Thursday, February 28, 2013

Maltego Tungsten...

Video of alpha release -- soon...

RT

Friday, February 22, 2013

Pretty pictures: Appendix D (Mandiant) in Maltego

Out of pure curiosity and quite by chance we decided to load all the DNS names (FQDNs) from the Mandiant APT1 report (Appendix D) into Maltego, resolve them to IPs, extract the domains and so on and so forth.

OK right, we'll come clean - also to do some marketing - with such a sensational list of DNS names who can resist! And it was not out of curiosity - someone suggested it. Plus we wish Mandiant had put some Maltego graphs in that report because it would help us sell licenses. And it would make the report look pretty and actually - BTW - it's really useful to see patterns.

And indeed there are some interesting patterns. It seems some of the domains have been scrubbed (or perhaps they were never in use, we would not know without looking at historical DNS and that seems like lots of work) with all of the names now pointing to 0.0.0.0:



Below is a very different section of the graph showing shared infrastructure. Perhaps these were used at the same time, for the same purpose. Only the people that registered the domains would know. Which might be the APT1 group. If they're really a group. And we don't really care...

Here's a graph that clearly shows multiple IPs in use, and obvious collusion between domain owners.



We've also looked at countries, NS records, netblocks, AS numbers, whois details (some are interesting!) etc. It's hard to conclude anything from the info without knowing how the data was obtained. There are some patterns for sure. Names pop up more than once. Some addressing schemes repeat.

In the end we can only hope that you enjoyed our marketing material.
RT

Tuesday, February 19, 2013

CCC: China! C300!! Collaboration!!!

It seems we should call it Cebruary as everything that happens this month seems like it's C-ish.

[C]hina

China is in the news with the Mandiant APT paper (I am not going to bother linking it, it's everywhere). An interesting read for sure - kudos to everyone involved. We are never keen to pick sides but found the Bloomberg TV spot (on the same topic) that shows Maltego quite interesting. Here's a screen shot and a link:


Somehow related - the gov.cn zone leaked a few weeks ago and we thought it would be interesting to see how these DNS names resolve to IP addresses. From the IP addresses we went to netblocks, from there to country. And that's where we stopped. The most interesting points to note were:

1. There were quite a few DNS names that resolved to internal IP addresses (mostly 10.*, but some 172.16s as well). Before you freak out - no - we're not showing the DNS names corresponding to these blocks. You can go do that yourself. And yes, these could be the same as your grandma's internal IP range at home.


2. Almost all of the infrastructure is located in China (no surprise), but there were two or three IPs in the US (surprise). Initially we thought that was a bug in the IP2Location transform. So we checked it by hand. Sure enough - it's in the US.
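As an added example (not Paterva's code or a Maltego transform), the resolve, extract-domain and group-by-shared-IP steps from the Appendix D post above, plus the 0.0.0.0 and internal-range (10/8, 172.16/12) checks from point 1, run over a constructed list of resolutions so it works offline; all names and addresses are made up.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of FQDN -> resolved IPv4. These are NOT indicators from
# the Mandiant report or the gov.cn zone; they only stand in for that data.
RESOLUTIONS = {
    "update.example-c2.test": "0.0.0.0",
    "news.example-c2.test": "0.0.0.0",
    "mail.example-shared.test": "203.0.113.10",
    "www.example-shared.test": "203.0.113.10",
    "ftp.example-other.test": "203.0.113.10",
    "intranet.example-gov.test": "10.1.2.3",
    "portal.example-gov.test": "172.16.5.9",
    "lone.example-single.test": "198.51.100.7",
}

# RFC 1918 ranges spelled out, so documentation ranges like 203.0.113/24
# (which ipaddress also reports as non-global) still count as routable here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ip_str):
    """Return 'scrubbed', 'internal' or 'routable' for a resolved address."""
    ip = ipaddress.ip_address(ip_str)
    if ip == ipaddress.ip_address("0.0.0.0"):
        return "scrubbed"          # name now points nowhere (scrubbed/parked)
    if any(ip in net for net in RFC1918):
        return "internal"          # resolves into a private range
    return "routable"

def registered_domain(fqdn):
    """Crude 'extract the domain' step: keep the last two labels."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])

def shared_infrastructure(resolutions, min_domains=2):
    """IP -> sorted distinct registered domains, for IPs that at least
    min_domains different domains point at (the 'shared infrastructure')."""
    by_ip = defaultdict(set)
    for fqdn, ip in resolutions.items():
        if classify(ip) == "routable":
            by_ip[ip].add(registered_domain(fqdn))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}

def triage(resolutions):
    """Bucket every FQDN under its classification."""
    buckets = defaultdict(list)
    for fqdn, ip in resolutions.items():
        buckets[classify(ip)].append(fqdn)
    return {k: sorted(v) for k, v in buckets.items()}

if __name__ == "__main__":
    for bucket, names in triage(RESOLUTIONS).items():
        print(bucket, names)
    print(shared_infrastructure(RESOLUTIONS))
```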

Of course this is where we stopped because we are civilized, suit-wearing responsible adults. But someone (you know who you are) did not. They proceeded to nmap all of these in Maltego. And then mailed us the graph (while it's interesting, we did not ask for this). It even prompted Roelof to Tweet the following:


Of course the graph is interesting. It shows that, if you were to do a conventional infrastructure over-the-Internet attack [that's like...so 90s - Ed], it looks like there's a nice cosy attack surface [it's a giant honeypot - Ed]. In the graph below we ONLY look at port 23 (telnet) and 22 (SSH):


Why is this picture so blurry? Ag no man - don't be silly! We're pretty sure the Americans/pick a 1st world country are not sitting on their hands either and have pictures just like this on their pretty 4K projectors. In fact - we would just love to see the (translated!) Chinese intelligence reports on US based attacks...

[C]anon [C]300

Canon South Africa was nice enough to let us use their spare C300 for a week. A week! It meant we had to do a lot of videos in a short space of time. We ended up doing three. One we are keeping for the BlackHat CFP prize. The other two we put out on the Interwebs. The first one is just a recap of navigation in Maltego. We did this as our nerves were getting pretty thin with people navigating Maltego with scroll bars. The video was shot at a dairy that's across the street from our office (no really). What made the video really interesting was the fact that a black swan chased Andrew around. Here is a still of Andrew gracefully defending himself with a metal table. For more - click on the video below:


The second video was a lot more serious. Andrew wore a suit. OK, he didn't but the video was a lot darker and moody. We looked at how you could use Maltego with Machines that run perpetually to create a type of intelligence dashboard. Furthermore we showed how you can easily create alerts in Maltego - in our case when two people phoned that same 3rd party. Here's a still from the video:


Why does Andrew start with 'Hi James'? It's a tricky question. Ask him next time you see him. It's a nice video and although we released it on a Friday afternoon we almost have a thousand views on it today.

Thanks to Canon for letting us use their C300! Now we just need to convince the guys at RED to do the same...

[C]ollaboration

Last Friday we went to the developer's cave to get a demo of collaboration. It's VERY freaky to see how a Maltego graph updates on an untouched computer. It's also quite fabulous and it's going to change everything. Oh, and we also support real time chat right inside the client. Best part - NO SERVER required. Unless of course you're paranoid and don't believe us that the messages are 256-bit AES encrypted with a user-chosen passphrase. Then you are welcome to buy your own comms server.

As soon as we have something that is barely stable we'll show you. It's SOOOO cool!! [OK we can all see you're really excited about it, but please contain yourself - Ed]

[C]heers!
RT