Even if you are very new to online investigation and know nothing about Maltego, you will be able to stalk any company after reading this 2-minute blog.
Here we are going to pick a target domain. Maltego will search for all the email addresses it can find, check which of them resolve to accounts on social networks, and also try to find related documents and extract their metadata.
Before starting, download Maltego if you do not have it.
Go to https://www.maltego.com/downloads/ and download the Community Edition (limited, but free) of Maltego.
Register on the following link to activate Maltego Community Edition and log in to the Maltego desktop client.
This is a super simple process with just 3 steps:
Step 1: Go to Machines Tab and click on Run Machine.
Choose Company Stalker Machine from the list.
Step 2: Enter the domain name you want to investigate and click on Finish.
Now it will show a notice about the maximum number of results the Maltego client can return from running this machine, since we are using the free Community Edition of Maltego.
Once you click on OK, Maltego will automatically create a new graph for you and it will also add a domain entity to your graph.
Now the Company Stalker machine will start running. It will try to get all email addresses for that domain and then see which of them resolve on social networks.
You will be able to see the running process, and which transforms the Company Stalker machine is running, on the top right side of the Maltego window.
Step 3: Now it will ask you to filter out any unrelated or unwanted data from the list.
Here all the email addresses found by this machine are relevant and I do not want to remove any of them from the list, so I proceed further; you can remove any you like.
Results: It will provide you with the graph of the result as shown below.
Note: We are only getting 12 results because we are using the Community Edition of Maltego.
The following are the transforms which this machine performed.
Here we can see the step-by-step list of all the transforms performed by Maltego in the Company Stalker machine.
Moving Further in the stalking:
Step 4: Click on Home, or go to the Transforms tab and click on the Transform Hub item.
It will show you all the Transform Hub partners of Maltego.
Search for Have I Been Pwned? and install it.
Now go back to the previously generated graph.
Step 5: Now, to run the transform, select all the entities (email addresses) in the graph and right-click on them.
Click on Machines in the transform menu.
And select the haveibeenpwned transform from the list.
The haveibeenpwned transform comes with its own machine, which was added to our Maltego client when we installed it from the Transform Hub. Because of that, you can see the haveibeenpwned machine running on the top right side.
Results: You will get one big graph that shows which email IDs have been pwned and which have not.
The following are the email addresses that were not breached.
And these are the pwned email addresses. It also shows further information about them, as shown below.
Here it displays on which domain that email address was compromised and what information was stolen.
1) We can also get more information about the data breach from the notes in Maltego.
Notes are attached to entities in Maltego and they are useful for adding additional information to your Entities.
2) You can also add a note as a reminder to yourself or your colleagues about that entity, and notes can also be added by transforms you run on that entity.
3) For example, here one of the email addresses was pwned on adobe.com. To gain more information, when I select the domain entity for adobe.com I can see the details in the Notes section of the right-side panel in Maltego.
4) It shows when this breach happened, what was stolen in this breach and what the reason behind it was.
5) As we can see, it says that in October 2013, 153 million Adobe accounts were breached, each containing an internal ID, username, email and encrypted password. The reason was that password hints were stored in plain text and the password cryptography was poorly done, so many of the passwords were very easy to resolve back to plain text.
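The same breached / not breached split and the per-breach details (domain, date, what was stolen) can be produced from raw Have I Been Pwned records, which is handy when a security team wants to prioritise password resets for its own domain. The following is an added example, not code from the original post or from Maltego; the records are constructed sample data in the shape of the HIBP v3 breach model and nothing is fetched from the network.

```python
# Added example (not from the original post): offline triage of HaveIBeenPwned-style
# breach records per email address, mirroring what the haveibeenpwned machine attaches
# to each entity in Maltego (breach domain, date, data classes). The records below are
# constructed sample data using HIBP v3 breach fields (Name, Domain, BreachDate,
# PwnCount, DataClasses); no network calls are made.
import json
from datetime import date

# Constructed sample lookup for three addresses. An address with no breaches maps to
# an empty list (the live API answers 404 for those).
SAMPLE_LOOKUP = {
    "alice@example.com": [
        {"Name": "Adobe", "Domain": "adobe.com", "BreachDate": "2013-10-04",
         "PwnCount": 152445165,
         "DataClasses": ["Email addresses", "Password hints", "Passwords", "Usernames"]},
    ],
    "bob@example.com": [],
    "carol@example.com": [
        {"Name": "ExampleForum", "Domain": "forum.example", "BreachDate": "2019-05-20",
         "PwnCount": 1200000, "DataClasses": ["Email addresses", "IP addresses"]},
    ],
}

# Data classes that mean credential material was exposed and a reset is urgent.
CREDENTIAL_CLASSES = {"Passwords", "Password hints"}


def triage(lookup):
    """Split addresses into (clean, breached).

    `breached` is a list of summaries ordered with credential-exposing breaches
    first, then by most recent breach date. `lookup` maps email -> HIBP breach list.
    """
    clean, breached = [], []
    for email, breaches in lookup.items():
        if not breaches:
            clean.append(email)
            continue
        classes = {c for b in breaches for c in b["DataClasses"]}
        latest = max(date.fromisoformat(b["BreachDate"]) for b in breaches)
        breached.append({
            "email": email,
            "sites": sorted(b["Domain"] for b in breaches),
            "latest_breach": latest.isoformat(),
            "credentials_exposed": bool(classes & CREDENTIAL_CLASSES),
            "data_classes": sorted(classes),
        })
    breached.sort(key=lambda r: r["latest_breach"], reverse=True)   # newest first
    breached.sort(key=lambda r: not r["credentials_exposed"])       # stable: creds first
    return sorted(clean), breached


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOOKUP), indent=2))
```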
After gaining all this information you can do many things with it.
We got all of this from a single piece of information, the name of the target domain, with just a few clicks in Maltego.
Written by: Khushbu Vyas (Cybersecurity Analyst)