Maltego: Going Remote..

Today we are going to talk about TDS (Transform Distribution Server) transforms, as we discussed in earlier posts these bad boys run on a remote server and allow you to easily share your transforms with anyone (well people you want to).

There are some considerations you need to bear in mind when building TDS transforms.

The server you are hosting them on needs to have all the dependencies required to run (common sense really)
If you are hosting transforms that are public and they spam the crap out of someone else’s systems you are probably the one going to get the blame
Use a local development server to test them before pushing to live and think about using a private code repository (trust me it’s painful otherwise)

You also need to think about what you want your TDS transform to do, for example TDS transforms (Public ones) are great for web-based queries (API calls etc) but you probably wouldn’t want to run anything that was CPU intensive or needed an asset uploaded from your local machine in order to work. You can purchase an internal TDS server from Paterva which might remove some of these restrictions (not sure how they work to be honest).

I’ve not written a lot of TDS transforms (at the moment) but in this post we are going to take the GetRobots local transform we’ve been working on and move it to a TDS server. In order to use TDS transforms you need the following:

I’m not going to cover building a web server to host the WSGI application as the documentation linked above does a pretty good job (it worked for me so you should be fine). What we are going to look at today is how to take the local transform and convert it to a TDS transform and what that means in terms of code changes (it’s not that much actually).

So going back to the very first iteration of the GetRobots transform, lets just have a look at the code we wrote.

#!/usr/bin/env python

# Maltego transform for getting the robots.txt file from websites

from MaltegoTransform import *
import os
import requests

website = sys.argv[1]
m = MaltegoTransform()
robots = []

try:
  r = requests.get('http://' + website + '/robots.txt')
  if r.status_code == 200:
    robots = str(r.text).split('\n')
    for i in robots:
      m.addEntity('maltego.Phrase', i)
  else:
    m.addUIMessage("No Robots.txt found..")
except Exception as e:
  m.addUIMessage(str(e))

m.returnOutput()

Only 24 lines of code, the good news is that we are not going to have to change a lot to make this a TDS transform. Lets jump straight in and see what the TDS version will look like.

import requests
from Maltego import *

robots = []

def trx_GetMeRobots(m):
  TRX = MaltegoTransform()
  try:
    website = m.Value
    TRX.addUIMessage(str(website))
    url = 'http://' + website + '/robots.txt'
    TRX.addUIMessage(str(url))
    r = requests.get(url)
    if r.status_code == 200:
      robots = str(r.text).split('\n')
      for i in robots:
        ent = TRX.addEntity('maltego.Phrase', i)
      else:
        TRX.addUIMessage("No Robots.txt found..")
  except Exception as msg:
    TRX.addUIMessage("Error:"+str(msg),UIM_PARTIAL)
         
  return TRX.returnOutput()

See told you it wasn’t that bad, lets look at the important changes.

from Maltego import *

Here we have change the Maltego module we import, the TDS based transforms use a different Python library (which has better functionality in some areas).

def trx_GetMeRobots(m):

For the TDS transforms we use a Python function, the name is of your choice but you need to ensure you have the ‘(m)’ defined as this is used to pass the entity value(s) from your Maltego graph into the transform.

TRX = MaltegoTransform()

We’ve used TRX as the variable for the MaltegoTransform() call rather than ‘m’ as we already used ‘m’ in the function and it helps me remember its a TDS transform. Again we use a try/except loop and as you can see the only real difference is that I’ve added some ‘UIMessage’ updates along the way (which was more for debugging).

TRX.addUIMessage(str(website))
TRX.addUIMessage(str(url))

So hopefully by this point you should have the following:

  • A web server configured to work with the TDS package
  • Your new TDS transform written

The next part is to tweak the TRX.wsgi code to make use of our new transform. The code is below:

import os,sys

# To run in debug, comment the next two lines and see 
# end of this file

os.chdir(os.path.dirname(__file__))
sys.path.append(os.path.dirname(__file__))

from bottle import *
from Maltego import *

# Transform Libraries goes here:
from GetRobots import *


##### TRANSFORM DISPATCHER starts here -->

#-----> GetRobots - Collect contents of robots.txt from a website
@route('/GetRobots', method='GET')
def GetMeRobots():
  if request.body.len>0:
    return(trx_GetMeRobots(MaltegoMsg(request.body.getvalue())))


## ---> Start Server
## To start in debug mode: Comment the line below...
application = default_app()

## ... and uncomment line below
#run(host='0.0.0.0', port=9001, debug=True, reloader=True)

Most of the code above is the default so I’m just going to cover the bits I’ve changed. The first bit is this:

from GetRobots import *

Essentially this imports our GetRobots code so it’s available to be called by the transform dispatcher. Next we create a new route so we can call the transform from within Maltego.

#-----> GetRobots - Collect contents of robots.txt from a website
@route('/GetRobots', method='GET')
def GetMeRobots():
if request.body.len>0:
return(trx_GetMeRobots(MaltegoMsg(request.body.getvalue())))

The ‘@route(‘/GetRobots’, method=’GET’)’ statement is the URL that you want to reference your transform on, the default for the ‘method’ is “ANY” but I’ve changed it to “GET” so it’s not as open. The ‘def GetMeRobots():’ function is just to hold our call to the transform, the first line of the function ‘if request.body.len>0:’ makes sure that we only perform the call to the transform if the body length isn’t blank (or zero).

The important part of the next line of code is the call to your transform (based on function name) ‘return(trx_GetMeRobots(MaltegoMsg(request.body.getvalue())))’. You need to ensure that the name of the function, in this case ‘trx_GetMeRobots’ matches then name of your function for your transform.

Still with me? So we now have the following all setup and ready to roll.

