M3GuideTransforms PDF

PATERVA
Maltego transforms
A reference guide
RT
2011/01
January 2011
Maltego 3 User Guide - Transforms
Version 3.0
Table of Contents
1
Introduction ...................................................................................................................................................................... 7
Search engine transforms ........................................................................................................................................... 8
2.1
General notes when using search engine transforms ........................................................................................................... 8
2.2
Problems with parsing results........................................................................................................................................................ 9
Infrastructure ................................................................................................................................................................ 10
3.1
Internet Autonomous System (AS) .............................................................................................................................................10
3.1.1
3.2
To Netblocks in this AS [Robtex]........................................................................................................................................10
NS (Name Server) ..............................................................................................................................................................................11
3.2.1
To Domains [DNS] ....................................................................................................................................................................11
3.2.2
To IP Address [DNS] ................................................................................................................................................................11
3.2.3
To Web site [Query port 80] ................................................................................................................................................12
3.3
Domain ...................................................................................................................................................................................................13
3.3.1
To MX (mail server) [DNS] ...................................................................................................................................................13
3.3.2
To NS (name server) [DNS] ..................................................................................................................................................14
3.3.3
To DNS Name [Attempt zone transfer]............................................................................................................................15
3.3.4
To DNS Name [Find common DNS names] ....................................................................................................................16
3.3.5
To DNS Name [Name Schema] ............................................................................................................................................17
3.3.6
To Domain [Find other TLDs] .............................................................................................................................................18
3.3.7
To Email address [From whois info] ................................................................................................................................19
3.3.8
To Email addresses [PGP] .....................................................................................................................................................20
3.3.9
To Email addresses [using Search Engine] ....................................................................................................................20
3.3.10
To Emails @domain [using Search Engine]...................................................................................................................21
3.3.11
To Entities (NER) [Alchemy and OpenCalais] via whois ..........................................................................................22
3.3.12
To Files (Interesting) [using Search Engine] ................................................................................................................22
3.3.13
To Files (Office) [using Search Engine] ...........................................................................................................................23
3.3.14
To Person [PGP] ........................................................................................................................................................................24
3.3.15
To Phone Numbers [using Search Engine] ....................................................................................................................25
3.3.16
To Phone numbers [From whois info].............................................................................................................................26
3.3.17
To Website DNS [using Search Engine] ...........................................................................................................................26
3.3.18
To Website [Quick lookup] ...................................................................................................................................................27
3.3.19
To Website [using Search Engine].....................................................................................................................................27
Maltego Transforms a reference guide
Page 2
January 2011
Version 3.0
3.4
An IP version 4 address ...................................................................................................................................................................29
3.4.1
To DNS Name [Other DNS names].....................................................................................................................................29
3.4.2
To DNS Name [Reverse DNS] ..............................................................................................................................................30
3.4.3
To Domain [Sharing this MX] ..............................................................................................................................................30
3.4.4
To Domain [Sharing this NS] ...............................................................................................................................................31
3.4.5
To Email address [From whois info] ................................................................................................................................32
3.4.6
To Entities (NER) [Alchemy and OpenCalais] via whois ..........................................................................................32
3.4.7
To Geo location [whoisAPI] ..................................................................................................................................................33
3.4.8
To Netblock [Blocks delegated to this IP as NS] ..........................................................................................................34
3.4.9
To Netblock [Natural boundaries] ....................................................................................................................................34
3.4.10
To Netblock [Using routing info] .......................................................................................................................................35
3.4.11
To Netblock [Using whois info] ..........................................................................................................................................36
3.4.12
To Telephone Number [From whois info] .....................................................................................................................37
3.4.13
To Website where IP appears [using Search Engine]................................................................................................37
3.5
MX record (mail exchange record) .............................................................................................................................................39
3.5.1
To Domain [DNS] ......................................................................................................................................................................39
3.5.2
To Domains [Sharing this MX] ...........................................................................................................................................39
3.5.3
To IP Address [DNS] ................................................................................................................................................................40
3.6
DNS name server record .................................................................................................................................................................41
3.6.1
To Domain [DNS] ......................................................................................................................................................................41
3.6.2
To Domains [ Sharing this NS] ............................................................................................................................................41
3.6.3
To IP Address [DNS] ................................................................................................................................................................42
3.6.4
To Netblock [Blocks delegated to this NS] .....................................................................................................................42
3.7
Netblock .................................................................................................................................................................................................43
3.7.1
To AS number ............................................................................................................................................................................43
3.7.2
To DNS Names in netblock [Reverse DNS] ....................................................................................................................44
3.7.3
To Entities (NER) [Alchemy and OpenCalais via whois............................................................................................45
3.7.4
To Geo location ..........................................................................................................................................................................45
3.8
URL...........................................................................................................................................................................................................46
3.8.1
To Email Addresses [Found on web page].....................................................................................................................46
3.8.2
To Entities (NER) [OpenCalais and Alchemy API] ......................................................................................................47
3.8.3
To Phone number [Found on this web page]................................................................................................................48
3.8.4
To URL [incoming links found to this web page] ........................................................................................................49
3.8.5
To Website [Convert]..............................................................................................................................................................50
Page 3
January 2011
Version 3.0
3.8.6
To Website [Links on this web page] ...............................................................................................................................50
3.9
Website...................................................................................................................................................................................................51
3.9.1
Mirror: Email addresses found ...........................................................................................................................................51
3.9.2
Mirror: External links found ................................................................................................................................................52
3.9.3
To Domains [DNS] ....................................................................................................................................................................52
3.9.4
To IP Address [DNS] ................................................................................................................................................................53
3.9.5
To URLs [show Search Engine results]............................................................................................................................53
3.9.6
To Website [Incoming links to site] ..................................................................................................................................54
3.9.7
To Website [Replace with thumbnail] .............................................................................................................................55
3.9.8
To Website title .........................................................................................................................................................................55
Personal ........................................................................................................................................................................... 57
4.1
Document ..............................................................................................................................................................................................57
4.1.1
Parse meta information .........................................................................................................................................................57
4.1.2
To URL [Show SE results] .....................................................................................................................................................58
4.2
Email........................................................................................................................................................................................................59
4.2.1
To Domain [DNS] ......................................................................................................................................................................59
4.2.2
To Email Addresses [PGP (signed)] ..................................................................................................................................59
4.2.3
To Email Addresses [PGP] ....................................................................................................................................................60
4.2.4
To Email Addresses [using Search Engine] ...................................................................................................................60
4.2.5
To Person [PGP] ........................................................................................................................................................................61
4.2.6
To Phone number [using Search Engine] .......................................................................................................................61
4.2.7
To URLs [Show search engine results] ............................................................................................................................62
4.2.8
4.2.9
Verify email address exists [SMTP] ..................................................................................................................................63
4.3
Person .....................................................................................................................................................................................................64
4.3.1
To Email Address [PGP] .........................................................................................................................................................64
4.3.2
To Email Address [Verify common]..................................................................................................................................65
4.3.3
To Email Address [using Search Engine] ........................................................................................................................66
4.3.4
To Person [PGP (signed)] ......................................................................................................................................................67
4.3.5
To Phone Number [using Search Engine] ......................................................................................................................67
4.3.6
4.4
Phone Number ....................................................................................................................................................................................70
4.4.1
To Email Address [using Search Engine] ........................................................................................................................70
4.4.2
To Phone Number [using Search Engine] ......................................................................................................................70
Page 4
January 2011
Version 3.0
4.4.3
To URL [Show Search Engine results] .............................................................................................................................71
4.4.4
4.5
Phrase .....................................................................................................................................................................................................72
4.5.1
To Email Addresses [using Search Engine] ...................................................................................................................72
4.5.2
To Entities (NER) [Alchemy and OpenCalais] ..............................................................................................................73
4.5.3
To Files (Interesting) [using Search Engine] ................................................................................................................74
4.5.4
To Files (Office) [using Search Engine] ...........................................................................................................................75
4.5.5
To Telephone numbers [using Search Engine] ............................................................................................................76
4.5.6
To Tweets [Search Twitter] .................................................................................................................................................77
4.5.7
4.5.8
To related phrase .....................................................................................................................................................................79
4.6
Twit ..........................................................................................................................................................................................................80
4.6.1
To Twitter Affiliation [Convert] .........................................................................................................................................80
4.6.2
To URL(s) [Found in these Tweets] ..................................................................................................................................80
4.7
Affiliation Twitter ...........................................................................................................................................................................82
4.7.1
To AffTwitter [Get details of ID holder] ..........................................................................................................................82
4.7.2
To AffTwitter [This person received Tweets from ?] ................................................................................................82
4.7.3
To AffTwitter [This person wrote Tweets to ?] ...........................................................................................................83
4.7.4
To Person [Convert] ................................................................................................................................................................84
4.7.5
To Tweets [That this person wrote] .................................................................................................................................84
4.7.6
To Tweets [Written to this person] ..................................................................................................................................85
4.7.7
To followers of this person...................................................................................................................................................85
4.7.8
To friends of this person .......................................................................................................................................................86
Maltego 3 Client Transforms - Overview ........................................................................................................... 88

