In this article, we will analyze practical examples, go through the functionality and working principles of the Maltego tool.
395 
In today’s digital age, it is rare to find a person connected to the Internet who does not have an account on one or more social networking sites. People use social networking sites to chat, play games, shop, chat online, and search for information about anything you can imagine. Facebook, Twitter, YouTube, LinkedIn and Google have become an integral part of our lives, and hundreds of millions of people spend significant amounts of time on these platforms every day. Social media sites open up numerous opportunities for any investigation due to the vast amount of useful information that can be found on them. All this can be found, for example, in one Facebook profile. Facebook also helps an outside observer understand how a particular Facebook user perceives life simply by checking the user’s current activity. Many estimates indicate that 90 percent of useful information obtained by intelligence agencies comes from open sources (OSINT), with the remainder coming from traditional covert intelligence.
Security agencies collect information in bulk from social sites to gain insight into possible future events around the world and profile people on a national scale. In addition to intelligence gathering, law enforcement agencies use social networking sites as investigative resources to fight crime. Although social networking sites allow their users to enforce privacy controls so that others do not see the content posted. This makes a large amount of available data readily available for various types of online investigations.
In the article about Facebook, we already talked about how to get to the account on the social network, so we will not dwell on it again. Let’s take a closer look at what information can be extracted from a user’s Instagram profile. First, we convert the Instagram link to the correct Entity, but not the task – the Entity is not filled. Only the User ID was received. We download the rest of the data using Transform — [Instagram] User Details. At the output, we receive a correctly filled Entity for the Instagram profile.
[Instagram] User Followers – download the list of the user’s subscribers;
[Instagram] User Following – download the list of those to whom the user subscribed;
[Instagram] User Media – upload photos and videos of the user;
[Instagram] User Tagged Media – download media files on which the user has been tagged.
If we go crazy and recall all the points, then for the account of an average person, we will get this picture:
The first problem stems from the internal structure of the social network. Since in Instagram all page formats are accounts in any case, we can separate subscriptions and subscribers only by the marks above Links. If we include groups of Entities, they all merge into a single block.
[Convert] To Entitie – downloads and converts to add. Entities account URL, photo/video URL and account Alias;
[Convert] To Location – loads Entity with photo geolocation;
[Face Recognition] Search – identifies the persons in the photo and starts a search for them with the credentials of the owner of the photo;
[Instagram] Comments — downloads accounts of users who left comments under photos/videos;
[Instagram] Get Likes – uploads accounts of users who liked the photo/video;
[Instagram] To Photo | Video Details – uploads available photo/video data to Entity;
[Instagram] To Profile – provides the profile of the user who owns the photo/video.
Next, I decided to test whether it is possible to find a person’s other social networks on the fly using Transforms from the Search Profile in Other Networks group. All Transforms data is related to the Face Recognition mechanism, which we will talk about in a separate article. I didn’t think too much and started everything at once, since there are not many of them and the final information output will be small: either there is an account, or there is not.
Approx. Author: Never! Do you hear? NEVER run ALL TRANSFORMS! It’s for your own good. What you end up with will just be a huge jumble of Entities and Links. When conducting OSINT using Maltego, you should run several Transforms as described above only if you have a clear idea of what the final information output is waiting for you. Gradual advancement during OSINT is the key to victory.
The result surprised me, to put it mildly! Out of the blue, my LinkedIn profile popped up:
But according to Hideo Kojima, it turned out to be an even more interesting information release:
– 1 VK account;
– 4 Facebook accounts;
– 1 Foursquare account;
– 3 Twitter accounts;
– 1 Xing account (similar to LinkedIN);
– 1 MySpace account.
Here, LinkedIn has already asked itself. Let’s see what information we can extract from the account of this social network using Maltego. And let’s probably take someone more interesting than me. Bill Gates, for example.