  • A web server configured to work with the TDS package
  • Your new TDS transform written
  • A modified TRX.wsgi configured for your new transform
  • So there are two steps left, we now need (using our TDS account) to set up the Seed & Transform. This is a quick process. Log into your TDS account (https://cetas.paterva.com/TDS/)

    Screen Shot 2014-10-08 at 12.23.51

    Select “Seeds” from the menu, then click on the “Add Seed” button.

    Screen Shot 2014-10-08 at 12.24.51

    We need to fill in some basic details.

    Seed Name – A name for your seed, you can create seeds based on the transform roles or environments
    Seed URL – Create a unique name which will act as the path to your transforms. If you want them “private” make the URL suitably long and stupid.
    Transforms – This will be blank at the moment

    Click on “Add Seed” and then all being well you should get a message saying the seed was added successfully. Next we need to add the transform, there isn’t an option for “Home” so you need to click on the hyperlink at the top of the page labelled ‘Paterva Transform Distribution Server 0.1′.

    Screen Shot 2014-10-08 at 12.48.46

    Back on the home page, click on ‘Transforms’, then click on “Add Transform”.

    Screen Shot 2014-10-08 at 12.50.41

    We now need to add in some details, we will do the minimum just to save on time (and me typing).

    Transform Name – The name of the transform. It doesn’t support spaces or non alpha numeric characters.
    Transform URL – This is the URL to YOUR server running the transform and the name of the path to the transform (based on what you entered in the TRX.wsgi file).
    Input Entity – For our purpose that is maltego.Website, you can add your own entities as well
    Owner – This is based on your TDS account details.
    Disclaimer – By default a disclaimer is added but you can add your own text as well.
    Description – An optional area to put a more detail about what your transform does.
    Version – Again optional, good if you are making big changes just so people are aware.
    Author – Again pulls these details from your TDS account.
    Debug – Tick to enable debugging (explains itself really).
    Transform Settings – We haven’t defined any and I haven’t worked out what they are really for.
    Seeds – You need to select the seed you created, this adds the transform to that seed.

    Screen Shot 2014-10-08 at 13.03.14

    Click “Add Transform”, and again you should get a message something like ‘Successfully Added [TransformName]‘

    The final task is to add the Seed into Maltego so it will add the transform and make it available. This is a nice simple process and you just need the full Seed URL, here’s one I built earlier.

    https://cetas.paterva.com/TDS/runner/showseed/49f742b02c27ab2a88b4299a4fb56f31abc6298c

    Load up Maltego and click:

    Manage – Discover Transforms – Discover Transforms (advanced)

    Screen Shot 2014-10-08 at 13.06.23

    You will now get a little wizard which only needs two pieces of information.

    Name – You can call this what you what
    URL – The Seed URL

    Screen Shot 2014-10-08 at 13.08.24

    Click Add and then Next

    Screen Shot 2014-10-08 at 13.08.31

    The wizard will go off and verify all the Seeds are available and then present you with a list.

    Screen Shot 2014-10-08 at 13.08.57

    All you need to do on this is click Next to carry on (they should all be ticked). This will produce a list of all the transforms that will be loaded into Maltego. Scroll through the list and you should be able to see this.

    Screen Shot 2014-10-08 at 13.11.11

    Click Next and it will import tha transforms. All being well you should get a similar window to the one below and that is it.

    Screen Shot 2014-10-08 at 13.12.22

    Now to test it, create a new graph and drag a Website entity onto it, right-click and select.

    Run Transform – Other transforms – GetRobots

    Screen Shot 2014-10-08 at 13.13.25

    The first time you run a TDS transform you will be prompted to accept the disclaimer which if you want it to run you should accept.

    Screen Shot 2014-10-08 at 13.14.41

    This will run the GetRobots transform from the remote TDS server and should produce the same results as the local transform we wrote.

    Screen Shot 2014-10-08 at 13.15.41

    So there you go, your first TDS transform now wasn’t that fun. The final blog post in the Maltego series will go over exporting your entities, transform sets and the such so that other people can use them.

Maltego: Creating entities..

So far in this blog series we have talked about how you can create new Maltego transforms and machines easily. Today we are going to cover creating new entities for you to use and/or abuse.

Creating new entities is (like creating transforms) quite easy and painless, there are a couple of things you need to keep in mind but we will cover those as we go.

To create a new entity within Maltego click:

Manage – Manage Entities

Screen Shot 2014-09-29 at 12.55.55

You will now get the Entity Manager window.

Screen Shot 2014-09-29 at 12.56.36

Once again (like most things in Maltego) you get a ‘New Entity Wizard‘. Lets have a look at the options you have to supply.

  • Display name – This is the name of your entity as it will appear in the ‘Palette‘ within Maltego, try to keep it short and sweet
  • Short description – A quick one liner of what the entity is for
  • Unique type name – Again like your transform make it unique and relevant to the entity type
  • Inheritance
    • Base Entity – Inheritance allows you to create a new entity but ‘inherit‘ the properties of an existing entity. This means if you want to create a new entity for ‘IPv4 Address‘ which has additional fields for your needs you can ‘inherit‘ the base properties and the transforms that can be run against the base entity into your new entity (it’s actually a really cool feature).
  • Icons – For each new entity you create you have to set an icon. You can either use a built-in one or use a new one. For our purpose we are going to use an existing one.

Click on Browse

Screen Shot 2014-09-29 at 12.56.49

Make sure you have selected the ‘Default’ tab at the top, you should now see a whole stack of icons you can pick.

Screen Shot 2014-09-29 at 13.06.17

Pick an icon, any icon and then click on ‘OK’. You should hop back to the Entity Wizard and your Icon image should now be populated with your choice.

Screen Shot 2014-09-29 at 13.12.17

Still with me?? Cool right-click ‘Next’ and we progress onto the next page. This is where we have to define the properties for the entity. If you use Inheritance this is typically grayed out as it will want to use the existing properties from the entity you are inheriting from (but you can add additional ones if you like). Here we need to define the main property for the entity, this is the one that we will set by default each time we return this entity type.

