next »

[Maltego Forum]

Maltego Forum » Development » User Transforms
NMap Local Transforms

[AndrewMacPherson]

Hi everyone,

Herewith attached are the NMap local transforms that where presented at Blackhat Amsterdam. These transforms require the following libraries:

• EasyDialogs: http://code.google.com/p/easydialogs-gtk/ (linux), http://www.averdevelopment.com/python/EasyDialogs.html (windows) - This library is used for the popup dialogs when asking for ports etc.
  The easydialogs-gtk is already included in the attached linux archive for those that don''t wish to ''install'' the lib
  
• netaddr: http://code.google.com/p/netaddr/ this library is used to get the correct netblock cidr notation
  Thenetaddr is already included in both the attached archives for those that don''t wish to ''install'' the lib
  
• MaltegoTransform: The standard Maltego python lib found in the forum (not konrads oo version)
  This is already included and thus does not need to be downloaded.
  

The transforms are as follows:

nmapPorts.py
This transform does a basic port scan on the following ports: 22,21,25,80,443,3306. This will be performed on an IP address and will return the same IP address with an additional field of "open ports"

nmapPorts-ask.py
This transform will do the same as the one above but instead of using default ports will ask via a dialog popup for the ports you wish to scan.

nmapPortsNetblock.py
This transform will do the same as the above(including asking for the ports to scan) but will return the IP addresses from the netblock with the open ports found.

nmapVersion.py
This will perform a light version scan on an IP address using the ports found with the nmap portscans (above) and return a Service in the format of Port/Banner as well as populate the service fields "banner" and "port"

nmapDumpPort.py
This will "dump" (no processing) the ports from a service.

nmapDumpBanner.py
This will "dump" (no processing) the banners from a service.

Using the transforms
These transforms are intended to be used as a good way to gain valuable service level information on a system. An example of how we would usually do it is like so:

* Add a Netblock/IP Addresses to the graph of the required network
* Run either the default portscan, or ones that let you specify the ports you wish to analyse
* Take the returned IP Addresses (the same ones you just selected if you had just used IP Addresses) and run a version scan against them
* Dump both the ports and the banners from the service.

You will now notice that various ports/banners will start "linking", this is usefull when say 80 of the 85 machines are all running "apache 1.3.4.5" and 5 of the machines are running different apache versions, it could indicate a problem with the patching process, or that these machines are running different configurations and thus useful to find out why.

I have attached both the windows(zip) and linux(tar.gz) versions of the NMap transforms.

If you have any questions regarding these either post a reply here or contact me at andrew <awithcirclething> paterva <period> com

-AM

[yop]

thank you for your work, i have tested nmap transforms under ubuntu 9.04 with python 2.6 and maltego ce

It work fine

 

[fn-eagle]

Could somebody plase explain how to add the local transforms in the GUI. I know that I can use the wizard under Tools->Options but have no clue how.
Are there any differences for the Windows and Linux version? Thanks!

[AndrewMacPherson]

Hi Fn-eagle,

The wizard is the same in the Linux and Windows version, click on Tools->Manage Transforms (not options) and then click "New Local Transform" at the top of the page. The wizard is pretty straight forward, but you can see an example of the values here: http://www.paterva.com/forum/index.php/topic,113.0.html

-AM

[SimonAHunt]

Hi All,

I am not sure if i am being a complete newbie here, but i have got the transforms up and running.  I see the return of value in the logs, but it does not create the ports in the Maltego view.

In the transform manager i do not see an output type against the local transform.  Am i missing something when i set them up?

Thanks

Si

[AndrewMacPherson]

Hi Simon,

The nmap transforms simply return the IP address again, but with additional values of the ports, simply click on the IP Address to see the available ports. These values are then used in the further transforms (services,etc)

Hope this helps!

-AM

[SimonAHunt]

Hi Simon,

The nmap transforms simply return the IP address again, but with additional values of the ports, simply click on the IP Address to see the available ports. These values are then used in the further transforms (services,etc)

Hope this helps!

-AM

Thanks for the quick answer on this.

Simon

[mulkmac]

I have added a simple transform (modified from AndrewMohawk's existing code) to do an nmap ping scan of a network block to enumerate active hosts. It can be installed and used in the same way as the other nmap transforms. I hope someone finds it useful!!

[mulkmac]

I found a small problem in my script with some versions of nmap. I have attached the updated version. If you used the old script I posted and Maltego added all of the IP addresses that you scanned (rather than just the ones that are up), this should fix it...