5.1
Infrastructure ......................................................................................................................................................................................88
5.1.1
Internet Autonomous System (AS) ...................................................................................................................................88
5.1.2
Domain Name System server name ..................................................................................................................................88
5.1.3
Internet Domain........................................................................................................................................................................89
5.1.4
IP version 4 address ................................................................................................................................................................90
5.1.5
Location on mother earth .....................................................................................................................................................91
5.1.6
DNS mail exchange record ....................................................................................................................................................91
5.1.7
DNS name server record .......................................................................................................................................................91
5.1.8
Netblock .......................................................................................................................................................................................92
5.1.9
URL .................................................................................................................................................................................................92
Page 5
January 2011
Version 3.0
5.1.10 Website .........................................................................................................................................................................................93
5.2
Personal .................................................................................................................................................................................................93
5.2.1
Document.....................................................................................................................................................................................93
5.2.2
Email ..............................................................................................................................................................................................94
5.2.3
Person ...........................................................................................................................................................................................94
5.2.4
Phone Number ...........................................................................................................................................................................95
5.2.5
Phrase............................................................................................................................................................................................95
5.2.6
Twit ................................................................................................................................................................................................96
5.2.7
Affiliation Facebook .............................................................................................................................................................96
5.2.8
Affiliation LinkedIn ..............................................................................................................................................................96
5.2.9
Affiliation Twitter .................................................................................................................................................................97
Page 6
January 2011
Version 3.0
Introduction
This document serves as a reference guide of transforms that are currently in use in Maltego. The last section
of this document gives a summary of all transforms.
Page 7
January 2011
Version 3.0
Search engine transforms
There are couple of transforms that use search engines - all of them very similar. The basic recipe with these
transforms is as follows:
1. Expand the question. The question is the input from the GUI - be that a person's name, a domain or an
phone number. When looking at a person's name for instance the name 'Kosie Kramer' will be
expanded to searches like '"Kosie Kramer"', '"K Kramer"', 'Kramer Kosie' etc. In the case of a telephone
number the search will be expanded to include most telephone notations used.
2. Assign confidence levels. Because a search for '"Kosie Kramer"' is more likely to return good results rather than a search for 'KramerK' the confidence level for the first search would be higher. The
confidence levels are also used to assign preference to certain file types when doing searches on
documents (these are configurable in the transform). In the same way a XLS file containing the word is
likely more interesting than a PDF file.
3. Perform each search. The searches are performed and the snippets are obtained. It is important to note
that only snippets are parsed. For parsing the entire page you need to dump to URL and process the
URLs separately. Various search engines have various snippet lengths.
4. Parse for output entities. Depending on what output is required the snippets are parsed for entities - in
some cases the web site's name is all that's required.
5. Calculate weight. The weigh is calculated from various factors - the confidence of the search, the
frequency of the result, the importance of the web site where the result came from, and in some cases a
correlation to the input.
6. Normalise. The weights are now normalised using a fairly interesting algorithm that involves the mean
and standard deviation of the spread of weights. It is important to understand that a search result with
a equal spread of weights are mostly useless.
2.1
General notes when using search engine transforms
Maltego will sometimes give you results that seem plain wrong. You need to keep in mind that the application will
get pretty desperate when it does not get results. So - when you are searching for a person called "Vaxynutus
Grabounill" and that person simply left no marks on the Internet Maltego will eventually go after a search term
"VG" - with a super low confidence - but you will still get some results. These results could seem completely off the
mark, but should have very low weights. Always look at the weights.
Many of the search engine transforms use pop-up transform settings for location and additional terms. If you are
not getting the results you want you should try adding some terms here. You can read all about it in the User guide
in the section about Transform properties.
Page 8
January 2011
2.2
Version 3.0
Problems with parsing results
Some entities are hard to parse. Telephone numbers are notoriously hard to parse. There is always a trade-off
between missing numbers and parsing non-telephone numbers as phone numbers. With the current transforms
we hope to have reached the optimal balance.
Page 9
January 2011
Infrastructure
3.1
Internet Autonomous System (AS)
Version 3.0
3.1.1 To Netblocks in this AS [Robtex]

This transform expands an ASNumber to one or more netblock Entity. This transform is very useful in the
infrastructure
re foot printing of an organization. Let us assume that Org. X owns a couple of netblocks, but only
has a single DNSName that points to a single netblock - the other netblocks have no DNS information (e.g. no
forward DNS pointing to it, or reverse DNS entr
entries
ies in the block). Using this transform we can find the
ASNumberEntity of the netblock. Once we have the AS number we can expand it to all the other netblocks that
Org. X have.
Page 10
January 2011
3.2
Version 3.0
NS (Name Server)
3.2.1 To Domains [DNS]

This transform extracts the DomainEntity from a DNSNameEntity. The domain in a DNS Name like
'mx.google.co.uk' would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these
TLDs and subTLDs are really not that useful it is not rreturned.
3.2.2 To IP Address [DNS]

This is a simple transform. It resolves a DNSName to an IPAddress. Enough said.
Page 11
January 2011
Version 3.0
3.2.3 To Web site [Query port 80]

This transform basically converts DNSName to Website. Before simply changing the types the transform will
query port 80 on the DNS Name and see if it can get a proper HTTP response. Currently only port 80 is tested.
In upcoming versions port 443 will also be tested. The transform also populates the server type and the HTTP
ports in the additional fields.
Page 12
January 2011
3.3
Version 3.0
Domain
3.3.1 To MX (mail server) [DNS]

This
his transform determines if an MX record exists for the given Domain. The MX record is the mail exchanger
record and is returned
d as an MXrecord Entity. The IP aaddress
ddress of this record gives a good indication of the
network location of the target as most organizations keep their mail close to their network. This is normally
used in the infrastructure foot printing of an organization.
The IP Address of this record gives a good indication of the network location of the target as most
organisations keep their mail close to their network. This is normally used in the infrastructure foot printing of
an organisation.
Page 13
January 2011
Version 3.0
3.3.2 To NS (name server) [DNS]

