Fingerprinting A Network With Standard Transforms
There are over 150 Standard Transforms that come with Maltego. Download them from the Transform Hub for free.
After installing, you can find examples of the types of Transforms that can be run in the Transform Manager:
Install the Transforms from Home > Transform Hub
To see the Transforms installed, starting from the top menu bar go to:
Transforms > Transform Manager > Transform Servers > Paterva CTAS (Standard Transforms)
Transforms > Transform Manager > Transform Servers > Maltego* (Standard Transforms)
After reviewing the Transforms we can start by dragging a Domain Entity from the Entity Palette and running:
Standard Transforms > DNS from Domain > To Website [Quick lookup]
Standard Transforms > Resolve to IP
Standard Transforms > DNS from IP
The DNS protocol translates Domain Names into machine-readable IP Addresses.
This makes it possible to type a Domain Name into a web browser’s address bar instead of an IP Address.
Using Standard Transforms > All Transforms on a DNS Name Entity we can see the related:
- DNS Names
- IP Addresses
Try running Standard Transforms > DNS from IP on an IP Address Entity.
Different DNS Names can be discovered from different Entities.
Standard Transforms can determine the location of an IP Address.
Standard Transforms > IP owner detail > To Location [city, country]
More elaborate networks like SpaceX have more infrastructure to scan and higher security.
Create the Domain Entity spacex.com
Run Standard Transforms > DNS from Domain
Run Standard Transforms > All Transforms on the Domain Entity spacex.com
Run Standard Transforms > DNS from IP on the Website Entity www.spacex.com
The results are different from the Domain Entity scan.
Select the DNS Names found from the Domain Entity spacex.com.
From these DNS Name Entities run the Transform:
Standard Transforms > Resolve to IP
This returns the IP Addresses of the selected DNS Names.
Select all Entities on your graph (Ctrl + A) and run:
Standard Transforms > To Website Title
Standard Transforms > To Website [Quick lookup]
Standard Transforms > To Website using IP [Bing]
This will return the Website URLs and Website Titles.
Digging deeper, we can check some of these URLs in a web browser.
Stargate.spacex.com is protected by a Palo Alto Networks GlobalProtect portal.
Auth.spacex.com is SpaceX’s Multi-Factor Authentication login.
Mail.spacex.com redirects to a login portal.
Iss-sim.spacex.com is a SpaceX ISS Docking Simulator.
To find emails in an organization, take full advantage of Maltego’s Search Engine integration and do some Search Engine Dorking.
Drag a Phrase Entity from the Entity Palette and input:
The * means ANY string before , and the “” means search EXACTLY for this string. This is a Regular Expression.
Running All Transforms > To Email Addresses [using Search Engine] will return any email containing @spacex.com.
To find MX Servers on a Domain Entity run:
Standard Transforms > DNS from Domain > To DNS Name MX [mail server]
Run Standard Transforms > All Transforms to return the IPs and DNS Names of the MX Entities.
A Netblock is a range of IP addresses. Netblocks are useful for gaining information about how a target has set up their network.
Select all Entities on your graph (Ctrl + A) and run All Transforms > To Netblock [Using routing info]
For bigger Graphs, expand your view to full screen (Alt + Enter) and switch to circular view from the top menu under “View”
SpaceX has their Mail Server & login portal in the same Netblock, along with some DNS Names & IP Addresses.
They also have their Stargate login portal (Palo Alto) & Multi-Factor Authentication login portal on this Netblock.
Associated websites like SpaceX Shop, Returns, Rideshare and ISS Simulator are hosted on different Netblocks.
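The same Netblock grouping can be reproduced outside Maltego when reviewing which of your own organisation's services share an address range. This is an added example, not part of the original tutorial or of Maltego; the host names, addresses and prefixes are constructed (example.com and RFC 5737 documentation ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: example.com names and RFC 5737 documentation
# addresses standing in for DNS Name -> IP results exported from a graph.
RESOLVED = {
    "mail.example.com": "192.0.2.10",
    "auth.example.com": "192.0.2.25",
    "vpn.example.com": "192.0.2.40",
    "shop.example.com": "198.51.100.7",
    "sim.example.com": "203.0.113.99",
}
# Constructed routed prefixes; the /28 overlaps the /24 on purpose.
NETBLOCKS = ["192.0.2.0/24", "192.0.2.32/28", "198.51.100.0/24"]
# Hosts treated as sensitive in this example (login and mail services).
SENSITIVE = {"mail.example.com", "auth.example.com", "vpn.example.com"}


def group_by_netblock(resolved, netblocks):
    """Map each netblock to the DNS names whose IP falls inside it."""
    # Most specific prefix first, so overlapping blocks resolve to the
    # longest match, as a routing table would.
    nets = sorted((ipaddress.ip_network(n) for n in netblocks),
                  key=lambda n: n.prefixlen, reverse=True)
    groups = defaultdict(list)
    for name, ip in sorted(resolved.items()):
        addr = ipaddress.ip_address(ip)
        block = next((n for n in nets if addr in n), None)
        groups[str(block) if block else "unmatched"].append(name)
    return dict(groups)


def shared_sensitive_blocks(groups, sensitive):
    """Return netblocks that host two or more sensitive services."""
    shared = {}
    for block, names in groups.items():
        hits = [n for n in names if n in sensitive]
        if block != "unmatched" and len(hits) >= 2:
            shared[block] = hits
    return shared


if __name__ == "__main__":
    groups = group_by_netblock(RESOLVED, NETBLOCKS)
    for block, names in groups.items():
        print(block, names)
    print("review:", shared_sensitive_blocks(groups, SENSITIVE))
```

Netblocks returned by `shared_sensitive_blocks` are the ones worth reviewing for segmentation, since several authentication or mail services sit in one range.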
An Autonomous System (AS) is a group of IP Networks that is assigned a number; each number has a specific routing policy.
This Netblock’s AS Number is 27277, located in Los Angeles, California, and owned by Space Exploration Technologies.
All Transforms > To AS Number