Userguide

From Paterva Wiki



Maltego User Guide (Commercial edition)

This user guide is for the commercial edition of Maltego. The community edition of Maltego is very similar; there are only a couple of differences in the startup.

Maltego can run on Windows or Linux. This section of the guide assumes that you already have Java 1.6 installed. Should you have any questions not answered by this user guide, please Contact Us.

Installation

Windows

After downloading the MaltegoInstaller.exe file double click on it to start the installation process. The installer is built using Izpack – a generic Java installer that is not platform specific. You should follow the wizard – defaults will do, but you might want to add icons to your desktop on the last screen:

Maltego Installer

After installation you should see an icon on the desktop and see it in the start menu under Paterva -> Maltego

Linux

You will need to have a windowing (X11) system – Maltego is a graphical application. After downloading you should open a terminal window and change to the directory where you have downloaded the MaltegoInstaller.jar file – e.g.

> cd downloads/maltego (assuming that you’ve downloaded it here)

From here you can run the Java installer using the following command:

> java -jar MaltegoInstaller.jar

The installer should start the graphical wizard. As with the Windows install you can decide if you want a desktop item. The installer can normally add this for KDE or Gnome based desktops – others have not been tested.

Note 1: Make 100% sure that you can read and write in the directory where you've installed the application. For instance, if you've installed the application as root and you run it under a normal user, you might find that reading and writing your configuration files fails. This is not good.

Note 2: If you have different versions of Java on your machine you need to make sure that you are using Version 1.6 for Maltego. The best way to force Maltego to use the new Java is to run it from the command line as such:

> [MaltegoInstallDirectory]/bin/maltego --jdkhome /path/to/your/java/install/

Running the first time & registering

When you run Maltego for the very first time you should see a start up screen:

Image:first-Screen.jpg

Note that parts of this screen are dynamic content and thus could change from time to time.

Maltego v2 is a commercial product and a license key is used to activate the product. The license key is valid for one year and is computer specific. Without a valid license key you can only use MaltegoV2 to view files created by other users – you cannot create new graphs and you cannot add or edit existing graphs. To register you can click on the red text that reads “You must register before you can use Maltego. Click here to register now”. This will start the registration wizard.

Enter your license key – it should have been provided to you via email. The license key has a checksum digit (the last digit) to check that you have not made a typo. When the license key is in the correct format you will see the word ‘Valid’ appear. If not, the word ‘Invalid’ will appear:

Image:maltego-invalid.jpg

Click on Next. Next you will be asked to which adaptor you want to bind the installation. Choose an adaptor that is not likely to change.

Image:maltego-adapter.jpg

Under Linux you are encouraged to choose the ‘eth0’ adaptor. Click on Next. The application will now check if the license is still valid. Note that you can use a license only once. If the license is valid the product is now enabled. The screen should show a summary of registration information. Don’t worry about writing any of it down as you can get it from the application at a later stage.

Image:maltego-valid.jpg

The start page will now be updated with the registration information:

Image:maltego-startpage.jpg

Your first graph

Image:ctrl+t.jpg

To start a new graph click on

Image:new-graph.jpg

You can also click on the ‘New’ icon that’s right below [File]. You can create a new graph at any time by clicking on this button. The keyboard shortcut for creating a new graph is Control T (new tab).

You should get an empty graph which looks like this:

Image:blank-graph.jpg


More than one graph can be opened. New graphs are added as tabs at the top of the screen.

You can go back to the start page by clicking on the ‘Start Page’ tab, or by going to Help -> Start Page. To get API and license keys, as well as a summary of registration information you can go to Help -> About Maltego. This should show a screen that looks like this:

Image:maltego-about.jpg


If you ever need to query the status of your license or if you’ve lost your API keys you can view your license key here.


At this stage you want to make sure that you have the preconfigured transforms discovered and keyed. Click on Tools->Manage transforms. You should see:

Image:maltego-managetransformscreen.jpg

Note that there is a list of transforms and that most of them have a green icon on the left (which means they are ready to be used). For more information about managing transforms see the relevant section in this documentation.

Next, we want to put some entities on the graph window. Select the ‘Domain’ Entity from the Palette and drag it to the graph window:

Image:maltego-clickanddrag.jpg

The first thing that you will notice is that the entity contains three numbers and a value. The values are as follows:


Image:maltego-entitycloseup.jpg


To edit the name of the entity (in this case a domain) double click on it. The entity will become selected and the text area underneath the entity will be highlighted – you can now edit it:

Image:maltego-editdomain.jpg

Navigation

Zoom

Image:maltego-zoom.jpg

To zoom in and out use the mouse scroll wheel. If you are using a notebook without a scroll wheel you can use the Image:maltego-zoombuttons.jpg buttons. When zooming out on a graph you will see that it changes from detailed view to overview at a certain level. This is the level at which it becomes impossible to read the entity’s value on the node, so it no longer makes sense to show this detail. In overview mode different entity types appear as different colors, with a small legend mapping colors to entity types in the bottom right hand corner of the graph:

Image:maltego-zoomgraph.jpg

Note that the colors are not always the same – e.g. the IP address entity will not always be dark blue. This happens because Maltego can be used with custom entities, and the number of entities used is not known to the program.

Pan

Image:maltego-pan.jpg

To pan you can use the scroll bars at the sides of the graph window, or you can right-click and drag. Right-click dragging is a lot faster than using the scroll bars.

You can also use the Satellite view to navigate. This is a useful navigation technique on large graphs.

Image:maltego-pangraph.jpg

You can move the visible frame (grey box) around on the Satellite view using the mouse (right click, drag) – the main graph window will update in real time. Depending on the zoom level the visible frame becomes larger (zoomed out) or smaller (zoomed in).

Running transforms

Image:Maltego-transforms.jpg

To run your first transform you can right click on the entity. You will see a list that looks like this:

Image:Maltego-transformlist.jpg

Let us assume that we want to find out what the MX (mail exchanger) records for the domain are. We want to use the ‘To MX records [DNS]’ transform and so we click on it. In the bottom right hand corner we can see the transform status bar indicating that we are running one transform on one entity.

Image:Maltego-bar.jpg

When running multiple transforms on multiple entities the progress bar will give an indication of the progress. When running a single transform on a single entity the progress just shows activity.

The resultant screen should look something like this:

Image:Maltego-transformscreen.jpg

Note that the Output screen has appeared with details about the transform’s execution. This information is very useful as some transforms will give additional information in this screen.

Setting the number of results returned

A slider is located at the top of the Maltego application:

Image:Maltego-Slider.jpg

When set to the very left Maltego will only show the top 12 results, based on weight. The middle setting corresponds to 50 results and the very right to 255 results. One needs to understand the implications of these settings. Many transforms have no concept of weight. In fact, only search engine transforms use weight as an indication of relevance. Think about the reverse DNS results for a class C network – it can potentially return 255 results, each of them with a weight of 100 (the default value), as no one DNS entry is more important than another. Setting the slider to 12 results will only show the first 12 results – useful for simply getting an idea of what is in the network, but useless for enumerating ALL the reverse DNS information of the block. In the same way, setting the slider to 255 results for a search engine transform (e.g. looking for someone specific who has a very common name) is not clever, as you will be flooded with results.


In upcoming versions of the tool the transforms will be categorized as either ‘enumeration’ or ‘search’ transforms – the slider will only apply to ‘search’ transforms. For now you have to be careful to understand how the slider works and spend time experimenting with it.
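The following is an added example, not code from Paterva or from Maltego itself; it models the slider behaviour described above with the guide's three limits (12, 50 and 255) and flags the failure mode the guide warns about: truncating an enumeration transform whose results all carry the default weight. The result type, the slider names and the sample reverse DNS and search results are all constructed for the example.

```python
# Added example (not Paterva's code): models how the Maltego result slider
# truncates a transform's output by weight, and flags the case the guide warns
# about: an enumeration transform whose results all share the default weight.

from dataclasses import dataclass
from typing import List, Tuple

SLIDER_LIMITS = {"left": 12, "middle": 50, "right": 255}  # limits from the guide
DEFAULT_WEIGHT = 100


@dataclass(frozen=True)
class Result:
    value: str        # entity value, e.g. a DNS name
    entity_type: str  # constructed type names such as "DNSName"
    weight: int = DEFAULT_WEIGHT


def apply_slider(results: List[Result], setting: str) -> List[Result]:
    """Keep the top-N results by weight, N taken from the slider position.

    sorted() is stable, so equal-weight results keep the order the transform
    returned them in (the guide: 'the first 12 results').
    """
    limit = SLIDER_LIMITS[setting]
    ranked = sorted(results, key=lambda r: r.weight, reverse=True)
    return ranked[:limit]


def is_enumeration(results: List[Result]) -> bool:
    """Heuristic taken from the guide: if every result carries the same weight
    the transform has no notion of relevance, so truncation loses real data."""
    return len({r.weight for r in results}) <= 1


def truncation_report(results: List[Result], setting: str) -> Tuple[int, bool]:
    """Return (number of results dropped, True if dropping them is lossy).

    Dropping is lossy for enumeration-style output, where a dropped reverse
    DNS entry is just as important as a kept one.
    """
    kept = apply_slider(results, setting)
    dropped = len(results) - len(kept)
    return dropped, dropped > 0 and is_enumeration(results)


# Constructed sample: reverse DNS for a /24 returns one equal-weight result per
# host (the hostnames are made up; example.net is a reserved documentation name).
REVERSE_DNS = [Result(f"host-{i}.example.net", "DNSName") for i in range(1, 256)]

# Constructed sample: a search-engine transform returns ranked results.
SEARCH = [
    Result(f"https://example.org/page{i}", "Website", weight=100 - 3 * i)
    for i in range(20)
]

if __name__ == "__main__":
    for name, results in (("reverse DNS /24", REVERSE_DNS), ("search", SEARCH)):
        for setting in SLIDER_LIMITS:
            dropped, lossy = truncation_report(results, setting)
            print(f"{name:16} slider={setting:6} dropped={dropped:3} lossy={lossy}")
```

Run stand-alone, the script prints one line per transform and slider position; the reverse DNS enumeration is reported as lossy at the left and middle settings, while the ranked search results are merely shortened.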

Selecting entities

There are a few ways of selecting entities.

Single select

Image:maltego-singleselect.jpg

Simply click on the entity. The entity gets a blue frame around it. If zoomed out the entity’s color is enhanced.

Multiple select

You can select more than one entity by left-click dragging a box around them:

Image:maltego-multi1.jpg

As soon as you release the left mouse button the entities are selected:

Image:maltego-multi2.jpg

Selecting entities one at a time

Image:maltego-single1.jpg

Image:maltego-single1-1.jpg

You can select entities one by one by clicking on each of them while holding Shift:

Image:maltego-single2.jpg

Selection by child

Image:maltego-child1.jpg

It is very useful to be able to select the children of a node (e.g. all the nodes that were created from the node). You can do this by selecting the parent and pressing Control + Down Arrow.

Image:maltego-child2.jpg

Selection by child (keep parent)

Image:maltego-child3.jpg

You can select child nodes and keep the parents selected by pressing Control + Shift + Down Arrow. This is useful to select an entire “family tree”:

Image:maltego-child4.jpg

Selecting parent

Image:maltego-parent1.jpg

You can select a parent of a node (e.g. the source of the selected node) by selecting the node and pressing Control + Up Arrow. This is useful to get to the original source of a child node.

Image:maltego-parent1-2.jpg

Select a parent (keep)

Image:maltego-parent2.jpg

You can select a child node and press Control + Shift + Up Arrow to select the parent while keeping the children. This is useful for selecting a “family tree”, but from a child node’s perspective.

Image:maltego-parent3.jpg

Selecting entities using ‘Find’

Image:maltego-find1.jpg

To enable searching press Control F. The following window will appear:

Image:maltego-find2.jpg

Enter the search term and click on “Find” – entities that match the criteria will be selected:

Image:maltego-find3.jpg

For more information on finding entities please refer to the relevant section in this document.

Combinations

The best way to select entities is a combination of all of the above methods. For instance you might single select entities and use a combination of child/parent expansion to find what you are looking for.

Quick list of incoming and outgoing nodes

Image:maltego-incoming1.jpg

Image:maltego-incoming1-1.jpg

When working with large graphs it is very possible that the parent and child nodes of a selected entity are outside the border of the current graph. A quick way to get a list of parent and child nodes is to Control click on the node. This shows a separate window with all incoming (parents) and outgoing (children) nodes:

Image:maltego-incoming2.jpg

Views and layout

Layout

Maltego supports 4 types of layout algorithms:

  1. Image:maltego-viewandlayout-button1.jpg Block layout. This is the default layout and is also used during mining. This layout is discussed in more depth later.
  2. Image:maltego-viewandlayout-button2.jpg Hierarchical layout. Think of this as a tree-based layout – like a file manager.
  3. Image:maltego-viewandlayout-button3.jpg Centrality layout. Nodes that are most central to the graph (e.g. most incoming links) appear in the middle with the other nodes scattered around it.
  4. Image:maltego-viewandlayout-button4.jpg Organic layout. Nodes are packed tightly together in such a way that the distance between each node and all the other nodes is minimized.


You can switch between views at any time by clicking on the relevant icon (located at the top of graph window). Selection of nodes will be preserved between layouts.


The block layout is used during mining and the application will always switch to this view when new results are obtained. In this layout nodes are shown using the following rules:

  1. In a block of nodes
  2. Sorted by entity type
  3. Sorted by entity weight


Consider the following graph where two transforms were executed on the Person entity – Person2EmailAddress and Person2Website:

Image:maltego-viewandlayout-person2graph.jpg


Note that entities are ordered by type and weight.


The following pictures show the same graph in different layout types. The graph shows all Paterva related DNS Names, their IP addresses, what netblocks they belong to and the AS numbers of those networks. Note that most of the graph has been viewed in ‘overview’ mode in order to see the layout properly.

Block layout (detailed):

Image:maltego-viewandlayout-blocklayoutgraph.jpg


Block layout (zoomed out / overview):

Image:maltego-viewandlayout-blocklayoutgraph2.jpg

Tree layout:

Image:maltego-viewandlayout-treelayout.jpg


Centrality layout:

Image:maltego-viewandlayout-centralitylayout.jpg

Organic layout:

Image:maltego-viewandlayout-organiclayout.jpg


Different layouts work best in different situations – you need to experiment to see which layout works best for the situation at hand.

Views

Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of data. Other than the mining view, Maltego supports two other views:

  1. Edge weighted view. Node sizes are based on number of incoming links.
  2. Centrality view. Nodes that are calculated to be most central to the graph are given larger nodes.


In these two views (edge weighted and centrality) entity details are not shown and no selection is possible. It is simply a view of the data, with one exception: Control clicking on a node still brings up a list of incoming and outgoing links.

The same graph used in the previous section is shown in different views. First the centrality view:

Image:maltego-viewandlayout-centralityview.jpg

Clearly the domain paterva.com is central to the graph. When viewing the same graph in ‘Edge weighted view’ we see something more interesting:

Image:maltego-viewandlayout-edgeview.jpg

Now the AS number 15169 is clearly more ‘inflated’. This is the expected result – this AS has the most incoming links.
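The following is an added example, not Paterva's code, that models a small Maltego-style graph in order to show what the selection keys described earlier (Control+Up/Down with and without Shift, and the Control-click list of incoming and outgoing nodes) and the two analytic views above actually compute. The graph is constructed to mirror the DNS name → IP address → netblock → AS chain of the sample graph: the domain, hostnames, addresses and AS number are made up and drawn from reserved documentation ranges. The guide does not say which centrality measure Maltego uses, so closeness centrality on the undirected graph is used here as an assumed stand-in; the in-degree sizing of the edge weighted view follows the guide directly.

```python
# Added example (not Paterva's code): a small model of a Maltego graph to show
# what the parent/child selection keys and the two analytic views compute.
# The graph, hostnames and addresses are constructed; the ranges used are
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, AS64496).

from collections import deque
from typing import Dict, Iterable, Set, Tuple

# Edges run from the entity a transform was run on (parent) to the entity it
# produced (child), which is how Maltego draws links.
EDGES = [
    ("example.com", "www.example.com"),
    ("example.com", "www2.example.com"),
    ("example.com", "mail.example.com"),
    ("example.com", "ns1.example.com"),
    ("www.example.com", "192.0.2.10"),
    ("www2.example.com", "192.0.2.10"),      # two names share one address
    ("mail.example.com", "198.51.100.5"),
    ("ns1.example.com", "203.0.113.7"),
    ("192.0.2.10", "192.0.2.0/24"),
    ("198.51.100.5", "198.51.100.0/24"),
    ("203.0.113.7", "203.0.113.0/24"),
    ("192.0.2.0/24", "AS64496"),
    ("198.51.100.0/24", "AS64496"),
    ("203.0.113.0/24", "AS64496"),
]

Graph = Dict[str, Dict[str, Set[str]]]


def build_graph(edges: Iterable[Tuple[str, str]]) -> Graph:
    """Adjacency in both directions so parents and children are cheap to list."""
    g: Graph = {}
    for parent, child in edges:
        g.setdefault(parent, {"in": set(), "out": set()})
        g.setdefault(child, {"in": set(), "out": set()})
        g[parent]["out"].add(child)
        g[child]["in"].add(parent)
    return g


def parents(g: Graph, node: str) -> Set[str]:
    """Incoming links: the 'incoming' half of the Control-click list."""
    return set(g[node]["in"])


def children(g: Graph, node: str) -> Set[str]:
    """Outgoing links: the 'outgoing' half of the Control-click list."""
    return set(g[node]["out"])


def select_children(g: Graph, selected: Set[str], keep: bool = False) -> Set[str]:
    """Control+Down (keep=False) or Control+Shift+Down (keep=True)."""
    new = set().union(*(children(g, n) for n in selected))
    return new | selected if keep else new


def select_parents(g: Graph, selected: Set[str], keep: bool = False) -> Set[str]:
    """Control+Up (keep=False) or Control+Shift+Up (keep=True)."""
    new = set().union(*(parents(g, n) for n in selected))
    return new | selected if keep else new


def family_tree(g: Graph, root: str) -> Set[str]:
    """Repeating Control+Shift+Down until nothing changes selects all descendants."""
    selected = {root}
    while True:
        grown = select_children(g, selected, keep=True)
        if grown == selected:
            return selected
        selected = grown


def in_degree(g: Graph) -> Dict[str, int]:
    """Edge weighted view: node size follows the number of incoming links."""
    return {n: len(adj["in"]) for n, adj in g.items()}


def closeness(g: Graph) -> Dict[str, float]:
    """Centrality view stand-in: closeness centrality on the undirected graph
    (an assumption for this example, not Maltego's documented algorithm)."""
    scores: Dict[str, float] = {}
    for src in g:
        dist = {src: 0}
        queue = deque([src])
        while queue:                       # breadth-first search from src
            cur = queue.popleft()
            for nxt in g[cur]["in"] | g[cur]["out"]:
                if nxt not in dist:
                    dist[nxt] = dist[cur] + 1
                    queue.append(nxt)
        total = sum(dist.values())
        scores[src] = (len(dist) - 1) / total if total else 0.0
    return scores


def most_inflated(g: Graph) -> str:
    """Node drawn largest in the edge weighted view."""
    deg = in_degree(g)
    return max(deg, key=deg.get)


def most_central(g: Graph) -> str:
    """Node drawn largest in the centrality view (closeness stand-in)."""
    cen = closeness(g)
    return max(cen, key=cen.get)


if __name__ == "__main__":
    G = build_graph(EDGES)
    print("Control-click 192.0.2.10:", parents(G, "192.0.2.10"), children(G, "192.0.2.10"))
    print("Family tree of example.com:", sorted(family_tree(G, "example.com")))
    print("Edge weighted view inflates:", most_inflated(G))
    print("Centrality view highlights:", most_central(G))
```

On this constructed graph the two views disagree in the same way the guide describes for the Paterva graph: the AS node collects the most incoming links and so dominates the edge weighted view, while the domain sits at the centre of the graph and dominates the centrality view.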


The layout in these views can be modified. Consider the ‘edge weighted view’ in tree layout:

Image:maltego-viewandlayout-edgeview2.jpg


Comparing this view with the original view we can clearly see the relationship:

Image:maltego-viewandlayout-relationshipgraphview.jpg

The graph shown above is rather simple and manual visual inspection would render the same results. However, when graphs get very large these views prove invaluable. Consider this large graph:

Image:maltego-viewandlayout-largegraph.gif

It is practically impossible to extract any useful information from the graph. However – viewing the same graph in centrality view (organic):

Image:maltego-viewandlayout-largegraph2.gif

This view makes it possible to identify the key entities in the graph with ease.

Entity Properties & Detailed view

Each entity has a number of properties and may have a detailed view. Most of the properties of an entity can be set while the detailed view is read-only. The properties of an entity are used by transforms and are passed along with the entity’s value to the transform. Detailed view information is not passed to the transform.

Entity properties

Entity properties are shown and can be edited in the Entity property window. Here are the entity properties of a netblock:

Image:maltego-entity1.jpg

The properties can be changed. Consider a search for a person. We want to add additional search terms to our search. When a new person entity is created the entity’s properties are blank:

Image:maltego-entity2.jpg

When the Person entity is populated with the words “Andrew MacPherson” the properties are automatically updated. It now looks like this:

Image:maltego-entity3.jpg


Running a PersonToWebsite transform on this Person entity leads to many results – clearly there are lots of Andrew MacPhersons active on the Internet. What we really want to do is look for Andrew MacPherson in South Africa. We might also add an additional search term ‘punks’ because we know that the Andrew we are looking for has a mohawk. Running the transform again we now get results restricted to South Africa and related to punks:

Image:maltego-entity4.jpg


The first two results (coming in with weights of 100) are related to the Andrew MacPherson that we’ve had in mind. Setting entity properties for advanced searches is very important to focus searches.

Entity detailed view

The detail view contains information about the entity that cannot be displayed in the main graph window. These are things that the transform author wants you to see about the entity. Sticking with the graph above, when using the Rapleaf transform on an email address entity a lot of additional information is returned that cannot be fitted on the graph window itself:

Image:maltego-detail1.jpg

As the mouse is moved over entities both the entity properties and the detail view are updated. The detail view of an entity that is returned from the Paterva Commercial Transform Application Server (CTAS) will always contain the following fields:

Image:maltego-detail2.jpg

Save/Load

Maltego can easily load and save graphs. Files are saved with a .MTG extension.

Export

Maltego can export entities in three ways:

  1. Export all entities
  2. Export selected entities
  3. Export screen as PNG file

Entities are exported as CSV with the following fields:

  • Value
  • Weight
  • Entity type

Printing

Maltego can also send the current graph (in whatever view or layout it is) to a printer. You can print to a single page or to multiple pages. With multiple pages you need to specify how many rows and how many columns of pages should be printed.

Image:printing-1.jpg

Adding poster coordinates will help you to figure out which page goes where. Afterwards you need to manually cut the edges from the paper and stick the pages together. Here is a quick attempt at a 2x2 page poster by the author (picture taken with a cell phone in low-light conditions…):

Image:printing-2.jpg

Some users told us that printing to PDF is possible. For this you should install a PDF printer driver.