This transform determines if an NS record exists for the given Domain. The NS record is the name server
record and is returned as an NSrecord Entity. This is normally used in the infrastructure foot printing of an
organization. A note of caution - it is not uncommon for organizations to outsource their name servers to their
ISP or to the registrar of their domain. Thus - in terms of finding the network (e.g. resolving this to an IP
address) of the target this has limited value - human inspection is advised.
Page 14
January 2011
Version 3.0
3.3.3 To DNS Name [Attempt zone transfer]

This transform attempts a zone transfer (AXFR) on the Domain. If possible it extracts the Cnames and A records
from the zone as DNSName. If a zone transfer is possible then all the DNS names associated with the domain
are returned, and there is no need to brute force it anymore. The results of a successful zone transfer normally
results in a very happy analyst as resolving these DNS names to IPAddress gives a very good indication of the
network location of the target.
Page 15
January 2011
Version 3.0
3.3.4 To DNS Name [Find common DNS names]

This transform attempts to find DNS names for the specified Domain. This is done by testing a list of DNS
Names and seeing if they exist. The list of names that are tested for can be configured inside the transform. The
specified domain is appended to the name and tested. If it exists it is returned as a DNS Name.
Page 16
January 2011
Version 3.0
3.3.5 To DNS Name [Name Schema]

The transform will try several word lists (think Lord of the Rings names, planet names, colours, TLDs etc.) as
DNS names. If it finds a match in a specific word list it will try the entire word list. In this way it will try to
determine the naming schema for the domain. Note that the transform can take a while to complete - especially
when it finds a match in a long word list. The test depth per word list can be set in the transform. In the screen
shot below we see how different TLDs exists inside the domain.
Page 17
January 2011
Version 3.0
3.3.6 To Domain [Find other TLDs]

This transform will try to find domains with different TLDs by looking it up at ServerSniff
(www.serversniff.de). If you provide the domain 'funstuff.com.my' the transform will attempt to find
'funstuff.co.uk' and 'funstuff.com'. This is useful when trying to find all the domains of an organization in the
infrastructure foot printing phase. A note of caution - this transform is very heavy in terms of processing
power. It is also relatively slow (appreciate the fact that there are many millions of domains). Also results are
not guaranteed to include all known domains but it is a good trade off between speed/accuracy.
Page 18
January 2011
Version 3.0
3.3.7 To Email address [From whois info]

This transform performs a recursive whois query on the supplied domain and parses the output for email
addresses. The whois information itself is stored as a property of the supplied domain ('Domain Whois'). You
should always manually inspect this data to give context to results - or see if the parsing of the email address
failed.
Page 19
January 2011
Version 3.0
3.3.8 To Email addresses [PGP]

This transform queries a public PGP key server and asks the question - "show me all the email addresses that
ends in the supplied domain name' - results are returned as email address entities. Keep in mind that this
information might be outdated. The transform is useful for finding email addresses at a domain - an added
bonus is that we know these people communicate encrypted to others.
3.3.9 To Email addresses [using Search Engine]

This transform searches for the domain and shows related email addresses.
Page 20
January 2011
Version 3.0
3.3.10 To Emails @domain [using Search Engine]

This transform will search for email addresses containing the domain name.
Page 21
January 2011
Version 3.0
3.3.11 To Entities (NER) [Alchemy and OpenCalais] via whois

This transform performs NER (Named Entity Recognition) on the whois information extracted from the
domain and proceeds to extract person names, companies/organizations, phone numbers and locations from
the text. Please note that NER is not perfect - just go ask General Failure.
3.3.12 To Files (Interesting) [using Search Engine]

This transform will search for the locations of interesting files hosted on web sites inside the domain. The
priority for each file type can be configured as shown below:
Properties
Page 22
January 2011
Version 3.0
3.3.13 To Files (Office) [using Search Engine]

This transform will search for the locations of interesting documents (think Office[tm]) hosted on web sites
located on the domain. The priority for each file type can be configured as shown below:
Page 23
January 2011
Version 3.0
3.3.14 To Person [PGP]

This transform contacts a public PGP key server and returns Person Entities with email addresses that are
located within the given domain.
This transforms queries one of the public PGP key server and ask the question 'who do you have in your
database with email addresses that ends in the supplied domain?'. Results are returned as Person entities. The
key servers limit the results - if there are too many results the server returns no results. This transform is
useful when enumerating people working at a company. Keep in mind that the information might be outdated.
Page 24
January 2011
Version 3.0
3.3.15 To Phone Numbers [using Search Engine]

This transform will search for the given domain on search engines and shows the related phone numbers.
Page 25
January 2011
Version 3.0
3.3.16 To Phone numbers [From whois info]

This transform performs a recursive whois query on the supplied domain and parses the output for phone
numbers. The idea with the transform is to provide the phone number of the owner of the domain. The whois
information itself is stored as a property of the domain ('Domain Whois'). You should always manually inspect
this data to give context to results - or see if the parsing of the phone number failed (it is difficult to correctly
parse all forms of phone numbers).
3.3.17 To Website DNS [using Search Engine]

This transform will query search engines for websites and return them as website entities.
Page 26
January 2011
Version 3.0
3.3.18 To Website [Quick lookup]

This transform will do a quick look up to see if the DNS entry www.domain exists. This transform is useful
when dealing with a large amount of domain and you only need to quickly see which of them have web sites
(e.g. not try to find all possible DNS names).
3.3.19 To Website [using Search Engine]

This transform will search for the domain name and then show the web sites where the domain name occurs.
Page 27
January 2011
Version 3.0
Page 28
January 2011
3.4
Version 3.0
An IP version 4 address
3.4.1 To DNS Name [Other DNS names]

This transform queries two different 'historical' DNS databases to see what other DNS names are associated
with the IP
P Address. These databases are populated using various techniques. The transform is useful to find
co-hosted sites - e.g. the website (or MX, NS) of companyA could resolve to 1.2.3.4 and co-hosted
co
on that IP
address are www.companyB.com and/or companyAB.co
companyAB.com.
m. In certain cases you will find that the forward DNS
entries for the resultant DNS names are is now pointing to other IP addresses (other than the supplied one).
This simply means that changes have been made to DNS, and that the provider's database is keeping
ke
the old
information. Sometimes this is useful (as you can see that a change was made), sometimes it is annoying.
Page 29
January 2011
Version 3.0
3.4.2 To DNS Name [Reverse DNS]

This transform uses stock standard reverse DNS to determine the DNS name associated with the IP Address.
Note that not all IP addresses will reverse resolve. It is the responsibility of the owner of the netblock where
the IP resides (or whoever this task was delegated to) to populate the records. Also note that reverse DNS
entries do not have to match forward DNS - e.g. www.abc.com can resolve to 1.2.3.4 but 1.2.3.4 does not have to
resolve to www.abc.com.
3.4.3 To Domain [Sharing this MX]

This transform queries two 'historical' DNS providers to determine if this IP address is the also used by other
domains as an MX record. This type of 'reverse MX lookup' cannot be performed using standard DNS queries
and is very useful to find other domains associated with the IP number. In most cases one would work from the
actual DNS name of the MX record, but if you only have the IP address available there is no standard way of
knowing if the IP address is an MX for a domain or not. This transform gives you the ability to do this.
Page 30
January 2011
Version 3.0
3.4.4 To Domain [Sharing this NS]