Screen Shot 2014-09-29 at 13.14.37

A lot of the fields are set by default but we can go through them just so you know what they are for.

  • Property display name – This is the name of the property when you open the entity. I tend to keep it the same as the Display name as I set as this is the main property and it just makes sense to me to have them the same.
  • Short description – This is a short description of the entity property (rather than the description of the entity)
  • Unique property name – I have a habit of setting this to the same as the entity unique type name (when using Canari) but this is what you will need to call in your transform code when setting the value.
  • Data type – By default this is a ‘string’ value, however you can set the following types:
    • string
    • int
    • date
    • double
  • Sample value – If you drag your entity into a graph, this is the value that will get set and display for this property.

We will just tweak a couple of values before moving on.

Screen Shot 2014-09-29 at 13.24.01

Now we are done, click on ‘Next’ and lets carry on. We can now add our new entity into an existing or new category.

Screen Shot 2014-09-29 at 13.24.27

You can add your new entity into one of the existing categories which are listed below (and are the ones listed in your palette within Maltego).

  • Devices
  • Infrastructure
  • Locations
  • Penetration Testing
  • Personal
  • Social Network

For our purpose we are going to create a new category called ‘MyFirstTransform‘. If you want to create a new category just type it into the box.

Screen Shot 2014-09-29 at 13.26.50

Click Finish.

All being well in your ‘Palette‘ pane on the right you should see the new category called ‘MyFirstTransform‘ and in the entity list you should see the ‘Robot Entry‘ entity.

Screen Shot 2014-09-29 at 13.27.41

Before we move on I just want to cover creating additional properties for our new entity. This is handy if you want to use more than one property in executing a transform or storing in your entity. From within the Entity Manager click on the 3 little blue dots on the right of the new entity.

Screen Shot 2014-09-29 at 13.30.57

Click on the ‘Additional Properties‘ tab at the top, you will see the original property that we created so we are going to add another (just for giggles). Click on ‘Add Property‘ in the top right.

Screen Shot 2014-09-29 at 14.20.09

We are going to add a new property for the dynamic property we called in the origin GetRobots-mk2 transform. Type the following into the available fields.

Name – properties.orgurl
Display Name – Original URL
Type – String

Screen Shot 2014-09-29 at 14.21.59

The field name is used for the unique name, and display name is the “friendly description”.

You may notice that the list of available types is a lot longer then when we created the entity. I’m not sure why but it is, ‘string’ for example has to options:

  • string
  • string[]

The ‘string’ type is for a single string value, while the ‘string[]’ allows you to provide a range of string values (like the ‘ports’ property in the Website entity).

Click OK to add the new property and then click OK again to return to the Entity Manager.

Screen Shot 2014-09-29 at 14.26.11

Awesome, isn’t this fun. Now we need to tweak our existing transform to make use of the new entity. Lets have a look at the code again to refresh our memory.

#!/usr/bin/env python

# Maltego transform for getting the robots.txt file from websites

from MaltegoTransform import *
import requests

m = MaltegoTransform()
m.parseArguments(sys.argv)

website = m.getVar('fqdn')
port = m.getVar('ports')
port = port.split(',')
ssl = m.getVar('website.ssl-enabled')
robots = []

try:
  for c in port:
    if ssl == 'true':
      url = 'https://' + website + ':' + str(c) + '/robots.txt'
      r = requests.get(url)
      if r.status_code == 200:
        robots = str(r.text).split('\n')
        for i in robots:
          ent = m.addEntity('maltego.Phrase', i)
          ent.addAdditionalFields("url","Original URL",True,url)
      else:
        m.addUIMessage("No Robots.txt found..")
    else:
      url = 'http://' + website + ':' + str(c) + '/robots.txt'
      r = requests.get(url)
      if r.status_code == 200:
        robots = str(r.text).split('\n')
        for i in robots:
          ent = m.addEntity('maltego.Phrase', i)
          ent.addAdditionalFields("url","Original URL",True,url)
      else:
        m.addUIMessage("No Robots.txt found..")
except Exception as e:
  m.addUIMessage(str(e))

m.returnOutput()

To make use of the new entity we just need to change two lines of code (there are two instances of this though). The original lines code of code that define your entity returned is below:

ent = m.addEntity('maltego.Phrase', i)
ent.addAdditionalFields("url","Original URL",True,url)

We simply need to change this to our new entity type and property values.

ent = m.addEntity('adammax.robotentry', i)
ent.addAdditionalFields("property.orgurl","Original URL",True,url)

This is what the code should look like now.

#!/usr/bin/env python

# Maltego transform for getting the robots.txt file from websites

from MaltegoTransform import *
import requests

m = MaltegoTransform()
m.parseArguments(sys.argv)

website = m.getVar('fqdn')
port = m.getVar('ports')
port = port.split(',')
ssl = m.getVar('website.ssl-enabled')
robots = []

try:
  for c in port:
    if ssl == 'true':
      url = 'https://' + website + ':' + str(c) + '/robots.txt'
      r = requests.get(url)
      if r.status_code == 200:
        robots = str(r.text).split('\n')
        for i in robots:
          ent = m.addEntity('adammax.robotentry', i)
          ent.addAdditionalFields("property.orgurl","Original URL",True,url)
      else:
        m.addUIMessage("No Robots.txt found..")
    else:
      url = 'http://' + website + ':' + str(c) + '/robots.txt'
      r = requests.get(url)
      if r.status_code == 200:
        robots = str(r.text).split('\n')
        for i in robots:
          ent = m.addEntity('adammax.robotentry', i)
          ent.addAdditionalFields("property.orgurl","Original URL",True,url)
      else:
        m.addUIMessage("No Robots.txt found..")
except Exception as e:
  m.addUIMessage(str(e))

m.returnOutput()

Save the changes and then within Maltego run the GetRobots transform again, and you should see your new entity spring into life (fingers crossed).

