Perform Network Fingerprinting with Maltego [Tutorial]

Captions
Starting with a simple domain name, it's easy for a hacker or researcher to find technical information about any organization using open-source intelligence tools like Maltego. We'll show you how simple this is to do on this episode of Cyber Weapons Lab.

Open-source intelligence tools like Maltego allow you to take a small detail you know about an organization, like a domain name or a website, and turn it into a whole complete picture of the technical details behind a particular organization's network. What that means is being able to pin down the specific details of where they've made their investments in server technology, which IP addresses they run, what types of services they make available to their internal and external users, and all the other information you would need to build a technical picture of the technology an organization is incorporating. So to do this we can focus on open-source intelligence tools, and Maltego is chief among them for being able to run things called transforms, which are kind of like a combination between an API poll and an algorithm to sort that data. The goal of this is to be able to pull in large amounts of data based on these requests that we make, these API polls, and arrange that data in a way that displays relationships that are important to our investigation, in a way that's much more clear and organized than a traditional researcher just making, you know, Google searches or something would be able to do by themselves. So by automating this process and allowing us to easily enrich data to kind of build a chain of information to branch our investigation off of, we can get kind of the core picture of what an organization looks like on a technical level with these sorts of techniques.

Now today we're going to be focusing on some very specific information. First we're going to take a look at the website and identify any tracking URLs or any tracking codes that might be used to keep an eye on the traffic on this website, because it might give us an indication of other websites that the same organization owns and keeps an eye on the traffic of with the same codes. Next we'll need to look up the DNS information, which tells us which servers are pointing to the actual IP address that the website is hosted on, and this will give us the opportunity to explore other websites hosted with the same DNS server, often belonging to the same organization. So after we've discovered the DNS servers involved in the organization's business, we can start to discover things like the MX server, which is what handles the email, and the name server, which handles the traffic to the website and often will interface with anyone who's looking to use the website's public-facing applications or anything like that. Finally we'll go into the netblock, which is a block, a range of IP addresses, assigned to the various services or websites that the organization runs, and typically it will be segmented so you can see a lot of other sorts of IP addresses that would be involved in that particular organization's services they offer publicly on the internet, or even privately, internally, depending on how they're configured. Last, the final piece of information is the AS number, which is a big group of netblocks that kind of operate with the same set of rules, and this will typically be administrated either by a telecommunications company or by a lot of major companies themselves if they have a lot of services that need to be online. So if we're able to go through this chain from top to bottom until we get the AS number, starting all the way from the website or the web URL, we're able to go back up the chain after we've enriched the data a little bit and start to see patterns and relationships and all the things we can pin to these attributable facts about the organization. Now that's important because this will keep our investigation focused and keep kind of the core facts that we've been able to establish as the centerpiece of all these Maltego transforms that we're running to pull in more information, so that we avoid getting lost in kind of the weeds of our investigation. So the point of this is to effectively and efficiently find the technical information behind an organization so we can make our investigation as streamlined as possible and ensure that we're able to come back with the right information the first time we run this process.

So in order to do this you'll need to have either Kali Linux installed, as Maltego Community Edition is installed by default, or you can go ahead and download the Maltego Community Edition and just run it on your platform, because it runs on Java. You'll need to have Java, but once you do it will run on basically any operating system. Now once you have this ready to go, which we'll show you how to install, it only takes a couple of transforms in order to lead you all the way from the web domain to the AS number, and you can start to discover surprising relationships between different websites and maybe even discover services that are given by the same people that might not officially acknowledge that they are all part of the same company or the same organization. So we'll start with an example domain and see how far we can reach with it. It's pretty simple, so let's get started.

To download Maltego you'll need to go to the Paterva website and click on the download section. Before you do this, you'll notice that there is a "click to register" button on the lower left side, and you'll need to register for a free account in order to use Maltego, so make sure to take care of this first, otherwise you'll get stuck in the login window as soon as you download Maltego Community Edition. So at the download page you can see it has a version for Windows, Linux and Mac. You can go ahead and download the particular file type you want and then just install it and open it, and it will run with Java. You will need to have Java installed, so make sure you have that done first.

So once you have Maltego loaded, go ahead and you'll see this initial main screen. I think in a previous tutorial someone showed how to do a Maltego machine, but we're going to show you how to do this much more hands-on, because it's just better practice and it will teach you a bit about how networks within an organization work. So we're going to use WonderHowTo as our example, because that's where this is going to be. So we'll take the domain of wonderhowto.com and click on the domain alias and just drag and drop it from the left side onto the main canvas window, so we can type in wonderhowto.com correctly, and then from this initial URL we can get started with doing some of the building of the chain of the hard technical details of this network. So the first thing we're going to look for is to go from the URL to the website, so this will have the actual website associated with it, and we can use a quick lookup to do that. So once that transform completes we have a website that is loaded into Maltego, and we can right-mouse-click on it and then search for any tracking codes that might be in use on other websites that the same organization owns. So in this case we get a tracking code back, and we can use this tracking code to find other websites, and we see two other sites with the same code. Now if this organization happened to own a bunch of other websites and use the same tracking code on them, this would be how we could figure that out, but in this case it looks like they're not using a tracking code that's used elsewhere, so that's a little bit of a dead end. But we can take the wonderhowto domain and we can still start to search for the next step, which is the MX server, which we can do with To DNS Name MX server, and then we can also, there we go, we can see they use Google Mail, Google, yes, so they use Google services for their email. That's important and useful to know. And then for NS servers, name servers, we can use To DNS Name NS (name server), right-mouse-clicking and going here. We can see Google Cloud and some other stuff that's associated with these domains' name servers.