This transform queries two 'historical' DNS providers to determine if this IP address is the also used by other
domains as an NS record. This type of 'reverse NS lookup' cannot be performed using standard DNS queries
and is very useful to find other domains associated with the IP number. In most cases one would work from the
actual DNS name of the NS record, but if you only have the IP address available there is no standard way of
knowing if the IP address is an NS for a domain or not. This transform gives you the ability to do this. Unlike the
'reverse MX lookup' the 'reverse NS lookup' does not always imply that the domains found have a close
relationship with the IP address as many companies and organizations outsource their DNS service.
Page 31
January 2011
Version 3.0
3.4.5 To Email address [From whois info]

This transform performs a recursive whois query on the IP address (obviously not the domain!) and parses the
output for email addresses. The idea with the transform is to provide the email address of the owner of the
network where this IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub
leased and that the whois information might not reflect this. This can easily lead to false positives. The whois
information itself is stored as a property of the IP address entity ('IP whois'). You should always manually
inspect this data to give context to results.
3.4.6 To Entities (NER) [Alchemy and OpenCalais] via whois

This transform obtains whois information of IP number and then parses it for entities using NER.
Page 32
January 2011
Version 3.0
3.4.7 To Geo location [whoisAPI]

This transform uses an API of Name Intelligence to provide the geographical location of the IP address. The
location has 3 levels of detail - these are comma separated. The first is the country, the second is the region and
the last is the city. Keep in mind that this level of detail is not always available. In fact - the API does not
guarantee that it will return any result - it's a case of best effort. We have also seen that this data can be
extremely misleading - where the location of the registrant (rather than the resource) was returned. For bulk
look ups you should consider getting your own API key.
Page 33
January 2011
Version 3.0
3.4.8 To Netblock [Blocks delegated to this IP as NS]

This transform queries Robtex's database to determine which networks have their reverse DNS delegated to
this IP address. This is a very useful transform in the infrastructure foot printing process. Keep in mind that the
IP address needs to that of a name server (that handles the reverse zones). In many cases this transforms
provides better information than simply looking at routing or whois information. This is because organizations
might have a full class B network but are only using three or four class C networks within the bigger block. In
many of these cases they will only have reverse DNS information populated for these smaller blocks - and you
can find these smaller blocks using this transform.
3.4.9 To Netblock [Natural boundaries]

This transform returns a netblock (IP range) by simply looking at the natural network boundary of the IP
address. The size of the network is determined by a transform setting ('Block size'). The size is set by default to
256 - meaning that the corresponding class C network will be returned. This size can be set to any power of
two - e.g. 1,2,4,8,16,32,64,128,256 etc. As this transform is not doing any lookups it is very fast and by setting
the block size small (making some assumptions) you can quickly get a rough idea of networks involved.
The transform can be set to ask for the network size by marking the property as a pop up:
Page 34
January 2011
Version 3.0
3.4.10 To Netblock [Using routing info]

This transform will determine what network (range of IP addresses) the IP number resides in by looking at
routing information on the Internet. This does not mean that the entire resulting network belongs to the owner
of the IP address (keep in mind that in many cases it might be hosted environment). See also the other
ToNetblock transform for making more precise estimations of network sizes and/or owners.
Page 35
January 2011
Version 3.0
3.4.11 To Netblock [Using whois info]

This transform determines the associated network (IP range) of an IP address by doing a recursive whois
lookup and parsing the resultant information. Keep in mind that in many cases smaller blocks of IP addresses
are sub leased and that the whois information might not reflect this. This can easily lead to false positives. The
whois information itself is stored as a property of the IP address entity ('IP whois'). You should always
manually inspect this data to give context to results.
Page 36
January 2011
Version 3.0
3.4.12 To Telephone Number [From whois info]

This transform performs a recursive whois query on the IP address and parses the output for telephone
numbers. The idea with the transform is to provide the phone number of the owner of the network where this
IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub leased and that the
whois information might not reflect this. This transform is useful when you have a list of networks and want to
see which ones belong to the same organization. The whois information itself is stored as a property of the IP
address entity ('IP whois'). You should always manually inspect this data to give context to results.
3.4.13 To Website where IP appears [using Search Engine]

This transform will search for the IP Address and show the sites where it occurs.
Page 37
January 2011
Version 3.0
Page 38
January 2011
3.5
Version 3.0
MX record (mail
record))
(mail exchange record
3.5.1 To Domain [DNS]

This transform
sform extracts the domain from a MX record entity. The domain in a DNS Name like 'mx.google.co.uk'
would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs
are really not that useful it is not returne
returned.
3.5.2 To Domains [Sharing this MX]

This transform is used on a MX record. It determines which other domains use this DNS Name as an MX record.
This is very useful in the infrastructure footprint of an organization as it ccan
an reveal other domains that the
organization uses. If company X's Domain all have MX records pointing to a single DNS name this transform can
find all (or most) of these domains.
Page 39
January 2011
Version 3.0

This transform resolves a MX record to an IP address using plain old DNS.
Page 40
January 2011
3.6
Version 3.0
DNS name server record

This transform extracts the domain from a NS record entity. The domain in a DNS Name like 'mx.google.co.uk'
would be 'google.co.uk'
le.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs
are really not that useful it is not returned.
3.6.2 To Domains [ Sharing this NS]

This transform runs on an NS record. It de
determines which other domains use this DNS Name as a name server.
This is very useful in the infrastructure footprint of an organisation as it can reveal other domains that the
organisation uses. If company X's Domains all have NS records pointing to a single DNS name this transform
Page 41
January 2011
Version 3.0
can find all (or most) of these domains. A word of caution - if the target is hosting its name servers at an ISP
then you will end up with a list of domains that hosted by the ISP - normally not the most exciting result.

This transform resolves a NS record to an IP address using plain old DNS.
3.6.4 To Netblock [Blocks delegated to this NS]

This transform works on NSrecords. It determines if the particular name server has any Netblock reverse DNS
delegated to it. This is useful for finding Netblock of an organization. What's interesting about the results of this
Page 42
January 2011
Version 3.0
etblock), but, in reality are only
transform is that an organization might have a class B network (a fairly large netblock),
using a couple of class Cs (smaller netblocks) within that block. In many cases they will only populate the
reverse DNS of these smaller blocks and delegate it to their name servers. The transform will show these
smaller blocks.
3.7
Netblock
3.7.1 To AS number
This transform determines the Autonomous System (AS) number of the supplied network. This is useful for
determining if two (or more)
ore) networks are related. If two networks are in the same AS (e.g. have the same AS
number) we can say they are at least loosely routed to the same destination. If the networks belong to an
organization (as opposed to belonging to an ISP that is splitting the network into smaller networks and leasing
them to clients) we get a good indication that both networks belong to the same organization.
Page 43
January 2011
Version 3.0
3.7.2 To DNS Names in netblock [Reverse DNS]

This transform will ask for all historical DNS records on file for the supplied network. It gets a bit messy - what
happens when you have a class B network? As such the providers have limitations. Robtex wont return reverse
DNS entries for networks larger than 2048 IPs (that's 4 class Cs) and Serversniff won't be impressed if you run
a block larger than a class B. Keep in mind that you need to adjust your slider accordingly (if your slider is on
the first notch and you reverse a class C you'll only get 12 entries back). Also - note that this information comes
from a database - so it might not always be up to date. The transform can take a while to run - so be patient. It
still beats doing it manually...
Page 44
January 2011
Version 3.0
3.7.3 To Entities (NER) [Alchemy and OpenCalais via whois

This transform obtains whois information of netblock (well the first IP in the block), then parses it for entities
using NER.
3.7.4 To Geo location