Screen Shot 2014-09-29 at 14.35.50

So there you go, the basics behind creating your own entities. Next time we are going to talk about exporting all the Maltego goodness we have created.

Maltego: Rise of the Machines…

In this episode of Maltego loving (or learning if you prefer that) we are going to talk about Maltego Machines. Maltego machines in the simplest form are a collection of transforms that execute in order, each one feeding off the entities generated from the last transform.

Maltego Machines to start with may seem complicated especially when you are trying to get them to run in parallel, but they are incredibly useful and powerful so it seemed worthy to give them their own blog post.

The official documentation for Maltego Machines can be found HERE.

To start with we are going to create a simple Maltego Machine to run the ‘GetRobots-mk2′ transform we created in the earlier blog posts. In reality a Machine to run one transform is a bit of a waste but it’s a good place to start. To find the Machines within Maltego click.

Machines – New Machine

This will launch a wizard that we can use to create our first Machine.

Screen Shot 2014-09-25 at 07.18.06

Lets fill in the details;

Display Name – The display name for our Machine.
Unique ID – This is the same principle as with Transforms, make it unique and relevant.
Author – That will be you.
Description – Write something in that will make sense if anyone else uses your Machine.

Screen Shot 2014-09-25 at 07.20.39

Click Next….

Now we get a choice of the type of Machine we want to create. There are two main types (excluding blank, which we will come back to).

Macro – These Machines will execute once (and only once) when you start them.
Timer – These are my favourite Machines, once started they execute in a timed loop (defined by you) and will keep running until you stop them.

Screen Shot 2014-09-25 at 07.21.01

Select Macro and click Next…

Screen Shot 2014-09-25 at 07.24.38

Now we get to the good part, the next window is the main Machine ‘editor’, this is where you can add your transforms and make sure the Machine compiles properly. You will also notice that they have pre-loaded the Machine with some example transforms so you have an idea of what it should look like.

There are three options along the top which we will talk about first.

Format – This essentially formats your code so it looks pretty.
Toggle Comment – Will either comment a line or un-comment it (saves you typing 2 //’s).
Compile – Checks your code and makes sure that it is all happy.

Screen Shot 2014-09-25 at 07.26.13

On the right hand side of the window is the list of transforms available for your Machine, you can add local transforms or remote transforms (TDS), but bear in mind if you want to share your Machines you need to make sure that everyone has the transforms you used available (more on exporting stuff from Maltego in the next post).

Screen Shot 2014-09-25 at 07.48.14

Right let’s get on with the actual coding of the Machine shall we, first off we are going to remove all the stuff that Maltego puts in there by default (that’s not actually needed).

//Welcome to Maltego Machines!

//Each machine starts with a statement like this
machine("adammax.macgetrobots",
displayName:"Get Robots.txt",
author:"@catalyst256",
description: "A simple 1 transform Maltego machine to uses \
the GetRobots-mk2 transform.") {

//A macro machine has a start function like this
start {

}
}
//Of course there is much more you can do with machines... Have fun!

Right so we now have a basic (yet empty) Machine so lets add in our transform. In the space between ‘start {‘ and the following ‘}’ expand ‘Local’ on the right hand side and then double-click on GetRobots-mk2. Your code should now look like this.

//Welcome to Maltego Machines!

//Each machine starts with a statement like this
machine("adammax.macgetrobots",
displayName:"Get Robots.txt",
author:"@catalyst256",
description: "A simple 1 transform Maltego machine to uses \
the GetRobots transform.") {

//A macro machine has a start function like this
start {
run("adammax.GetRobotsMk2")

}
}
//Of course there is much more you can do with machines... Have fun!

Notice the lack of formatting?? Click on the Format button at the top of the window and magically your code will now look like this.

//Welcome to Maltego Machines!

//Each machine starts with a statement like this
machine("adammax.macgetrobots",
displayName:"Get Robots.txt",
author:"@catalyst256",
description: "A simple 1 transform Maltego machine to uses \
the GetRobots transform.") {

//A macro machine has a start function like this
start {
run("adammax.GetRobotsMk2")

}
}
//Of course there is much more you can do with machines... Have fun!

Ok so we’ve added the transform, we sorted the formatting so now we just need to check to make sure it will compile. Click the green tick at the top of the window and the compile debug screen will appear at the bottom of the window. If we haven’t made any horrible mistakes (just copy and paste the code if you have a problem), you should get this wonderful message.

Compiling machine...
Success

OK so now we have the Machine written (yes thats it), click on Save….

We can now run the Machine, create a new graph and add a Website onto it, right-click and under Machines you should see our newly created Machine. But wait what black magic is this? How does the Machine know it can run on that entity type?? So I have no fancy answer for this, other than it takes the first transform in the Machine and based on what entity it is designed to run on will then appear when you right-click on that entity type.

Screen Shot 2014-09-25 at 08.15.08

When a Machine is running you get a window in the top right of your Maltego screen that will show the status of the Machine and once it has completed will update and tell you how many entities returned.

Screen Shot 2014-09-25 at 08.15.30

Lets now have a look at some of the more “advanced” Machines that are available. We will look at some of the built-in Machines and work through how they work. Click on

Machines – Manage Machines

Screen Shot 2014-09-25 at 08.23.46

As you can see there are already some pretty cool machines available by default. Lets open one up and see what makes it tick.

Double click on the ‘Footprint L1′ Machine, and the Machine editor will open up.

Screen Shot 2014-09-25 at 08.25.20

Now these Machines are read-only so we can’t make changes to them, we can however (if so inclined) copy and paste them into a new Machine.

