Internet Forensics (Part 3) Robert McArdle ©2014

In this third part of our look at Internet Forensics we will be once more concentrating on the Maltego tool – this time looking at some additional uses of the tool, and how it can be extended to add additional transforms.

NOTE: Once more the videos in the lecture may be recorded on older versions of Maltego from what you are using. They may look slightly different, but the functionality should be the same.

Ok – let's start with one more advanced feature of Maltego. We'll step through how to import a CSV file.

Doing this is very straightforward, and we will show a video of one such example.

From the main menu of Maltego (top left corner) select Import->Import Graph From Table.

This will in turn step you through a wizard to import the CSV file. Each column in the CSV can be assigned a particular Maltego Entity, or can be ignored completely. The same can also be done to assign columns to links. Lastly you can map out how you would like the individual entities you have imported to be linked together.

Importing CSV files like this can quickly show off a range of relationships which were not obvious from looking at the CSV file itself.

One thing a lot of people do not realise about Maltego is that it is actually really useful – even when you are not using any Transforms.

Maltego also gives us the ability to create our own links, without any need for transforms. This can be really useful – as you can still use all of Maltego's various views to look at the data.

Let's take a simple example by starting with a Person object with the name Robert McArdle. Through your analysis you may have discovered that I do lectures for University College Dublin, but there is no obvious transform to make that link. Simply create an
entity for UCD (for example a domain). Next unselect everything, and drag a link from the Person to the domain object. You can also label the link so you remember what it is later on. In fact you can use Link Selection to select the link and add additional notes.

Another really good feature of Maltego is the ability to cut and paste text from the clipboard into Maltego, and it will create an Entity for it. It also does its best to guess the entity type. E.g. if you paste in 127.0.0.1 it will create an IP entity. Sometimes you will paste in something, and it will get misrecognised as another entity type – e.g. "Chaos Computer Club" is recognised as a Person, not a Phrase.

If we want to be specific when we are cutting and pasting we can add the Maltego type to the text we are pasting, e.g. maltego.Phrase Chaos Computer Club. Alternatively you can right click an entity and change its type.

So there you go – now you can draw your own graphs!

In fact people found this ability so useful that Paterva have just released a new application called Maltego Case File, which can be downloaded from their site. This tool is designed for law enforcement in particular, for mapping out relationships between criminals.

Just as you can create your own links, you can also design your own Entities in the Manage tab. Each entity can have an associated Icon and can even inherit from an existing entity. For example you could create an entity called Command & Control server, which inherits all the transforms from an IP Address entity.

Info: Maltego Casefile - https://www.paterva.com/web6/products/casefile.php

You may have noticed that I appear to have some transforms and entities in my version of Maltego in the screenshots that are not present in the versions you are using. There is a very simple reason for this.

Maltego was designed to be easy for anyone in the world to extend. Anyone
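To make the paste behaviour above concrete, here is an added example (not from the lecture or from Paterva) that mimics how pasted clipboard lines become typed entities: a deliberately naive guesser that reproduces the "Chaos Computer Club" misrecognition, and an explicit `maltego.<Type> value` prefix that overrides the guess. The guessing rules are my own simplification; the `maltego.Person`, `maltego.Phrase`, `maltego.Domain`, `maltego.EmailAddress` and `maltego.IPv4Address` names are Maltego's built-in entity types.

```python
import ipaddress
import re

# Assumed, simplified detection rules standing in for Maltego's own
# (undocumented here) type guessing. Only needs to reproduce the notes' examples.
ENTITY_PREFIX = re.compile(r"^(maltego\.[A-Za-z0-9]+)\s+(.+)$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# "Looks like a name": two or three capitalised words. Naive on purpose:
# it is exactly what turns "Chaos Computer Club" into a Person, not a Phrase.
PERSON = re.compile(r"^(?:[A-Z][a-z]+\s){1,2}[A-Z][a-z]+$")


def guess_type(text: str) -> str:
    """Best-effort entity type for untyped pasted text."""
    try:
        if isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address):
            return "maltego.IPv4Address"
    except ValueError:
        pass
    if EMAIL.match(text):
        return "maltego.EmailAddress"
    if DOMAIN.match(text):
        return "maltego.Domain"
    if PERSON.match(text):
        return "maltego.Person"
    return "maltego.Phrase"


def classify_paste(line: str) -> tuple[str, str]:
    """Return (entity_type, value) for one pasted line.
    An explicit 'maltego.<Type> value' prefix always wins over guessing."""
    line = line.strip()
    m = ENTITY_PREFIX.match(line)
    if m:
        return m.group(1), m.group(2).strip()
    return guess_type(line), line


def classify_clipboard(clip: str) -> list[tuple[str, str]]:
    """Classify every non-empty line of a pasted block."""
    return [classify_paste(l) for l in clip.splitlines() if l.strip()]


if __name__ == "__main__":
    # Constructed clipboard contents mirroring the examples in the notes.
    clip = "\n".join(["127.0.0.1", "Chaos Computer Club",
                      "maltego.Phrase Chaos Computer Club", "ucd.ie"])
    for etype, value in classify_clipboard(clip):
        print(f"{etype:24} {value}")
```

Running it shows the bare "Chaos Computer Club" line landing as a Person while the prefixed copy lands as a Phrase, which is the correction the notes recommend.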
can easily create new Transforms or Entities and publish them for others to use. Getting these new plugins could not be easier. First click the Manage tab at the top of the window.

Let's start off by finding some new Transforms. You can easily import new Transforms for Maltego if someone provides you with a Seed server to sync up from. For this example we are going to use transforms that work with Shodan. Shodan allows you to search computers on the internet based on the header responses they give.

To import these transforms select "Discover Transforms", add the seed https://cetas.paterva.com/TDS/runner/showseed/shodan, and follow the wizard.

We will also need to add the entities created for those transforms – you can download them from https://maltego.shodan.io/ (note the video shows the older webpage at http://maltego.shodanhq.com/) and import them. On the left are options to import and Manage Entities.

For a quick test I selected an IP address, before using the transform from Shodan called getHostProfile to map it to the software running on that machine.

There are other transform servers – and I'll add links at the end of these notes.

Further Info: https://maltego.shodan.io/

Some of the other seeds of transforms are free, but there are also commercial offerings. The SocialNet library of transforms from Packetninjas is excellent when it comes to looking at just about any social network. It does not come cheap however, costing several thousand dollars per year.
Further Info: http://packetninjas.net/tools/socialnet.html

We've mentioned a lot of useful tools related to Internet Forensics and OSINT – Maltego, Robtex, Pipl and of course Google.

All of this is really only the tip of the iceberg when it comes to OSINT however.

As well as testing out these tools I highly recommend you check out the resources on http://www.uk-osint.net. This site gathers together links for everything from looking up owners of aircraft, to court proceedings, reverse phone lookups and more.

Also on this page of the notes you will find links to other resources for Maltego, including several tutorial videos put together by Paterva themselves.

There are several features of Maltego that we have not covered in detail so far – and two in particular are worth mentioning. They are covered well in the official Paterva Maltego videos. The first of these is Maltego Machines. If you ever find yourself running the same series of transforms in order a lot, machines allow for the automation of these using a simple sort of scripting language. The other feature is Collaboration – this allows multiple people to work on the same graph at the same time, by means of communication over an encrypted Jabber server.

Video Tutorials
Paterva's Official Videos - http://www.youtube.com/user/PatervaMaltego?feature=watch

Seeds
ShodanHQ Transforms: https://cetas.paterva.com/TDS/runner/showseed/shodan (transforms to integrate with ShodanHQ (hardware fingerprinting), good for SCADA)

Local Transform Libraries
Facebook Transforms: https://github.com/cmlh/Maltego-Facebook
Sploitego: https://github.com/allfro/sploitego

More Entities
Shodan Entities - http://maltego.shodan.io/
CaseFile Entities – simply export these after installing Casefile

We'll wrap up this lecture by reminding you once more of the 5 Golden Rules to get the most out of Maltego.

Internet
Forensics (Part 3) Robert McArdle ©2014

For this exercise we will see whether you can figure out how you could determine some of the sites that a certain organisation has looked at.

Answers

Example with NAMA.ie

• Transform domain to MX records, and take those MX records to IPs. It's likely for a larger organisation that their mail servers are on the corporate network.
• Map these to Netblocks using Whois records, which will result in 2 netblocks.
• Expand these netblocks out to all IPs in those netblocks.
• For each IP try the following two functions to see what sites were accessed:
  • To Website Where IP appears
  • To Wikiedits
• Use the detail view to quickly browse and remove false positives. It should be obvious that 137.191.233.1 appears to be a gateway server, and you can see several of the sites accessed by NAMA employees. Try putting the slider to full and running on this IP again.