This transform takes the first IP number in the range and performs the 'IP address to Geo location' on it. The
transform uses an API of Name Intelligence to provide the geographical location of the IP address. The location
has 3 levels of detail - these are comma separated. The first is the country, the second is the region and the last
is the city. Keep in mind that this level of detail is not always available. In fact - the API does not guarantee that
it will return any result - it's a case of best effort. We have also seen that this data can be extremely misleading where the location of the registrant (rather than the resource) was returned. For bulk lookups you should
consider getting your own API key.
Page 45
January 2011
3.8
Version 3.0
URL
3.8.1 To Email Addresses [Found on web page]

This transform will connect to the website wher
wheree the URL (web page) is hosted, download the particular page /
URL and parse it for email addresses. Results are returned as email address entities. The transform is useful
when you are looking for results on a specific page, not an entire site.
Page 46
January 2011
Version 3.0
3.8.2 To Entities (NER) [OpenCalais and Alchemy API]

This transform performs NER (Named Entity Recognition) on the URL and extracts person names,
companies/organizations, phone numbers and locations from the text. If the URL points to a document, it will
try to convert to text and perform NER on the resultant text. Entities extracted are: location, persons name,
organization or company.
Page 47
January 2011
Version 3.0
3.8.3 To Phone number [Found on this web page]

This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and parse it for phone numbers. Results are returned as phone number entities. The transform is useful
when you are looking for results on a specific page, not an entire site.
Page 48
January 2011
Version 3.0
3.8.4 To URL [incoming links found to this web page]

This transform finds the incoming URLs to an URL by looking on a search engine.
Page 49
January 2011
Version 3.0
3.8.5 To Website [Convert]

This transform simply extracts that website's name from the URL. This is useful when you have a lot of URLs
(that came from other transforms) and need to see which URLs are on the same site.
3.8.6 To Website [Links on this web page]

This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and look for links from that page. Results are returned as websites entities with embedded URLs. The
transform is useful when you are looking for links on a specific page, not an entire site.
Page 50
January 2011
3.9
Version 3.0
Website
3.9.1 Mirror: Email addresses found

This transform will make a (partial) mirror of the web site and extract all email addresses found on the site.
The slider plays a big role in this transform as it set the time
time-out
out for the mirroring process. The higher (to the
right) the slider is set, the deeper the mirroring process will go, and hopefully, the more results you'll get. The
process runs via a caching server (that is local on the box) which means that you wont be doing the data
transfer to the site twice (if you run the transform again) - expect of course if the first round did not manage to
get the entire site. Also keep in mind that not all sites are mirror friendly. Flash base
based
d sites will give problems
Page 51
January 2011
Version 3.0
as will sites with exotic JavaScript menus and redirects. Email addresses that are obfuscated using nonstandard techniques will also not be picked up.
3.9.2 Mirror: External links found

This transform will make a (partial) mirror of the web site and extract all external links found on the site these will be returned as website entities. The slider plays a big role in this transform as it set the time-out for
the mirroring process. The higher (to the right) the slider is set, the deeper the mirroring process will go, and
hopefully, the more results you'll get. The process runs via a caching server (that is local on the box) which
means that you wont be doing the data transfer to the site twice (if you run the transform again) - expect of
course if the first round did not manage to get the entire site. Also keep in mind that not all sites are mirror
friendly. Flash based sites will give problems as will sites with exotic JavaScript menus and redirects.
3.9.3 To Domains [DNS]

This transform will return the domain of the supplied website. The transform will also return any sub domains
- all the way to the sub TLD. This means that if a web site with the name www.duh.moo.co.za is supplied the
transform will return the domains duh.moo.co.za and moo.co.za, but not co.za (sub TLD) or za (TLD).
Page 52
January 2011
Version 3.0

This is a very simple transform - it simply resolves the website's IP address.
3.9.5 To URLs [show Search Engine results]

When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email address, links or phone numbers.
Page 53
January 2011
Version 3.0
3.9.6 To Website [Incoming links to site]

The transforms queries search engines to determine what sites links to the supplied website. This is useful in
combination with 'To websites using Mirror' - which will give an idea of what goes into a site (e.g. links to the
site) and what comes out of a site (e.g. links from the site).
Page 54
January 2011
Version 3.0
3.9.7 To Website [Replace with thumbnail]

This transform will ask Thumbshot.org if it has a small image (thumbnail) of the site's front page and if so it
will change the entity's icon to it. This is useful when working with huge amounts of web sites that appear to
have the same branding - it gives the user the ability to quickly visually see which sites are branded in a similar
manner.
3.9.8 To Website title

This transform will return the title of the site's front page as a web title entity. It will do it's best to follow
JavaScript redirects, 302 redirects and others until it ends on a page with a title. Of course it cannot extract
titles for ALL websites - some do not have titles, are Flash based or performs some exotic Javascripting. The
transform is useful when dealing with loads of web sites that appear to belong to the same organization.
Running this transform and looking at web site titles that match (or simply using Find and looking for
keywords) makes it easy to find and group sites.
Page 55
January 2011
Version 3.0
Page 56
January 2011
Personal
4.1
Document
Version 3.0
4.1.1 Parse meta information

This transform downloads the document at the specified URL and extracts the meta information from it.
Maltego tries to map the meta data to Person, Phrase and EmailAddress, but in some cases the information is
not correctly populated within the document itself. Visual inspection of the resultant entities are
ar advised. The
following fields are extracted from the document:
Company->Phrase
Creator->Phrase
Keywords->Phrase
Author->Person
LastSavedBy->Person
AuthorEmail->Email address
AuthorEmailDisplayName->Email
>Email address
Page 57
January 2011
Version 3.0
4.1.2 To URL [Show SE results]

Page 58
January 2011
4.2
Version 3.0
Email

This transform will simply return the domain of the email address - e.g. if the input is kosie@kramer.com it will
return kramer.com. This is useful when you have a lot of email addresses and what to see which ones are
located in the same domain.
4.2.2 To Email Addresses [PGP (signed)]

This transform contacts a public PGP keyserver aand
nd retrieves the email addresses of signers for the given
address.
Page 59
January 2011
Version 3.0
4.2.3 To Email Addresses [PGP]

This transform will query one of the public PGP key server and will return other email addresses that uses the
same public key. This is very useful to find alternative email addresses for an individual. Keep in mind that this
information might be outdated.
4.2.4 To Email Addresses [using Search Engine]

This transform will search for the email address and show related email addresses.
Page 60
January 2011
Version 3.0
4.2.5 To Person [PGP]

Most email addresses map 1:1 to a person. Unlike the 'Email address from Name using PGP' this transforms
gives you a clear indication of who the email address belongs to. The transform queries a public PGP key server
to obtain this information.
4.2.6 To Phone number [using Search Engine]

This transform will search for the given email address and show the related telephone numbers.
Page 61
January 2011
Version 3.0
4.2.7 To URLs [Show search engine results]


This transform will search for the email address and shows the sites where it occurs.
Page 62
January 2011
Version 3.0
4.2.9 Verify email address exists [SMTP]

Verify Email address must first be activated in Transform Manager by accepting disclaimer. This transform
verifies that an email address really exists. It's one of the more interesting transforms. It works as follows - as a
start the transform finds the right MX (mail server) record for the domain. It then connects to port 25 (SMTP)
of the host. The transforms starts the normal SMTP conversation - it issues a HELO (paterva.com) and a MAIL
FROM (harmlessverificationofaddress@paterva.com) SMTP commands. Before testing for the supplied email
address it issues a RCPT TO with an email address that does not exist (it tests for thisisreallynothere@domain).
If the error message indicates that the address is not there the transform knows that it can test for the supplied
email address. If no error is returned during this 'baseline' test the transform returns 'Inconclusive'.
The transform does not return new entities as a result - it returns the same entity but it adds a label to the
supplied email address indicating if it could verify it. Note that not all mail servers allow you to verify
addresses in this way. Because this transform transacts with the mail server (and this is not considered very
passive) this transform contains a disclaimer that explains the situation.
Page 63
January 2011
4.3
Version 3.0
Person
4.3.1 To Email Address [PGP]