Lets work through the code and see what this Machine does.

machine("paterva.footprint.level1",
displayName:"Footprint L1",
author:"Roelof Temmingh",
description: "This performs a level 1 (fast, basic) footprint of a domain.") {

start {
//do all the DNS enumeration
log("Performing DNS enumeration",showEntities:false)
status("Phase 1 - DNS enumeration")
paths {
run("paterva.v2.DomainToWebsite_DNS")
run("paterva.v2.DomainToDNSName_DNSBrute",slider:500)
run("paterva.v2.DomainToDNSName_ZT",slider:10000)
run("paterva.v2.DomainToSOAInformation")
run("paterva.v2.DomainToWebsiteDNS_SE",slider:255)
}

//here we end up with DNS names (and MX,NS,websites)
//take it to IP address and Netblock
log("Resolving to IP",showEntities:false)
status("Phase 2 - Resolve DNS names")
run("paterva.v2.DNSNameToIPAddress_DNS")

//we now have IP adddresses
status("Phase 3 - Netblocks and AS")
log("Computing netblocks",showEntities:false)
run("paterva.v2.IPAddressToNetblock_Cuts")
log("Looking up AS",showEntities:false)
run("paterva.v2.NetblockToAS_SS")

}
}

Right you ready for this..

So the first few lines of this Machine detail the information about the Machine, which is the same as we have in ours.

machine("paterva.footprint.level1",
displayName:"Footprint L1",
author:"Roelof Temmingh",
description: "This performs a level 1 (fast, basic) footprint of a domain.")

We then move into the core of the Machine, the first function is a ‘log’. Log is used send a message to the GUI within the Machine window.

log("Performing DNS enumeration",showEntities:false)

With this particular ‘log’ function we post the message “Performing DNS enumeration” to the GUI, the ‘showEntities:false’ means that once run it won’t log the list of entities to the GUI. If you set this to ‘showEntities:true’ then it will list the entities that the transform will run against.

Next we can see a ‘status’ function.

status("Phase 1 - DNS enumeration")

The ‘status’ function within a Maltego Machine sets the contents of the status function (“Phase 1 – DNS enumeration”) as the label on the Machine window. This is useful if you are running lots of different stages of transforms and want to be able to track the current running set of transforms.

We can now move onto the main body of this Machine.

paths {
run("paterva.v2.DomainToWebsite_DNS")
run("paterva.v2.DomainToDNSName_DNSBrute",slider:500)
run("paterva.v2.DomainToDNSName_ZT",slider:10000)
run("paterva.v2.DomainToSOAInformation")
run("paterva.v2.DomainToWebsiteDNS_SE",slider:255)
}

The are two ways you can run transforms in a Machine, you can either run in parallel or in series. The use of ‘paths’ means that these transforms will run in parallel. Basically this means that each of the 5 will run at once against the base entity (so that’s 5 transforms run from within 1 Machine). and each transform will return their own entity type into the graph.

The ‘slider’ function within the ‘run’ sets the maximum number of entities that can be returned by the transform. If you are using the community edition of Maltego like me (still looking for donations of a full license) that is 12. The transform below when run will only return 500 entities.

run("paterva.v2.DomainToDNSName_DNSBrute",slider:500)

We can now move onto the second block of code.

//here we end up with DNS names (and MX,NS,websites)
//take it to IP address and Netblock
log("Resolving to IP",showEntities:false)
status("Phase 2 - Resolve DNS names")
run("paterva.v2.DNSNameToIPAddress_DNS")

Again we use ‘log’ and ‘status’ to provide output to the Machine window, we then run another transform which will take the DNS entity returned from the first block of code and run this transform against them.

run("paterva.v2.DNSNameToIPAddress_DNS")

The last block of code is below.

//we now have IP adddresses
status("Phase 3 - Netblocks and AS")
log("Computing netblocks",showEntities:false)
run("paterva.v2.IPAddressToNetblock_Cuts")
log("Looking up AS",showEntities:false)
run("paterva.v2.NetblockToAS_SS")

This takes the IP addresses from the last transform and then runs two more transforms (with ‘log’ and ‘status’ messages) in sequence.

So now we know some more functions of Machines, lets update ours to do a little bit more. We are going to add some ‘log’ and ‘status’ messages. Have a look at the code below (which you can copy and paste over the original Machine we did).

//Welcome to Maltego Machines!

//Each machine starts with a statement like this
machine("adammax.macgetrobots",
displayName:"Get Robots.txt",
author:"@catalyst256",
description: "A simple 1 transform Maltego machine to uses \
the GetRobots transform.") {

//A macro machine has a start function like this
start {
log("Hunting for Robots.txt",showEntities:true)
status("Connecting to Website")
run("adammax.GetRobotsMk2")

}
}
//Of course there is much more you can do with machines... Have fun!

Below is a screenshot of what the Machine window now shows.

Screen Shot 2014-09-25 at 12.06.30

There is a lot more to Maltego Machines that I haven’t covered but hopefully you will have a good idea of what they can do and how to go about coding them. Have a look at the other built-in Machines and the documentation I’ve linked at the top of the post is very good.

Enjoy

Maltego: Enhance your….entity

So over the weekend I started off my series on how you can create your own Maltego transforms, quickly and without much effort. Today I wanted to expand on that and look at how we can expand on the original ‘GetRobots’ transform to make use of some of the additional properties within an entity.

If you remember our GetRobots transform made use of two builtin Maltego entities. The starting entity (the one you run the transform on) was the Website entity. The Website entity has two additional properties that can be set.

These are:

  • Ports
  • SSL Enabled

Screen Shot 2014-09-21 at 09.04.00

By default these are set to Port 80 and SSL isn’t enabled. The ‘Ports’ property allows you to enter an array of different ports that your target website might be running on, the ‘SSL Enabled’  is essentially a True or False option. In order to make use of these values (or allow for them to be changed) we need to change our original transform slightly.

NOTE: The python code is this transform might not be pretty but its more to show you how to call the additional properties rather than impress you with my Python skills.

