
Can you hear me all right? Perfect. How's everybody doing at BSides today? Thank you for coming, thank you for coming to one of the last talks. I'm David Bressler, and this presentation is about how to leverage Maltego within an internal enterprise environment. Generally Maltego is used for gathering information from publicly available sources on the internet, but let's move that functionality into an enterprise environment. A little bit about me: I'm a security consultant for GuidePoint Security. I like to make things and break things. I have a little alphabet soup. I'm bostonlink on Twitter, you can always say hello, and all of my
code that you'll see presented here is on my GitHub account, so if you want to look at the code or play around with it, feel free. So how many people know what Maltego is? Awesome. And how many people have actually used Maltego? Perfect. How many people have developed transforms for Maltego? Excellent. So just to get everybody on the same page: Maltego, created by Paterva out of South Africa, is an information-gathering, intelligence-type tool for reconnaissance, and it's a really nice visual representation of data. I find it pretty sexy, and it's really customizable in what data you can bring in. So why Maltego in the enterprise? First
of all, a single tool to gather information from different devices within your enterprise, as well as a way to do high-level analysis on that data. You can also easily write custom transforms with different APIs, and my main thing is just to think outside the box: what type of data would be valuable to visualize?
So, a quick rundown. Maltego transforms are backend code, or remote code, that gathers the data and outputs it into a Maltego graph. At a high level it creates what are called entities, and every one of the items you see on this sample graph is an entity. So besides boston.com, which is an entity, everything else in this graph is an entity, and it shows relationships. These are built-in transforms. Going back a bit, I jumped around, but there are two types of transforms, remote and local, and Maltego ships with the built-in ones as remote.
Remote transforms pretty much run on remote web application servers; think of that web server as acting as a proxy for your Maltego client. Every time you right-click and say "run this transform" within Maltego, your client will actually request that server to run the transform, and that server will output the data back to your client. Local transforms are pretty much the same thing as remote transforms; the only difference is that they run on your local system. Totally different, right? They're running on the local system that you're running your Maltego client on. Real quick, these are a couple of examples of a couple
of transform packs that I wrote to output attacking IP addresses and whether they have any signatures within Palo Alto. So overall, if you're trying to develop transforms, which transform type should you use? That's the big question. It really depends on your goal and architecture. Overall, if you're trying to integrate with internal systems and internal tools, definitely local transforms all the way, or an internal TDS server, which is that remote web application server that runs your transforms for you, except it's not on the internet, it's in-house on your local LAN. For external data sources I'd say local or remote; I'd probably go with remote transforms just so I don't have
to push out code. I could have that code running just on an external web server and have multiple people use it. So there are several types of modules, Python modules, PHP modules, that help you write transform packs. My personal favorite is the Canari framework. It deals with all the output for you. Personally, I don't like XML; I'm just not a fan. I don't like building my own XML, I don't like outputting it, I don't really like any of that. So I can use Canari to just focus on the logic of my code and on parsing the data that I'm trying to
input into a graph. It's really scalable and just really easy to install transforms across the board. So overall, why integrate other tools within Maltego? First of all, because it's awesome. Second of all, you can actually see the value of your data. Say you have multiple data sets: you can compare those data sets within one graph and ask what relationships these different data sets have, if any. You can easily pivot from internal data. Say I integrated my IDS solution, and it has a signature for this external IP address that's communicating with these hosts on my LAN.
Now let me gain more external information on that external host, if any, by pivoting and utilizing built-in transforms or other transform packs. Make sense? Perfect. So some of my personal projects, at another position that I had, integrated with Palo Alto Networks to give you a nice visual of their top attacker, vulnerability, virus, whatever it flags, in a Maltego graph for the past 24 hours. A little example of that: this example is the top attacker report. And where it all fits in, remember, multiple internal data sets. So if I have this, and there are multiple external IPs here and even internal IPs,
I can say, all right, if I have a full packet capture solution within my environment and I have that integrated into Maltego, I can just pivot from one of these IPs and ask whether any other signatures or any other flags or files or anything else were involved with those sessions. Going to NW Maltego: NW Maltego was one of my first projects that integrated NetWitness within Maltego, which allowed you to actually query the NetWitness API for metadata pulled out of network sessions. A quick example of that (I don't know how well that looks to you guys): I started with the internal IP address, and it flagged an Emerging Threats
Snort signature within NetWitness. I queried on that alert to ask, in the session that created that alert, what file types were in it, and this is the output of the file types, which you can't really see, it's pretty blurry, but it's Java JAR files, Windows executables and whatnot, and a few images as well. Further, I pivoted from that alert to the external IP address within that same session, along with any other internal hosts that may have been communicating with that IP, and then kept going to what other alerts may have been flagged in those other sessions to that external IP address, and what you see here is a Blackhole exploit
kit alert with a PDF file associated with it. Now remember, multiple data sets. If I pull all these files from these sessions out of NetWitness, or pretty much any packet capture solution you have, I always like to run them through the Cuckoo Sandbox. So I wrote another integration, remember, one tool, multiple data sets, to actually point to a file and say run this through the Cuckoo Sandbox for analysis and let me know when that analysis is finished. It would output the analysis ID, and you can query down and ask, all right, are any signatures associated with this file, what type of files were dropped on that system
within that analysis, or did this file try to communicate with any external IPs? Okay, wrapping it all together: if it did communicate with any external IPs, you can always pivot back into your NetWitness transforms and run more queries on the actual sessions. All right, perfect.
So when I was writing this talk and putting all my ideas together, I said, you know, I kind of want to do a demo. I don't really have all these production systems on hand because I just recently switched jobs, but I wouldn't have them on hand anyway. So I said, you know what, let me just... especially at BSides, right? Yeah, let me VPN into work. So I just downloaded Nexpose Community Edition, because I work with Nexpose a lot as well and I can leverage it in my daily work, and I started to write some
transforms for the Nexpose API. So Nextigo pretty much allows you to launch a vulnerability scan from a host that you've been doing some reconnaissance on within Maltego. It allows you to display ports, services, service versions or fingerprints, vulnerabilities, Metasploit modules, and Exploit-DB exploits. I just made this public on my GitHub account as well, so you can always download it. That being said, let's get into the demos.
All right, I don't know how well this is going to work. All my transform packs utilize the Canari framework. Within the Canari framework, once you install it and install a transform pack, you're going to have a configuration file directory within your home directory, right there, canari. What that holds is your transform pack configuration files, so if any of the transform packs need IP addresses or any other configuration, that's where it's going to be stored. Just a quick note on that: without those configuration files none of this will work. Perfect.
So real quick, I'm just in my home segregated lab right now, right here. So this new transform pack gives you the ability to say, all right, I've got all this other information: I've got DNS information, I've got WHOIS information, I've got all this other passive and active reconnaissance information on a host. Now what if you added active vulnerability scanning? Yeah, sure, it's not perfect, it probably won't identify all the vulnerabilities, but what vulnerability solution does? Hey, I find it kind of useful. So I can just launch this scan. Hit the wrong button.
So I can just launch the scan, and what that's going to do is create a site within Nexpose and actually start the scan, obviously.
So we see the scan is running right here, and what that transform is doing right now is polling Nexpose's API and asking, what's the status of the scan, what's the status of the scan, and once the scan completes it's going to output a scan entity.
So to save time, I don't really want to wait here for that scan to be done, so this is what the output is going to look like. Now I can pivot off of this scan site and say, all right (this graph is just going to look horrible because of my resolution), but hey, I could do either vulnerabilities or open ports. Start with vulnerabilities. This box is Metasploitable 2, so it's pretty vulnerable; as you can see, it got a lot. So to drill down a little more, I want to differentiate the vulnerabilities that have publicly available exploits
from the vulnerabilities that do not. So I'm just going to run, pretty much, do any of these vulnerabilities have Metasploit modules or Exploit-DB exploits, and Maltego is just going to do its magic; the transforms are running on the back end.
Perfect. So now I have a fairly big graph of vulnerabilities that have exploits versus vulnerabilities that do not have exploits.
I personally like to keep my graphs a little smaller, so what I'm going to do is just copy,
so now I have a graph of all the vulnerabilities that pretty much don't have exploits, and once I delete these,
versus vulnerabilities that do. You could have multiple views, whatever your preference is. So this is pretty cool: I can also select any one of these, go into the detail view, and see, all right, what's the skill level of that Metasploit module and the actual URL, so I can just pull that up on the fly. Same with the Exploit-DB exploits, as you can see, and same with the vulnerabilities. In addition, all these transform packs will work with the community edition of Maltego, but the commercial version of Maltego has, in my opinion, a really
nice report export feature where I can just export all the information on that graph and have it as a record of any reconnaissance I did on that host or any vulnerabilities that were found during that scan.

Audience: Where is the information coming from? Is it coming from Nexpose? When you click on one of those, is all of this coming from Nexpose?

Bressler: Yep, Nexpose.

Audience: So it's based on the scan we ran earlier?

Bressler: Absolutely.

Audience: What's the real Maltego point here, just generating this graph?

Bressler: Exactly. Maltego is just inputting the data and presenting it in a visual manner.
My back-end code is pulling that data from Nexpose.
So let's move forward. Clean this up a little bit. And we could also go back here and quickly go to ports and enumerate all the open ports on that host. I can select the ports and ask, all right, what services did Nexpose identify as running on those ports?
And represent that in a nice visual manner as well. In my opinion, is this a must-have? No, not at all. But is it a nice-to-have? Absolutely. And then further, I can actually pivot on the services: I'll select the services and say, show me the vulnerabilities associated with that individual service, as well as, once that outputs, show me the exploits for those vulnerabilities, just like I showed you in the other graph. Cool. All right.
So to put it all together. In my opinion, working with multiple internal data sets in a visual manner does multiple things for you; there's multiple value to it. You can easily compare two different data sets, or however many data sets you import into Maltego, fairly easily, and come up with a high-level conclusion of what may be happening. Also, if an analyst is using this in an investigation, they can actually pinpoint data a lot easier than they would have to otherwise dig for, rather than just looking at multiple tools, multiple logs and everything else,
because overall nobody really likes looking at something like this. You could kind of grab it out of there, but this will make at least me look like this, and I don't like looking like that. And that's pretty much it. I just want to give a special thanks to GuidePoint Security for sponsoring Boston BSides and for employing me, and to Paterva, Nadeem Douba, he's the man, Rich Popson, the Canari framework and everybody involved in the Canari framework and developing with it. If you're interested in this stuff, definitely check it out: write some scripts, write some transforms. Questions? Feedback?

Bressler: Personally, I've thought of it. My thoughts are pretty much that it would be a pretty highly customized transform set for that organization, because everybody's inputting different logs, and it'll be really hard to release just one general transform set.

Audience: You could release maybe a base...

Bressler: Yeah, exactly, and then people can add on to that to customize it to their specific environment.

Audience: But some organizations don't have people to do that.

Bressler: Right, yeah, exactly. Yes?

Bressler: You could export, I believe, to CSV, and the Canari framework actually has multiple... I forget off the top of my head, but you can transfer a graph into, I believe, CSV and another format. You can output an image. Interactive? Not that I'm aware of.

Anybody else? Yes?

Audience: How complicated is it to write transforms?

Bressler: I'll show you. Actually, it's a good question. It really depends on what you're trying to do. So this is my GitHub account, and these are pretty much my transform packs. If you know any type of scripting language, it's fairly easy. You can just have the output be XML, the XML that Maltego reads, but utilizing the Canari framework, it's pretty much a Python package. So if I go in here, these are all my transforms for Nextigo,
and within that it's pretty much just parsing data and outputting it. So maybe there's a little learning curve, but it depends where you are with scripting in general.

Audience: Kind of a similar template format? Like, you're always going to have to think about...

Bressler: Absolutely. If you utilize the Canari framework, yes, they'll all pretty much look like this. Anybody else? All right, that's all I got.
Thank you.
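The talk describes local transforms as scripts that run on the machine the Maltego client is on, and the last answer notes that without a framework you can "just have the output be XML that Maltego reads". The following is an added example, not code from the talk or from the speaker's GitHub transform packs, of what that bare path looks like: a local transform that takes the selected entity's value from the command line, looks it up in a constructed sample table standing in for a scanner backend (no Nexpose API is used or imitated), and emits the MaltegoMessage response XML. The host address, ports and banners are made up for the example. It also shows the one thing worth getting right when you skip the framework: scanner banners are attacker-influenced data, so let an XML library escape them instead of string-formatting them into the response.

```python
"""
Added example: a bare-bones Maltego local transform written directly against the
MaltegoMessage XML format instead of through the Canari framework.
Not code from the talk or from the speaker's transform packs.
"""
import sys
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a scanner backend (NOT real Nexpose
# output; no Nexpose API involved): port/service results for one lab host.
SAMPLE_SERVICES = {
    "192.168.56.101": [
        {"port": 21, "protocol": "tcp", "service": "ftp", "banner": "vsftpd 2.3.4"},
        {"port": 22, "protocol": "tcp", "service": "ssh", "banner": "OpenSSH 4.7p1"},
        # A banner carrying XML metacharacters, to show why escaping matters.
        {"port": 80, "protocol": "tcp", "service": "http", "banner": "Apache/2.2.8 <lab & test>"},
    ],
}


def parse_transform_args(argv):
    """Local-transform calling convention: Maltego runs the script with the
    selected entity's value as argv[1] and, optionally, the entity's additional
    fields as argv[2], a '#'-separated list of URL-encoded key=value pairs."""
    value = argv[1] if len(argv) > 1 else ""
    fields = {}
    if len(argv) > 2 and argv[2]:
        for pair in argv[2].split("#"):
            key, _, raw = pair.partition("=")
            fields[urllib.parse.unquote(key)] = urllib.parse.unquote(raw)
    return value, fields


def lookup_services(host):
    """Backend lookup: a dictionary read here, an API call in a real pack."""
    return SAMPLE_SERVICES.get(host, [])


def build_response(host, services):
    """Build the MaltegoTransformResponseMessage: one maltego.Port entity per
    result, with the service details as additional fields. Serialising through
    ElementTree means a banner like '<lab & test>' is escaped, not injected
    into the XML the client parses."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for svc in services:
        ent = ET.SubElement(entities, "Entity", Type="maltego.Port")
        ET.SubElement(ent, "Value").text = str(svc["port"])
        fields = ET.SubElement(ent, "AdditionalFields")
        for name, display in (("protocol", "Protocol"), ("service", "Service"), ("banner", "Banner")):
            field = ET.SubElement(fields, "Field", Name=name, DisplayName=display)
            field.text = str(svc[name])
    ui = ET.SubElement(resp, "UIMessages")
    msg = ET.SubElement(ui, "UIMessage", MessageType="Inform")
    msg.text = f"{len(services)} port(s) returned for {host}"
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Read a response back into plain dicts, roughly what the client does on
    its side; used here to check the round trip."""
    root = ET.fromstring(xml_text)
    out = []
    for ent in root.iter("Entity"):
        out.append({
            "type": ent.get("Type"),
            "value": ent.findtext("Value"),
            "fields": {f.get("Name"): f.text or "" for f in ent.iter("Field")},
        })
    return out


def main(argv):
    host, _fields = parse_transform_args(argv)
    if not host:
        sys.stderr.write("usage: port_transform.py <ip> [additional-fields]\n")
        return 1
    sys.stdout.write(build_response(host, lookup_services(host)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python port_transform.py 192.168.56.101` to see the XML a Maltego client would consume; registering the script as a local transform on an IPv4 entity is done in the client's transform manager, exactly as the talk describes for local transforms. The round-trip parser is only there to make the escaping behaviour checkable.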