next »

[Maltego Forum]

Maltego Forum » General » General Discussions
Network mapping?

[kleanchap]

I am a new user to Maltego.  I have printed the user guide which I will read.  Most of it seems to mention social network mapping etc.  I have seen references of Infrastructure mapping etc.  What is the source of information for Maltego to draw the network map?

Typically, during security assessment we do a ping sweep of a LAN by LAN and draw up the architecture.  We also collect tcpdump data and look for non-LAN related traffic and draw the routing paths.  If I use the tcpdump data, can Maltego draw the network map for the local LANs?

What is the format of data that Maltego is looking for?

PS - We do have lot of syslog and application log data.  Will this data help with my efforts to draw up and understand our infrastructure?

[AndrewMacPherson]

Good day,

The core of Maltego is taking one entity and producing one or more entities from that by means of a transform.

For example, if you took a domain (paterva.com) and ran the "To NS record [DNS]" transform (you can think of a transform as a script that you execute and the results of that script are the entities -the stuff in the palette- returned) you would get the following:

ns1.linode.com
ns4.linode.com
ns3.linode.com
ns2.linode.com

Similarly if you run the "To MX record [DNS]" transform you would also get the mx records ''branching'' off from the original domain.

You could then take the NS/MX records returned and take those to IP address by running the "To IP Address[DNS]" transform and then look for shared NS/MX record transforms on those.

That was just an example to demonstrate the idea behind Maltego, to provide a graphical interface to correlate data. If you had 1000 domains and 600 of them had the MX records that pointed to the same IP address, it would be a painstaking task for you manually find which domains had an mx record pointing to the same IP address.

Now with regards to your question, the "source" of the information that Maltego will use to draw a network map is the transforms that you pick to run. For example if you wanted a network map of all the NS records for a specific domain and then to find out which of these NS records were shared by other domains you would use:

Domain->To NS record
NS Record->To Domains [ Shared NS ]

Maltego can definitely integrate with your assessment overview of doing a ping sweep, but the transforms to do that are not written. This is where version 2.0.2 (CE and Commercial) comes in, it allows you to write your own transforms (referred to as local transforms). You can essentially integrate with any datasource,script or application and splice the results of those back into Maltego, local transforms can be written in any language and the specification (essentially a guide for writing local transforms) will step you through the process! The specification will also explain the format for a Maltego local transform.

The specification can be found here: http://ctas.paterva.com/view/Specification

Additional you can also look at purchasing a local Maltego Server with the SQL-TAS module for integration with your syslog and application data.You can view the documentation for the SQL-TAS here: http://ctas.paterva.com/view/SQL-TAS , but basically it integrates with the following SQL Databases: MySQL, MSSQL, DB2, Oracle and Postgres and should you wish to use another kind you can simply contact us.

Alternatively you can write local transforms to integrate with your log data, but the SQL-TAS is a much more elegant and extensible solution, although it is more costly.

I hope this answers your questions, and if you need anything else just contact us on the forum or irc or any of the other methods!

-AM