We’ve been delving rather deeply into reconnaissance tools lately and I wanted to cover at least one last one before moving on to the next phase of a pen test,Scanning”.  Maltego CE (CE for Community Edition, this means “free”) is an absolutely fantastic tool for performing reconnaissance work on any object you can think of: person, organization, etc.

First, you need to download and install Maltego from the web site. Now, if you’re running Windows, then you’ll have two choices: pick the “EXE+java” option if you don’t already have a Java Runtime Environment (JRE) installed on your machine. If you do, pick the “EXE” (only) option. You can determine if you already have a JRE installed by opening a command prompt and you get a response back when you type “java” and hit “Enter”.

If you’re running Ubuntu or Backtrack, you’ll want to install the “deb” version onto your machine (Ubuntu/Debian and Backtrack all install .deb files). Same checks above apply for Linux to determine if you have Java already installed.1


Next, fire up Maltego and login to the Community Server.



      Step 1: You’ll be prompted to login to the Community Server. Create an account or login with one you’ve already created.

       Step 2: Then, you will be presented with a blank canvas for you to start mining data with. Maltego is not the most intuitive interface but once you learn how it works, it becomes rather easy to navigate, so let’s go over the basics here and you’ll soon be mastering it on your own.



For our first example, let’s say we wanted to find the phone number of an employee of a certain company. First, we’ve got to become familiar with Maltego’s palette of “entities” we can use to search for information on the Internet. This palette is located on the left side of the screen and is divided up into 2 sections: “Infrastructure” up top and “Personal” down bottom. These are all the different types of entities we can have Maltego go mining data for.

So, if we wanted to find EMPLOYEE INFORMATION for a particular domain, we’d start with the “domain” entity under the “Infrastructure” section of the Palette to start searching data. Why? Because we’re going to use this entity to specify the web domain (usually of the target company) we’d like to find Employee Information about.

       Step 1: Click on the “Domain” entity and drag it to the canvas in the middle of the screen. You will be presented with a Domain entity on the canvas, prepopulated with “” in it. However, this is a default entity and you will need to fill in some information for Maltego to start mining data. Click on the entity to highlight it.

You will see it change from this:



To this:




Now, you need to modify the “Domain Name” property of this object to make sure you are searching for employees/MX Records/etc for YOUR TARGET web site. So, on the very right-hand side of the screen, towards the bottom, you will see the “Property View” box. In it, you will find the “Domain Name” property of the “Domain” entity you created. Click in the value side (where you see “”) and change it to your target.



For our example, we’ll stick to a public-facing, public service web site, like “”.



   Step 2: Now, right-click on the domain entity and follow the menu system thusly:

  Run Transforms à All Transforms à To Email Addresses [Using Search Engine]

          This will now start searching the Internet for any and all email addresses that are associated with that domain. From here, once enumerated, you can run transforms on the email entities to dig even further and find more information.

For example,

   Step 3: Right-click on an email address that Maltego found and follow the menu system thusly:

Run Transforms à All Transforms à To Phone Number [Using Search Engine]

Important Note: Once I ran this transform on my sample data, Maltego’s mining of search engine data turned up a wrong number associated with my email. HOWEVER, by reviewing the “Detail View” snippet on the right-side of the screen, I was able to call up the specific web page, review it and find the exact number I did, in fact, want to use. So, you can’t always trust initial data from tools such as these. However, if used judiciously, you can get the targeted information you want.



Now, let’s look up some information that would be important to us when running a pen test or security assessment: We’ll look up their mail servers (MX records in DNS) and their name servers (DNS).

Right-click on the “Domain” entity on the canvas and navigate the menus like so:

Run Transform à DNS from Domain à To DNS Name – MX (mail server)



Maltego will begin to search their DNS records for the mail servers that are designated for this domain. After it has completed its survey, you should be presented with something that looks like this:



Once you’ve collected that information, you can run transforms on those entities as well. For instance, you can click, drag and highlight all those mail servers and then right-click and navigate the menu system like so:

Run Transform à Resolve to IP à To IP Address [DNS]



You will then be presented with information like the following:



Congratulations! You now have assets that you can use in your next phase of testing: “Scanning”.

Let’s take a look at the target’s name servers and see what kind of information we can glean from them (through reconnaissance) that we can use in “Scanning”.

Some more information that would be important to us would be the IP blocks (or blocks of network addresses) that the target manages. Getting those IP’s would be useful, if we are not provided them prior to our engagement.

Right-click on the “Domain” entity on the canvas and navigate the menus like so:

Run Transform à DNS from Domain à To DNS Name – NS (name server)


After Maltego runs and collects the information for you, it presents it to the users thusly:



Once you have the name servers on the canvas, you can then run transforms on them to collect information (data mine). For instance, one really useful transform you can run on the name servers is collecting the netblocks that have been delegated to those name servers.

To collect information like this, highlight the name servers, right-click and navigate the menus to:


Run Transform à Info from NS à To Netblock 




This will display the blocks of IP addresses delegated to those name servers. If these blocks are too big, you can run another transform on them to cut down on the amount of information displayed. The menu navigation to do this is:

Run Transform à All Transforms à Netblock to Netblock


You will be prompted for a size to display. I usually pick something fairly middle-of-the-road, like “125” or “250” and that will bring things down to a manageable form.

Once you have a good-sized chunk of data (Netblocks), you can run the “To IP Address” transform on it to convert those blocks of IP Addresses down to single IP’s. This will make it easier for you to dig for other information on those IPs.

Running that transform on the Netblocks results in something that will look like this:




Congratulations! You’ve now gone and enumerated all the IP’s in that space.

Now you can use that to translate it to machine and owner information.

Maltego is much more powerful than this, however, and can take a few weeks to really master its intricacies. I highly recommend that you practice using this tool to perfect (and streamline) your reconnaissance skills.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s