OK, so in the GitHub repo (found HERE), you will see I’ve created a new file called GetRobots-mk2.py this is the same base code as the original transform but with some tweaks. So lets go through them;

from MaltegoTransform import *
import requests

m = MaltegoTransform()
m.parseArguments(sys.argv)

So first off we removed the 'website = sys.argv[1]' line and replaced it with 'm.parseArguments(sys.argv)'. This is essentially telling the transform to make use of all the entity properties (regardless of how they are set). We now need to call these properties and store them in variables so we can use them.

website = m.getVar('fqdn')
port = m.getVar('ports')
port = port.split(',')
ssl = m.getVar('website.ssl-enabled')
robots = []

Now you may be wondering where I got the value names from, there are two places you can look. The first is this PDF from Paterva which explains the core entities and the values available which you can find HERE.

The second is from within Maltego (this is the way I tend to do it), click on Manage – Manage Entities scroll down to the Website entity, click on the three little blue dots on the right, then click on the ‘Additional Properties’ tab on the top.

On the left you will see a list of properties, if you select one the top right window will change to show you the details for that property. The ‘Name’  value is the important value and when you are pulling out these properties in your transforms it’s the one that will case you headaches (well it does me anyway).

Screen Shot 2014-09-22 at 20.59.29

So back to the code. We use the ‘getVar’  and the associated entity name (for that property) to store the values in a variable. The ‘ports’  properties is stored as a list so we can iterate over it later, the ‘ssl-enabled’  is a boolean so will return either True or False.

The rest of the code is tweaked slightly to make use of these new variables, which you can see below.

try:
for c in port:
if ssl == 'true':
url = 'https://' + website + ':' + str(c) + '/robots.txt'
r = requests.get(url)
if r.status_code == 200:
robots = str(r.text).split('\n')
for i in robots:
ent = m.addEntity('maltego.Phrase', i)
ent.addAdditionalFields("url","Original URL",True,url)
else:
m.addUIMessage("No Robots.txt found..")
else:
url = 'http://' + website + ':' + str(c) + '/robots.txt'
r = requests.get(url)
if r.status_code == 200:
robots = str(r.text).split('\n')
for i in robots:
ent = m.addEntity('maltego.Phrase', i)
ent.addAdditionalFields("url","Original URL",True,url)
else:
m.addUIMessage("No Robots.txt found..")
except Exception as e:
m.addUIMessage(str(e))

We’ve added two extra components, first we create a ‘for’ loop and iterate through each value stored in ‘ports’. This allows our transform to cater for multiple (or single) ports. We then throw in some ‘if’  logic to see if the ‘ssl-enabled’  property is set. If it is we change the url to be ‘https’ and chuck in the port number for good measure. Like I said, it’s not pretty but it works.. :)

The final addition piece to the puzzle is we have declared some additional properties in the ‘Phrase’  which if you check yourself will see don’t exist. The ‘Phrase’  entity has only one value, but Maltego allows you to create dynamic values which you can then use later on in other transforms. To do this, we changed the way we create the entity, in order to use some of the more ‘advanced’ features of ‘addEntity’ we created a variable called ‘ent’  which then allows use to add additional properties among other things.

ent = m.addEntity('maltego.Phrase', i)
ent.addAdditionalFields("url","Original URL",True,url)

The ‘addAdditionalFields’ function has these options (taken from Paterva’s documentation).

addAdditionalFields(fieldName=None,displayName=None,matchingRule=False,value=None)
Set additional fields for the entity
fieldName: Name used on the code side, eg displayName may be “Age of Person”, but the app and your transform will see it as the fieldName variable
displayName: display name of the field shown within the entity properties
matchingRule: either “strict” for strict matching on this specific field or false
value: The additional fields value

If you install the new transform following the previous posts instructions and run it you will see that the new additional property is created as a ‘Dynamic Property’.

Screen Shot 2014-09-22 at 21.26.12

Screen Shot 2014-09-22 at 21.33.21

If you were to then write a new transform for our new ‘Phrase’ entity you would call the dynamic property using.

ent.addAdditionalFields("url","Original URL",True,url)
url = m.getVar('url')

Hope that all makes sense?? Next time we are going to look at Maltego Machines

Maltego: My First Transform

On Friday I posted a challenge on twitter called “Transform Friday”, you suggest a Maltego transform and I would have a go at writing it. There is no real reason behind the challenge other than I like writing Maltego transform and its a nice way to write something different to the normal packet related ones I do. My plan was to write them without using Canari (native Maltego transforms) and make them all available as TDS transforms (no installation required).

Screen Shot 2014-09-21 at 08.41.28

The first challenger soon steeped up and much to my surprise it was Paterva (yes thats right the people that make Maltego).

Screen Shot 2014-09-21 at 08.41.44

However it was then suggested to me that it would be quite cool if I wrote up how you (yes you) could create your own Maltego transforms. Now this is where I need to apologise, I’ve spent the last two years telling you all about the awesome (well I think they are awesome) Maltego transforms I’ve created but I’ve never told you how. Part of the reason behind this blog was to share information and try in some way to save you the pain I’ve suffered, that’s why I wrote the Scapy guide after all.

So this will be the first in a series of blog posts about creating Maltego transforms. Today we are going to cover some of the basics and write a nice and simple transform (that’s useful at the same time), and then over the coming weeks we will cover more advanced topics, like setting additional properties, changing link colour and finally creating TDS transforms.

There is a GitHub repo available with the code snippets in so you can follow along or just download the completed ones (link available towards the bottom).

The transforms will be written in Python (as that’s the only one I can do) but Paterva do cater for a range of languages to be used as well as having some documentation available. Links for all the resources will be available at the bottom of this post and in the GitHub repo. I should at this point say the documentation for developing with Maltego is actually pretty good and this is not supposed to be a replacement, but more a compliment to what the guys at Paterva already provide.