[Linkedin] People Also Viewed —downloads a list of recent users who viewed this account;
[Linkedin] User Details — downloads and creates Entities of the company, educational institution and place of residence, based on the one specified in the profile information;
[Linkedin] User Posts -downloads all user posts;
[SL DB] Get Email by Linkedin Profile — search for a user’s e-mail in the Social Links database using the LinkedIn account.
[Convert] To Entitie – downloads the Entity link from the URL of the company’s profile picture;
[Linkedin] Company Details – uploads Entities office locations and profiles of affiliated companies;
[Linkedin] Current Employees – downloads a list of profiles that indicate that they work for the company;
[Linkedin] Past Employees – downloads a list of profiles that indicate that they have worked for the company.
When receiving information through Transform [Linkedin] Company Details for the Microsoft test, we have the output:
Approx. Author: by the way, there is another interesting OSINT methodology for Maltego. According to Entity location, we can download from the OpenCorporates database a list of all companies located at the specified address. Further, for the company we are interested in, we can perform a search for its accounts on various social networks.
According to Entities, there is no educational institution and Transform user post for uploading information.
So we finally got to VKontakte. Well, if we already have Hideo Kojima’s account in VK, then let’s continue with it. The account is definitely his. Info – hundred!
[Vkontakte] Friends – download a list of friends;
[Vkontakte] User Details – upload user information as separate Entities;
[Vkontakte] User Groups and Pages — download a list of user groups and pages;
[Vkontakte] User Photos – download a list of user photos;
[Vkontakte] User Posts – download a list of user posts;
[Vkontakte] User Videos — download a list of user videos.
The final output looks something like this:
Now let’s dig deeper and find out what we can get for individual Entities. For Groups and Pages, everything is simple – we can get a list of users who belong to them and are subscribed to them, respectively. Lists of users have been downloaded, links of mutual subscriptions have been built. Do not forget to clean the graph from remote accounts (DELETED). They, in the people of SMM-shchiki, are dogs.
For Posts, Videos and Photos, we only have one Transform available to us – download the list of users who liked the post/video/photo. Let’s download the lists and plot the information on the graph. Everything is in place and before us again is the gate of OSINT-hell)
This is not the first time we have seen this. We begin to clean the issue. First, we remove all the lists, and then we start looking at the connections manually. After 5 minutes, the picture begins to emerge.
Well, not even 10 minutes have passed, and with the help of such banal, at first glance, methods, we calculated the BEST OF THE BEST Kojima fans. These are people who are in all groups, friends with Kojima and liked his last 3 posts, photos and videos.
According to the mass media of the world, posts on this social network are equated to official statements and statements.
Elon Musk tweeted in 2018 that it would not be bad to withdraw the company from the stock exchange, and apparently there is even an investor, and how it HAPPENED… the US Securities and Exchange Commission (SEC) launched an investigation into the manipulation of the securities market. And it’s all because of one tweet. As a result, the SEC in a pre-trial order achieved that now Elon Musk is obliged to coordinate with them any of his positions that relate to the Tesla company in any social network. That’s what Twitter is. The mother of hashtags and the battlefield of holivars of all stripes.
[Twitter] Get info from password recovery page – get information from the password recovery page;
[Twitter] To User Followers – download the list of followers;
[Twitter] To User Following – download the list of those to whom the user is subscribed;
[Twitter] User Details — uploading information from the account to the profile.
However, if we go to All Transforms and type Twitter in the search, we will see a somewhat expanded picture. This is due to the fact that along with Transforms from Social Links, there are also Transforms for Twitter from Paterva themselves.
[Twitter] To User RT – download user’s retweets;
[Twitter] To User Tweets – download user tweets;
[Twitter] To User Tweets + RT -download tweets + retweets;
To Twitter Affiliation [This person receives Tweets from ?] — download the list of users who wrote tweets to this user;
To Twitter Affiliation [This person wrote Tweets to ?] — download the list to whom the user wrote tweets;
До Twitter details [From Twitter number or screen name] — analog [Twitter] User Details;
To Twitter followers – analogue of [Twitter] To User Followers;
To Twitter friends – analogue of [Twitter] To User Following;
As with all previous cases, the success of OSINT with all of these Transforms depends solely on how you build your line of inquiry and what techniques you use.
