Skip to main content


Showing posts from 2013

Christmas special. Another useful Paterva tradition.


It's that time of the year again. When going grocery shopping feels like scene from The Walking Dead. Human meat density coefficient just waaay to high. Going to the office feels like a scene from The Walking Dead (but another episode). Not fun either way.

Since we moved to Cape Town about 3 weeks ago we still don't have formal offices and as such I am working from home (Andrew is back up in Gauteng spending time with family). I suspect many of you are doing the same - still very much connected, online and reading those emails marked as 'I'll get back to that when I am not so busy'.  Pro tip - start with 'Sorry for not getting back to you earlier'. It's already weird. Just face it.

Every year we run a Christmas special. And it's really a special - not a silly 10% off. In 2011 it was 50% off. In 2012 it was 33% off. This year -2013 - it's 50% again. We're all for consistency.  That means you get the commercial version at $380. Remember -…

Maltego CaseFile v2 released!

Maltego CaseFile version 1 was really cute. You could draw pretty pictures with it and show it to your friends. We even made a Game of Thrones graph with it - because we had friends that did not read the books and only started watching it at Season 3. And we were tired of explaining all the intricate relationships to them.

We didn't give CaseFile a lot of attention. In a way it was like washing your elbows. You wash your face and under your arms and so on.. but you don't actively think about washing your elbows. It's not like you would tell your child "Hey Pietie - make sure you wash your elbows tonight OK?". And so it was with us and CaseFile.

We released Maltego Tungsten at BlackHat USA in August this year. For the next couple of months CaseFile would sit next the Tungsten on the website. It would look at Tungsten with envy. Tungsten was shiny and new. It had nice shoes and a pretty dress. It was all grown up. CaseFile was left behind and it seemed that nobody…

Andrew makes a blog entry! Also the story of KingPhisher!

Hi Interwebtonians,

It has been absolutely ages since I have written a blog post - and its not from the lack of prodding from Roelof. We have genuinely just been busy!

Predominately I want to show you some of the work we had to do for Blackhat 2013 - my first BH talk ever! My section of the work was what we ended up calling 'KingPhisher' as well as the multi-threaded Python script to crawl websites for some parts of 'Teeth' (Roelof's offensive Maltego transforms).

    Video: [HERE]
    Download: [HERE]

A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email…

New version of CaseFile, Tungsten updates, prices

Hello people of the Interweb. We have some news for you.

CaseFile v2
We're happy to announce that very soon, we'll have a new CaseFile version coming out. It will contain all the graph sharing goodness you've come to expect of Maltego Tungsten, but in a CaseFile package. This means teams of analysts working with offline data can share graphs in realtime and even chat with each other.

CaseFile is like Maltego - but without transforms. We've realized that not all analysts need transforms - why do you have to pay for it? CaseFile used to be a glorified sketching application (selling at $200) with seamless compatibility with Maltego. Now, with real time graph sharing it's a lot more. We will be releasing CaseFile v2 very soon. Hereby a splash screen candidate of v2:

Tungsten update
We've created a new update for Tungsten - it solves a couple of pesky bugs we've had in the past, plus allows for better compatibility with XMPP servers (your own, public, or dedicated…

Vegas feedback, Tungsten release, Teeth install, KingPhisher etc etc.

After what seems to be a lifetime we're back safe and sound in South Africa. It's been a long trip - after Blackhat/Defcon we traveled a little further north west to conduct (another) four day training course.

Blackhat training
We trained two courses at Blackhat - back to back. In total - 42 students. It was fun. We mostly had skilled students and it's always great to see their 'AHA!' moments - when all the pieces come together and they understand our vision.

A pivotal moment for me personally was when I complained that my feet hurt on day 3 of BH training and the training room cleaner (an elderly man that's been in the war in Sarajevo) told me 'you're getting paid for this yes?'.  He survived a war and was cleaning rooms in a hotel in Las Vegas at minimum wage and I was complaining that my feet hurt. Perspective++.

Blackhat talk
The day after training we had our talk. All the demos worked (a special thanks to the networking guys for those 2x Ethernet…

UK based Magicians / Illusionist

A quick post.

I love to watch Derren Brown's shows. I wondered if he was on social media in a private capacity so started mapping relationships between people he works with. In the process I saw a large cloud forming around UK based illusionists, mentalists and 'magicians' and decided to focus on them.

If you ever seen a closed hyper connected community of people - here is the map:

BlackHat 2013, Tungsten preview, Trees

Hi all,

We decided to do a quick recap of what's happening around the Paterva office the last couple of weeks. 'Why?' you ask. Well - we recently had some visitors to our offices - they only followed our blog and not our Twitter account (@paterva if you wondered) and they were clearly uninformed about what we're up to.

Blackhat 2013 We recently showed Maltego to a group of hard core pen testers. Initially they were quite doubtful about how useful Maltego could be for them ('yes it makes pretty pictures - so what') - but after about 45 minutes we won them over and by the end of the day they bought licenses for the entire team and were making plans to integrate Maltego with their own tools. It yet again illustrated to us that it's not the tools you have but how well you know and use them. This is why we train at BlackHat USA in Las Vegas. At the end of every class students walk out saying 'We never knew you could do this with Maltego' and 'We neve…

TRX - Framework for writing Python transforms with the TDS

Hi there people from the Interwebs,

We wrote a 'framework' for writing Python transforms with the Maltego TDS. It's called TRX and it's pretty light, easy to use and very hip. It should see you writing kick ass transforms in no time - a complete transform could look as simple as this:

def trx_DNS2IP(m):
  TRX = MaltegoTransform()
    DNSName = socket.gethostbyname(m.Value)
  except socket.error as msg:
  return TRX.returnOutput() 

The document nicely explains the differences between local transforms and TDS transforms and also includes a complete entity reference guide as well as addressing the confusion between V2 and V3 entities - a must read for any transform developer. The document also takes a look at the future of the TDS.

Here is the index of the document - click to read.

Finally the framework / source code can be found [here]. …

Maltego Tungsten...

Video of alpha release -- soon...


Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite per chance we decided to load all the DNS names (FQDNS) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW- it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to

Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. O…

CCC: China! C300!! Collaboration!!!

It's seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:

Somehow related - the zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the …