# Maltego Integration

## Introduction

**Maltego** is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.

{% embed url="https://www.maltego.com" %}

It allows you to transform data using external knowledge and to visualize the results in a graph topology.

Transforms are small pieces of code that automatically fetch data from different sources and return the results as visual entities in the desktop client. Transforms are the central elements of Maltego which enable its users to unleash the full potential of the software whilst using a point-and-click logic to run analyses.

Netcap provides a set of entities and transformations to analyze packet capture dump files in Maltego!

The current implementation focuses on behavioral analysis of the entities within the traffic dump.

## Installation

Ensure netcap **>= v0.5** is installed and can be found in **$PATH**:

```
$ net -version
v0.5
```

Ensure the **net** binary is placed in **/usr/local/bin**:

```
$ which net
/usr/local/bin/net
```

{% hint style="info" %}
Transformations in Maltego have to specify a working directory. Currently **/usr/local** is used for this, so make sure the current user has sufficient rights to enter that directory. No data is written there; all logs from transformations that invoke the netcap core are written into dedicated directories for each processed pcap file.
{% endhint %}
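The three installation requirements above (netcap version, binary location, enterable working directory) can be checked in one go. The following pre-flight script is an added example, not part of netcap; it assumes `net -version` prints a single `vX.Y` string as shown above.

```sh
#!/bin/sh
# Pre-flight check for the netcap Maltego integration (added example, not netcap's own code).
# Verifies the requirements stated in the installation section:
#   1. `net -version` reports >= v0.5
#   2. the `net` binary resolves to /usr/local/bin/net
#   3. the transform working directory /usr/local can be entered by the current user

# version_ge A B: returns 0 if version A >= version B; compares major.minor, strips a leading "v"
version_ge() {
    a=${1#v}; b=${2#v}
    amaj=${a%%.*}; bmaj=${b%%.*}
    amin=${a#*.}; amin=${amin%%.*}
    bmin=${b#*.}; bmin=${bmin%%.*}
    [ "$amaj" -gt "$bmaj" ] 2>/dev/null && return 0
    [ "$amaj" -eq "$bmaj" ] 2>/dev/null && [ "$amin" -ge "$bmin" ] 2>/dev/null
}

# net_path_ok PATH: returns 0 if the resolved binary is where the transforms expect it
net_path_ok() {
    [ "$1" = "/usr/local/bin/net" ]
}

# workdir_ok DIR: returns 0 if DIR exists and has search permission for the current user
workdir_ok() {
    [ -d "$1" ] && [ -x "$1" ]
}

# preflight: runs all three checks, prints a line per check, returns 1 if any failed
preflight() {
    status=0
    ver=$(net -version 2>/dev/null)
    if version_ge "$ver" v0.5; then echo "OK   netcap version $ver"
    else echo "FAIL netcap version '$ver' is not >= v0.5"; status=1; fi

    loc=$(command -v net 2>/dev/null)
    if net_path_ok "$loc"; then echo "OK   net found at $loc"
    else echo "FAIL net resolves to '$loc', expected /usr/local/bin/net"; status=1; fi

    if workdir_ok /usr/local; then echo "OK   /usr/local is enterable"
    else echo "FAIL cannot enter /usr/local"; status=1; fi
    return $status
}

# run the checks only when invoked as `sh preflight.sh --run`
case "${1:-}" in --run) preflight ;; esac
```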

Next, download and install the Maltego transformations and entities for netcap.

Currently there are **20 entities** and **42 transformations** implemented. You can download them here:

{% file src="https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5WHYM1ixtqi3VW-vo9%2F-M5WMXmGHlrZKgvb0PLA%2Fnetcap-maltego-config-v0.5.mtz.zip?alt=media&token=d17b7292-29d8-4582-a84d-974cb8dcd6a1" %}

Import them into Maltego in the "**Import / Export Config**" tab under "**Import Config**".

## Loading PCAP files into Maltego

To load a pcap file into Maltego you have two options:

1\) Drag and drop the file into a Maltego graph. The file's type will be **maltego.File** by default, and the path to the file on disk is set as a note on the entity.

Now change the entity's type to **netcap.PCAP** and double click it to open the detail view. Copy the filesystem path from the **Notes** tab into the **path** property of the PCAP entity.

2\) Create a new **netcap.PCAP** entity and set its **path** property to the path of your pcap file on disk.

## Running Transformations

Right click an entity and start typing **Get** into the search bar to see all available transformations for the selected type. Alternatively you can also use the **Run View** in the **Windows** tab to see and launch available transformations with a single click.

Transformations are usually bound to specific entities. For example, the **netcap.DeviceProfiles** entity, which represents the device profiles that have been derived from an input PCAP file, currently only offers the following two transformations:

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XD2kpH4yKjc6gO7FF%2F-M5Xfon6c4TAO_Kbh1IN%2FScreenshot%202020-04-22%20at%2011.50.20.png?alt=media\&token=976aeee8-59c2-492f-ae58-cc4e0136ccf8)

**GetDeviceProfilesWithDPI** enables deep packet inspection, which requires additional dependencies to be installed and can slow down processing drastically. When DPI is not used, the transformations that rely on this data will simply return no results.

To add the actual devices to the graph, use the **GetDevices** transformation.

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XD2kpH4yKjc6gO7FF%2F-M5XenFiN06my_CIY5Mu%2FScreenshot%202020-04-22%20at%2011.50.26.png?alt=media\&token=68241782-d6ca-44cb-8b42-30a01004acf9)

This brings the first usable entities to the graph, of type **netcap.Device**. A device has contacts (the hosts it communicated with) and the addresses it used itself to access network services. When selecting a device entity, you will see the following transformations:

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XD2kpH4yKjc6gO7FF%2F-M5XfSCvVACoq0Ki1VfO%2FScreenshot%202020-04-22%20at%2011.50.07.png?alt=media\&token=d23176db-7d49-426b-b3f3-da6215f6a93f)

The generated entities will be of type **netcap.IPAddr** and contain information about the host, as well as a set of transforms to further drill down and investigate.

When selecting an entity of type **netcap.IPAddr**, the following transformations are offered:

![netcap.IPAddr transformations](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XD2kpH4yKjc6gO7FF%2F-M5XdRgKRJe1lBrsszv-%2FScreenshot%202020-04-22%20at%2011.49.53.png?alt=media\&token=d22caf3e-84c1-4777-a780-1fa1619d406d)

## Configuration

Netcap offers an **OpenFile** Maltego transform, which passes files of any type except executables to the default system application for the corresponding file format. On macOS the **open** utility is used for this; on Linux the default is **gio open**. You can override the application used for this by setting **NC\_MALTEGO\_OPEN\_FILE**.
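The behaviour described above, as an added example that is not netcap's own code: the opener is taken from **NC\_MALTEGO\_OPEN\_FILE** if set, otherwise the platform default, and anything that looks like a native executable (detected by its header bytes, which is an assumption about how "executable" is decided, not netcap's actual check) is refused before it is handed to the desktop.

```sh
#!/bin/sh
# Added example (not netcap's own code): open a file extracted from a pcap with the
# desktop's default application, honouring NC_MALTEGO_OPEN_FILE and refusing executables.

# magic FILE: hex of the first four bytes, e.g. "7f454c46" for an ELF image
magic() {
    dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# is_executable_file FILE: returns 0 for ELF, PE ("MZ") and Mach-O headers
# (header-based detection is an assumption made for this example)
is_executable_file() {
    case "$(magic "$1")" in
        7f454c46) return 0 ;;                                        # ELF
        4d5a*)    return 0 ;;                                        # PE/COFF MZ stub
        feedface|feedfacf|cefaedfe|cffaedfe|cafebabe) return 0 ;;    # Mach-O / fat binary
    esac
    return 1
}

# opener: NC_MALTEGO_OPEN_FILE wins, otherwise the platform default named on the page
opener() {
    if [ -n "${NC_MALTEGO_OPEN_FILE:-}" ]; then
        printf '%s\n' "$NC_MALTEGO_OPEN_FILE"
    elif [ "$(uname -s)" = "Darwin" ]; then
        printf 'open\n'
    else
        printf 'gio open\n'
    fi
}

# open_file FILE: returns 2 without launching anything if FILE is an executable,
# otherwise launches the opener on it and returns the opener's exit status
open_file() {
    if is_executable_file "$1"; then
        echo "refusing to open executable: $1" >&2
        return 2
    fi
    # the opener may be a command with arguments ("gio open"), so it is deliberately unquoted
    $(opener) "$1"
}
```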

## Examples

Search for DHCP information from the selected hosts:

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5Xh6xSqodfmoX_fH7i%2F-M5XhHXTxQ-07HJGtQLH%2Fdhcp.mov.gif?alt=media\&token=845f7d08-120a-40f4-93d6-6d8bfaa7b6f3)

Add Server Names provided as SNI on the TLS handshake:

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XhNNG6azBoZB58X4x%2F-M5Xhaq2Un74mbFGA4tD%2Fsnis.mov.gif?alt=media\&token=d58d97a6-a9e8-401b-82bc-632dc5bed942)

Use Deep Packet Inspection to list all identified application categories:

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XhNNG6azBoZB58X4x%2F-M5XhpGDioQY16Px9mQd%2FdpiCategories2.mov.gif?alt=media\&token=c82f5118-18a3-4d18-bc40-603d729dd727)

Extraction of a POP3 authentication token:

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XlkVYIeMq16dnJ9-G%2F-M5XmdbCPzyLQcI9jkm8%2FmailToken.mov.gif?alt=media\&token=803c8bf6-c0f1-48cd-92cd-2400466670c9)

## Gallery

When working with a larger number of nodes, the organic topology can be useful:

![Graph during an investigation (organic topology)](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M4pT3gid3DGbx3WBNAB%2F-M4pT4QzVTRyAYY_MIhK%2Fscreenshot-2020-03-25-at-01.22.54.png?generation=1586813755426131\&alt=media)

Example of interaction with a PHP webshell:

![PHP webshell interaction](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M4pT3gid3DGbx3WBNAB%2F-M4pT4R0oxG4V3OIhy5P%2Fscreenshot-2020-03-25-at-15.00.45%20\(1\).png?generation=1586813755697939\&alt=media)

Example of an exploit abusing an HTTP parameter command injection vulnerability:

![HTTP parameter command injection](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M4pT3gid3DGbx3WBNAB%2F-M4pT4R2VkF2sr1iKZSE%2Fscreenshot-2020-03-25-at-15.00.55.png?generation=1586813755109325\&alt=media)

Graph during an investigation where the attacker has been identified and further information is gathered:

![Dataset investigation](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M4zi4EuuxESi0rl7ybp%2F-M4zlcbKtUlsLz79kL2e%2FScreenshot%202020-03-25%20at%2000.20.06.png?alt=media\&token=b2339db3-8f70-44b5-ac66-d985f0f14c44)

![Dataset investigation](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M4zi4EuuxESi0rl7ybp%2F-M4zm2PH-Rh4-kt99rX5%2FScreenshot%202020-03-24%20at%2023.52.23.png?alt=media\&token=521f5aaa-5ae0-4e1e-914d-4ee32682fae8)

![Flow Graph](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M4zi4EuuxESi0rl7ybp%2F-M4zloIdCPwzDrcwoYtu%2FScreenshot%202020-03-25%20at%2020.19.15.png?alt=media\&token=af1d4501-31a5-4767-bcbb-2a3aa3b634ac)

## Detail Views

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5XD2kpH4yKjc6gO7FF%2F-M5Xh0dpS4dTdt0bzCF-%2FScreenshot%202020-04-22%20at%2011.54.48.png?alt=media\&token=3019f4a1-1469-4460-ad18-092f49dcc932)

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5Xi8v3ibRXDunBi3nl%2F-M5XiU2R3LIJMsfM4GOX%2FScreenshot%202020-04-22%20at%2012.01.05.png?alt=media\&token=e06c5b29-fcd0-43ad-97fb-b00ed8326a3c)

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5Xi8v3ibRXDunBi3nl%2F-M5XimlxAjqbP6NdGMv0%2FScreenshot%202020-04-22%20at%2012.04.55.png?alt=media\&token=7ccea911-600a-4695-bc46-7ee3b4c838aa)

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5Xi8v3ibRXDunBi3nl%2F-M5XipirHhG9fK26tfBE%2FScreenshot%202020-04-22%20at%2012.02.08.png?alt=media\&token=69e58de9-be4c-46bb-b8c2-44942c13a960)

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5Xi8v3ibRXDunBi3nl%2F-M5XiuwQt33Bk69C3g6r%2FScreenshot%202020-04-22%20at%2012.02.03.png?alt=media\&token=ce2400e5-04fd-42d1-b658-ed1fd3a35830)

![](https://3338746466-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-La-SRWxzIGdy_3ynMZH%2F-M5Xi8v3ibRXDunBi3nl%2F-M5Xj0MFh3cX41uaEuLY%2FScreenshot%202020-04-22%20at%2012.03.33.png?alt=media\&token=6226d7d6-b69e-4779-bff4-9e58160eb532)