For the purpose of these blog posts, I’m going to assume that you know what Maltego is and how to use it (even the basics is fine). So before we start writing the transform we are going to talk a little about the two key Maltego things you need for a transform.

Entities & Transforms

Entities

These the building blocks of a Maltego graph, they are both the start and the finish of a transform. The type of entity (e.g. Website) defines what transforms can be run against, once a transform has run then you typically get a different entity type as a result (and the cycle repeats).

For your first transform we are going to use two entities.

  • Website
  • Phrase

The website entity by defaults contains ‘www.paterva.com’ as the default value. You can change this to the website of your choice and you have the option of marking whether the website is “SSL Enabled” or not and the ports it’s listening on.

Screen Shot 2014-09-21 at 09.04.00

The Phrase entity is really simple, it literally a piece of text. It has no additional properties available.

Screen Shot 2014-09-21 at 09.13.28

Transforms

Transforms are where the magic on Maltego occurs, they take your starting entity (in our case website) run some magic (well code) and return the results as another entity.

There are two types of transforms,

  • Local
  • Remote

Local transforms are ones that you have to install locally on your machine. All the components required to run that transform have to be installed on your machine (Python libraries for example). One of the benefits of using local transforms is that it widens your scope for what you can do (I’ll explain that later), but it does limit the portability of those transforms (to a degree) as each person would need to install them (and the dependencies) before they can use them. There are a couple of ways to ease that pain but it’s still a manual process.

Remote transforms run on TDS servers, the code for TDS transforms are executed on the TDS server so you remove yourself from having to worry about dependencies and libraries. The main benefit of TDS transforms is that they are truely portable, however they are limited to what you can do with them (well to my knowledge). For example if you have a custom transform that wants to read a file on your machine (or a local server) there isn’t an easy way to execute that transform as TDS transform because the remote TDS server won’t have access to that file. You would have to somehow get that file to a location that the TDS server could access it.

Your First Transform

So enough about the boring stuff lets get started. Your first transform is nice and simple we are going to use a Website entity and then write a transform to check for the robots.txt file, open it and then return each entry as a Phrase entity.

So the first thing you need is the Maltego Python library which can be found HERE:

Extract the MaltegoTransform.py to your working directory (where you are going to write the transform), for example mine is:

/Users/Adam/Coding/Maltego/MyFirstTransform/

Now create a new file in that directory called GetRobots.py

pwd
/Users/Adam/Coding/Maltego/MyFirstTransform
touch GetRobots.py

Using your editor of choice lets open the file and start coding (I use Sublime Text 3).

First off lets add the Python sheebang and a comment about what this code is for.

#!/usr/bin/env python

# Maltego transform for getting the robots.txt file from websites

Now we need to import the Maltego transform library and the other Python libraries we need.

from MaltegoTransform import *
import sys
import os
import requests

We will be using the ‘requests’  library to make the call to the website to retrieve the robots.txt file. We need the ‘sys’  library as the sys.argv command is used to pass the value of the starting Maltego entity to the transform. So in our case the value of website (e.g. http://www.paterva.com) will be sent to our transform as sys.argv[1].

Our next job is to create a variable to store that entity value in and something to store the output in.

website = sys.argv[1]
robots = []

Now we are going to initialise the Maltego library so we can use it later on.

m = MaltegoTransform()

Still with me??

Ok lets write the code for using ‘requests’ to go and retrieve the robots.txt file (if it exists).

try:
r = requests.get('http://' + website + '/robots.txt')
if r.status_code == 200:
robots = str(r.text).split('\n')
for i in robots:
m.addEntity('maltego.Phrase', i)
else:
m.addUIMessage("No Robots.txt found..")
except Exception as e:
m.addUIMessage(str(e))

m.returnOutput()

Now this isn’t as bad as it looks (promise). Firstly we put everything in a ‘try/except’  bubble so that we have some error handling.

Next we make the initial GET request.

r = requests.get('http://' + website + '/robots.txt')

This adds the value we set on the Website entity and passes into the ‘request.get’  call with the ‘robots.txt’ added on the end.

We then add some logic in place to see if the robots.txt exists or not.

if r.status_code == 200:
robots = str(r.text).split('\n')
for i in robots:
m.addEntity('maltego.Phrase', i)
else:
m.addUIMessage("No Robots.txt found..")

If the status code is 200 (that’s a HTTP OK response), we store the output in the list variable ‘robots’ as text (instead of unicode) and then split into separate list entries based on each new line.

We then iterate through the list and for each line we create a new Maltego entity.

m.addEntity('maltego.Phrase', i)

This is where the magic happens. We initialise the Maltego Transform library earlier as ‘m’, we then use the function ‘addEntity’  to create an entity and set is as ‘maltego.Phrase’. We can then pass ‘i’ (which is from our for loop) as the value to write to that entity.

There are two other statements that use part of the Maltego Transform library in our code.

else:
m.addUIMessage("No Robots.txt found..")
except Exception as e:
m.addUIMessage(str(e))

The ‘addUIMessage’  function allows you to pass text back to the Maltego GUI when the transform is run (or running), it’s ideal for error handling messages which is how we used it here. The ‘else’  statement is if the status.code isn’t 200 (which is usually a bad thing) and would return the message to the Maltego GUI and the ‘except’  statement will return any other error message that occurs (such as the website not being available etc.).

We finish the whole thing off my then calling the Maltego Transform library and telling it to return the output from our transform back into the GUI.

m.returnOutput()

Before we install this transform into Maltego we can actually check to make sure it works as expected. From your working directory simply run:

python GetRobots.py www[dot]paterva[dot]com

If it’s all worked you should see something like this.

Screen Shot 2014-09-21 at 11.14.50

What you might not have realised is that Maltego uses XML a lot of it’s transforms and entities, the Maltego Transform library will automatically wrap your output up in the correct format so that displays properly within Maltego (after all who likes messing with XML).