This transform queries a public PGP key server to see if the person's name eexists
xists in the key database. It returns
entries as email address entities. Some things to keep in mind - if the name is very common (John Smith) you
are going to get a lot of false positives. Also - the information kept in the database might be out of date. This
transform is useful to get long forgotten email addresses for people with an unique name / surname
combination.
Page 64
January 2011
Version 3.0
4.3.2 To Email Address [Verify common]

This transform will test on common free mail provider for combinations of the person's name. This transform
only works with mail servers that will report failed recipients with a 550 code and verified recipients with a
250 code. Not all mail servers do this - as example Yahoo does not! Also note that this transform makes a TCP
connection to the given entity's MX record!
This transforms uses the techniques used in the EmailAddressToEmailAddress Verify transform. Since this
gives us the ability to verify if an email address exists we can expand the idea to test for combinations of first
name / last name on popular email providers - like Gmail and Hotmail. The providers (domains) where the
transform test is configurable - e.g. you can add/remove domains be changing the 'Domains to check'
additional transform setting. There is one difficulty here - not all mail servers falls for the verification trick. As
such you cannot randomly add domains here - be sure to test if email addresses can be verified using the
verification transform first.
Page 65
January 2011
Version 3.0
4.3.3 To Email Address [using Search Engine]

This transform searches for the person's most likely email address.
Page 66
January 2011
Version 3.0
4.3.4 To Person [PGP (signed)]

This transform queries a public PGP key server and asks the question 'show me the names of persons that the
owner of the supplied email address have signed'. This is useful for determining trust relationships between
people. The transform shows you these people communicated encrypted (or at least exchanged keys). Keep in
mind that the information in the database could be outdated.
4.3.5 To Phone Number [using Search Engine]

This transform searches for the person's associated telephone numbers.
Page 67
January 2011
Version 3.0

This transform shows sites where various permutations of the person's name was found. Youll see a pop up
asking for a Domain or TLD and an additional search term.
Page 68
January 2011
Version 3.0
Page 69
January 2011
4.4
Version 3.0
Phone Number
4.4.1 To Email Address [using Search Engine]

This transform searches for the telephone number and returns related email addresses.
4.4.2 To Phone Number [using Search Engine]

This transform searches for the telephone number and ret
returns
urns related email addresses.
Page 70
January 2011
Version 3.0
4.4.3 To URL [Show Search Engine results]

This transform just dumps the URLs collected from the search engine. When running any of the search engine
transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This
transform generates separate URL type entities from each result. This allows you to now perform transforms
on each URL - like mining for email address, links or phone numbers.
Page 71
January 2011
Version 3.0

This transform searches for the telephone number and returns related sites.
4.5
Phrase
4.5.1 To Email Addresses [using Search Engine]

This transform will search for the phrase
hrase and show related email addresses.
Page 72
January 2011
Version 3.0
4.5.2 To Entities (NER) [Alchemy and OpenCalais]

The transform actually packages a set of smaller transforms - all in one. It searches for the entered keyphrase,
extracts all URLs from the results, then 'visits' each page and performs NER (Named Entity Recognition) on
each page. For this reason the transform can take quite a while to finish and is very resource intensive. The
result is the top list of people, places, email addresses, company/organization names (as phrases) associated
Page 73
January 2011

with the phrase.
Version 3.0
4.5.3 To Files (Interesting) [using Search Engine]

This transform will search for the given phrase and show interesting files containing the term. As with the
Domain to Files transform the priority of file types can be configured.
Page 74
January 2011
Version 3.0
4.5.4 To Files (Office) [using Search Engine]

This transform will search for the given phrase and show documents (Office[tm]) containing the term. As with
the Domain to Files transform the priority of file types can be configured.
Page 75
January 2011
Version 3.0
4.5.5 To Telephone numbers [using Search Engine]

This transform will search for the phrase and shows the related telephone numbers.
Page 76
January 2011
Version 3.0
4.5.6 To Tweets [Search Twitter]

This transform will search Twitter for the supplied phrase. The transform returns Tweets that contains the
phrase. From these entities you can dig deeper - e.g. looking who wrote it, and what URLs it contains. To search
for more than one word put the phrase in quotes. E.g "economic gardening".
Page 77
January 2011
Version 3.0

This transform will search for the given phrase and show the sites where the phrase occurs. This is basically
the same as searching for the phrase on a search engine.
Page 78
January 2011
Version 3.0
4.5.8 To related phrase

This transform will search for the phrase on the configured search engine and return a list of keywords found.
The keywords are related to the search term. You can use the transform to get a quick idea of what the search
term is about - like scanning the first couple of pages of a search engine result by hand. The '!Q&D!' part of the
transform description is really for 'Quick and Dirty' - meaning that no scientific approach was used to get the
results (it's more a try, try, try again approach). The transform was actually experimental at first, but since it
sometimes gives interesting results we kept it in.
Page 79
January 2011
4.6
Version 3.0
Twit
4.6.1 To Twitter Affiliation [Convert]

This transform will convert a Twit to a Twitter Affiliation entity by simply converting it.
4.6.2 To URL(s) [Found in these Tweets]

This transform will try to mine URL from T
Tweets,
s, also expanding the tiny URLs where possible.
Page 80
January 2011
Version 3.0
Page 81
January 2011
4.7
Version 3.0
Affiliation Twitter
4.7.1 To AffTwitter [Get details of ID holder]

This transform will find detail about the Twitter entity.
4.7.2 To AffTwitter
fTwitter [This person received Tweets from ?]
This transform will find people that wrote Tweets TO the selected person.
Page 82
January 2011
Version 3.0
4.7.3 To AffTwitter [This person wrote Tweets to ?]

This transform people that the selected person wrote Tweets TO.
Page 83
January 2011
Version 3.0
4.7.4 To Person [Convert]

This transform will convert the Affiliation to a person, with the alias in the 'additional' field.
4.7.5 To Tweets [That this person wrote]

This transform will find more Twitter posts from the same user.
Page 84
January 2011
Version 3.0
4.7.6 To Tweets [Written to this person]

This transform will find Tweets from other people to the selected author.
4.7.7 To followers of this person

This transform will find followers of the selected person.
Page 85
January 2011
Version 3.0
4.7.8 To friends of this person

This transform will find friends of the selected person.
Page 86
January 2011
Version 3.0
Page 87
January 2011
Version 3.0
Maltego 3 Client Transforms - Overview

