
How to Use Maltego to Fingerprint an Entire Network with Only One Domain Name « Null Byte :: WonderHowTo



Hackers rely on good data to launch an attack, and reconnaissance is the phase of hacking in which they learn as much as possible about the target in order to develop a plan of action. Technical details are a critical part of this picture, and with OSINT tools like Maltego, a single domain name is all it takes to query an organization's technical details, from IP addresses to AS numbers.

While Maltego is great for researching people, it really shines when you're researching the technical setup of an organization.

Technical research differs from research on people in that, in many cases, the information is available with minimal interaction on the researcher's part.

Technical Data Targets

When performing technical reconnaissance, tools such as Maltego make it easy to discover, in a few clicks, what can be learned about your target. Based on the web domain, links to other websites or technologies become visible. While some of this information may seem like magic to the average user, OSINT research can assemble these widely dispersed technical details into an extensive contextual map of the target network's structure and of how it interacts with its environment.

For a quick overview, you can click the Play button in Maltego to run all the transforms on the domain, which creates many leads to expand on.

The details we look for when profiling a company's network give us more context and information for further use. This can mean anything from an IP address to the MX server a company uses. Why is that important? The more we know about the target, the more targets we have to aim different cyber weapons at in the next phase of our plan.

Even if we only know details like the MX server, we know which email provider a company uses, which gives hackers an edge in a phishing attack. All of these details can be useful depending on your intent and what you want to do with the information. Let's outline the chain we will build to better understand the network infrastructure of our target.

The Network Details Chain

The network details chain starts from the domain name and continues in an ordered sequence, deriving progressively more abstract information that reveals other assets under the target's control. Beyond what we need to expand our investigation, we can begin to tie the brand to the services it uses from third parties. In this way, a hacker can learn what the organization runs internally and what it outsources, which provides context for other, more specific tactics.

To extract as much information as possible from a target domain's network details, we first need a "skeleton" of hard details that we can associate with the target. This tells us more about the attack surface and lets us expand on these hard facts to build a broader picture of the organization.

Starting with the target domain, we can find the website hosted on port 80, and from there find other websites that use the same tracking code, identifying web real estate owned by the same organization. Next we can look at the MX (mail exchanger) and NS (name server) records associated with the domain, which reveal the organization's email and hosting services. From here we can locate the DNS server that points to the site in question and discover all other domains that use the same DNS server. This shows us other sites owned or run by the same organization, or other domains hosted by the provider to which it outsources web hosting.

Larger organizations may have a netblock assigned for the various websites and services they offer online, with all of its IP addresses allocated to the same organization. Above that, the AS number (autonomous system number) can be discovered, which identifies a collection of netblocks all operating under the same external routing policy. This usually belongs to the Internet service provider or to a larger company, and it can be used to find other netblocks owned by the same company.

Down the Chain & Back Up Again

Setting up the chain from domain to AS number helps us organize our investigation by giving us a "backbone" for building our intelligence data. Once we have gone all the way down to the AS number, we can start working back up the chain and expand on what we originally found. This means starting with the AS number, identifying more netblocks in the AS, finding IP addresses in those netblocks, and resolving those IP addresses to the websites or online services connected to them.

What you need

The community edition of Maltego is free and is installed on Kali Linux by default. If you already have Kali Linux, you can try it out immediately, or you can install it on Kali by typing apt-get install maltego into a terminal window. You can also download it for any operating system from the website, and after free registration you can run it on any computer, as long as you have Java installed.

Step 1: Select the Target and Discover the Website

In this example, we use Gap's website, whose domain, gap.com, turns up with a quick Google search. Start Maltego and wait for the main window to open. Then click the logo icon in the upper-left corner and select "New".

This opens a blank canvas and lets us add our first entity. To do this, look at the Entity Palette on the left and type "domain" in the search bar to bring up the Domain entity. Once we see the icon, we can drag and drop it onto the canvas to begin the investigation.

Once the icon is on the canvas, double-click the text portion of the icon to enter your target's domain name. In this case, we use "gap.com" to begin our investigation of Gap's network.

Step 2: Find More Sites with Tracking Codes

The first level of tracking we will examine is the tracking code an organization uses to provide analytics for its web domains. Often we are able to link different domains together because they use a common tracking code. Tracking codes range from Google Analytics codes to Amazon Affiliate codes and can be used to identify monetization or tracking information.

To find the tracking codes associated with a website, the domain must first be resolved to a website. You can do this by right-clicking the domain entity and typing "website" in the search bar to see all the transforms that resolve a domain to a website. Any of the three will do, but a simple "Quick Lookup" should work well. This resolves our domain to a website, and from here we can right-click and type "To Tracking Codes" to run the tracking code transform.

While our Gap example did not produce any results, running it against Tesla's website (tesla.com) did. Below we see the result of the transform, which shows two other associated domains. To find these domains from the discovered tracking code, we can right-click the tracking code and then click "Other sites with same code" to search for other sites using the same tracking code.

These links can be invaluable for finding other domains belonging to the same party, in some cases domains that are not officially acknowledged. This allows an attacker to discover linked parts of an organization by, ironically, tracking how those organizations track their users, since most organizations use a single tracking code to make analytics across the organization easier.
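The pivot described in this step, from a page's tracking code to every other site that embeds the same code, is easy to reason about once it is written out. The following is an added example (not code from the original article, and not part of Maltego) that extracts common tracker identifiers from a handful of constructed HTML snippets and then follows shared codes transitively, the same way "Other sites with same code" does. An organization can run the same logic over its own web properties to see which of its domains are linkable through a shared analytics ID. The domains, HTML and identifiers are all made up for the example; the regexes cover the formats of Google Analytics, GA4, Google Tag Manager and Amazon Associates IDs.

```python
import re
from collections import defaultdict

# Constructed sample pages (hypothetical domains, invented IDs): the HTML
# each domain serves. Not real sites.
SAMPLE_PAGES = {
    "shop.example.com": '<script>ga("create", "UA-1234567-1", "auto");</script>',
    "blog.example.com": (
        "<script async src='https://www.googletagmanager.com/gtag/js?id=G-ABC123DEF4'></script>\n"
        "<script>gtag('config', 'G-ABC123DEF4'); gtag('config', 'UA-1234567-1');</script>"
    ),
    "staging.example.net": (
        "<script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-WXYZ99');</script>\n"
        "<script>ga('create', 'UA-1234567-1', 'auto');</script>"
    ),
    "unrelated.example.org": '<a href="https://www.amazon.com/dp/B000000000?tag=unrelatedsite-20">buy</a>',
    "partner.example.org": '<script>ga("create", "UA-7654321-2", "auto");</script>',
}

# Patterns for common tracking identifiers; a real audit would add more.
TRACKER_PATTERNS = {
    "google_analytics": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{4,10}\b"),
    # Amazon Associates tags end in a two-digit marketplace suffix such as -20.
    "amazon_associates": re.compile(r"[?&]tag=([a-z0-9-]+-2[01])\b"),
}


def extract_tracking_codes(html):
    """Return the set of (kind, code) tuples found in one page's HTML."""
    found = set()
    for kind, pattern in TRACKER_PATTERNS.items():
        for match in pattern.finditer(html):
            code = match.group(1) if pattern.groups else match.group(0)
            found.add((kind, code))
    return found


def sites_sharing_codes(pages):
    """Map each tracking code to the sorted domains that embed it, keeping only
    codes that appear on more than one domain (the codes that link sites)."""
    by_code = defaultdict(set)
    for domain, html in pages.items():
        for kind_and_code in extract_tracking_codes(html):
            by_code[kind_and_code].add(domain)
    return {code: sorted(domains) for code, domains in by_code.items() if len(domains) > 1}


def linked_domains(pages, start):
    """Domains reachable from `start` by hopping across shared tracking codes,
    followed transitively (A shares a code with B, B shares another with C)."""
    shared = sites_sharing_codes(pages)
    seen, frontier = {start}, [start]
    while frontier:
        domain = frontier.pop()
        for domains in shared.values():
            if domain in domains:
                for other in domains:
                    if other not in seen:
                        seen.add(other)
                        frontier.append(other)
    return sorted(seen - {start})


if __name__ == "__main__":
    for code, domains in sites_sharing_codes(SAMPLE_PAGES).items():
        print(code, "->", ", ".join(domains))
    print("linked to shop.example.com:", linked_domains(SAMPLE_PAGES, "shop.example.com"))
```

In the constructed data only the Google Analytics ID is shared, so the staging domain is exposed as belonging to the same party as the shop and blog, while the partner and unrelated domains stay unlinked. Fetching the HTML is deliberately left out so the example runs offline; in practice the input would come from the pages themselves.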

Step 3: Revealing Name & MX Servers

A domain's NS and MX servers can tip us off to which mail service an organization uses and where its services are hosted. Some organizations host these servers internally, but the majority do not and use a third-party service. For a hacker, this information is useful because it can provide valuable pretexts, such as calling the company as the specific service provider it uses for Internet or web hosting.

Finding this information is easy. Right-click the domain entity we created earlier and type "mx" in the search bar to view the transforms that resolve the MX server. Click it to display the MX information, which often indicates which provider the organization uses.

To view the site's NS records, we can right-click the domain and type "ns" to see the transforms that deal with name servers. Select "To DNS Name – NS (name server)" to get the name server information. This can tell us whether the organization uses a third-party service to host its domain.

Step 4: Identifying DNS Servers

To learn about the DNS servers an organization uses (including the MX and NS servers mentioned above), we can use a set of transforms developed for exactly this. This transform set runs ten different transforms, each of which uncovers more about the domain's DNS details. The specific transforms in the set are shown below.

To run the entire set, right-click the domain entity we added earlier, then select "PATERVA CTAS" to show the different groups of transforms. Select the "Run All" icon next to the "DNS from Domain" transform set to execute every transform it contains.

Once these transforms complete, the results can be quite dramatic. Below is the result of running this set on a single domain, gap.com. From these pulls alone we found 183 DNS records, plus additional NS and MX records. We can also see other sites associated with the domain.

Once we've collected all the DNS names, we can move on to the next step.

Step 5: Finding the IP Addresses

Now that we have a set of DNS records, we can resolve them to the IP addresses they point to in order to learn more about the services the organization uses. Many larger organizations host their own services, and this is the point in recon where we can begin to figure out which parts are hosted internally and which externally.

Step 6: Find IP Network Blocks

Netblocks are large blocks of IP addresses that are typically assigned to a single entity. Once we can identify a netblock that belongs to our target organization, we can do things like scan the IP addresses within the range to find services we have not discovered yet.

To discover netblocks the target organization may own, select a previously discovered IP address, right-click it, and type "netblocks" in the search bar to choose one of the three Maltego transforms that search for netblocks. You can use "To Netblocks [Using routing info]", which finds the netblock an IP address belongs to by looking up the IP's routing table information.

Step 7: Identify the AS Number

Once we have a netblock that belongs to our target organization, we can proceed to our last layer, identifying the AS number. An AS number is used by large organizations such as Internet service providers or large enterprises to identify groups of netblocks that share a routing policy.

If we can identify our target's AS number, we can find all the netblocks within that AS, which are also part of our target. Then we can discover all the DNS names in each of those netblocks and resolve them to the IP addresses of other target services.

Right-click the netblock that belongs to the target and click "To AS Number" to display the AS number associated with the netblock.

Next, you can view the owner of the AS number by right-clicking the AS number and selecting "To Company" to get the name of the organization that owns it. This may be the Internet service provider the company uses or, in large organizations, the company itself.

In our example, we found a netblock from a DNS name at gap.com and identified that it belonged to AS number 40526. Selecting the company owner transform shows that this AS number is registered to Gap, Inc., so we can assume that all netblocks within it, and any IP addresses in those ranges, are also our target and not a third party.
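Steps 5 through 7 form one chain: hostname, IP address, netblock (by longest-prefix match against routing data), AS number, and finally the registered owner. The following is an added example, not code from the original article and not part of Maltego, that carries that chain through in Python over constructed tables so the logic can be seen end to end. Every value is made up: hostnames use the reserved .example domain, addresses come from the RFC 5737 documentation ranges, and the AS numbers 64496 and 64497 are from the RFC 5398 documentation range, standing in for the routing and ownership data Maltego's transforms would fetch. The useful output for a defender is the split between hosts inside the organization's own AS and hosts that actually live with a third party, plus the walk back up from an AS to the hosts it covers.

```python
import ipaddress

# Constructed sample data (not real Gap records). Hostnames resolved in Step 5.
RESOLVED_HOSTS = {
    "www.target.example": "192.0.2.10",
    "mail.target.example": "198.51.100.25",
    "ns1.target.example": "192.0.2.53",
    "cdn.target.example": "203.0.113.77",
}

# Constructed routing-table view: announced prefix -> originating AS.
ROUTING_TABLE = {
    "192.0.2.0/24": 64496,
    "192.0.2.0/28": 64496,   # a more-specific announcement inside the /24
    "198.51.100.0/24": 64496,
    "203.0.113.0/24": 64497,
}

# Constructed AS -> registered owner mapping (what "To Company" would return).
AS_OWNERS = {
    64496: "Target Example, Inc.",
    64497: "Third-Party CDN Example LLC",
}

# Prefixes ordered most-specific first so the first hit is the longest match.
_PREFIXES = sorted(
    ((ipaddress.ip_network(prefix), asn) for prefix, asn in ROUTING_TABLE.items()),
    key=lambda item: item[0].prefixlen,
    reverse=True,
)


def to_netblock(ip):
    """Step 6: the most specific announced prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, _asn in _PREFIXES:
        if addr in net:
            return str(net)
    return None


def to_as_number(netblock):
    """Step 7: the AS that announces a netblock, or None if unknown."""
    return ROUTING_TABLE.get(netblock)


def to_company(asn):
    """Owner registered for an AS number, or 'unknown'."""
    return AS_OWNERS.get(asn, "unknown")


def netblocks_in_as(asn):
    """Walking back up: every announced prefix that belongs to asn."""
    return sorted(prefix for prefix, owner_asn in ROUTING_TABLE.items() if owner_asn == asn)


def chain_for_host(ip):
    """Run one address down the chain IP -> netblock -> AS -> owner."""
    net = to_netblock(ip)
    asn = to_as_number(net) if net else None
    return {"ip": ip, "netblock": net, "asn": asn, "owner": to_company(asn) if asn else "unknown"}


def classify_hosts(records, org_name):
    """Per host: the chain result plus whether it sits in the organization's
    own AS (owner matches) or with a third party."""
    report = {}
    for host, ip in records.items():
        info = chain_for_host(ip)
        info["own"] = info["owner"] == org_name
        report[host] = info
    return report


def hosts_in_as(records, asn):
    """Walking back up: resolved hosts whose netblock is announced by asn."""
    return sorted(host for host, ip in records.items() if chain_for_host(ip)["asn"] == asn)


if __name__ == "__main__":
    for host, info in classify_hosts(RESOLVED_HOSTS, "Target Example, Inc.").items():
        where = "own infrastructure" if info["own"] else "third party"
        print(f"{host:24} {info['ip']:15} {info['netblock']:18} AS{info['asn']} {info['owner']} ({where})")
    print("netblocks in AS64496:", netblocks_in_as(64496))
    print("hosts in AS64496:", hosts_in_as(RESOLVED_HOSTS, 64496))
```

Note the longest-prefix rule: www.target.example lands in the /28 rather than the /24 that also covers it, which matters when a more-specific prefix is announced by a different AS than its covering block. The CDN host resolves to an address announced by AS64497, so it is correctly reported as a third party even though its hostname is under the organization's domain.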

Step 8: Back Up the Chain

Taking what we found in Maltego, we can work back up the chain to enrich the data we discovered. Once we have reached the AS number, we can find all the netblocks in that AS, then the DNS names and IP addresses within those ranges. Going up the chain, we can take the IP addresses and resolve them to web domains, so we can start again with a new set of targets.

The point of this process is to follow a cycle, working targets from the top of the chain to the end while adding new DNS names, IP addresses, netblocks, AS numbers, web domains, and websites as you discover them. After a few rounds of exploration the results can get quite crowded, and it can be difficult to identify relationships within the data. Below is the result of tracking our DNS servers down to the netblock level, and things are already confusing.

This default view is not very readable when zoomed out, so we can do a few things with the data to make relationships more obvious. First, we can change to a more compact layout by selecting the Organic view in the upper-left corner. This arranges the graph to save space and visualizes relationships by spatially grouping entities that are closely related.

This view is more compact, but we can make relationships even more explicit by clicking the down arrow on the "Manage View" icon at the top left. This lets us change the view to "Ball Size by Diverse Descent".

According to Maltego, with diverse descent the size of an entity grows with the number of incoming links it has, but incoming links from entities with different grandparents are weighted higher. This is explained in the figure below from the Maltego user manual.

Diverse descent weights entities with different grandparents higher. Image via Paterva

Once applied to our graph in the Organic view, it suddenly becomes much more apparent which entities are strongly linked and likely to be of interest. Now we can focus our attention on the larger entities and examine the connections between them.
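To make the "diverse descent" idea concrete, here is an added example (not code from the original article, and not Maltego's own implementation, whose exact weighting is not given on the page) that ranks the nodes of a small constructed graph by the number of distinct grandparents feeding into them, with the raw inbound link count as a tiebreaker. The graph mirrors the chain domain, DNS name, IP address, netblock and uses made-up names and RFC 5737 addresses. It shows why a netblock reached through two different DNS names outranks one reached three times through a single DNS name, which is the property that makes the view useful for spotting the hubs worth a closer look.

```python
from collections import defaultdict

# Constructed toy graph of (parent, child) links, modelled on the chain
# domain -> DNS name -> IP address -> netblock. Not real data.
LINKS = [
    ("target.example", "www.target.example"),
    ("target.example", "mail.target.example"),
    ("target.example", "shop.target.example"),
    ("www.target.example", "192.0.2.10"),
    ("mail.target.example", "192.0.2.25"),
    ("shop.target.example", "203.0.113.1"),
    ("shop.target.example", "203.0.113.2"),
    ("shop.target.example", "203.0.113.3"),
    # One netblock is reached via two different DNS names ...
    ("192.0.2.10", "192.0.2.0/24"),
    ("192.0.2.25", "192.0.2.0/24"),
    # ... the other three times, but always via the same DNS name.
    ("203.0.113.1", "203.0.113.0/24"),
    ("203.0.113.2", "203.0.113.0/24"),
    ("203.0.113.3", "203.0.113.0/24"),
]


def build_parents(links):
    """Map each node to the set of nodes with a link into it."""
    parents = defaultdict(set)
    for parent, child in links:
        parents[child].add(parent)
    return parents


def inbound_links(parents, node):
    """Plain inbound link count, what a simple 'ball size by links' view uses."""
    return len(parents.get(node, ()))


def distinct_grandparents(parents, node):
    """Number of distinct entities two hops upstream of node."""
    grandparents = set()
    for parent in parents.get(node, ()):
        grandparents.update(parents.get(parent, ()))
    return len(grandparents)


def diverse_descent_rank(links):
    """Rank every node by (distinct grandparents, inbound links), highest first.
    This ordering is an assumption that captures the described behaviour:
    links from entities with different grandparents count for more."""
    parents = build_parents(links)
    nodes = {node for edge in links for node in edge}
    scored = {node: (distinct_grandparents(parents, node), inbound_links(parents, node)) for node in nodes}
    return sorted(scored.items(), key=lambda kv: (-kv[1][0], -kv[1][1], kv[0]))


if __name__ == "__main__":
    for node, (grandparents, inbound) in diverse_descent_rank(LINKS):
        print(f"{node:22} distinct grandparents={grandparents} inbound={inbound}")
```

By inbound links alone 203.0.113.0/24 (three links) would be drawn larger than 192.0.2.0/24 (two links); by diverse descent the order flips, because the two links into 192.0.2.0/24 come from different parts of the target's infrastructure.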

The Automated Attack Stage

Through network fingerprinting with Maltego, an attacker can gain intimate details about a target's network in minutes, with little experience required. From the email service and hosting provider to the complete list of IP addresses assigned to the company's AS number, it's quick and easy to find them in just a few clicks. With this information, a hacker can switch to active reconnaissance methods and load the discovered IP addresses into automated vulnerability scanners to discover and exploit vulnerable devices.

Hackers know that by building a map of a network's technical details, attacking it becomes as easy as identifying and exploiting the weakest link. Knowing where to launch an attack is virtually impossible without recon, and Maltego lets anyone gather the information needed to choose the most efficient target instead of fumbling in the dark.

I hope you enjoyed this guide to OSINT network fingerprinting with Maltego! If you have questions about this tutorial or are using Maltego for OSINT research, don't hesitate to leave a comment or contact me on Twitter @KodyKinzie.

Don't Miss: Use Face Recognition to Perform OSINT Analysis for Individuals and Businesses

Title image and screenshots by Kody / Null Byte (unless otherwise noted)

