BlackHat EU (2010). Source: media.blackhat.com/.../BlackHat-EU-2010-Temmingh-Maltego-slides.…


Page 1:

BlackHat EU (2010)

Page 2:

• What's up with version 2?

• What to expect for v3

• Cool stuff we've been working on server side
  ◦ NER
  ◦ Facebook (POC)

• Demos

Page 3:

Page 4:

• Started with POC for CanSecWest 2007

• V0: May 2007 (called Evolution)
  ◦ Non commercial

• V1: May 2008
  ◦ Non commercial

• V2: May 2009 (called Maltego)
  ◦ 32K lines of code (client only)
  ◦ Commercial and community editions

• V3: Who knows when
  ◦ 77K lines of code and growing...

Page 5:

• Usage in a week
  ◦ Downloads: 550
  ◦ Splash page: around 4300
  ◦ Transforms: 58 000

• A copy is downloaded every 3 hours

• A client is started every 2.3 minutes

• A transform is run every 11 seconds

Page 6:

• Commercial clients:
  ◦ Major OS developer, book store, router developer, registrar, buy & sell portal, search engine provider, social network
  ◦ 3 and 4 letter agencies from all over (.gov and .mil)
  ◦ Banks ++
  ◦ Many dodgy people with Gmail accounts....

• Unique community clients since 2008-08-17:
  ◦ 27 059

Page 7:

• Since May 2009 there has been no incremental release of Maltego.

• We've been working for a year on v3...

• ..."and it's not over yet!"

• Release will be done when the release is ... DONE (time/features/budget)

• Community version will follow soon after that.

• maltego.blogspot.com – all about progress on v3.

Page 8:

Page 9:

• Look & feel
  ◦ Dynamic graphing

• Entities ++
  ◦ Custom entities
  ◦ Manual linking
  ◦ Bookmarking / annotations
  ◦ Entity display/edit/more

• Navigation ++
  ◦ EWV fully interactive
  ◦ Transform settings on the fly
  ◦ Detailed view

• Transform control
  ◦ Graph in / out from transforms
  ◦ LRTs

Page 10:

Page 11:

• What is NER?
  ◦ Takes text and marks entities like person names / companies / phone numbers

• Demo:
  ◦ OpenCalais / AlchemyAPI

Page 12:

Page 13:

Page 14:

• Using it in Maltego:
  ◦ Phrase -> Website -> URL -> Entities

• Phrases can get interesting... we can combine them with search operators like:
  ◦ filetype:
  ◦ site:
  ◦ Etc..

• Can answer the question:

"Who/what/where is connected to phrase X?"
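The Phrase -> Website -> URL -> Entities chain on this slide ends in a transform that hands text to an NER step and gets Maltego entities back. The following is an added example, not code from the talk or from Paterva: a local transform that runs a crude regex-based NER (email addresses, phone numbers, and a two-capitalised-words heuristic for person names) over the text of a page and emits the result as a MaltegoTransformResponseMessage. The sample text and source URL are constructed; the regex NER stands in for the OpenCalais/AlchemyAPI calls demoed in the talk and is far weaker than either; the entity type names are the built-in Maltego types as I know them, not taken from the slides.

```python
"""Added example: regex 'NER' feeding a Maltego transform response.
The regexes are a stand-in for a real NER service (OpenCalais/AlchemyAPI
in the talk); the sample page text is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the text Maltego would have fetched from a URL found
# via the phrase search.  Not a real page.
SAMPLE_TEXT = (
    "You can reach Jane Doe at jane.doe@example.com or on +1 555 123 4567. "
    "Our CFO, John Smith, is on 020 7946 0958. Team page: "
    "http://example.com/team (no calls on Sunday afternoons)."
)
SAMPLE_URL = "http://example.com/contact"   # assumed source URL

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Optional '+', then digits separated by spaces/dots/dashes/brackets, 8+ chars,
# not glued to a preceding word or dot (avoids version numbers and IPs).
PHONE_RE = re.compile(r"(?<![\w.])\+?\d[\d ().-]{6,}\d(?!\w)")
# Crude person-name heuristic: two adjacent capitalised words.  It cannot tell
# "Jane Doe" from "Sunday Afternoons"; that disambiguation is exactly why the
# talk hands this step to a real NER backend instead.
NAME_RE = re.compile(r"\b([A-Z][a-z]+ [A-Z][a-z]+)\b")


def extract_entities(text):
    """Crude NER: ordered, de-duplicated list of (maltego_type, value)."""
    found = []
    found += [("maltego.EmailAddress", m.group(0)) for m in EMAIL_RE.finditer(text)]
    # Normalise phone numbers to digits (keeping a leading '+') so the same
    # number written two ways collapses to one entity on the graph.
    found += [("maltego.PhoneNumber", re.sub(r"[ ().-]", "", m.group(0)))
              for m in PHONE_RE.finditer(text)]
    found += [("maltego.Person", m.group(1)) for m in NAME_RE.finditer(text)]
    seen, out = set(), []
    for pair in found:
        if pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


def to_maltego_xml(entities, source_url):
    """Wrap (type, value) pairs in a MaltegoTransformResponseMessage.
    Each entity carries the URL it was mined from as an additional field,
    so the graph keeps provenance for every node the transform creates."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = "100"
        fields = ET.SubElement(ent, "AdditionalFields")
        ET.SubElement(fields, "Field", Name="source.url",
                      DisplayName="Source URL").text = source_url
    if hasattr(ET, "indent"):           # Python 3.9+: pretty-print for the reader
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


def run_transform(text, source_url):
    """Transform body: page text in, Maltego response XML out."""
    return to_maltego_xml(extract_entities(text), source_url)


if __name__ == "__main__":
    print(run_transform(SAMPLE_TEXT, SAMPLE_URL))
```

Swapping `extract_entities` for a call to a real NER service is the only change needed to turn this into the server-side setup described on the slides; the XML envelope is what the client consumes either way.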

Page 15:

Page 16:

Page 17:

• DISCLAIMER !!

• Maltego shows relationships – getting data as needed from open online sources.

• Mine email addresses at a domain (eg people working there)

• Look them up on Facebook based on email address

• Look at the sphere of influence amongst friends
  ◦ The Kevin Bacon game

Page 18:

• Any good developer will look for an API.

• Facebook has one!

• Limitations:
  ◦ Runs in the context of the 'logged in' user
  ◦ Cannot search on email address
  ◦ Authentication / session info is needed

Page 19:

• Scraping is against Facebook's TOU.

• They take it seriously!

• Scraping is not cool because:
  ◦ They change their site regularly
  ◦ If you want to hide via TOR the pages look different
  ◦ FB discourages it by setting cookies that expire in 2038
    ▪ Breaks the Mechanize library
  ◦ Authentication – you need to keep the cookies alive
  ◦ Cannot log in every time – FB checks the frequency of logins

Page 20:

• Where possible, use FQL (Facebook Query Language) or the API

• Use mobile sites – like the iPhone Touch interface, m.facebook
  ◦ Less complex results
  ◦ Less likely to change

• Use the AJAX call
  ◦ Data comes in cleaner, easier to parse

• Don't rely on tags, use regex where possible
  ◦ Eg id=\d{3,15}&

Page 21:

• Cron – keeping the cookie alive
  ◦ Runs every 5 minutes, 'clicks' on well known links on the Touch FB site
  ◦ If it gets a 302 it logs in again

• Email to Facebook profile transform
  ◦ Uses the cron cookies, runs the query at the iPhone site
  ◦ Call /s.php?k=100000020&q=emailaddress on Touch
  ◦ The historical k parameter means we can search for email addresses on mobile!
  ◦ Returns the Facebook unique ID – pick it up with a regex
  ◦ Get detail on the ID using standard FQL

Page 22:

• Get friends
  ◦ With the ID known, exploit the typeahead_friends AJAX bug.

• typeahead_friends.php bug:
  1. Can make the AJAX call un-authenticated! (typeahead_friends.php?u=ID&__a=1)
     ▪ We don't need to worry about cookies from cron
  2. Get ALL friends of any user
     ▪ Even if they are hidden

• Recently FB closed hole 2, but we can still make the AJAX call and get friends if the profile settings allow it
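Pages 19 to 22 describe one procedure: keep a session cookie alive from cron, turn an email address into a profile ID with the mobile search page and a regex, then pull the friend list through the unauthenticated typeahead call, and (page 17) walk friends-of-friends for the Kevin Bacon game. The block below is an added example that stitches those steps together; it is not the talk's code and not Paterva's. The two endpoints are the 2010-era paths named on the slides and no longer exist, so the HTTP layer is replaced by a constructed `FakeTouchSite` whose HTML and JSON bodies are made up to resemble what the slides describe, not captured responses. The `for (;;);` prefix is the anti-JSON-hijacking prefix Facebook put on AJAX bodies at the time; that this particular endpoint used it is an assumption. The `friend_list_hidden` setting models the post-fix behaviour the last bullet mentions.

```python
"""Added example: the email -> profile ID -> friends chain from the slides,
with the network replaced by a constructed fake so it runs offline.
Endpoints are the historical 2010 ones from the talk; bodies are invented."""
import json
import re
from urllib.parse import quote, unquote

# The "use regex, not tags" rule: pull the numeric profile id out of whatever
# markup the mobile search page wraps it in (reconstructed from the slide).
PROFILE_ID_RE = re.compile(r"id=(\d{3,15})&")
# Facebook prefixed AJAX JSON with this to block JSON hijacking; assumed here.
AJAX_PREFIX = "for (;;);"


class FakeTouchSite:
    """Constructed stand-in for the Touch/m.facebook site.  get() returns
    (status, body); every body below is made up, not a real response."""

    def __init__(self):
        self.logins = 0
        self.valid_cookie = None
        self.by_email = {"jane.doe@example.com": "100000123456"}
        self.friends = {
            "100000123456": [("100000234567", "John Smith"), ("100000345678", "Ann Lee")],
            "100000234567": [("100000123456", "Jane Doe")],
        }
        self.friend_list_hidden = {"100000234567"}   # profile setting honoured after FB's fix

    def login(self):
        self.logins += 1
        self.valid_cookie = "sess-%d" % self.logins
        return self.valid_cookie

    def expire(self):
        self.valid_cookie = None                       # server-side session death

    def get(self, path, cookie=None):
        if path.startswith("/typeahead_friends.php"):
            # Hole 1 on the slide: answers with no session at all.
            uid = re.search(r"u=(\d+)", path).group(1)
            entries = [] if uid in self.friend_list_hidden else [
                {"uid": u, "text": n} for u, n in self.friends.get(uid, [])]
            return 200, AJAX_PREFIX + json.dumps({"payload": {"entries": entries}})
        if cookie is None or cookie != self.valid_cookie:
            return 302, ""                             # bounced to the login page
        if path.startswith("/s.php"):
            email = unquote(re.search(r"[?&]q=([^&]*)", path).group(1))
            uid = self.by_email.get(email)
            if uid is None:
                return 200, "<div>No results</div>"
            return 200, '<a href="/profile.php?id=%s&ref=search">result</a>' % uid
        return 200, "<html>home</html>"


class Session:
    """Holds the cookie that the slides' cron job keeps alive."""

    def __init__(self, site):
        self.site = site
        self.cookie = site.login()
        self.relogins = 0

    def keepalive(self):
        """The 5-minute cron: hit a well-known page; a 302 means the session
        is gone, so log in again (and only then, to keep login frequency low)."""
        status, _ = self.site.get("/home.php", self.cookie)
        if status == 302:
            self.cookie = self.site.login()
            self.relogins += 1
            return "relogged"
        return "alive"

    def get(self, path):
        status, body = self.site.get(path, self.cookie)
        if status == 302:              # died between cron runs: one retry after re-login
            self.keepalive()
            status, body = self.site.get(path, self.cookie)
        return status, body


def email_to_profile_id(session, email):
    """Email -> profile transform: query the Touch search, regex the id out."""
    _, body = session.get("/s.php?k=100000020&q=" + quote(email, safe=""))
    m = PROFILE_ID_RE.search(body)
    return m.group(1) if m else None


def friends_of(site, uid):
    """Get-friends step: unauthenticated AJAX call, strip the prefix, parse JSON."""
    _, body = site.get("/typeahead_friends.php?u=%s&__a=1" % uid)   # no cookie on purpose
    if not body.startswith(AJAX_PREFIX):
        return []
    payload = json.loads(body[len(AJAX_PREFIX):])
    return [(e["uid"], e["text"]) for e in payload["payload"]["entries"]]


def sphere_of_influence(session, email, depth=2):
    """Kevin Bacon step: BFS over friends-of-friends; returns {uid: hops from start}."""
    start = email_to_profile_id(session, email)
    if start is None:
        return {}
    seen, frontier = {start: 0}, [start]
    for hop in range(1, depth + 1):
        nxt = []
        for uid in frontier:
            for fid, _name in friends_of(session.site, uid):
                if fid not in seen:
                    seen[fid] = hop
                    nxt.append(fid)
        frontier = nxt
    return seen
```

The shape worth keeping from this is the split between the two calls: the search step needs the long-lived cookie and a regex that survives markup changes, while the friends step carries no session at all, which is why the slide says the cron cookies do not matter for it. Because the fake honours the hidden-friend-list setting, the BFS stops at a profile that hides its list, which is the post-fix behaviour the slide's last bullet describes.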

Page 23:

• Person name to Facebook profile
  ◦ Can use standard FQL
  ◦ Get a list of all matching IDs
  ◦ Foreach ID (do FQL lookup)
  ◦ 'Page' through results

Page 24:

Page 25: