Before we attempt to exploit any target, it is wise to do proper reconnaissance. Without doing reconnaissance, you will likely be wasting your time and energy as well as risking your freedom. In previous guides, I have demonstrated multiple ways to perform reconnaissance, including passive recon with Netcraft, active recon with Nmap or hping3, recon by exploiting DNS or SNMP, and many others. In this tutorial, we will be using an active tool called Maltego, developed by Paterva, that can do many of these tasks with one simple scan. There is a community edition built into our Kali Linux that allows us 12 scans without purchasing Maltego. It is capable of a significant amount of information gathering about a prospective target in a single sweep of the domain.
Using Maltego in Kali to Recon a Target Network
Maltego is capable of gathering information about either a network or an individual; here we will focus on the former and leave individual information gathering for another time. We will be looking at gathering info on all the subdomains, the IP address range, the WHOIS info, all of the email addresses, and the relationship between the target domain and others.
Step 1: Open Maltego & Register
Let’s start by firing up Kali and then opening Maltego. Maltego can be found in numerous places in Kali, but the easiest way to get to it is to go to Applications -> Kali Linux -> Top 10 Security Tools. Then, among the Top 10, you will find Maltego at number 5, as shown in the screenshot below.
When you open Maltego, you will need to wait a brief moment for it to start up. After it finishes loading, you will be greeted by a screen asking you to register Maltego.
Go ahead and register, then save and remember your password, as you will need it again the next time you log into Maltego.
Step 2: Choose a Machine & Parameters
After successfully registering and logging into Maltego, we will have to decide what type of “machine” we want to run against our target. In Maltego’s parlance, a machine is simply what type of footprinting we want to do against our target. Here, we are focusing on network footprinting, so our choices are:
Company Stalker (this gathers email information)
Footprint L1 (basic information gathering)
Footprint L2 (moderate amount of information gathering)
Footprint L3 (intense and the most complete information gathering)
Let’s choose an L3 footprint, which will gather as much information as we can; this is also the most time-consuming option, so be aware of that.
Step 3: Choose a Target
Now that we have chosen a type of machine for our footprinting, we will need to choose a target. Let’s choose our friends at SANS, one of the leading IT security training and consulting firms in the world.
Now, click “Finish” and let Maltego do its work.
Step 4: Results
Maltego will now begin to gather info on our target domain, sans.org, and display it on screen. In the screenshot below, we can see that Maltego has already collected the email addresses from the site, while it collects the nameservers and mail servers.
Finally, when Maltego is done, we can click on “Bubble View” and see all of the relationships between our target and its subdomains and linked sites.
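The footprint items listed at the start of this guide (subdomains, IP range, mail and name servers, links to other domains) and the relationship view in this step are, underneath, a graph of DNS entities and the links between them. The Python script below, added here as an illustration and not code from the original article or from Maltego/Paterva, assembles such a footprint graph from a constructed record set. The domain (example.net), the record list, the RFC 5737 documentation addresses and the registered_domain simplification are all assumptions for the example, not data for sans.org or any real organisation; run on your own zone's records it is the inventory of what an outsider can map about your infrastructure.

```python
"""Assemble a Maltego-style footprint graph from DNS records.

Added example for this tutorial, not code from the original article and not
Maltego's own code. The record set is constructed: example.net with RFC 5737
documentation addresses, not real data for sans.org or any other domain.
"""
import ipaddress
from collections import defaultdict

# Constructed sample records as (owner name, record type, value).
SAMPLE_RECORDS = [
    ("example.net", "A", "192.0.2.10"),
    ("www.example.net", "A", "192.0.2.11"),
    ("portal.example.net", "A", "192.0.2.20"),
    ("dev.example.net", "A", "198.51.100.5"),
    ("example.net", "MX", "mail.example.net"),
    ("mail.example.net", "A", "192.0.2.25"),
    ("example.net", "MX", "mx.cloudmail-provider.example"),
    ("example.net", "NS", "ns1.example.net"),
    ("ns1.example.net", "A", "192.0.2.53"),
    ("example.net", "NS", "ns2.dns-hoster.example"),
    ("blog.example.net", "CNAME", "hosted.blog-platform.example"),
]

# Relation label for each record type, i.e. the arrow a footprint graph draws.
RELATION = {"A": "resolves_to", "MX": "mail_handled_by",
            "NS": "served_by", "CNAME": "alias_of"}


def in_scope(name, domain):
    """True if name is the target domain itself or one of its subdomains."""
    return name == domain or name.endswith("." + domain)


def registered_domain(name):
    """Approximate the registrable domain as the last two labels.

    Simplification for this example: a real tool consults the public suffix
    list so that names such as example.co.uk are handled correctly.
    """
    return ".".join(name.split(".")[-2:])


def build_footprint(domain, records):
    """Group flat DNS records into the entities a network footprint reports:
    subdomains, IP ranges, mail and name servers, and links to other domains."""
    subdomains = set()
    hosts = defaultdict(set)          # hostname -> set of IPv4 addresses
    mail_servers, name_servers = [], []
    external = defaultdict(set)       # other organisation's domain -> relation types
    edges = []                        # (source, relation, target), one per arrow

    for name, rtype, value in records:
        if rtype not in RELATION:
            continue                  # record types this example does not model
        relation = RELATION[rtype]
        edges.append((name, relation, value))
        if in_scope(name, domain) and name != domain:
            subdomains.add(name)
        if rtype == "A":
            hosts[name].add(value)
        elif rtype == "MX":
            mail_servers.append(value)
        elif rtype == "NS":
            name_servers.append(value)
        # A pointer from inside the domain to a host outside it is a
        # relationship with another organisation (hosted mail, DNS, blog...).
        if rtype != "A" and in_scope(name, domain) and not in_scope(value, domain):
            external[registered_domain(value)].add(relation)

    # Collapse the addresses of in-scope hosts into /24 blocks as a rough "IP range".
    ip_ranges = {
        str(ipaddress.ip_network(f"{ip}/24", strict=False))
        for host, ips in hosts.items() if in_scope(host, domain) for ip in ips
    }
    return {
        "subdomains": sorted(subdomains),
        "ip_ranges": sorted(ip_ranges),
        "mail_servers": mail_servers,
        "name_servers": name_servers,
        "external_domains": {k: sorted(v) for k, v in external.items()},
        "edges": edges,
    }


def render_graph(footprint):
    """Text form of the relationship view: one 'source --relation--> target' line per edge."""
    return [f"{src} --{rel}--> {dst}" for src, rel, dst in footprint["edges"]]


if __name__ == "__main__":
    fp = build_footprint("example.net", SAMPLE_RECORDS)
    for key in ("subdomains", "ip_ranges", "mail_servers", "name_servers", "external_domains"):
        print(f"{key}: {fp[key]}")
    print("\n".join(render_graph(fp)))
```

The external_domains entry is the part worth reading first on your own zone: every MX, NS or CNAME that points outside the domain is a third party whose security posture is now part of yours, which is exactly the relationship Maltego's bubble view draws between a target and its linked sites.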
Maltego is an excellent tool for doing network recon on our potential target, enabling us to do numerous types of recon in a single scan with a single tool. Maltego is also capable of doing individual recon, but we will leave that for my next Maltego article, my greenhorn hackers.