Penetration testing

Information Gathering Using Maltego

Hari Krishnan
February 20, 2012 by
Hari Krishnan

The first phase in security assessment is to focus on collecting as much information as possible about a target application.

According to OWASP, information gathering is a necessary step of a penetration test.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

The more information, the higher the success rate. There are basically two types of information gathering: active and passive. Passive information gathering is where the attackers won't be contacting the target directly and will be trying to gather information that is available on the Internet; whereas in active information gathering, the attacker will be directly contacting the target and will be trying to gather information.

Information gathering is generally done on infrastructure and on people. In infrastructure recon, the attackers generally try to find the information about the host i.e., the mail exchanger record, name server record , shared resources, etc.,. For information gathering on people, the attackers try to gather information like email addresses, their public profiles, files publicly uploaded, etc., that can be used for performing a brute force, social engineering or Spear phishing.

About OSINT:

OSINT stands for Open Source Intelligence. In OSINT method, the information is basically found publicly and that information can be used to further analysis. The relationship between the various forms of information gathered from the Internet can be extremely valuable from the attacker's point of view. In this method, there is no direct contact with the victim's servers or only standard traffic is directed toward the victim.

Maltego is an example which uses OSINT to gather information.Maltego, is an open source intelligence and forensics application and shows how information is connected to each other. Another advantage of this tool is that the relationship between various types of information can give a better picture on how they are interlinked and can also help in identifying unknown relationship.

What information can be found using Maltego:

With Maltego, we can find the relationships, which (people) are linked to, including their social profile, mutual friends, companies that are related to the information gathered, and websites.

If we want to gather information related to any infrastructure, we can gather relationship between domains, DNS names, and net blocks.

Architecture of Maltego:

Image from

The Maltego client sends the request to seed servers in XML format over HTTPS. The request from the seed server is given to the TAS servers which are passed on to the service providers. The request results are given back to the Maltego client. The advantage is that we can have our own TAS servers for more privacy. Currently Maltego has two types of server modules: professional and basic. The major differences between the two servers are the modules available. The professional server comes with CTAS, SQLTAS and the PTTAS and the basic server comes with CTAS.

CTAS – Commercial TAS contains the transforms available in public server. This is similar to basic server.

SQLTAS – TAS can access the SQL database using this module. It can also can perform various SQL queries and will return the results. The supported types are MySQL, MSSQL, DB2, Oracle and Postgres.

PTTAS- Pentesting TAS module that allows you to perform various pentesting related tasks from within Maltego like the port scan, banner grabbing, etc.


Starting Maltego

First go to Applications-->Backtrack-->Information Gathering-->Network Analysis-->DNS Analysis-->Maltego

The first time you login it will ask you to register your product. If you already have an account just enter your email ID and password. Once you validate your login it will update the transforms.

Once the transforms are updated, click the 'Investigate' tab and select the desired option from the palette. There are two main categories in the palette: Infrastructure and Personal. We can also import other entities to the palette. An example is the SHODAN entity. SHODAN is a search engine which can be used to find specific information like server, routers, switches, etc .,with the help of their banner.


Infrastructure Reconnaissance:

Maltego helps to gather a lot of information about the infrastructure. In order to start gathering information, select the desired entity from the palette. In this example, we are going to scan a domain. Select the domain option from the palette and drag the option to the workspace. Enter the target domain. Now right-click on the entity and you should be getting an window that says "Run Transform" with additional relevant options.



Run the required transform and find out information like the MX, NS and IP address. We can then use transforms like 'IPAddressToNetblock' to break a large netblock into smaller networks for better understanding.

Also we can find the shared domains. We can determine information like IP addresses for domains and other internal networks, the netblocks which are used by the target, etc.


Infrastructure Info gathering

Personal Reconnaissance:

Maltego helps you find information about a person, like their email address, social profiles, mutual friends, various files shared on various URLs, etc. Select the desired option from the palette. Here I am going to select the option 'Person' and will enter the name of the person I will be trying to gather information about.

Right-click on the 'Person' option and select the desired transforms. First let's find the email address related to the person and try to gather more information. With Maltego, we can find their SNS information from Facebook, Flickr, etc.

Person Info Gathering



Various entities in Facebook were detected by using the transform "toFacebookaffiliation." This method generally looks for a Facebook affiliation that matches closely to a person's name based on the first and last name and weighs each result accordingly. With Maltego we can also find mutual friends of two targeted persons in order to gather more information.

Similarly, we can find if the user has uploaded any files in pastebin or any other public URLs. Having all this information can be useful for performing a social engineering-based attack.



Foca is another network infrastructure mapping tool which can discover information related to network infrastructure and also analyze metadata from various file formats like MS office, PDF files, etc. It can also enumerate users, folders, emails, software used to create the file, and the operating system.

Download link:

Register your email id in order to download the tool.

Various Steps involved:

Step 1: First go to Project –> New Project and start a new project where you have to enter the project name and the target.

Step 2: Once the target is selected and saved, the next step is searching for the files using various search engines like Google, Bing and Exalead by clicking "Search All". We can also search files using our custom search.

Note: Exalead is a another type of search engine.

Step 3: Various files will be shown in FOCA. Download the files once the scan is completed in order to analyze the metadata. While gathering the files from the Internet, FOCA also analyzes the target's network and gives out information like network, domain, roles and vulnerabilities. We get information like the name of the user, share path, their operating system, software used and other various useful data from the metadata analyzed. Information like the software used to create the document can be used for performing a client-based exploitation.

Both tools are best for gathering information about any target and gives a better picture about the target.

Another thing both tools have in common is that they use the functionality of SHODAN. The SHODAN transform for Maltego can be downloaded from the below link.

SHODAN is useful for performing the initial stages of information gathering. Enter the target IP or the website URL into SHODAN. This can provide a lot of information, like the technology used by the domain, server versions, etc.,

Having the maximum amount of information about your target is always good as it helps us to understand more about the target, their network infrastructure, and the people connected to the target. The more information, the higher the success rate for the attack. If you are good at social engineering then perform the attack on the users found from Maltego and FOCA, i.e., a client based attack or binding malicious content to a document or any other files related to that particular author and asking them to check it for corrections, thus infecting the author.

Foca also has an online service for finding the generic metadata, but it has a lot of limitations and does not provide much information. The url is


Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.

Hari Krishnan
Hari Krishnan

Hari Krishnan works as a security and bug researcher for a private firm, as well as InfoSec Institute. His interests largely encompass web application security issues. Hari is also an organizer for Defcon Chennai (