Maltego: OSINT Link Analysis & Footprinting for Pentesters

In modern OSINT (Open-Source Intelligence) and penetration testing, the ability to connect scattered data (domains, IPs, emails, social profiles, document metadata) into a single graph is decisive. Maltego is one of the most widely used tools for exactly this kind of work: link analysis and visual mapping of relationships between entities. In this article we explore what Maltego is, where it fits in the recon methodology, and how to take the first practical steps inside an authorized lab.

Legal & ethical scope: OSINT is restricted to publicly accessible sources. Collecting or processing personal data falls under the GDPR (Regulation 2016/679) in the EU and equivalent privacy statutes elsewhere. Use Maltego only against targets covered by written authorization (penetration test or red team engagement) or against laboratory scenarios with placeholder domains.

What OSINT is and why it matters

OSINT (Open-Source Intelligence) is the systematic collection and analysis of information from publicly available sources: search engines, social media, code repositories (GitHub, GitLab), DNS records, certificate transparency logs, corporate registries, publicly archived data breaches, and so on. In penetration testing it sits in the passive reconnaissance phase and maps to MITRE ATT&CK TA0043 — Reconnaissance.

The value of OSINT for a pentester or blue-team analyst:

  • Attack surface mapping: reveals subdomains, IPs, exposed services, and forgotten assets of an organization.
  • Threat intelligence: correlation of IOCs (Indicators of Compromise), phishing infrastructure, and malicious domains.
  • Compliance & due diligence: audits an organization’s digital footprint and detects credentials accidentally exposed in public repositories.
  • Social engineering risk assessment: maps publicly available information about employees — for awareness training, not for attack.

What Maltego is

Maltego (originally Paterva, now Maltego Technologies) is a link-analysis platform that turns abstract data into graphs of entities and relationships. The core concept revolves around three primitives:

  • Entity: a single data point (domain, email, person, phone, IP, organization, document).
  • Transform: a query or lookup that takes an entity as input and returns related entities (for example, example.com to its subdomains).
  • Graph: the canvas where everything is connected visually and patterns that would be invisible in a spreadsheet become obvious.

Editions

  • Maltego Community Edition (CE): Free (a registered account is required); each transform returns at most 12 results. Ideal for training and small cases.
  • Maltego Pro / Enterprise: Commercial editions with full access to the commercial Transform Hub items (Shodan, Have I Been Pwned, VirusTotal, and more) and without the result cap.

Installation on Kali Linux

On Kali Linux and Parrot OS, Maltego comes pre-installed. Otherwise:

sudo apt update
sudo apt install -y maltego
# or download the .deb / AppImage from:
# https://www.maltego.com/downloads/

Start it with:

maltego &

On the first run, Maltego will ask for a free account. Choose Community Edition for training use.

Core graph concepts

Element          Description
Entity Palette   Left-hand panel containing every available entity type (Domain, Person, Phone, MX Record, and so on).
Transform Hub    Marketplace where you activate modules (Have I Been Pwned, Shodan, ThreatCrowd, Censys, and others).
Run Transform    Right-click on an entity, choose a transform, execute the query.
Machines         Automated transform chains for repeatable workflows.

Practical example: footprinting example.com

The following walks through a complete footprinting workflow against the placeholder domain example.com (reserved for examples by RFC 2606). In a real engagement, replace it with your authorized target.

  1. New graph: File → New.
  2. Drag a Domain entity from the Entity Palette onto the canvas. Double-click it and set the value to example.com.
  3. Right-click → All Transforms → the To DNS Name transforms for MX, NS and SOA. These return the mail servers, the name servers, and the primary name server from the SOA record.
  4. From the domain entity → To Website [Quick lookup] → returns the HTTP server and basic metadata.
  5. Back on the Domain entity, run the subdomain-discovery transforms: the DNS-name enumeration transforms from the standard set, or the Shodan/Censys transforms if you hold an API key. Each hit arrives as a DNS Name entity.
  6. From each DNS Name entity → To IP Address [DNS] for the forward resolution (name to IP).
  7. From each IP → To Netblock and To AS Number to map the ASN and hosting provider.

Within a few minutes you have a graph with dozens of nodes showing the infrastructure of an organization — all sourced from public data.
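The same seven-step pivot chain, written as a small Python script so you can cross-check what the Maltego graph shows from the command line (the "cross-check with another source" advice later in this article). This is an added example for this article, not Maltego code. It keeps the pivots (domain → MX/NS/SOA hosts → A records → netblock) as edges of an in-memory graph; the resolver is injectable, so the demonstration below runs against a constructed answer table for the placeholder domain, while the live path uses dnspython (an assumption: install it with pip install dnspython). The netblock step is only a rough /24 grouping; Maltego's To Netblock and To AS Number transforms consult registry and routing data, which this script does not.

```python
from __future__ import annotations

import ipaddress
from typing import Callable, List

# A resolver is any callable (name, rrtype) -> list of record values, so the
# pipeline can run against a constructed table offline or against live DNS.
Resolver = Callable[[str, str], List[str]]

# Constructed answers for the placeholder domain (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges); not real example.com data.
FAKE_ZONE = {
    ("example.com", "MX"):  ["mail.example.com"],
    ("example.com", "NS"):  ["ns1.example.com", "ns2.example.com"],
    ("example.com", "SOA"): ["ns1.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("ns1.example.com", "A"):  ["192.0.2.53"],
    ("ns2.example.com", "A"):  ["198.51.100.53"],
    ("www.example.com", "A"):  ["192.0.2.80"],
}


def fake_resolver(name: str, rrtype: str) -> list[str]:
    """Offline resolver backed by the constructed table above."""
    return FAKE_ZONE.get((name, rrtype), [])


def live_resolver(name: str, rrtype: str) -> list[str]:
    """Real lookups with dnspython, imported lazily so the offline path has
    no third-party dependency. Use only against authorized targets."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(name, rrtype)
    except Exception:          # NXDOMAIN, NoAnswer, timeout: treat as no records
        return []
    if rrtype == "MX":
        return [str(r.exchange).rstrip(".") for r in answers]
    if rrtype == "NS":
        return [str(r.target).rstrip(".") for r in answers]
    if rrtype == "SOA":
        return [str(r.mname).rstrip(".") for r in answers]
    return [r.address for r in answers]


def footprint(domain: str, subdomains: list[str], resolve: Resolver) -> set[tuple[str, str, str]]:
    """Return (source, relation, target) edges: the same pivots the Maltego
    graph shows, domain -> MX/NS/SOA hosts -> A records -> netblock."""
    edges: set[tuple[str, str, str]] = set()
    names: set[str] = set(subdomains)
    for rr in ("MX", "NS", "SOA"):                 # step 3: infrastructure hosts
        for host in resolve(domain, rr):
            edges.add((domain, rr, host))
            names.add(host)
    for host in sorted(names):                     # step 6: forward resolution
        for ip in resolve(host, "A"):
            edges.add((host, "A", ip))
            # step 7, roughly: group by /24 as a stand-in for To Netblock.
            # Real netblock and AS mapping needs a WHOIS/BGP source, which is
            # left to Maltego's own transforms here.
            block = ipaddress.ip_network(f"{ip}/24", strict=False)
            edges.add((ip, "NETBLOCK", str(block)))
    return edges


if __name__ == "__main__":
    for edge in sorted(footprint("example.com", ["www.example.com"], fake_resolver)):
        print(" -> ".join(edge))
```

Swap fake_resolver for live_resolver to run it for real; the edge set is what you compare against the nodes on the canvas, and any host present in one but not the other is the stale record to investigate.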

Complementary CLI workflow

Maltego is the command center, but it is frequently fed by CLI tools. Example:

# Subdomain enumeration with amass (lab / authorized engagements only)
amass enum -passive -d example.com -o subs.txt

# Import subs.txt into Maltego (paste the names onto the canvas, or use the
# table import) for a unified, visual representation
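Before the list goes onto the canvas it is worth normalising it, keeping only names inside the authorized scope, and recording which tool reported each name (the cross-validation point made in the best practices below). The following script is an added example for this article, not part of Maltego, amass or theHarvester. The two input lists are constructed to show the edge cases real output contains: wildcards, trailing dots, mixed case, and look-alike names such as notexample.com that a naive suffix check would accept. The entity_type column and the mapping to maltego.Domain / maltego.DNSName are an assumption about how you will map columns in Maltego's import wizard.

```python
from __future__ import annotations

import csv
import io

# Constructed sample output of two tools run against the authorized scope
# example.com. A real run would read subs.txt written by
# `amass enum -passive -d example.com -o subs.txt` and theHarvester's host list.
AMASS_OUTPUT = """\
www.example.com
Mail.example.com.
*.dev.example.com
example.com.attacker.net
notexample.com
api.example.com
"""
HARVESTER_OUTPUT = """\
api.example.com
vpn.example.com
www.EXAMPLE.com
"""


def normalise(raw: str) -> str:
    """Lower-case, drop the root dot and any leading wildcard labels."""
    name = raw.strip().lower().rstrip(".")
    while name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, scope: set[str]) -> bool:
    """Accept an authorized apex or a subdomain of one, checked on a label
    boundary. Plain substring matching would wrongly accept notexample.com
    and example.com.attacker.net; both are rejected here."""
    return any(name == apex or name.endswith("." + apex) for apex in scope)


def merge(sources: dict[str, str], scope: set[str]) -> dict[str, set[str]]:
    """Map every in-scope name to the set of tools that reported it, so a name
    seen by two independent sources can be told apart from a single-tool hit."""
    seen: dict[str, set[str]] = {}
    for tool, text in sources.items():
        for line in text.splitlines():
            name = normalise(line)
            if name and in_scope(name, scope):
                seen.setdefault(name, set()).add(tool)
    return seen


def to_csv(seen: dict[str, set[str]], scope: set[str]) -> str:
    """CSV for Maltego's table import. Assumption: apex names are mapped to
    maltego.Domain in the import wizard, everything else to maltego.DNSName."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["entity_type", "value", "sources"])
    for name in sorted(seen):
        entity_type = "maltego.Domain" if name in scope else "maltego.DNSName"
        writer.writerow([entity_type, name, ";".join(sorted(seen[name]))])
    return buf.getvalue()


if __name__ == "__main__":
    scope = {"example.com"}
    seen = merge({"amass": AMASS_OUTPUT, "theHarvester": HARVESTER_OUTPUT}, scope)
    print(to_csv(seen, scope))
```

The sources column is the useful part once the graph is built: a host reported by both tools deserves less scepticism than one reported by a single passive source, and the out-of-scope names never reach the canvas in the first place.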

Useful transforms for pentesters

  • Have I Been Pwned (HIBP): Checks whether the organization’s emails appear in known data breaches.
  • Shodan: Banner grabbing and discovery of exposed services on IPs or netblocks.
  • Censys: Certificate search (including CT-logged certificates) and TLS/service fingerprinting.
  • WhoisXML: Historical WHOIS records and registrant information.
  • VirusTotal: Correlation of domains with malware samples.
  • SocialNet (Maltego): Profile pivoting across social media (premium).

Common mistakes

  • Ignoring Terms of Service: Many transforms rely on APIs with strict rate limits. Always respect the terms.
  • Out-of-scope assets: Maltego will routinely surface subdomains or IPs that may not belong to your authorized scope — confirm ownership before any active testing.
  • Personal data: Collecting employee emails or phone numbers falls under GDPR (and other privacy laws). Keep data minimization in mind and retain only what is necessary, for only as long as it is needed.
  • Over-reliance on the data: Records can be stale (DNS cache, outdated WHOIS). Always cross-check with at least one other source.

Defensive / Blue team perspective

The same tool an attacker uses for footprinting can be turned by defenders toward:

  • Attack Surface Management: Continuously mapping your own digital footprint to identify shadow IT and forgotten assets.
  • Brand monitoring: Detecting typosquatting and phishing domains that impersonate your brand.
  • Threat hunting: Correlating IOCs (IPs, hashes, domains) extracted from incidents.
  • Credential exposure check: Periodically running HIBP lookups on executive and high-privilege accounts.
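The brand-monitoring use case starts with a list of look-alike domains to check; the transforms then tell you which of them resolve, who registered them, and where they are hosted. The generator below is an added example for this article, not a Maltego feature: it produces omission, repetition, transposition, homoglyph, hyphenation and TLD-swap variants of a brand domain, one per line, ready to paste onto a canvas as Domain entities. The homoglyph table and the watched TLD list are assumptions kept deliberately short; dedicated tools such as dnstwist apply much larger rule sets.

```python
from __future__ import annotations

# Assumption: a short list of visually confusable substitutions; real tools
# carry far larger tables (including IDN homoglyphs).
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "e": "3", "a": "4", "m": "rn", "w": "vv"}
# Assumption: TLDs worth watching for your brand; adjust per engagement.
TLDS = ("com", "net", "org", "co", "io")


def split_domain(domain: str) -> tuple[str, str]:
    """'example.com' -> ('example', 'com'). Multi-label public suffixes such
    as co.uk are not special-cased in this example."""
    label, _, tld = domain.lower().strip().partition(".")
    return label, tld


def candidates(domain: str) -> list[str]:
    """Return sorted, de-duplicated look-alike domains; the original is excluded."""
    label, tld = split_domain(domain)
    variants: set[str] = set()
    n = len(label)
    for i in range(n):                       # omission:       exampl.com
        variants.add(label[:i] + label[i + 1:])
    for i in range(n):                       # repetition:     exaample.com
        variants.add(label[:i] + label[i] + label[i:])
    for i in range(n - 1):                   # transposition:  exmaple.com
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, ch in enumerate(label):           # homoglyph:      examp1e.com
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    for i in range(1, n):                    # hyphenation:    ex-ample.com
        variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)
    variants = {v for v in variants if v and not v.startswith("-") and not v.endswith("-")}

    out = {f"{v}.{tld}" for v in variants}
    out |= {f"{label}.{t}" for t in TLDS if t != tld}   # TLD swap: example.net
    return sorted(out)


def as_entity_lines(domain: str) -> str:
    """One candidate per line, ready to paste onto a Maltego canvas."""
    return "\n".join(candidates(domain))


if __name__ == "__main__":
    print(as_entity_lines("example.com"))
```

Run the To IP Address [DNS] and WHOIS transforms over the pasted batch; unregistered candidates drop out immediately, and the registered ones that point at infrastructure you do not own are the phishing leads worth a ticket.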

Best practices

  • Document every transform you ran and its source — essential for the pentest report.
  • Use “Machines” to automate repeatable chains (for example, Domain → MX → email harvesting → HIBP).
  • Keep separate graphs per engagement for clarity and confidentiality.
  • Combine Maltego with Amass, theHarvester, and Recon-ng for cross-validation.

Summary

Maltego is the de facto canvas for OSINT link analysis. It does not replace CLI tools — it unifies them visually and surfaces the relationships that would otherwise stay buried inside text files. On any serious penetration test or threat intelligence project, it deserves a place in your workflow.

Next steps

For a complete OSINT and penetration testing curriculum, explore the Audax Cybersecurity Academy.