Approx. Author: in general, a lot of useful and not so useful information can be extracted from Twitter for ordinary people, if, of course, they use it. When searching for information on Twitter (and in general in any social networks), avoid transferring connections to different media persons. They have a very large number of followers and tweets. Moreover, when I say “big”, I’m talking about the amount from 100 thousand! Even Maltego XL will not help you with such volumes.
Well, what GitHub is, I think, is not a secret for anyone. Only the world’s largest web service for hosting and joint development of IT projects.
To receive information, we will need a GitHub account and an API key, which can be generated in the account’s personal cabinet. Taking into account the instructions on the Social Links website, remove all the checkmarks when creating a token.
[Github] Followers – download the list of subscribers;
[Github] Following – download the list of subscriptions;
[Github] Get Email – upload the e-mail account to the graph;
[Github] Organization – upload the Entity of the organization specified in the account to the graph;
[Github] Starred – Download the list of repositories marked by the user;
[Github] User Details – download information about the user;
[Github] User Repos – download the list of user repositories;
[Github] User Subscriptions — unloading a user’s subscription.
There are also a wide variety of Transforms available for uploading to the repository graph, but in this article we’re looking at GitHub in terms of getting input from users. And here is also a complete set, if the person filled it in his profile, of course.
Then everything depends on your knowledge of OSINT methods and the ability to analyze and connect the received information together.
Classmates – your time has come! It may seem to many that this social network is unremarkable, in fact, it provides a great help in finding information on people aged 40+.
In my OSINT practice, at least 7 times I used the full information that I managed to find on this social network.
But first, as an information protection specialist, I want to express my DISLIKE with the completely absurd demand of a social network to pay money to make your profile completely private. Do you think I was joking?
You will be asked for money to change all the specified parameters to private ones. And the point is not in the ridiculous amount of 50 rubles, but in the fact that it is not very ethical to ask people for money for privacy. And I am silent about other aspects of monetization of classmates. The day is not far when message packs will be sold there, as earlier SMS were bought individually. In terms of OSINT, however, this makes the task easier because not all people get steamrolled by buying options.
Unfortunately, for this social network we have, so far, only the possibility of uploading the list of friends and information from the account to the graph. Of course, this is enough for basic methods, but I would like more options. Transforms are being actively expanded by Social Links and I think that they will be very similar in terms of functionality to the set of Transforms for VKontakte.
Approx. By: One of Maltego’s very handy features is Entities conversion. Let’s say you need to perform a search using face recognition, but you have an Entity — Person with a photo attached. With a light movement of the mouse, you can convert it into the Entity you need and not break the graph of connections. Details in the screenshots below.
As you can see, as a result, we have a new type of Entity and we can apply to it the full range of Transforms that are available to this type of Entity, but were available to Entity — Person. Thus, during OSINT, you can adjust the graph and make it more logical and readable.
Gravatar, Xing, Myspace, Snapchat, and My World are represented as separate Entities with a set of parameters that are loaded into properties and graphs as needed.
However, there are no full-fledged Transforms for working with Entities of these networks. The exception is, perhaps, Foursquare. You can download a list of friends in it.
But here we can get a lot of useful information. As part of OSINT, information from these networks can be used to confirm already discovered information and reveal additional information search channels in the form of a network of contacts, connected profiles of other social networks, workplaces, work e-mails. phones
That’s it for social media and Maltego for today. As it turns out, it’s not all that complicated and confusing, right? Don’t miss the next article where we’ll look at Social Links’ photo face recognition engine and how it works in the Maltego ecosystem.
395 
282 
303 
252 
255 
251