Overview
Along with the standard entities there are various transforms that can be used and that come
preconfigured with Maltego. This section provides an overview of these standard transforms.
5.1
Infrastructure
5.1.1 Internet Autonomous System (AS)
1. ASNumberToNetblocks_Robtex. This transform shows which routes are located within an AS number by
looking it up on RobTex (www.robtex.com).
5.1.2 Domain Name System server name
1. DNSNameToDomain_DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and
SLD.
2. DNSNameTOIPAddress_DNS. This transform resolves a DNS name to an IP address using plain old DNS.
3. DNSNameTOWebsite_QueryPorts. This transform determines if a DNS Name is a Web Site by checking for
responsive HTTP(s) ports. This version only checks port 80.
Page 88
January 2011
Version 3.0
5.1.3 Internet Domain
1. DomainToMXrecord_DNS. This transform will find the MX records (mail servers) of a domain.
2. DomainToNSrecord_DNS. This transform will find the NS records (name servers) of a domain.
3. DomainToDNSName_ZT. This transform will attempt to perform a zone transfer a returns A and Cname
records - done via Serversniff (www.serversniff.de).
4. DomainToDNSName_DNSBrute. This transform will try to discover various common DNS Names in a
domain.
5. DomainToDNSName NameSchema. This transform will attempt to determine the naming schema of the
domain - e.g. Lords of the Rings, Planets, Trees etc.
6. DomainToDomain_TLD. This transform will try to find domains with different TLDs by looking it up at
ServerSniff (www.serversniff.de).
7. DomainToEmailAddress Whois. This transform obtains whois information of the IP number, then parses it
for email addresses.
8. DomainToEmailAddress PGP. This transform contacts a public PGP keyserver and retrieves email
addresses containing the given domain.
9. Search Engine. This transform searches for the domain and shows related email addresses.
10. Search Engine. This transform will search for email addresses containing the domain name.
1. DomainToEntities Whois NER. This transform obtains whois information of the domain then parses it for
entities using NER.
2. Search Engine. This transform will search for the locations of interesting files hosted on web sites inside the
domain.
3. Search Engine. This transform will search for the locations of interesting documents (think Office[tm])
hosted on web sites inside the domain.
4. DomainToPerson PGP. This transform contacts a public PGP key server and returns Person Entities with
email addresses that are located within the given domain.
5. Search Engine. This transform will search for the given domain and shows the related phone numbers.
6. DomainToPhone Whois. This transforms obtains whois information of the given domain, then parses it for
telephone numbers.
7. Search Engine. This transform will query a search engine for websites and return them as website entities.
Page 89
January 2011
Version 3.0
8. DomainToWebsite DNS. This transform will quickly see if there is a www.DOMAIN entry. Useful when used
in bulk.
9. Search Engine. This transform will search for the domain name and then show the web sites where the
domain name occurs.
5.1.4 IP version 4 address
1. IPAddressToDNSName SharedIP. This transform performs a reverse lookup on an IPAddress (typically

belonging to a web site) by looking it up on ServerSniff and Robtex.
2. IPAddressToDNSName DNS. This transform reverse resolves an IP address to a DNS name using plain old
DNS.
3. IPAddressToDomain SharedMX. This transform performs lookups on both ServerSniff and RobTex to see
which domains share the same IP number as a MX record.
4. IPAddressToDomain SharedNS. This transform performs lookups on both ServerSniff and RobTex to see
which domains share the same IP number as a NS record.
5. IPAddressToEmailAddress Whois. This transform obtains whois information of IP number, then parses it
for email addresses.
6. IPAddressToEntities Whois NER. This transform obtains whois information of IP number, then parses it for
entities using NER.
7. IPAddressToLocation WhoisAPI. This transforms comes preconfigured with an API key which has limited
use per day. Please consider getting your own API key at http://xml-api.domaintools.com/ .
8. IPAddressToNetblock NS4block. This transform will contact Robtex and determine if the IP number has
any reverse DNS netblocks has been delegated to it.
9. IPAddressToNetblock Cuts. This transform will carve a netblock from an IP - counting a certain number of
IPs up and down.
10. IPAddressToNetblock SS. This transform determines the network block that an IP address belong to by
looking ar routing tables at ServerSniff.
1. IPAddressToNetblock Whois. This transform will get the netblock via the whois service
(ARIN/APNIC/LACNIC/AFRINIC/RIPE).
2. IPAddressToPhone Whois. Transforms obtains whois information of IP number, then parses it for telephone
numbers.
3. Search Engine. This transform will search for the IP Address and show the sites where it occurs.
Page 90
January 2011
Version 3.0
5.1.5 Location on mother earth
There are no transforms included by default that can be run on a location. Some transforms may however return a
location as a result.
5.1.6 DNS mail exchange record
1. MXrecordToDomain DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and
SLD.
2. MXrecordToDomain SharedMX. This transform determines which other domains uses the same DNS name
as MX record by looking it up on ServerSniff and RobTex.
3. MXrecordToIPAddress_DNS. This transform resolves a MX record to an IP address using plain old DNS.
5.1.7 DNS name server record
Page 91
January 2011
Version 3.0
1. NSrecordToDomain DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and
SLD.
2. NSrecordToDomain SharedNS. NS record by looking it up on ServerSniff and RobTex. As byproduct you'll
also get netblocks for which this nameserver is primary server - where applicable.
3. NSrecordToIPAddress_DNS. This transform resolves a NS record to an IP address using plain old DNS .
4. NSrecordToNetblock_NS4block.This transform will contact Robtex and determine if the NS record has any
(reverse) DNS netblocks delegated to it.
5.1.8 Netblock
1. NetblockToAS SS. This transforms determines the AS number of the netblock by looking it up at ServerSniff .
2. NetblockToDNSName SS. This transform contacts ServerSniff and Robtex and asks it for DNS Names it found
in the given netblock.
3. NetblockToEntities NER Whois. This transform obtains whois information of netblock (well the first IP in
the block), then parses it for entities using NER.
4. NetblockToLocation SS.This transforms determines the country location of the netblock.
5.1.9 URL
1.
2.
3.
4.
5.
6.
URLToEmail Parse. This transform finds the email addresses on the URL.
URLToPerson NLP. This transform uses Natural Language Processing (NLP/NER) to extract entities.
URLToPhoneNumber Parse. This transform finds the phone numbers on the URL
URLToURL IncomingLinks. This transform finds the incoming URLs to an URL by looking on a search engine.
URLToWebsite Convert. This transform converts an URL to a website.
URLToWebsite Parse. This transform looks for outgoing links on the URL and show them as websites.
Page 92
January 2011
Version 3.0
5.1.10 Website
1. WebsiteToEmailAddress Mirror. This transform uses Gary's Ruby website mirror to spider the site and
extract email addresses.
2. WebsiteToWebsite Mirror. This transform uses Gary's Ruby website mirror to spider the site and extract
links.
3. WebsiteToDomain DNS. This transform extracts all the domains from a website - it excludes TLDs and SLD.
4. WebsiteToIPAddress DNS.This transform resolves a Website to an IP address using plain old DNS.
5. WebsiteToURL Expand. This transform just dumps the URLs collected from a search engine.
6. WebsiteToWebsite Incominglinks.This transform finds the incoming links to a website by looking for
incoming links on a search engine.
7. WebsiteToWebsite Thumb. This transform gets a thumbnail of the website using Thumbshot.org
8. WebsiteToWebTitle Mech. This transform will attempt to get the title of the website. It tries to follow all
redirects.
5.2
Personal
5.2.1 Document
1. DocumentToPersonEmail_Meta. This transform extracts the meta information from the document and then
parses it for username (persons) and/or email addresses.
2. DocumentToURL Dump. This transform just dumps the URL of the Document for further use.
Page 93
January 2011
Version 3.0
5.2.2 Email
1. EmailAddressToDomain DNS. This transform will remove the part in front of the @ sign of the given
address.
2. EmailAddressToEmailAddress SignedPGP. This transform contacts a public PGP keyserver and retrieves
the email addresses of signers for the given address.
3. EmailAddressToEmailAddress SamePGP. This transform contacts a public PGP keyserver and retrieves
alternative email addresses for the given address.
4. Search Engine. This transform will search for the email address and show related email addresses.
5. EmailAddressToPerson Same PGP. This transform contacts a public PGP keyserver and retrieves the
person's name for the given address.
6. Search Engine. This transform will search for the given email address and show the related telephone
numbers.
7. EmailAddressToAff Rapleaf. (Removed).
8. EmailAddressToURL Expand. This transform just dumps the URLs collected from the search engine.
9. Search Engine. This transform will search for the email address and shows the sites where it occurs.
10. EmailAddressToEmailAddress Verify. This transform simply connects to the relevant mail server and
checks to see if the email address exists. The results are passed back in the same entity - as a label.
5.2.3 Person
1. PersonToAff Spock. (Removed)