Now that we have working code, we can add it into Maltego as our own transform. This is acutally really easy. Within the Maltego GUI, click

Manage – Local Transforms

You should get a popup window like the one below.

Screen Shot 2014-09-21 at 10.33.54

On this first screen you need to enter some details about your transform.

Display name – This is how your transform appears in Maltego
Description – A brief description about what your transform does
Transform ID – A unique reference that Maltego uses (you can’t change it once you’ve created it)
Author – That’s you..
Input entity type – We need to choose ‘Website’, this means that our entity will only run on Website entities (which is good for us)
Transform set – Transform sets are a collection of transforms that relate to an entity type. I’ve chosen ‘none’ just for this example. You can create your own transform sets which we will cover in later posts

Screen Shot 2014-09-21 at 10.34.53

Click Next….

Screen Shot 2014-09-21 at 10.38.51

This is where we set the meat of the transform, as in actually point it to your code.

Command – This is the path to your interpretor so in my case ‘/usr/bin/python’ (I’m using a Mac though)
Parameters – This is where you point it to your actual GetRobots.py file
Working Directory – Set this to your working directory.

Screen Shot 2014-09-21 at 10.40.48

Click Finish….

So you’ve now added your transform into Maltego.. shall we run it??

Drag a website entity onto an empty graph in Maltego. Leave the default http://www.paterva.com address in there for now. Right click on the entity, then select

Run Transform – Other Transforms – GetRobots

Screen Shot 2014-09-21 at 10.45.44

All being well you should get a number of Phrase entities returned containing the same output as when you run your script manually??? (fingers crossed)

Screen Shot 2014-09-21 at 10.48.00

Add some other websites and see what you get back. If like me you are only using the Community Edition of Maltego then don’t be worried if you only get 12 entities returned.

Congratulations you’ve just created your first Maltego Transform.. it wasn’t that hard now was it, so what you waiting for?? :)

In the next post in this series we will explore some more of the features available when returning entites and look at how to use additional properties on an entity when running a transform and how to return additional properties once a transform is complete.

Link to GitHub repo:

https://github.com/catalyst256/MyFirstTransform

Links to Maltego Developer documentation:

http://www.paterva.com/web6/documentation/developer.php – Main Developer Site

http://www.paterva.com/web6/documentation/developer-local.php? – Local Transforms
http://www.paterva.com/web6/documentation/localTransforms-SpecIII.pdf – Local Transform Specifications
http://www.paterva.com/web6/documentation/MaltegoTransform-Python.zip – Python Library

sniffmypackets v2 – Sneak Peak

So this week I started the long awaited (well on my part) rewrite of sniffmypackets. My initial release was more a voyage of discovery rather than a well thought out application but it did teach me a lot about how to write transforms for Maltego (using Canari Framework) so I felt it was best to start from scratch and just reuse chunks of code where it made sense.

I’ve also decided to add more functionality that will make using SmP (sniffmypackets) more than just a Maltego based exercise. There are 3 key features I will be adding.

1. Database Support
2. Web Interface
3. Netflow support

The decision to use a database (MongoDB at the moment) was to allow for the database to exist after Maltego is closed. Every pcap will have a unique Session ID which means that not only can you load a pcap into SmP you can (on a different machine and without the original pcap) then rebuild the contents of the pcap based on the Session ID.

The web interface will mean that other people (who may or may not have Maltego) can then view key information about a pcap or you can just use it as another source of reference.

Both the database and web interface will be able to run outside of the machine running Maltego (so you can centralise it) and I might even include Vagrant machines if you don’t have the capacity to do that.

It does mean that SmP will need a MongoDB backend to run but trust me it will be worth it.

After a conversation I had a few weeks ago with some very clever people I decided to add Netflow capabilities into SmP to give you even more bang for your buck (so to speak).

Below are some screenshots of what it looks like at the minute.

SmP - Overview

SmP - Session Import

SmP-DNS-Screenshot

HoneyMalt – Maltego for Honeypots

So in my normal fashion, the other week I came up for another Maltego/Canari project while still not having completed most of the other projects I’ve started. That being said I like to keep things interesting so today I give you HoneyMalt.

The love child of the Canari Framework, Maltego and Kippo (SSH Honeypot), HoneyMalt allows you to pull data out of your Kippo honeypot (as long as you are using MySQL) and display it in a graph. A bit like this one below.

HoneyMaltScreenshot

Currently HoneyMalt allows you to display the following information:

“Evil” IP address
Geo IP lookup for country code
Session ID
Username/Password combinations
Input (the stuff they type in)
File download info

I’ve also managed to get the hang of Maltego Machines (finally) and all of these transforms run from one machine (who knew that path & paths would give me so much grief). The sneaky use of a Maltego machines and a database means, that if like me you don’t have a full version of Maltego (donations accepted) you can still get the all the entities returned instead of hitting the 15 entity limit on a transform run, it just takes a few iterations of the machine running.

There is a quick Youtube video of what that looks like below.

I’m also in the process of adding some search functions so you can find specific sessions based on IP address, or keyword or url. After that I will be moving onto more honeypots (Dionaea next) to add into HoneyMalt with the sole intent of trying to breaking your machine while Maltego tries to graph it all (only kidding).

With HoneyMalt I’ve also resisted the urge to create loads of new entities so where possible I’ve used the Maltego builtin ones so that you can make use of the existing transform sets which is good for you and means I have less to code (I’m not lazy honest..). Likewise I’ve also resisted the urge to use lots of Python modules so you only need 3 (currently) and 1 of those is Canari.

The GitHub repo has the install instructions and if you get any problems raise an Issue Ticket on the repo. Repo is HERE

Have fun!!!

The ramblings of an IT Geek

Follow

Get every new post delivered to your Inbox.

Join 899 other followers