next »

[Maltego Forum]

Maltego Forum » Support » Help!
Phone number transform pulling back incorrect details?

[autom8on]

Hello all,

Just got my licence today for Maltego - so I''ve been having a bit of a play...

One problem I''ve noticed relates to the information that the phone number transform is returning.

<snip long explanation about Maltego pulling some other guy''s phone number and e-mail address out of a page that also contained my details>

Is this expected behaviour, or should it be pulling back the right details? (I can''t really think whether I''d actually want it to create entities for every person on that page, or just pull back the appropriate details for me) Can anyone explain (in idiot-proof language) what the transforms are doing?

Cheers,

Steve.

[AndrewMacPherson]

Hi again Steve,

Fantastic that you are spicing up the forums

Firstly, while running all transforms might make very large graphs, it often creates an "information overload" where it becomes very difficult to differentiate between the right and wrong "paths".

However, let me run you through the transforms that you ran (ie, "all transforms" ran all of the below):

* To Domain [DNS] - this will return the dera.gov.uk, the domain for your email address
* To Email Addresses [PGP] - This will naturally look you up on PGP keyservers to find additional email addresses
* To Email Addresses[SignedPGP]  - This will look for other email addresses that your email address has signed on the PGP keyservers
* To Person [PGP] - this will return a person with the name stored on the keyservers

* To Social Networks [Rapleaf] - this will query rapleaf.com for social network data (facebook,linkedin,etc) relating to this email address
--- this transform will need to have its disclaimer accepted, view it by selecting tools->Manage Transforms --

* To URLs [Dump from SE] - this transform will return the URLs for any entity that has collected them (via search engines) - this cannot be used at this stage since you have none

* To Website [SE] - This transform will query a search engine (by default yahoo), and analyse the results to return websites where that search term was used [ in this case that term is your email address ]

* Verify Email Addresses [SMTP] - This transform will try communicate with the SMTP server to verify that the email address exists - this transforms disclaimer will also need to be accepted as it is not a "passive" transform, it connects to the smtp server.


The Two you are really after:

* To Email Addresses [SE] and To Phone Numbers [SE] - this transform will query the search engine again and analyse the SNIPPETS returned, ie, not the entire page but just the snippet returned for either email addresses and telephone numbers.

As a side note, telephone numbers are VERY difficult to parse as there is no standardised format or length and it varies from country to country, we try very hard to parse these, but in some cases it is just not possible.

If you were looking to parse all of the email addresses and telephone numbers out of that page this is what i would do:

Take either the phone number, or websites returned and select the "To URLs [Dump]" Transform, this will then give you a URL entity, "Quelle".

Now that you have this URL you can select the "To Email Addresses [ on URL ] or To Phone Numbers [ on URL ]", which will parse out of the page rather than the snippet.

I hope this clears up your confusion, if you would prefer we can perhaps chat about it over IM

p.s. perhaps if you are a bit worried about your email address being listed you can remove it from your post, since this explanation should cover what you were asking about.

-AM

[autom8on]

Hi again Steve,

Hi Andrew,

Fantastic that you are spicing up the forums

Hehe, I''ll take that as a compliment, I think... ;-p

Firstly, while running all transforms might make very large graphs, it often creates an "information overload" where it becomes very difficult to differentiate between the right and wrong "paths".

Yeah - I''ve been playing with some of the technorati blog stuff - ending up with colossal graphs. I think I need to get a machine with a much higher resolution display and more processing power - my laptop just isn''t handling that much data well...

* To Social Networks [Rapleaf] - this will query rapleaf.com for social network data (facebook,linkedin,etc) relating to this email address
--- this transform will need to have its disclaimer accepted, view it by selecting tools->Manage Transforms --

Thanks for pointing that out. It appears that the transform was already enabled - though using a default Rapleaf API key. I tried to sign up for my own API key, but the site is currently down for maintenance. I''ll get one later...

Speaking of API keys - I''ve signed up for a Technorati key already. Are there any others I ought to get?

* To Email Addresses [SE] and To Phone Numbers [SE] - this transform will query the search engine again and analyse the SNIPPETS returned, ie, not the entire page but just the snippet returned for either email addresses and telephone numbers.

OK. I''d assumed it was querying the actual URL rather than just taking the snippet of info from the search engine results.  Actually, it highlights something interesting - I''m a brainwashed Google user - so I always tend to search there and nowhere else. If you query for the e-mail address on Google - the first hit contains my old phone number in the snippet of information that is returned. However, with Yahoo, although it points to the same URL (third hit), the information held within the snippet is completely different. With Yahoo it has the e-mail address twice - with Google it has the e-mail address once and the phone number once.

Similarly, for the IETF attendance page, Yahoo''s snippet contains none of my information - it just points at the start of the page (hence the inclusion of the first e-mail address/phone number in my graph). However, Google''s snippet contains my phone number, fax number and e-mail address...

As a side note, telephone numbers are VERY difficult to parse as there is no standardised format or length and it varies from country to country, we try very hard to parse these, but in some cases it is just not possible.

Yeah - a total nightmare. I remember looking into it back when Evolution was still around...

I hope this clears up your confusion, if you would prefer we can perhaps chat about it over IM

Yeah - that clarifies that, thanks. Though I''m sure I''ll come up with plenty more dumb questions soon... ;-)

I''ll sort myself out and get on the irc channel.

p.s. perhaps if you are a bit worried about your email address being listed you can remove it from your post, since this explanation should cover what you were asking about.

Yeah - you probably have a point. I sanitised it somewhat now... ;-)

Thanks,

Steve.