What is Maltego? Link Analysis and Threat Intelligence in Detail
Maltego is a powerful data mining tool for link analysis and threat intelligence. It lets users visualize relationships between entities such as domains, IP addresses, emails, people, and organizations. It is a standard tool in the cybersecurity professional's toolkit.
Maltego was developed by Paterva (headquartered in South Africa) and is well known in the penetration testing and OSINT (Open Source Intelligence) communities.
Maltego Use Cases
1. Threat Intelligence
- Trace threat actors’ infrastructure
- Map attack campaign infrastructure
- Track malware distribution networks
- Correlate IOCs (Indicators of Compromise)
2. Digital Forensics
- Investigate email impersonation
- Trace source of attacks
- Find connections between suspects
- Map criminal infrastructure
3. Penetration Testing
- Reconnaissance phase automation
- Discover external infrastructure
- Map target organization’s footprint
- Find relationships between assets
4. OSINT Research
- Background checks on individuals
- Corporate due diligence
- Brand protection research
- Competitive intelligence
Maltego Editions
| Edition | Price | Features |
|---|---|---|
| Community | Free | Limited transforms, basic graphs, Hub items |
| Classic | ~€999/year | Full transforms, bigger graphs, team sharing |
| XL | ~€2,499/year | Advanced transforms, API access, custom transforms |
| Enterprise | Custom | All features + support + training |
Entities in Maltego
DNS Entities
- Domain: example.com
- DNS Name: mail.example.com
- IP Address: 192.168.1.1
- MX Record: mail server info
- NS Record: nameserver info
Contact Entities
- Email Address: john@example.com
- Person: Name with possible affiliations
- Phone Number: Phone records
Web Entities
- URL: https://example.com/page
- Website: Domain with web presence
- Link: URL relationships
Infrastructure Entities
- AS Number: Autonomous System
- Netblock: IP range
- Location: Geographic location
- Company: Business entity
Transforms in Maltego
Transforms are operations that take an entity and discover related entities. Maltego has hundreds of transforms from built-in sources and the community Hub.
Built-in Transforms
| Transform | Function |
|---|---|
| To DNS Name → DNS Name → MX | Find mail servers for domain |
| To Domain → To Website | Find associated websites |
| To Person → To Email Addresses | Find person’s email addresses |
| To IP Address → To City | Geolocate IP address |
| To Domain → To Registrant | Find domain registration info |
Popular Hub Transforms
- Shodan: Find devices exposed on the internet
- Have I Been Pwned: Check if email in breaches
- VirusTotal: Scan and research IOCs
- Hunter.io: Find email addresses by company
- Fullcontact: Person enrichment
Using Maltego: Examples
1. Investigate a Domain
- Drop Domain entity for target.com
- Run “To DNS Name” transform → find subdomains
- Run “To Website” transform → find web servers
- Run “To Registrant” transform → find registration details
- Run “To MX” transform → find mail servers
- Continue expanding relationships
2. Track Threat Actor Infrastructure
- Start with known malicious IP
- Run “To DNS Name” → find hosted domains
- Run “To Domain → To Registrant” → find registrant
- Run “To Email Address → To Person” → find actor’s identity
- Build comprehensive infrastructure map
3. Email Investigation
- Start with phishing email address
- Run “To Person” → find associated name
- Run “To Phone Numbers” → find linked phones
- Run “To Domains” → find owned domains
- Cross-reference with breach databases
Maltego CE (Community Edition) Limitations
| Limitation | Impact |
|---|---|
| 30 results per transform | Can’t see complete datasets |
| No API access | Can’t automate workflows |
| Limited transforms | Missing many commercial sources |
| No team sharing | Can’t collaborate easily |
| No persistence | Data lost on close (free) |
Maltego in the Security Workflow
Reconnaissance Phase
```text
# Example: Passive reconnaissance for pentest
1. Start with target company domain
2. Discover subdomains (DNS enumeration)
3. Find associated IP ranges
4. Discover email patterns
5. Map employee names to emails
6. Find social media accounts
7. Document findings in graph
```
Threat Intelligence Investigation
```text
# Example: Investigate malware campaign
1. Start with malicious URL from sandbox
2. Run transforms to discover infrastructure
3. Map all domains hosted on same IP
4. Find registrant details for campaign domains
5. Track historical changes (passive DNS)
6. Correlate with other known campaigns
7. Create IOCs for team
```
Incident Response
```text
# Example: Investigate phishing attack
1. Extract sender email and domain
2. Find all domains registered by same entity
3. Map infrastructure (IPs, nameservers)
4. Correlate with other phishing campaigns
5. Identify attacker's real identity if possible
6. Create blocks/bounces based on findings
```
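The three workflows above are the same operation repeated: pivot from a seed indicator through shared hosting and shared registrant details, then turn the corroborated results into IOCs for the team. The following is an added example in plain Python (not Maltego's own code) that performs that pivoting over constructed passive-DNS and WHOIS-style records. Every hostname, address and e-mail in it is invented sample data (RFC 2606 names, RFC 5737 address ranges), not a real indicator. It also handles the failure mode analysts hit most often: a shared hosting IP or a privacy-proxy registrant address links thousands of unrelated tenants, so hub nodes above `max_degree` are recorded but not expanded through, and only domains with registrant reuse, not mere co-hosting, make it onto the block list.

```python
# Added example: breadth-first pivoting over constructed records, the logic
# behind chaining "To DNS Name" / "To Registrant" / "To Domain" transforms.
from collections import deque

# Constructed passive-DNS style records: (domain, hosting IP).
HOSTING = [
    ("login-secure-bank.example", "203.0.113.10"),
    ("bank-verify.example", "203.0.113.10"),
    ("cdn-static.example", "203.0.113.10"),
    ("invoice-portal.example", "198.51.100.7"),
    ("shared-host.example", "203.0.113.10"),
]

# Constructed WHOIS style records: domain -> registrant e-mail.
REGISTRANT = {
    "login-secure-bank.example": "ops@mailer.example",
    "bank-verify.example": "ops@mailer.example",
    "cdn-static.example": "hosting@provider.example",
    "invoice-portal.example": "ops@mailer.example",
    "shared-host.example": "unrelated@other.example",
}


def neighbours(entity):
    """Entities one pivot away: ip -> co-hosted domains, domain -> hosting IP
    and registrant, email -> domains registered with it."""
    kind, value = entity
    out = set()
    if kind == "ip":
        out |= {("domain", d) for d, ip in HOSTING if ip == value}
    elif kind == "domain":
        out |= {("ip", ip) for d, ip in HOSTING if d == value}
        if value in REGISTRANT:
            out.add(("email", REGISTRANT[value]))
    elif kind == "email":
        out |= {("domain", d) for d, e in REGISTRANT.items() if e == value}
    return out


def expand(seed, max_depth=3, max_degree=50):
    """Breadth-first expansion from a seed IOC; returns {entity: (depth, parent)}.
    Non-seed nodes with more than max_degree neighbours (shared hosting IPs,
    privacy-proxy registrant addresses) are kept but never expanded through,
    because they connect unrelated tenants and would flood the graph."""
    seen = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        depth = seen[cur][0]
        if depth >= max_depth:
            continue
        nbrs = neighbours(cur)
        if cur != seed and len(nbrs) > max_degree:
            continue
        for nxt in sorted(nbrs):
            if nxt not in seen:
                seen[nxt] = (depth + 1, cur)
                queue.append(nxt)
    return seen


def corroborated_domains(graph):
    """Domains tied to the cluster by registrant reuse. A shared IP alone is
    weak evidence (shared hosting), so keep only domains whose registrant
    e-mail is reused by at least one other domain in the graph."""
    domains = [v for (k, v) in graph if k == "domain"]
    by_email = {}
    for d in domains:
        by_email.setdefault(REGISTRANT.get(d), []).append(d)
    return sorted(d for d in domains if len(by_email[REGISTRANT.get(d)]) >= 2)


def block_list(graph):
    """IOC hand-off for the team: corroborated domains plus every IP they
    were observed hosted on."""
    domains = set(corroborated_domains(graph))
    ips = {ip for d, ip in HOSTING if d in domains}
    return {"domains": sorted(domains), "ips": sorted(ips)}


if __name__ == "__main__":
    g = expand(("ip", "203.0.113.10"))
    for ent, (depth, parent) in sorted(g.items(), key=lambda kv: kv[1][0]):
        print(f"{'  ' * depth}{ent[0]}:{ent[1]}  (via {parent})")
    print(block_list(g))
```

In the sample data, `shared-host.example` and `cdn-static.example` sit on the same IP as the seed but have unrelated registrants, so the expansion shows them (an analyst wants to see them) while the block list leaves them out; `invoice-portal.example` is on a different IP but shares the registrant and is therefore included, together with its IP.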
Maltego Alternative Tools
| Tool | Focus | Price |
|---|---|---|
| Maltego | Link analysis, all sources | €999+/year |
| ivre | Network recon, command-line | Free |
| Crunch | Data correlation, OSINT | Free |
| Obsidian | Personal knowledge graph | Free (self-hosted) |
Advanced Maltego Techniques
Machine Transforms
Machine transforms run automatically across entire graphs, helping discover patterns that manual transforms might miss.
- Run all transforms on all entities
- Discover hidden relationships
- Automate large-scale investigations
Custom Transforms (API)
Create custom transforms using the Maltego API (the maltego-trx Python library) to integrate proprietary data sources:
```python
# Example: custom transform class for the maltego-trx library
from maltego_trx.entities import Domain
from maltego_trx.maltego import MaltegoMsg, MaltegoTransform
from maltego_trx.transform import DiscoverableTransform

# Placeholder for the proprietary data source (company -> owned domains);
# replace with a real database or API lookup.
MY_COMPANY_DATABASE = {
    "Example Corp": ["example.com", "example.net"],
}


class MyCompanyDomains(DiscoverableTransform):
    """Input: a Company entity. Output: Domain entities the company owns."""

    @classmethod
    def create_entities(cls, request: MaltegoMsg, response: MaltegoTransform):
        company = request.Value  # value of the entity the transform was run on
        for domain in MY_COMPANY_DATABASE.get(company, []):
            entity = response.addEntity(Domain, domain)
            entity.setLinkLabel("owned by")


# Register the class in the maltego-trx project.py (register_transform_classes)
# and start the transform server with `python project.py runserver`,
# which listens on port 8080 by default.
```
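To make clear what a transform actually is (the definition given in the Transforms section above: an operation that takes one entity and returns related entities), here is an added example of a "local transform" written without the maltego-trx library, so the response format itself is visible. This is not Maltego's or Paterva's code. Maltego runs a local transform as a script, passes the selected entity's value as the first argument, and reads a `MaltegoTransformResponseMessage` XML document from standard output; the `link#maltego.link.label` field is the one the TRX library uses for link labels. The MX lookup table is constructed sample data standing in for a real DNS query.

```python
# Added example: a Domain -> MX Record local transform built by hand.
import sys
import xml.etree.ElementTree as ET

# Constructed sample data: domain -> mail servers (a real transform would
# obtain these with a DNS MX query).
SAMPLE_MX = {
    "example.com": ["mail1.example.com", "mail2.example.com"],
    "example.net": ["mx.example.net"],
}


def build_response(entity_type, values, link_label=None):
    """Wrap output entities in the XML envelope Maltego expects from a transform."""
    root = ET.Element("MaltegoMessage")
    msg = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(msg, "Entities")
    for value in values:
        ent = ET.SubElement(entities, "Entity", Type=entity_type)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = "100"
        if link_label:
            fields = ET.SubElement(ent, "AdditionalFields")
            field = ET.SubElement(fields, "Field",
                                  Name="link#maltego.link.label", DisplayName="Label")
            field.text = link_label
    ET.SubElement(msg, "UIMessages")  # empty: no status messages for the user
    return ET.tostring(root, encoding="unicode")


def domain_to_mx(domain):
    """The transform proper: input Domain value -> MX Record entities."""
    return build_response("maltego.MXRecord", SAMPLE_MX.get(domain, []),
                          link_label="mail for")


def parse_values(xml_text):
    """Read (type, value) pairs back out of a response; handy for pipelines and tests."""
    root = ET.fromstring(xml_text)
    return [(e.get("Type"), e.findtext("Value")) for e in root.iter("Entity")]


if __name__ == "__main__":
    # Maltego passes the entity value as argv[1]. A response with zero
    # entities is valid and simply adds nothing to the graph.
    print(domain_to_mx(sys.argv[1] if len(sys.argv) > 1 else ""))
```

An unknown domain yields a well-formed response with an empty `Entities` element rather than an error, which is the behaviour Maltego expects when a transform finds nothing.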
Pastebin Hunter
Search Pastebin for leaked credentials and sensitive data. Integrates with Maltego to track leak sources.
```text
# Maltego transform to search Pastebin
# Useful for: breach investigation, credential stuffing detection
1. Start with email address
2. Run transform to search Pastebin for leaks
3. Find all pastes containing that email
4. Analyze leaked data types
5. Correlate with other compromised accounts
```
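The defender's version of the steps above, as an added example in plain Python (not the Pastebin transform's or Maltego's own code): instead of starting from one address, it scans a set of paste texts for any address in a monitored domain, records which pastes each address appears in and whether a credential sat next to it, and correlates accounts that recur across pastes. The pastes are constructed sample text with invented addresses and passwords. Passwords are never stored or returned; the only thing kept is the fact that a secret was exposed, which is what is needed to force a reset and check for credential stuffing.

```python
# Added example: leak triage over constructed paste text.
import re
from collections import defaultdict

MONITORED_DOMAINS = {"example.com"}

# Constructed pastes: paste id -> text. All values are invented.
PASTES = {
    "p1": "alice@example.com:hunter2\nbob@example.com:Winter2023!\nmallory@other.example:xyz",
    "p2": "Contact: bob@example.com for access\ncarol@example.com;Passw0rd",
    "p3": "random text without any email",
}

# Any e-mail address; group 1 is the domain part, used for the monitored check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
# A whole line of the form "email:secret" or "email;secret" (common dump layout).
CRED_RE = re.compile(r"^\s*([^\s:;]+@[^\s:;]+)\s*[:;]\s*(\S+)\s*$", re.M)


def find_monitored_emails(text):
    """Addresses in the text whose domain is one we monitor."""
    return {m.group(0).lower() for m in EMAIL_RE.finditer(text)
            if m.group(1).lower() in MONITORED_DOMAINS}


def has_credential_for(text, email):
    """True if the address appears in an email:secret line; the secret is discarded."""
    return any(m.group(1).lower() == email for m in CRED_RE.finditer(text))


def triage(pastes):
    """email -> sorted list of (paste_id, credential_exposed) findings."""
    findings = defaultdict(list)
    for pid, text in pastes.items():
        for email in find_monitored_emails(text):
            findings[email].append((pid, has_credential_for(text, email)))
    return {email: sorted(hits) for email, hits in findings.items()}


def recurring_accounts(findings):
    """Accounts seen in two or more distinct pastes: likely re-shared dumps."""
    return sorted(e for e, hits in findings.items()
                  if len({pid for pid, _ in hits}) >= 2)


def reset_required(findings):
    """Accounts with at least one exposed credential: force a password reset."""
    return sorted(e for e, hits in findings.items()
                  if any(exposed for _, exposed in hits))


if __name__ == "__main__":
    result = triage(PASTES)
    for email, hits in sorted(result.items()):
        print(email, hits)
    print("recurring:", recurring_accounts(result))
    print("reset required:", reset_required(result))
```

Note that a bare mention of an address (the `p2` line for bob) is reported as a finding without a credential flag, so the analyst can distinguish "address was listed" from "address and secret were dumped"; the two call for different responses.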
Maltego for Defenders
- Brand monitoring: Track domain squatting, impersonation
- Supply chain security: Map vendor relationships
- Attack surface analysis: Discover external-facing assets
- Fraud investigation: Track scammer infrastructure
- Due diligence: Research partners/vendors
Privacy and Legal Considerations
Legal Boundaries
- Only use on systems you have permission for
- Public data only for OSINT
- Check terms of service for data sources
- Don’t use for stalking or harassment
Data Handling
- Don’t upload sensitive data to cloud services
- Encrypt findings at rest
- Handle PII carefully
- Document data sources for evidentiary value
Conclusion
Maltego is a powerful link analysis tool that is essential for cybersecurity professionals. It excels at visualizing complex relationships between entities, making it invaluable for threat intelligence, forensics, and OSINT research.
While the Community Edition has limitations, it is still powerful enough for many use cases. For advanced needs, the Classic or XL editions provide access to more transforms and API capabilities.