next »

[Maltego Forum]

Maltego Forum » Development » User Transforms
Updated Facebook Transforms (Jan 2010)

[singe]

Since Paterva can't release FB transforms due to legal silliness, here are the ones I made. Please read the disclaimer. They have been updated to work with FB's current code as of Jan 2010, and I did some stuff like deobfuscating the JavaScript they use to allow BeautifulSoup to do it's job nicely, so they have and should continue to be easy to update.

They currently don't support cookies and could do with that being added if anyone feel up to it, I tried to comment lots to make it easy.

Either way it's attached, what follows is the readme.txt file:
 ------------------------------------
| Matego - Facebook Transforms |
 ------------------------------------

Disclaimer (NB):
----------------

This code is for research and demonstration purposes only. It should not be used as it will violate Facebook's Terms of Service and could result in your account being shut down. The author accepts no liability or responsibility for the code or it's uses. The author also waives all intellectual property rights to the code. The code was authored by the individual author only, and neither his employer nor Paterva were involved in it's creation or release. The code is released in the public interest to help other's understand the implications of their privacy settings on Facebook, however, the author reserves the right to additional defences.

Pre-requisites:
---------------

* A licensed copy of Maltego, check http://www.paterva.com/maltego/
* Python (2.6 recommended)
* The following python libraries
    - pymaltego-singe This should be distributed along with this code.
    - mechanize
    - BeautifulSoup
    - urllib2
    These are all easily available and support the easy install method i.e. run the following in the extracted directory for each dependency "sudo python setup.py install"
    Note: for installing pymaltego-singe, make sure you are in the trunk/ directory or you will get a 'pymaltego' not found error.
* A facebook account - bear in mind as this is a violation of FB's ToS your account could get suspended. Additionally, having two FB accounts is a violation of the ToS.
* Suggested prerequisites:
    - an anonymising proxy e.g. Tor (scraping may not work correctly in foreign characters)
    - an anonymous FB test account

Installing:
-----------

1) Place the transforms somewhere on your filesystems.

You will need to create at least four local transforms:
* Phrase -> FacebookAffiliation (from_phrase_to_facebook.py)
* E-Mail -> FacebookAffiliation (from_phrase_to_facebook.py) (uncomment the limit = 10 line at the top before use)
* FacebookAffiliation -> (Friends of) FacebookAffiliations (from_fb_to_friends.py)
* FacebookAffiliation -> Person (from_fb_to_person.py)

For each transform:
2) In Maltego click Tools -> Manage Transforms
3) Click 'New Local Transform'
4) Complete the details on the first page e.g.
    Display Name : To Facebook
    Description : Search for an e-mail address on Facebook and return found Facebook accounts
    Author : singe
    Input Entity Type : EmailAddress
5) Click Next and complete the details on the next page e.g.
    Command : /usr/local/bin/python
    Parameters (optional) : <path to the local transform e.g. /home/foo/bin/maltego/facebook/from_phrase_to_facebook.py>
6) Click Finish

Usage
-----

Quite simple: add an appropriate entity, run the transform.

[AndrewMacPherson]

Hi Guys,

Just a quick headsup.

• This will run on both the commercial and the community edition
• to install the pymaltego-singe you need to run 'python setup.py install' from the trunk directory, not the one above

I also seem to be having the following error:

andrew@PickledOrange:~/fb/maltego-facebook/maltego-facebook$ ./from_phrase_to_facebook.py "Andrew"
D: Got login page
D: Logged In
D: First search completed
<MaltegoMessage><MaltegoTransformExceptionMessage><Exceptions><Exception>global name 'limit' is not defined</Exception></Exceptions></MaltegoTransformExceptionMessage></MaltegoMessage>

Look forward to the fix!

-AM

[AndrewMacPherson]

Sorry guys, that was a stupid mistake, within the from_phrase_to_facebook.py simply change this line:

#limit = 10

to

limit = 10

-AM

[singe]

Sorry, my bad on the install instructions for pymaltego-singe, have updated the README above to mention it.

Also my bad on commenting out the limit, however, note that leaving it as "limit = 10" will only return 10 results when searching for facebook accounts. You may want more, in which case increasing this number is a good idea.

If we find any more obvious dork moves I'll release a new version, but waiting for them to cumulate a bit.

[AndrewMacPherson]

Please note the facebook login URL has changed to https://login.facebook.com/login.php

Change line 30 from:

response = mech.open("https://www.facebook.com/login.php")

To

response = mech.open(https://login.facebook.com/login.php ")

[bulgin]

I seem to have made a mistake in creating this transform in the commercial version of Maltego, and now I cannot delete it from the Manage transforms tab.

I am asked if I want to delete, I say yes, but it remains.

Is there something I'm missing here?

[FAS2]

bulgin, manually delete it in, C:\Documents and Settings\YOUR USERNAME\Application Data\.maltego\v3.0CE\config\Maltego\TransformRepositories\Local

singe,

For, "from_fb_to_friends.py" what is the, input entity type and or transform set? I get a popup error about "uid" even if I set phrase and am searching the profile id. Thank you.

[sevol]

hi, im having trouble setting up this transform. for the command line option what do i put in? im running on ubuntu 10.10 and the /usr/bin/local/python folder does not exist. thanks

[AndrewMacPherson]

Hi Sevol,

Simply do 'which python' to see where it is, most likely /usr/bin/python/

[Don Weka]

Hi,
Thank you for this update!
I keep having trouble with the transform. I run it under Linux Ubuntu 10.04, pyhton 2.6.5.
The script from_phrase_to_facebook can log in using Facebook credentials, then performs the search with the given Phrase. But the response it gets contains no data about de search result. Instead, it is always something like below, as if facebook detected that it is a script that does the query:

Code:

<script>window._is_quickling_index="";</script><script type="text/javascript">function incorporate_fragment(a,b){if(b&&a.pathname=='/')return;var d=/^(?:(?:[^:\/?#]+):)?(?:\/\/(?:[^\/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?/;var c='';a.href.replace(d,function(e,h,i,g){var f,j;f=j=h+(i?'?'+i:'');if(g){g=g.replace(/^(!|%21)/,'');if(g.charAt(0)=='/')f=g.replace(/^\/+/,'/');}f=b+f;if(f!=j)window.location.replace(c+f);});}if(window._is_quickling_index!==undefined)incorporate_fragment(window.location,window._is_quickling_index);</script><script type="text/javascript">/* <![CDATA[ */if (top != self) { try { if (parent != top) { throw 1; } var disallowed = ["apps.facebook.com","\/pages\/"]; href = top.location.href.toLowerCase(); for (var i = 0; i < disallowed.length; i++) { if (href.indexOf(disallowed[i]) >= 0) { throw 1; } } } catch (e) {setTimeout(function() {var fb_cj_img = new Image(); fb_cj_img.src = "http:\/\/error.facebook.com\/common\/scribe_endpoint.php?c=si_clickjacking&m&t=5531";}, 5000); window.document.write("<style>body * { display:none !important; }<\/style><a href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display: block !important; padding: 10px\"><i class=\"img spritemap_2rry0p sx_0fdace\" style=\"display:block !important\"><\/i>Go to Facebook.com<\/a>");/* fH5gK8gD */ }}/* ]]> */</script><script>window.location.replace("http:\/\/www.facebook.com\/search.php?q=username%40domain.com&n=-1&k=100000020&type=users");</script>

Furthermore, the keywords like "UIFullListing_Table" don't exist anymore in the source html of the result page...
Does someone have an update?

Thanks
Don