September 22, 2014, 12:58:26 pm
Maltego Forum

Author Topic: NMap Local Transforms  (Read 64201 times)
AndrewMacPherson
Administrator
Full Member
*****
Posts: 132


« on: May 11, 2009, 07:16:12 am »

Hi everyone,

Herewith attached are the NMap local transforms that were presented at Blackhat Amsterdam. These transforms require the following libraries:

  • EasyDialogs: http://code.google.com/p/easydialogs-gtk/ (linux), http://www.averdevelopment.com/python/EasyDialogs.html (windows) - This library is used for the popup dialogs when asking for ports etc.
    The easydialogs-gtk is already included in the attached linux archive for those that don't wish to 'install' the lib
  • netaddr: http://code.google.com/p/netaddr/ this library is used to get the correct netblock cidr notation
    The netaddr is already included in both the attached archives for those that don't wish to 'install' the lib
  • MaltegoTransform: The standard Maltego python lib found in the forum (not konrads oo version)
    This is already included and thus does not need to be downloaded.

The transforms are as follows:

nmapPorts.py
This transform does a basic port scan on the following ports: 22,21,25,80,443,3306. This will be performed on an IP address and will return the same IP address with an additional field of "open ports"

nmapPorts-ask.py
This transform will do the same as the one above but instead of using default ports will ask via a dialog popup for the ports you wish to scan.

nmapPortsNetblock.py
This transform will do the same as the above (including asking for the ports to scan) but will return the IP addresses from the netblock with the open ports found.

nmapVersion.py
This will perform a light version scan on an IP address using the ports found with the nmap portscans (above) and return a Service in the format of Port/Banner as well as populate the service fields "banner" and "port"

nmapDumpPort.py
This will "dump" (no processing) the ports from a service.

nmapDumpBanner.py
This will "dump" (no processing) the banners from a service.

Using the transforms
These transforms are intended to be used as a good way to gain valuable service level information on a system. An example of how we would usually do it is like so:

* Add a Netblock/IP Addresses to the graph of the required network
* Run either the default portscan, or ones that let you specify the ports you wish to analyse
* Take the returned IP Addresses (the same ones you just selected if you had just used IP Addresses) and run a version scan against them
* Dump both the ports and the banners from the service.

You will now notice that various ports/banners will start "linking". This is useful when, say, 80 of the 85 machines are all running "apache 1.3.4.5" and 5 of the machines are running different apache versions; it could indicate a problem with the patching process, or that these machines are running different configurations, and thus it is useful to find out why.

I have attached both the windows (zip) and linux (tar.gz) versions of the NMap transforms.

If you have any questions regarding these either post a reply here or contact me at andrew <awithcirclething> paterva <period> com

-AM

* nmapTransforms.tgz (949.85 KB - downloaded 1898 times.)
* nmapTransforms.zip (940.21 KB - downloaded 1985 times.)
Logged
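
The version-consistency check described in the first post (most machines on one banner, a few on others), as an added example that is not part of the original post or the attached transforms: it parses nmap grepable (-oG) output and lists, per port, the hosts whose banner differs from the most common one. The sample scan output is constructed, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed sample of nmap grepable (-oG) version-scan output. Addresses are
# from the documentation range; banners are made up for illustration.
SAMPLE = (
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.1/, "
    "80/open/tcp//http//Apache httpd 2.2.11/\n"
    "Host: 192.0.2.11 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.11/, "
    "443/closed/tcp//https///\n"
    "Host: 192.0.2.12 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.11/"
    "\tIgnored State: closed (5)\n"
    "Host: 192.0.2.13 ()\tPorts: 80/open/tcp//http//Apache httpd 2.0.52/\n"
)


def parse_grepable(text):
    """Return {ip: [(port, service, banner), ...]}, open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip nmap's '#' comment lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = next((f[7:] for f in fields if f.startswith("Ports: ")), "")
        for entry in ports.split(", "):
            # port/state/protocol/owner/service/rpcinfo/version/
            p = entry.split("/")
            if len(p) >= 7 and p[1] == "open":
                hosts.setdefault(ip, []).append((int(p[0]), p[4], p[6]))
    return hosts


def banner_outliers(hosts):
    """Per port, list (ip, banner) pairs that differ from the majority banner."""
    counts = defaultdict(Counter)
    for ports in hosts.values():
        for port, _service, banner in ports:
            if banner:
                counts[port][banner] += 1
    outliers = {}
    for ip, ports in sorted(hosts.items()):
        for port, _service, banner in ports:
            if banner and banner != counts[port].most_common(1)[0][0]:
                outliers.setdefault(port, []).append((ip, banner))
    return outliers


if __name__ == "__main__":
    for port, odd in banner_outliers(parse_grepable(SAMPLE)).items():
        print(port, odd)
```
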
yop
Newbie
*
Posts: 1


« Reply #1 on: May 14, 2009, 10:00:42 am »

Thank you for your work. I have tested the nmap transforms under ubuntu 9.04 with python 2.6 and maltego ce.

It works fine

 Smiley
Logged
fn-eagle
Newbie
*
Posts: 1


« Reply #2 on: June 10, 2009, 02:43:11 pm »

Could somebody please explain how to add the local transforms in the GUI? I know that I can use the wizard under Tools->Options but have no clue how.
Are there any differences for the Windows and Linux version? Thanks!
Logged
AndrewMacPherson
Administrator
Full Member
*****
Posts: 132


« Reply #3 on: June 11, 2009, 05:57:15 am »

Hi Fn-eagle,

The wizard is the same in the Linux and Windows versions. Click on Tools->Manage Transforms (not options) and then click "New Local Transform" at the top of the page. The wizard is pretty straightforward, but you can see an example of the values here: http://www.paterva.com/forum/index.php/topic,113.0.html

-AM
Logged
SimonAHunt
Newbie
*
Posts: 2


« Reply #4 on: February 20, 2010, 06:19:12 am »

Hi All,

I am not sure if I am being a complete newbie here, but I have got the transforms up and running.  I see the return of value in the logs, but it does not create the ports in the Maltego view.

In the transform manager I do not see an output type against the local transform.  Am I missing something when I set them up?

Thanks

Si
Logged
AndrewMacPherson
Administrator
Full Member
*****
Posts: 132


« Reply #5 on: February 20, 2010, 09:00:42 am »

Hi Simon,

The nmap transforms simply return the IP address again, but with additional values of the ports, simply click on the IP Address to see the available ports. These values are then used in the further transforms (services,etc)

Hope this helps!

-AM
Logged
SimonAHunt
Newbie
*
Posts: 2


« Reply #6 on: February 20, 2010, 04:26:19 pm »

> Hi Simon,
>
> The nmap transforms simply return the IP address again, but with additional values of the ports, simply click on the IP Address to see the available ports. These values are then used in the further transforms (services,etc)
>
> Hope this helps!
>
> -AM

Thanks for the quick answer on this.

Simon
Logged
mulkmac
Newbie
*
Posts: 2


« Reply #7 on: June 14, 2010, 11:01:44 pm »

I have added a simple transform (modified from AndrewMohawk's existing code) to do an nmap ping scan of a network block to enumerate active hosts. It can be installed and used in the same way as the other nmap transforms. I hope someone finds it useful!!

* nmapPingscanNetblock.py (1.92 KB - downloaded 895 times.)
Logged
mulkmac
Newbie
*
Posts: 2


« Reply #8 on: June 21, 2010, 08:15:39 pm »

I found a small problem in my script with some versions of nmap. I have attached the updated version. If you used the old script I posted and Maltego added all of the IP addresses that you scanned (rather than just the ones that are up), this should fix it...

* nmapPingscanNetblock-v2.py (2.01 KB - downloaded 818 times.)
Logged