PATERVA
2011/01
Maltego transforms A reference guide
January 2011 Maltego 3 User Guide - Transforms Version 3.0
Table of Contents
1 Introduction
2 Search engine transforms
2.1 General notes when using search engine transforms
2.2 Problems with parsing results
3 Infrastructure
3.1 Internet Autonomous System (AS)
3.1.1 To Netblocks in this AS [Robtex]
3.2 NS (Name Server)
3.2.1 To Domains [DNS]
3.2.2 To IP Address [DNS]
3.2.3 To Web site [Query port 80]
3.3 Domain
3.3.1 To MX (mail server) [DNS]
3.3.2 To NS (name server) [DNS]
3.3.3 To DNS Name [Attempt zone transfer]
3.3.4 To DNS Name [Find common DNS names]
3.3.5 To DNS Name [Name Schema]
3.3.6 To Domain [Find other TLDs]
3.3.7 To Email address [From whois info]
3.3.8 To Email addresses [PGP]
3.3.9 To Email addresses [using Search Engine]
3.3.10 To Emails @domain [using Search Engine]
3.3.11 To Entities (NER) [Alchemy and OpenCalais] via whois
3.3.12 To Files (Interesting) [using Search Engine]
3.3.13 To Files (Office) [using Search Engine]
3.3.14 To Person [PGP]
3.3.15 To Phone Numbers [using Search Engine]
3.3.16 To Phone numbers [From whois info]
3.3.17 To Website DNS [using Search Engine]
3.3.18 To Website [Quick lookup]
3.3.19 To Website [using Search Engine]
3.4 An IP version 4 address
3.4.1 To DNS Name [Other DNS names]
3.4.2 To DNS Name [Reverse DNS]
3.4.3 To Domain [Sharing this MX]
3.4.4 To Domain [Sharing this NS]
3.4.5 To Email address [From whois info]
3.4.6 To Entities (NER) [Alchemy and OpenCalais] via whois
3.4.7 To Geo location [whoisAPI]
3.4.8 To Netblock [Blocks delegated to this IP as NS]
3.4.9 To Netblock [Natural boundaries]
3.4.10 To Netblock [Using routing info]
3.4.11 To Netblock [Using whois info]
3.4.12 To Telephone Number [From whois info]
3.4.13 To Website where IP appears [using Search Engine]
3.5 MX record (mail exchange record)
3.5.1 To Domain [DNS]
3.5.2 To Domains [Sharing this MX]
3.5.3 To IP Address [DNS]
3.6 DNS name server record
3.6.1 To Domain [DNS]
3.6.2 To Domains [Sharing this NS]
3.6.3 To IP Address [DNS]
3.6.4 To Netblock [Blocks delegated to this NS]
3.7 Netblock
3.7.1 To AS number
3.7.2 To DNS Names in netblock [Reverse DNS]
3.7.3 To Entities (NER) [Alchemy and OpenCalais] via whois
3.7.4 To Geo location
3.8 URL
3.8.1 To Email Addresses [Found on web page]
3.8.2 To Entities (NER) [OpenCalais and Alchemy API]
3.8.3 To Phone number [Found on this web page]
3.8.4 To URL [incoming links found to this web page]
3.8.5 To Website [Convert]
3.8.6 To Website [Links on this web page]
3.9 Website
3.9.1 Mirror: Email addresses found
3.9.2 Mirror: External links found
3.9.3 To Domains [DNS]
3.9.4 To IP Address [DNS]
3.9.5 To URLs [show Search Engine results]
3.9.6 To Website [Incoming links to site]
3.9.7 To Website [Replace with thumbnail]
3.9.8 To Website title
4 Personal
4.1 Document
4.1.1 Parse meta information
4.1.2 To URL [Show SE results]
4.2 Email
4.2.1 To Domain [DNS]
4.2.2 To Email Addresses [PGP (signed)]
4.2.3 To Email Addresses [PGP]
4.2.4 To Email Addresses [using Search Engine]
4.2.5 To Person [PGP]
4.2.6 To Phone number [using Search Engine]
4.2.7 To URLs [Show search engine results]
4.2.8 To Website [using Search Engine]
4.2.9 Verify email address exists [SMTP]
4.3 Person
4.3.1 To Email Address [PGP]
4.3.2 To Email Address [Verify common]
4.3.3 To Email Address [using Search Engine]
4.3.4 To Person [PGP (signed)]
4.3.5 To Phone Number [using Search Engine]
4.3.6 To Website [using Search Engine]
4.4 Phone Number
4.4.1 To Email Address [using Search Engine]
4.4.2 To Phone Number [using Search Engine]
4.4.3 To URL [Show Search Engine results]
4.4.4 To Website [using Search Engine]
4.5 Phrase
4.5.1 To Email Addresses [using Search Engine]
4.5.2 To Entities (NER) [Alchemy and OpenCalais]
4.5.3 To Files (Interesting) [using Search Engine]
4.5.4 To Files (Office) [using Search Engine]
4.5.5 To Telephone numbers [using Search Engine]
4.5.6 To Tweets [Search Twitter]
4.5.7 To Website [using Search Engine]
4.5.8 To related phrase
4.6 Twit
4.6.1 To Twitter Affiliation [Convert]
4.6.2 To URL(s) [Found in these Tweets]
4.7 Affiliation Twitter
4.7.1 To AffTwitter [Get details of ID holder]
4.7.2 To AffTwitter [This person received Tweets from ?]
4.7.3 To AffTwitter [This person wrote Tweets to ?]
4.7.4 To Person [Convert]
4.7.5 To Tweets [That this person wrote]
4.7.6 To Tweets [Written to this person]
4.7.7 To followers of this person
4.7.8 To friends of this person
5 Maltego 3 Client Transforms - Overview
5.1 Infrastructure
5.1.1 Internet Autonomous System (AS)
5.1.2 Domain Name System server name
5.1.3 Internet Domain
5.1.4 IP version 4 address
5.1.5 Location on mother earth
5.1.6 DNS mail exchange record
5.1.7 DNS name server record
5.1.8 Netblock
5.1.9 URL
5.1.10 Website
5.2 Personal
5.2.1 Document
5.2.2 Email
5.2.3 Person
5.2.4 Phone Number
5.2.5 Phrase
5.2.6 Twit
5.2.7 Affiliation Facebook
5.2.8 Affiliation LinkedIn
5.2.9 Affiliation Twitter
1 Introduction
This document serves as a reference guide of transforms that are currently in use in Maltego. The last section of this document gives a summary of all transforms.
2 Search engine transforms
There are a couple of transforms that use search engines - all of them very similar. The basic recipe with these
transforms is as follows:
1. Expand the question. The question is the input from the GUI - be that a person's name, a domain or a
phone number. When looking at a person's name, for instance, the name 'Kosie Kramer' will be
expanded to searches like '"Kosie Kramer"', '"K Kramer"', 'Kramer Kosie' etc. In the case of a telephone
number the search will be expanded to include most telephone notations used.
2. Assign confidence levels. Because a search for '"Kosie Kramer"' is more likely to return good results
than a search for 'KramerK', the confidence level for the first search would be higher. The
confidence levels are also used to assign preference to certain file types when doing searches on
documents (these are configurable in the transform). In the same way an XLS file containing the word is
likely more interesting than a PDF file.
3. Perform each search. The searches are performed and the snippets are obtained. It is important to note
that only snippets are parsed. For parsing the entire page you need to dump to URL and process the
URLs separately. Various search engines have various snippet lengths.
4. Parse for output entities. Depending on what output is required the snippets are parsed for entities - in
some cases the web site's name is all that's required.
5. Calculate weight. The weight is calculated from various factors - the confidence of the search, the
frequency of the result, the importance of the web site where the result came from, and in some cases a
correlation to the input.
6. Normalise. The weights are now normalised using a fairly interesting algorithm that involves the mean
and standard deviation of the spread of weights. It is important to understand that a search result with
an equal spread of weights is mostly useless.
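The recipe above, sketched as an added example (not code from the guide or from Maltego). The confidence values, the weight formula and the z-score normalisation are assumptions made for illustration, since the guide does not publish its algorithm; the hits are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev


def expand_name(name):
    """Steps 1 and 2: expand a person's name into (query, confidence) pairs.

    The variants follow the guide's 'Kosie Kramer' example; the confidence
    numbers are assumptions chosen only to order the variants.
    """
    parts = name.split()
    if not parts:
        raise ValueError("empty name")
    first, last = parts[0], parts[-1]
    return [
        (f'"{first} {last}"', 1.00),     # exact phrase: most trustworthy
        (f'"{first[0]} {last}"', 0.60),  # initial plus surname
        (f"{last} {first}", 0.50),       # reversed, unquoted
        (f"{last}{first[0]}", 0.20),     # username-style guess
        (f"{first[0]}{last[0]}", 0.05),  # initials only: the last-resort search
    ]


def raw_weights(hits):
    """Step 5 (assumed formula): sum confidence * site importance per entity.

    Each hit is (entity, query_confidence, site_importance). An entity seen
    in several snippets accumulates weight, which accounts for frequency.
    """
    totals = defaultdict(float)
    for entity, confidence, importance in hits:
        totals[entity] += confidence * importance
    return dict(totals)


def normalise(weights):
    """Step 6 (assumed formula): z-score mapped onto a 0-100 scale."""
    values = list(weights.values())
    spread = pstdev(values) if len(values) > 1 else 0.0
    if spread < 1e-12:
        # Equal spread of weights: nothing stands out, so report no signal.
        return {entity: 0 for entity in weights}
    centre = mean(values)
    return {
        entity: round(max(0.0, min(100.0, 50 + 25 * (w - centre) / spread)))
        for entity, w in weights.items()
    }


# Constructed snippet hits (not real search results).
SAMPLE_HITS = [
    ("kosie@example.org", 1.00, 0.9),
    ("kosie@example.org", 0.60, 0.5),
    ("kosie@example.org", 1.00, 0.7),
    ("k.kramer@example.net", 0.50, 0.4),
    ("vg@example.com", 0.05, 0.8),  # found only by the initials search
]

if __name__ == "__main__":
    for query, confidence in expand_name("Kosie Kramer"):
        print(f"{confidence:4.2f}  {query}")
    scores = normalise(raw_weights(SAMPLE_HITS))
    for entity, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{score:3d}  {entity}")
```

The entity found only through the initials search ends up with the lowest score even though it came from a fairly important site, which is why the weight, not the mere presence of a result, is what to read.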
2.1 General notes when using search engine transforms
Maltego will sometimes give you results that seem plain wrong. You need to keep in mind that the application will
get pretty desperate when it does not get results. So - when you are searching for a person called "Vaxynutus
Grabounill" and that person simply left no marks on the Internet Maltego will eventually go after a search term
"VG" - with a super low confidence - but you will still get some results. These results could seem completely off the
mark, but should have very low weights. Always look at the weights.
Many of the search engine transforms use pop-up transform settings for location and additional terms. If you are
not getting the results you want you should try adding some terms here. You can read all about it in the User guide
in the section about Transform properties.
2.2 Problems with parsing results
Some entities are hard to parse. Telephone numbers are notoriously hard to parse. There is always a trade-off
between missing numbers and parsing non-telephone numbers as phone numbers. With the current transforms
we hope to have reached the optimal balance.
3 Infrastructure
3.1 Internet Autonomous System (AS)
3.1.1 To Netblocks in this AS [Robtex]
This transform expands an ASNumber to one or more netblock Entity. This transform is very useful in the
infrastructure foot printing of an organization. Let us assume that Org. X owns a couple of netblocks, but only
has a single DNSName that points to a single netblock
forward DNS pointing to it, or reverse DNS entr
ASNumberEntity of the netblock. Once we have the AS number we can expand it to all the other netblocks that
Org. X have.
Maltego 3 User Guide - Transforms
Internet Autonomous System (AS)Internet Autonomous System (AS)Internet Autonomous System (AS)Internet Autonomous System (AS)
[Robtex]
This transform expands an ASNumber to one or more netblock Entity. This transform is very useful in the
re foot printing of an organization. Let us assume that Org. X owns a couple of netblocks, but only
has a single DNSName that points to a single netblock - the other netblocks have no DNS information (e.g. no
forward DNS pointing to it, or reverse DNS entries in the block). Using this transform we can find the
ASNumberEntity of the netblock. Once we have the AS number we can expand it to all the other netblocks that
Version 3.0
Page 10
This transform expands an ASNumber to one or more netblock Entity. This transform is very useful in the
re foot printing of an organization. Let us assume that Org. X owns a couple of netblocks, but only
the other netblocks have no DNS information (e.g. no
ies in the block). Using this transform we can find the
ASNumberEntity of the netblock. Once we have the AS number we can expand it to all the other netblocks that
3.2 NS (Name Server)
3.2.1 To Domains [DNS]
This transform extracts the DomainEntity from a DNSNameEntity. The domain in a DNS Name like
'mx.google.co.uk' would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these
TLDs and subTLDs are really not that useful they are not returned.
3.2.2 To IP Address [DNS]
This is a simple transform. It resolves a DNSName to an IPAddress. Enough said.
3.2.3 To Web site [Query port 80]
This transform basically converts DNSName to Website. Before simply changing the types the transform will
query port 80 on the DNS Name and see if it can get a proper HTTP response. Currently only port 80 is tested.
In upcoming versions port 443 will also be tested. The transform also populates the server type and the HTTP
ports in the additional fields.
3.3 Domain
3.3.1 To MX (mail server) [DNS]
This transform determines if an MX record exists for the given Domain. The MX record is the mail exchanger
record and is returned as an MXrecord Entity. The IP address of this record gives a good indication of the
network location of the target as most organizations keep their mail close to their network. This is normally
used in the infrastructure foot printing of an organization.
3.3.2 To NS (name server) [DNS]
This transform determines if an NS record exists for the given Domain. The NS record is the name server
record and is returned as an NSrecord Entity. This is normally used in the infrastructure foot printing of an
organization. A note of caution - it is not uncommon for organizations to outsource their name servers to their
ISP or to the registrar of their domain. Thus - in terms of finding the network (e.g. resolving this to an IP
address) of the target this has limited value - human inspection is advised.
3.3.3 To DNS Name [Attempt zone transfer]
This transform attempts a zone transfer (AXFR) on the Domain. If possible it extracts the CNAME and A records
from the zone as DNSName entities. If a zone transfer is possible then all the DNS names associated with the
domain are returned, and there is no need to brute force it anymore. A successful zone transfer normally
results in a very happy analyst, as resolving these DNS names to IPAddress gives a very good indication of the
network location of the target.
3.3.4 To DNS Name [Find common DNS names]
This transform attempts to find DNS names for the specified Domain. This is done by testing a list of DNS
Names and seeing if they exist. The list of names that are tested for can be configured inside the transform. The
specified domain is appended to the name and tested. If it exists it is returned as a DNS Name.
3.3.5 To DNS Name [Name Schema]
The transform will try several word lists (think Lord of the Rings names, planet names, colours, TLDs etc.) as
DNS names. If it finds a match in a specific word list it will try the entire word list. In this way it will try to
determine the naming schema for the domain. Note that the transform can take a while to complete - especially
when it finds a match in a long word list. The test depth per word list can be set in the transform. In the screen
shot below we see how different TLDs exist inside the domain.
3.3.6 To Domain [Find other TLDs]
This transform will try to find domains with different TLDs by looking it up at ServerSniff
(www.serversniff.de). If you provide the domain 'funstuff.com.my' the transform will attempt to find
'funstuff.co.uk' and 'funstuff.com'. This is useful when trying to find all the domains of an organization in the
infrastructure foot printing phase. A note of caution - this transform is very heavy in terms of processing
power. It is also relatively slow (appreciate the fact that there are many millions of domains). Also results are
not guaranteed to include all known domains but it is a good trade off between speed/accuracy.
3.3.7 To Email address [From whois info]
This transform performs a recursive whois query on the supplied domain and parses the output for email
addresses. The whois information itself is stored as a property of the supplied domain ('Domain Whois'). You
should always manually inspect this data to give context to results - or see if the parsing of the email address
failed.
3.3.8 To Email addresses [PGP]
This transform queries a public PGP key server and asks the question - 'show me all the email addresses that
end in the supplied domain name' - results are returned as email address entities. Keep in mind that this
information might be outdated. The transform is useful for finding email addresses at a domain - an added
bonus is that we know these people communicate encrypted to others.
3.3.9 To Email addresses [using Search Engine]
This transform searches for the domain and shows related email addresses.
3.3.10 To Emails @domain [using Search Engine]
This transform will search for email addresses containing the domain name.
3.3.11 To Entities (NER) [Alchemy and OpenCalais] via whois
This transform performs NER (Named Entity Recognition) on the whois information extracted from the
domain and proceeds to extract person names, companies/organizations, phone numbers and locations from
the text. Please note that NER is not perfect - just go ask General Failure.
3.3.12 To Files (Interesting) [using Search Engine]
This transform will search for the locations of interesting files hosted on web sites inside the domain. The
priority for each file type can be configured as shown below:
Properties
3.3.13 To Files (Office) [using Search Engine]
This transform will search for the locations of interesting documents (think Office[tm]) hosted on web sites
located on the domain. The priority for each file type can be configured as shown below:
3.3.14 To Person [PGP]
This transform contacts a public PGP key server and returns Person Entities with email addresses that are
located within the given domain.
This transform queries one of the public PGP key servers and asks the question 'who do you have in your
database with email addresses that end in the supplied domain?'. Results are returned as Person entities. The
key servers limit the results - if there are too many results the server returns no results. This transform is
useful when enumerating people working at a company. Keep in mind that the information might be outdated.
3.3.15 To Phone Numbers [using Search Engine]
This transform will search for the given domain on search engines and show the related phone numbers.
3.3.16 To Phone numbers [From whois info]
This transform performs a recursive whois query on the supplied domain and parses the output for phone
numbers. The idea with the transform is to provide the phone number of the owner of the domain. The whois
information itself is stored as a property of the domain ('Domain Whois'). You should always manually inspect
this data to give context to results - or see if the parsing of the phone number failed (it is difficult to correctly
parse all forms of phone numbers).
3.3.17 To Website DNS [using Search Engine]
This transform will query search engines for websites and return them as website entities.
3.3.18 To Website [Quick lookup]
This transform will do a quick look up to see if the DNS entry www.domain exists. This transform is useful
when dealing with a large number of domains and you only need to quickly see which of them have web sites
(e.g. not try to find all possible DNS names).
3.3.19 To Website [using Search Engine]
This transform will search for the domain name and then show the web sites where the domain name occurs.
3.4 An IP version 4 address
3.4.1 To DNS Name [Other DNS names]
This transform queries two different 'historical' DNS databases to see what other DNS names are associated
with the IP Address. These databases are populated using various techniques. The transform is useful to find
co-hosted sites - e.g. the website (or MX, NS) of companyA could resolve to 1.2.3.4 and co-hosted on that IP
address are www.companyB.com and/or companyAB.com. In certain cases you will find that the forward DNS
entries for the resultant DNS names are now pointing to other IP addresses (other than the supplied one).
This simply means that changes have been made to DNS, and that the provider's database is keeping the old
information. Sometimes this is useful (as you can see that a change was made), sometimes it is annoying.
3.4.2 To DNS Name [Reverse DNS]
This transform uses stock standard reverse DNS to determine the DNS name associated with the IP Address.
Note that not all IP addresses will reverse resolve. It is the responsibility of the owner of the netblock where
the IP resides (or whoever this task was delegated to) to populate the records. Also note that reverse DNS
entries do not have to match forward DNS - e.g. www.abc.com can resolve to 1.2.3.4 but 1.2.3.4 does not have to
resolve to www.abc.com.
3.4.3 To Domain [Sharing this MX]
This transform queries two 'historical' DNS providers to determine if this IP address is also used by other
domains as an MX record. This type of 'reverse MX lookup' cannot be performed using standard DNS queries
and is very useful to find other domains associated with the IP number. In most cases one would work from the
actual DNS name of the MX record, but if you only have the IP address available there is no standard way of
knowing if the IP address is an MX for a domain or not. This transform gives you the ability to do this.
3.4.4 To Domain [Sharing this NS]
This transform queries two 'historical' DNS providers to determine if this IP address is also used by other
domains as an NS record. This type of 'reverse NS lookup' cannot be performed using standard DNS queries
and is very useful to find other domains associated with the IP number. In most cases one would work from the
actual DNS name of the NS record, but if you only have the IP address available there is no standard way of
knowing if the IP address is an NS for a domain or not. This transform gives you the ability to do this. Unlike the
'reverse MX lookup' the 'reverse NS lookup' does not always imply that the domains found have a close
relationship with the IP address as many companies and organizations outsource their DNS service.
3.4.5 To Email address [From whois info]
This transform performs a recursive whois query on the IP address (obviously not the domain!) and parses the
output for email addresses. The idea with the transform is to provide the email address of the owner of the
network where this IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub
leased and that the whois information might not reflect this. This can easily lead to false positives. The whois
information itself is stored as a property of the IP address entity ('IP whois'). You should always manually
inspect this data to give context to results.
3.4.6 To Entities (NER) [Alchemy and OpenCalais] via whois
This transform obtains whois information of IP number and then parses it for entities using NER.
3.4.7 To Geo location [whoisAPI]
This transform uses an API of Name Intelligence to provide the geographical location of the IP address. The
location has 3 levels of detail - these are comma separated. The first is the country, the second is the region and
the last is the city. Keep in mind that this level of detail is not always available. In fact - the API does not
guarantee that it will return any result - it's a case of best effort. We have also seen that this data can be
extremely misleading - where the location of the registrant (rather than the resource) was returned. For bulk
look ups you should consider getting your own API key.
3.4.8 To Netblock [Blocks delegated to this IP as NS]
This transform queries Robtex's database to determine which networks have their reverse DNS delegated to
this IP address. This is a very useful transform in the infrastructure foot printing process. Keep in mind that the
IP address needs to be that of a name server (that handles the reverse zones). In many cases this transform
provides better information than simply looking at routing or whois information. This is because organizations
might have a full class B network but are only using three or four class C networks within the bigger block. In
many of these cases they will only have reverse DNS information populated for these smaller blocks - and you
can find these smaller blocks using this transform.
3.4.9 To Netblock [Natural boundaries]
This transform returns a netblock (IP range) by simply looking at the natural network boundary of the IP
address. The size of the network is determined by a transform setting ('Block size'). The size is set by default to
256 - meaning that the corresponding class C network will be returned. This size can be set to any power of
two - e.g. 1,2,4,8,16,32,64,128,256 etc. As this transform is not doing any lookups it is very fast and by setting
the block size small (making some assumptions) you can quickly get a rough idea of networks involved.
The transform can be set to ask for the network size by marking the property as a pop up:
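The natural-boundary calculation described in this section can be reproduced offline. The following is an added Python example, not Maltego's own code: the function names are hypothetical and the sample addresses are constructed from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample addresses (RFC 5737 documentation ranges).
SAMPLE_IPS = ["192.0.2.10", "192.0.2.200", "198.51.100.7",
              "203.0.113.129", "203.0.113.5"]


def natural_netblock(ip, block_size=256):
    """Return the aligned block of `block_size` addresses that contains `ip`.

    No lookup is involved: the block start is the address with its low
    log2(block_size) bits cleared, which is why the size must be a power
    of two. The default of 256 yields the corresponding class C network.
    """
    if not 1 <= block_size <= 2 ** 32 or block_size & (block_size - 1):
        raise ValueError("block size must be a power of two between 1 and 2**32")
    addr = int(ipaddress.IPv4Address(ip))
    start = addr & ~(block_size - 1)
    prefix_len = 32 - (block_size.bit_length() - 1)
    return ipaddress.IPv4Network((start, prefix_len))


def block_range(ip, block_size=256):
    """Same block expressed as a (first address, last address) pair."""
    net = natural_netblock(ip, block_size)
    return str(net.network_address), str(net.broadcast_address)


def group_by_block(ips, block_size=256):
    """Bucket addresses by natural block for a rough picture of the networks involved."""
    groups = defaultdict(list)
    for ip in ips:
        groups[str(natural_netblock(ip, block_size))].append(ip)
    return {block: sorted(members, key=ipaddress.IPv4Address)
            for block, members in sorted(groups.items())}


if __name__ == "__main__":
    for size in (256, 128, 16):
        print(f"block size {size}:")
        for block, members in group_by_block(SAMPLE_IPS, size).items():
            print(f"  {block:<18} {', '.join(members)}")
```

A smaller block size splits addresses that a class C grouping would lump together, which is the assumption the section warns about: the boundary is arithmetic only and says nothing about who actually owns the range.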
3.4.10 To Netblock [Using routing info]
This transform will determine what network (range of IP addresses) the IP number resides in by looking at
routing information on the Internet. This does not mean that the entire resulting network belongs to the owner
of the IP address (keep in mind that in many cases it might be a hosted environment). See also the other
ToNetblock transforms for making more precise estimations of network sizes and/or owners.
3.4.11 To Netblock [Using whois info]
This transform determines the associated network (IP range) of an IP address by doing a recursive whois
lookup and parsing the resultant information. Keep in mind that in many cases smaller blocks of IP addresses
are sub leased and that the whois information might not reflect this. This can easily lead to false positives. The
whois information itself is stored as a property of the IP address entity ('IP whois'). You should always
manually inspect this data to give context to results.
3.4.12 To Telephone Number [From whois info]
This transform performs a recursive whois query on the IP address and parses the output for telephone
numbers. The idea with the transform is to provide the phone number of the owner of the network where this
IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub leased and that the
whois information might not reflect this. This transform is useful when you have a list of networks and want to
see which ones belong to the same organization. The whois information itself is stored as a property of the IP
address entity ('IP whois'). You should always manually inspect this data to give context to results.
3.4.13 To Website where IP appears [using Search Engine]
This transform will search for the IP Address and show the sites where it occurs.
3.5 MX record (mail exchange record)
3.5.1 To Domain [DNS]
This transform extracts the domain from an MX record entity. The domain in a DNS Name like 'mx.google.co.uk'
would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs
are really not that useful they are not returned.
3.5.2 To Domains [Sharing this MX]
This transform is used on an MX record. It determines which other domains use this DNS Name as an MX record.
This is very useful in the infrastructure footprint of an organization as it can reveal other domains that the
organization uses. If company X's domains all have MX records pointing to a single DNS name this transform can
find all (or most) of these domains.
3.5.3 To IP Address [DNS]
This transform resolves an MX record to an IP address using plain old DNS.
3.6 DNS name server record
3.6.1 To Domain [DNS]
This transform extracts the domain from an NS record entity. The domain in a DNS Name like 'mx.google.co.uk'
would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs
are really not that useful they are not returned.
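The domain extraction described in sections 3.2.1, 3.5.1 and 3.6.1 depends on knowing where the TLD or sub TLD ends. The guide does not say how Maltego decides this; the added Python example below (not Maltego's code) assumes Public Suffix List style rules, with a small constructed rule set and hypothetical function names, and contrasts it with naively keeping the last two labels.

```python
# Constructed subset of Public Suffix List style rules (assumption: a real
# list is far longer). "*.ck" and "!www.ck" show the wildcard and exception forms.
SAMPLE_RULES = ["com", "uk", "co.uk", "my", "com.my", "*.ck", "!www.ck"]


def parse_rules(lines):
    """Split rule lines into exact, wildcard and exception sets."""
    exact, wildcard, exception = set(), set(), set()
    for line in lines:
        rule = line.strip().lower()
        if not rule or rule.startswith("//"):
            continue                      # blank line or comment
        if rule.startswith("!"):
            exception.add(rule[1:])
        elif rule.startswith("*."):
            wildcard.add(rule[2:])
        else:
            exact.add(rule)
    return exact, wildcard, exception


def suffix_length(labels, rules):
    """Number of trailing labels that form the TLD / sub TLD part."""
    exact, wildcard, exception = rules
    best = 1  # implicit default rule "*": an unknown TLD is a one-label suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        n = len(labels) - i
        if candidate in exception:
            return n - 1                  # exception rule wins, minus its leftmost label
        if candidate in exact:
            best = max(best, n)
        if i > 0 and candidate in wildcard:
            best = max(best, n + 1)       # "*.ck" also consumes the label to the left
    return best


def naive_domain(dns_name):
    """Keep the last two labels: wrong for names under sub TLDs such as co.uk."""
    return ".".join(dns_name.rstrip(".").lower().split(".")[-2:])


def extract_domain(dns_name, rules=None):
    """Return the suffix plus one label, or None if the name is itself a TLD / sub TLD."""
    rules = rules or parse_rules(SAMPLE_RULES)
    labels = dns_name.rstrip(".").lower().split(".")
    if not all(labels):
        raise ValueError("empty label in DNS name: %r" % dns_name)
    n = suffix_length(labels, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


if __name__ == "__main__":
    for name in ("mx.google.co.uk", "funstuff.com.my", "co.uk", "www.ck"):
        print(f"{name:<18} naive={naive_domain(name):<12} rules={extract_domain(name)}")
```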
3.6.2 To Domains [Sharing this NS]
This transform runs on an NS record. It determines which other domains use this DNS Name as a name server.
This is very useful in the infrastructure footprint of an organisation as it can reveal other domains that the
organisation uses. If company X's Domains all have NS records pointing to a single DNS name this transform
can find all (or most) of these domains. A word of caution - if the target is hosting its name servers at an ISP
then you will end up with a list of domains that are hosted by the ISP - normally not the most exciting result.
3.6.3 To IP Address [DNS]
This transform resolves an NS record to an IP address using plain old DNS.
3.6.4 To Netblock [Blocks delegated to this NS]
This transform works on NSrecords. It determines if the particular name server has any Netblock reverse DNS
delegated to it. This is useful for finding the Netblocks of an organization. What's interesting about the results of
this transform is that an organization might have a class B network (a fairly large netblock) but in reality is only
using a couple of class Cs (smaller netblocks) within that block. In many cases they will only populate the
reverse DNS of these smaller blocks and delegate it to their name servers. The transform will show these
smaller blocks.
3.7 Netblock
3.7.1 To AS number
This transform determines the Autonomous System (AS) number of the supplied network. This is useful for
determining if two (or more) networks are related. If two networks are in the same AS (e.g. have the same AS
number) we can say they are at least loosely routed to the same destination. If the networks belong to an
organization (as opposed to belonging to an ISP that is splitting the network into smaller networks and leasing
them to clients) we get a good indication that both networks belong to the same organization.
3.7.2 To DNS Names in netblock [Reverse DNS]
This transform will ask for all historical DNS records on file for the supplied network. It gets a bit messy - what
happens when you have a class B network? As such the providers have limitations. Robtex won't return reverse
DNS entries for networks larger than 2048 IPs (that's 4 class Cs) and Serversniff won't be impressed if you run
a block larger than a class B. Keep in mind that you need to adjust your slider accordingly (if your slider is on
the first notch and you reverse a class C you'll only get 12 entries back). Also - note that this information comes
from a database - so it might not always be up to date. The transform can take a while to run - so be patient. It
still beats doing it manually...
3.7.3 To Entities (NER) [Alchemy and OpenCalais] via whois
This transform obtains whois information of netblock (well the first IP in the block), then parses it for entities
using NER.
3.7.4 To Geo location
This transform takes the first IP number in the range and performs the 'IP address to Geo location' on it. The
transform uses an API of Name Intelligence to provide the geographical location of the IP address. The location
has 3 levels of detail - these are comma separated. The first is the country, the second is the region and the last
is the city. Keep in mind that this level of detail is not always available. In fact - the API does not guarantee that
it will return any result - it's a case of best effort. We have also seen that this data can be extremely misleading -
where the location of the registrant (rather than the resource) was returned. For bulk lookups you should
consider getting your own API key.
3.8 URL
3.8.1 To Email Addresses [Found on web page]
This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and parse it for email addresses. Results are returned as email address entities. The transform is useful
when you are looking for results on a specific page, not an entire site.
3.8.2 To Entities (NER) [OpenCalais and Alchemy API]
This transform performs NER (Named Entity Recognition) on the URL and extracts person names,
companies/organizations, phone numbers and locations from the text. If the URL points to a document, it will
try to convert it to text and perform NER on the resultant text. Entities extracted are: location, person's name,
organization or company.
3.8.3 To Phone number [Found on this web page]
This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and parse it for phone numbers. Results are returned as phone number entities. The transform is useful
when you are looking for results on a specific page, not an entire site.
3.8.4 To URL [incoming links found to this web page]
This transform finds the incoming URLs to a URL by looking on a search engine.
3.8.5 To Website [Convert]
This transform simply extracts that website's name from the URL. This is useful when you have a lot of URLs
(that came from other transforms) and need to see which URLs are on the same site.
3.8.6 To Website [Links on this web page]
This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and look for links from that page. Results are returned as website entities with embedded URLs. The
transform is useful when you are looking for links on a specific page, not an entire site.
3.9 Website
3.9.1 Mirror: Email addresses found
This transform will make a (partial) mirror of the web site and extract all email addresses found on the site.
The slider plays a big role in this transform as it sets the time-out for the mirroring process. The higher (to the
right) the slider is set, the deeper the mirroring process will go, and hopefully, the more results you'll get. The
process runs via a caching server (that is local on the box) which means that you won't be doing the data
transfer to the site twice (if you run the transform again) - except of course if the first round did not manage to
get the entire site. Also keep in mind that not all sites are mirror friendly. Flash based sites will give problems
as will sites with exotic JavaScript menus and redirects. Email addresses that are obfuscated using non-
standard techniques will also not be picked up.
3.9.2 Mirror: External links found
This transform will make a (partial) mirror of the web site and extract all external links found on the site -
these will be returned as website entities. The slider plays a big role in this transform as it sets the time-out for
the mirroring process. The higher (to the right) the slider is set, the deeper the mirroring process will go, and
hopefully, the more results you'll get. The process runs via a caching server (that is local on the box) which
means that you won't be doing the data transfer to the site twice (if you run the transform again) - except of
course if the first round did not manage to get the entire site. Also keep in mind that not all sites are mirror
friendly. Flash based sites will give problems as will sites with exotic JavaScript menus and redirects.
3.9.3 To Domains [DNS]
This transform will return the domain of the supplied website. The transform will also return any sub domains
- all the way to the sub TLD. This means that if a web site with the name www.duh.moo.co.za is supplied the
transform will return the domains duh.moo.co.za and moo.co.za, but not co.za (sub TLD) or za (TLD).
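The domain walk described above, as an added example (not Paterva's code). The suffix set is a small constructed sample standing in for a full public suffix list, and returning a bare registered domain unchanged is an assumption the guide does not state.

```python
# Constructed sample of (sub) TLDs; a real tool would load the full
# Public Suffix List rather than this hand-picked set (assumption).
SAMPLE_SUFFIXES = {"com", "org", "za", "co.za", "org.za", "uk", "co.uk"}


def suffix_length(labels, suffixes=SAMPLE_SUFFIXES):
    """Number of trailing labels that form the longest known (sub) TLD."""
    for start in range(len(labels)):
        if ".".join(labels[start:]) in suffixes:
            return len(labels) - start
    return 1  # unknown ending: treat the last label as the TLD


def website_to_domains(website, suffixes=SAMPLE_SUFFIXES):
    """Return the parent domains of a website name, stopping above the sub TLD."""
    name = website.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError("not a valid DNS name: %r" % website)
    keep = len(labels) - suffix_length(labels, suffixes)  # labels left of the sub TLD
    # Skip the leftmost (host) label unless the name is already a bare domain.
    first = 1 if keep > 1 else 0
    return [".".join(labels[i:]) for i in range(first, keep)]


def group_by_registered_domain(websites, suffixes=SAMPLE_SUFFIXES):
    """Group website names under the shortest domain returned for each."""
    groups = {}
    for site in websites:
        domains = website_to_domains(site, suffixes)
        if domains:
            groups.setdefault(domains[-1], []).append(site)
    return groups


if __name__ == "__main__":
    print(website_to_domains("www.duh.moo.co.za"))
    print(group_by_registered_domain(
        ["www.duh.moo.co.za", "mail.moo.co.za", "www.example.com"]))
```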
3.9.4 To IP Address [DNS]
This is a very simple transform - it simply resolves the website's IP address.
3.9.5 To URLs [show Search Engine results]
When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email addresses, links or phone numbers.
3.9.6 To Website [Incoming links to site]
The transform queries search engines to determine which sites link to the supplied website. This is useful in
combination with 'To websites using Mirror' - which will give an idea of what goes into a site (e.g. links to the
site) and what comes out of a site (e.g. links from the site).
3.9.7 To Website [Replace with thumbnail]
This transform will ask Thumbshot.org if it has a small image (thumbnail) of the site's front page and if so it
will change the entity's icon to it. This is useful when working with huge amounts of web sites that appear to
have the same branding - it gives the user the ability to quickly visually see which sites are branded in a similar
manner.
3.9.8 To Website title
This transform will return the title of the site's front page as a web title entity. It will do its best to follow
JavaScript redirects, 302 redirects and others until it ends on a page with a title. Of course it cannot extract
titles for ALL websites - some do not have titles, are Flash based or perform some exotic JavaScripting. The
transform is useful when dealing with loads of web sites that appear to belong to the same organization.
Running this transform and looking at web site titles that match (or simply using Find and looking for
keywords) makes it easy to find and group sites.
4 Personal
4.1 Document
4.1.1 Parse meta information
This transform downloads the document at the specified URL and extracts the meta information from it.
Maltego tries to map the meta data to Person, Phrase and EmailAddress, but in some cases the information is
not correctly populated within the document itself. Visual inspection of the resultant entities is advised. The
following fields are extracted from the document:
Company->Phrase
Creator->Phrase
Keywords->Phrase
Author->Person
LastSavedBy->Person
AuthorEmail->Email address
AuthorEmailDisplayName->Email address
4.1.2 To URL [Show SE results]
When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email addresses, links or phone numbers.
4.2 Email
4.2.1 To Domain [DNS]
This transform will simply return the domain of the email address - e.g. if the input is [email protected] it will
return kramer.com. This is useful when you have a lot of email addresses and want to see which ones are
located in the same domain.
4.2.2 To Email Addresses [PGP (signed)]
This transform contacts a public PGP keyserver and retrieves the email addresses of signers for the given
address.
4.2.3 To Email Addresses [PGP]
This transform will query one of the public PGP key servers and will return other email addresses that use the
same public key. This is very useful to find alternative email addresses for an individual. Keep in mind that this
information might be outdated.
4.2.4 To Email Addresses [using Search Engine]
This transform will search for the email address and show related email addresses.
4.2.5 To Person [PGP]
Most email addresses map 1:1 to a person. Unlike the 'Email address from Name using PGP' this transform
gives you a clear indication of who the email address belongs to. The transform queries a public PGP key server
to obtain this information.
4.2.6 To Phone number [using Search Engine]
This transform will search for the given email address and show the related telephone numbers.
4.2.7 To URLs [Show search engine results]
When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email addresses, links or phone numbers.
4.2.8 To Website [using Search Engine]
This transform will search for the email address and show the sites where it occurs.
4.2.9 Verify email address exists [SMTP]
Verify Email address must first be activated in Transform Manager by accepting the disclaimer. This transform
verifies that an email address really exists. It's one of the more interesting transforms. It works as follows - as a
start the transform finds the right MX (mail server) record for the domain. It then connects to port 25 (SMTP)
of the host. The transform starts the normal SMTP conversation - it issues a HELO (paterva.com) and a MAIL
FROM ([email protected]) SMTP command. Before testing for the supplied email
address it issues a RCPT TO with an email address that does not exist (it tests for thisisreallynothere@domain).
If the error message indicates that the address is not there the transform knows that it can test for the supplied
email address. If no error is returned during this 'baseline' test the transform returns 'Inconclusive'.
The transform does not return new entities as a result - it returns the same entity but it adds a label to the
supplied email address indicating if it could verify it. Note that not all mail servers allow you to verify
addresses in this way. Because this transform transacts with the mail server (and this is not considered very
passive) this transform contains a disclaimer that explains the situation.
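The baseline logic above, as an added example (not Paterva's code) that works offline on recorded SMTP transcripts and shows why a server that accepts or defers every recipient yields 'Inconclusive'. The transcripts, hosts and addresses are constructed; the 550/250 reading follows the guide's verification transforms, and the labels 'Verified' and 'Not found' are assumed names, only 'Inconclusive' comes from the guide.

```python
import re


def rcpt_replies(transcript):
    """Return [(recipient, final_reply_code)] for each RCPT TO, in order."""
    results, pending = [], None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            m = re.match(r"RCPT TO:\s*<([^>]*)>", text, re.I)
            pending = m.group(1) if m else None
        elif side == "S" and pending is not None:
            m = re.match(r"(\d{3})(-?)", text)
            if m and m.group(2) == "":  # "550-..." is a continuation line
                results.append((pending, int(m.group(1))))
                pending = None
    return results


def verdict(transcript, target):
    """Label the target address from the baseline and target RCPT replies."""
    replies = rcpt_replies(transcript)
    # Baseline: the first RCPT TO names a mailbox that cannot exist. Unless the
    # server rejects it with 550, its answer for the real address means nothing.
    if not replies or replies[0][1] != 550:
        return "Inconclusive"
    codes = [code for rcpt, code in replies[1:] if rcpt.lower() == target.lower()]
    if codes and codes[-1] == 250:
        return "Verified"      # assumed label
    if codes and codes[-1] == 550:
        return "Not found"     # assumed label
    return "Inconclusive"


def sample_session(baseline_reply, target_reply):
    """Build a constructed transcript ("C:" client lines, "S:" server lines)."""
    return "\n".join([
        "S: 220 mx.example.test ESMTP",
        "C: HELO probe.example.test",
        "S: 250 mx.example.test",
        "C: MAIL FROM:<sender@example.test>",
        "S: 250 OK",
        "C: RCPT TO:<thisisreallynothere@example.test>",
        *["S: " + reply for reply in baseline_reply],
        "C: RCPT TO:<alice@example.test>",
        *["S: " + reply for reply in target_reply],
        "C: QUIT",
        "S: 221 Bye",
    ])


STRICT = sample_session(["550-5.1.1 No such user", "550 5.1.1 here"], ["250 OK"])
CATCH_ALL = sample_session(["250 OK"], ["250 OK"])
GREYLISTED = sample_session(["450 4.7.1 Try again later"], ["450 4.7.1 Try again later"])

if __name__ == "__main__":
    for name, session in (("strict", STRICT), ("catch-all", CATCH_ALL),
                          ("greylisted", GREYLISTED)):
        print(name, "->", verdict(session, "alice@example.test"))
```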
4.3 Person
4.3.1 To Email Address [PGP]
This transform queries a public PGP key server to see if the person's name exists in the key database. It returns
entries as email address entities. Some things to keep in mind - if the name is very common (John Smith) you
are going to get a lot of false positives. Also - the information kept in the database might be out of date. This
transform is useful to get long forgotten email addresses for people with a unique name / surname
combination.
4.3.2 To Email Address [Verify common]
This transform will test common free mail providers for combinations of the person's name. This transform
only works with mail servers that will report failed recipients with a 550 code and verified recipients with a
250 code. Not all mail servers do this - for example, Yahoo does not! Also note that this transform makes a TCP
connection to the given entity's MX record!
This transform uses the techniques used in the EmailAddressToEmailAddress Verify transform. Since this
gives us the ability to verify if an email address exists we can expand the idea to test for combinations of first
name / last name on popular email providers - like Gmail and Hotmail. The providers (domains) that the
transform tests are configurable - e.g. you can add/remove domains by changing the 'Domains to check'
additional transform setting. There is one difficulty here - not all mail servers fall for the verification trick. As
such you cannot randomly add domains here - be sure to test if email addresses can be verified using the
verification transform first.
4.3.3 To Email Address [using Search Engine]
This transform searches for the person's most likely email address.
4.3.4 To Person [PGP (signed)]
This transform queries a public PGP key server and asks the question 'show me the names of persons that the
owner of the supplied email address has signed'. This is useful for determining trust relationships between
people. The transform shows you that these people communicated encrypted (or at least exchanged keys). Keep in
mind that the information in the database could be outdated.
4.3.5 To Phone Number [using Search Engine]
This transform searches for the person's associated telephone numbers.
4.3.6 To Website [using Search Engine]
This transform shows sites where various permutations of the person's name were found. You'll see a pop up
asking for a Domain or TLD and an additional search term.
4.4 Phone Number
4.4.1 To Email Address [using Search Engine]
This transform searches for the telephone number and returns related email addresses.
4.4.2 To Phone Number [using Search Engine]
This transform searches for the telephone number and returns related email addresses.
4.4.3 To URL [Show Search Engine results]
This transform just dumps the URLs collected from the search engine. When running any of the search engine
transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This
transform generates separate URL type entities from each result. This allows you to now perform transforms
on each URL - like mining for email addresses, links or phone numbers.
4.4.4 To Website [using Search Engine]
This transform searches for the telephone