addresses as they want and people should (which they often don’t) use a new address for every transaction that is made. An address is represented with a 26-35 sequence of alphanumeric characters and looks like this: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2. For a more in-depth explanation of Bitcoin addresses you can have a look at the Bitcoin Wiki here.
Bitcoin wallet: A Bitcoin wallet is …