2. PersonToEmailAddress SamePGP. This transform contacts a public PGP keyserver and retrieves the
person's email address - if it exists.
3. PersonToEmailAddress Common. This transform will test on common free mail provider for combinations
of the person's name. This transform only works with mail servers that will report failed recipients with a
550 code and verified recipients with a 250 code. Not all mail servers do this - as example Yahoo does not!
Also note that this transform makes a TCP connection to the given entity's MX record!
Page 94
January 2011
Version 3.0
4. Search Engine. This transform searches for the person's most likely email address.
5. PersonToPerson PGP. This transform contacts a public PGP keyserver and returns the names of people that
signed the given person's key.
6. Search Engine. This transform searches for the person's associated telephone numbers.
7. Search Engine. This transform shows sites where various permutations of the person's name was found.
5.2.4 Phone Number
1.
2.
3.
4.
Search Engine. This transform searches for the telephone number and returns related email addresses.
Search Engine. This transform searches for the telephone number and returns related phone numbers.
PhoneNumberToURL Expand. This transform just dumps the URLs collected from the search engine.
Search Engine. This transform searches for the telephone number and returns related sites.
5.2.5 Phrase
1. Search Engine. This transform will search for the phrase and show related email addresses.
2. PhraseToPhrase OpenCalais. Looking for entities in the actual document.
3. Search Engine. This transform will search for the given phrase and show interesting files containing the
term.
4. Search Engine. This transform will search for the given phrase and show documents (Office[tm]) containing
the term.
5. (Removed).
6. Search Engine. This transform will search for the phrase and shows the related telelphone numbers.
7. PhraseToTwit Search. This transform will search Twitter for a phrase and shows relevant entries.
8. Search Engine. This transform will search for the given phrase and show the sites where the phrase occurs.
9. PhraseToPhrase RT. Looking for key phrases.
Page 95
January 2011
Version 3.0
5.2.6 Twit
1. TwitToPerson Parse. This transform will convert a Twit to a Twitter Affiliation entity by simply converting
it.
2. TwitToURL Expand. TThis transform will try to mine URL from Tweets, also expanding the tiny URLs.
5.2.7 Affiliation Facebook
There are no transforms included by default that can be run on Affiliation - Facebook. Some transforms may
however return an Affiliation - Facebook as a result.
5.2.8 Affiliation LinkedIn
There are no transforms included by default that can be run on Affiliation - LinkedIn. Some transforms may
however return an Affiliation - LinkedIn as a result.
Page 96
January 2011
Version 3.0
5.2.9 Affiliation Twitter
1. AffTwitterToAffTwitter GetDetail. This transform will find detail about the Twitter entity.
2. AffTwitterToAffTwitter RecFrom. This transform will find people that wrote Tweets TO the selected
person.
3. AffTwitterToAffTwitter WritesTo. This transform people that the selected person wrote Tweets TO.
4. AffTwitterToPerson. This transform will convert the Affiliation to a person, with the alias in the
'addditional' field.
5. AffTwitterToTwit Sameperson. This transform will find more Twitter posts from the same user.
6. AffTwitterToTwit OtherAuthors. This transform will find Tweets to other people from the selected author.
7. AffTwitterToAffTwitter Followers. This transform will find followers of the selected person.
8. AffTwitterToAffTwitter Friends. This transform will find friends of the selected person.
Page 97

M3GuideTransforms PDF

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

M3GuideTransforms PDF

Uploaded by

Copyright:

Available Formats

PATERVA

Maltego 3 User Guide - Transforms

Search engine transforms ........................................................................................................................................... 8

General notes when using search engine transforms ........................................................................................................... 8

Problems with parsing results........................................................................................................................................................ 9

Internet Autonomous System (AS) .............................................................................................................................................10

To Netblocks in this AS [Robtex]........................................................................................................................................10

NS (Name Server) ..............................................................................................................................................................................11

To Domains [DNS] ....................................................................................................................................................................11

To IP Address [DNS] ................................................................................................................................................................11

To Web site [Query port 80] ................................................................................................................................................12

To MX (mail server) [DNS] ...................................................................................................................................................13

To NS (name server) [DNS] ..................................................................................................................................................14

To DNS Name [Attempt zone transfer]............................................................................................................................15

To DNS Name [Find common DNS names] ....................................................................................................................16

To DNS Name [Name Schema] ............................................................................................................................................17

To Domain [Find other TLDs] .............................................................................................................................................18

To Email address [From whois info] ................................................................................................................................19

To Email addresses [PGP] .....................................................................................................................................................20

To Email addresses [using Search Engine] ....................................................................................................................20

To Emails @domain [using Search Engine]...................................................................................................................21

To Entities (NER) [Alchemy and OpenCalais] via whois ..........................................................................................22

To Files (Interesting) [using Search Engine] ................................................................................................................22

To Files (Office) [using Search Engine] ...........................................................................................................................23

To Person [PGP] ........................................................................................................................................................................24

To Phone Numbers [using Search Engine] ....................................................................................................................25

To Phone numbers [From whois info].............................................................................................................................26

To Website DNS [using Search Engine] ...........................................................................................................................26

To Website [Quick lookup] ...................................................................................................................................................27

To Website [using Search Engine].....................................................................................................................................27

Maltego Transforms a reference guide

To DNS Name [Other DNS names].....................................................................................................................................29

To DNS Name [Reverse DNS] ..............................................................................................................................................30

To Domain [Sharing this MX] ..............................................................................................................................................30

To Domain [Sharing this NS] ...............................................................................................................................................31

To Email address [From whois info] ................................................................................................................................32

To Entities (NER) [Alchemy and OpenCalais] via whois ..........................................................................................32

To Geo location [whoisAPI] ..................................................................................................................................................33

To Netblock [Blocks delegated to this IP as NS] ..........................................................................................................34

To Netblock [Natural boundaries] ....................................................................................................................................34

To Netblock [Using routing info] .......................................................................................................................................35

To Netblock [Using whois info] ..........................................................................................................................................36

To Telephone Number [From whois info] .....................................................................................................................37

To Website where IP appears [using Search Engine]................................................................................................37

MX record (mail exchange record) .............................................................................................................................................39

To Domain [DNS] ......................................................................................................................................................................39

To Domains [Sharing this MX] ...........................................................................................................................................39

To IP Address [DNS] ................................................................................................................................................................40

DNS name server record .................................................................................................................................................................41

To Domain [DNS] ......................................................................................................................................................................41

To Domains [ Sharing this NS] ............................................................................................................................................41

To IP Address [DNS] ................................................................................................................................................................42

To Netblock [Blocks delegated to this NS] .....................................................................................................................42

To DNS Names in netblock [Reverse DNS] ....................................................................................................................44

To Entities (NER) [Alchemy and OpenCalais via whois............................................................................................45

To Geo location ..........................................................................................................................................................................45

To Email Addresses [Found on web page].....................................................................................................................46

To Entities (NER) [OpenCalais and Alchemy API] ......................................................................................................47

To Phone number [Found on this web page]................................................................................................................48

To URL [incoming links found to this web page] ........................................................................................................49

Maltego Transforms a reference guide

Mirror: Email addresses found ...........................................................................................................................................51