Skip to main content

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite per chance we decided to load all the DNS names (FQDNS) from the Mandiant APT1 report (appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW- it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to 0.0.0.0:



Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. Only the people that registered the domains would know. Which might be the APT1 group. If they're really a group. And we don't really care...

Here's a graph that clearly shows multiple IPs in use, and obvious collusion between domain owners.



We've also looked at countries, NS records, netblocks, AS numbers, whois details (some are interesting!) etc. It's hard to conclude anything from the info without knowing how the data was obtained. There are some patterns for sure. Names pop up more than once. Some address schema.

In the end we can only hope that you enjoyed our marketing material.
RT

Comments

Popular posts from this blog

Maltego 4 CE / Kali Linux release is ready for download!

Hi there,

We're happy to announce that Maltego 4 is now (finally) ready for the masses! We're releasing the community (free) edition today and the Kali distros have been updated by the kind people from Offensive Security (thanks Dookie/Muts!).  In other words - we're ready to roll on a major upgrade of your favorite information visualization tool.


(click on the image above to see our very grown-up/proper promotional video of Sandra the 15 year old Dachshund and Maltego/Kali Linux. !(We plan to screen this at our booth at a major conference.))

Our decision to make CaseFile free with the release of Maltego 4 had some interesting side-effects. In CaseFile importing data from CSV/XLS was enabled. So too printing. And reporting. So when we made CaseFile free it did not make sense to limit the Kali/CE releases - you'd simply open CaseFile, import the data and save the graph - then open in CE.

So - bottom line - reporting/printing/CSV import is now enabled in the free release…

Abracadabra! It's Sho(dan) time!

Shodan -- used by pentesters, stalkeˆWˆWˆWresearchers and data scientists everywhere to analyze information about computers on the Internet. From webcams to SCADA to looking at where various SSL information in certificates can tie organisations together. It is a common tool used by many different people. We really wanted to get some Maltego goodness on that!

TL;DR -- You can get the Shodan transforms in the transform hub right now. To use all of the different transform options (or you can stick with the free options) you can simply click on settings in the transform hub after installing to add your API key.

There have been transforms written for Shodan before, but we really felt like they needed refreshing. So we took it upon ourselves to look at the information provided by Shodan and decide how we could integrate it into the needs of Maltego users. We first started by looking at what information was readily and easily available and then if it was useful in an n-th order graph. This is…

Visualising the Bitcoin Blockchain in Maltego

This post will provide a quick overview of our new Maltego transforms for visualizing the Bitcoin blockchain. There are 11 new transforms in the seed which use Blockchain.info’s API to query data from the blockchain.

(Screenshot's in this post are taken with the Maltego 4 beta release.)
Before we begin, it is important to have an understanding of how Bitcoin and their transactions work so I will start with an overview of some of the main concepts:
Bitcoin Overview
Bitcoin address: Bitcoin addresses are transaction endpoints that are used to send Bitcoin to another person. A person can generate as many addresses as they want and people should (which they often don’t) use a new address for every transaction that is made. An address is represented with a 26-35 sequence of alphanumeric characters and looks like this: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2. For a more in-depth explanation of Bitcoin addresses you can have a look at the Bitcoin Wiki here.
Bitcoin wallet: A Bitcoin wallet is …