And finally we can type DNS. So there's actually a number of different DNS queries you can make. Community Edition may be partially restricted in how many results it can bring back, but in general you can learn a lot about the DNS settings and other websites that might be located on the zone, on the domain, from the DNS. So we'll do a couple of things. First we'll do To Domains DNS, which should give us any other domains that are on the same DNS server, and then also To DNS Name interesting. So you can try a couple of these transforms and see exactly what happens, but in general if you do something like Find common DNS names you can see two DNS servers pop up, and then if we do To DNS Names via interesting this will give us a new set. So we can see we've got two DNS servers now that are responsible for what looks like a mail server and then a wildcard in use. Now to find more information about the DNS I can also refer to the website, and by typing DNS into the transform window I can click To DNS Name enumerate hostnames numerically, and let's go with the default settings, and then To IP Address DNS. So this gives me the IP address of the DNS server, and I can click To DNS Name other DNS names to kind of enrich this and see if I can find more DNS servers on the same IP address. And here we can see, whoa, a bunch of interesting stuff. So we can see violin and viola.wonderhowto.com, outdoor games, OnePlus, I guess for that cellphone, and some other interesting things I won't go too much more into, but you can see that there's a whole bunch of DNS servers that have now been added that we didn't know about before. So from just the domain we've now gotten all these other DNS servers that refer to other parts of the website we never would have known about had we not done this kind of research first.

So now that we have these DNS servers we can select everything by pressing Command or Control-A, and on the right side we see that there's this little window that allows us to organize our stuff by the type of entity. So I can select, within this, all of the DNS servers and attempt to resolve them to IP addresses, because that's the next step. So from our DNS servers or MX servers or NS servers we're going to find as many IP addresses as possible, because that will give us the ability to learn more about what this organization has and find different ways that we can hopefully get in or understand more about what it is they're doing. So I'll go ahead. It's going to let me do this resolution. Looks like we found a couple of different new IP addresses, so we can see here they are. By selecting all and grabbing these we can take the next step up, which is to resolve these to a netblock. So IP addresses will be located in a block of IP addresses that are allocated to a particular provider, and we'll use To Netblock using routing info to get hopefully the most accurate picture we can of the different netblocks involved in this organization's structure and the services they provide. Now this isn't a complete picture, we can enrich this much further, but we kind of want to hurry down the chain and get these hard details about the organization, so once we can attribute them positively to this organization we can go back up the chain and start enriching the data that we've already found and positively attributed. So now that's yielded a couple of different netblocks. We can grab these and then select only the netblocks, and when we select them we can look for the AS number. Now the AS number is a top-level service number that is provided by telecommunications companies and such to provide a large set of switches that all kind of operate the same, and this will give us an indication of, like, a server or something else that has a whole bunch of different services running on it. And we can see that we have a server, or an AS number, in Mountain View and then a server in Los Angeles, California. So by doing this we were able to start with the web domain and very quickly locate the physical location of a major chunk of their, you know, network architecture, and we can even start to see the subdomains and sub-DNS servers that are distributing traffic and responding to requests across the website.

So in order to take the next step up on this, now that we've gone all the way down the chain, we can take all the data we have, like the AS numbers, and by selecting everything and then selecting just the AS numbers we can go back up, and from the AS numbers attempt to find netblocks, which can yield a whole bunch of results depending on whether or not this organization owns its own AS number or if they're just using someone else's. So we'll attempt this, in this case being prepared for possibly a lot of different results. Again, you should remember that netblocks are huge ranges of IP addresses, so here we've generated a whole lot of them, and upstream, if we were to select these and then enrich them further to find, let's say, DNS servers within them, we're going to try to find any websites associated with our target by jumping up the chain a bit and looking for DNS, because we can see right in the domain's DNS whether or not they're relevant to our target. So this will run all these transforms and we see, boom, we've expanded our data substantially, and now we can see a googleusercontent, so we can get an understanding of sub-services they use. We can see, like, crestcom is a service that's listed, we can see Krypton accom, a number of other things that the website likely uses to facilitate its services, and we can expand on these initial things we found, the DNS servers like violin, viola, phishing.wonderhowto, gs5.wonderhowto. We can start to discover more DNS servers that might point us to interesting things. So we've now expanded on the DNS servers, so let's select the interesting ones that we found, particularly the wonderhowto ones that we found, and I need to stick to these, and then we will attempt to find websites with To Websites by querying the ports. So this should resolve a whole bunch of websites associated with these DNS servers, and this will give us a fingerprint on exactly what it looks like on the website side of things, where all these DNS servers are pointing. The various sites we're going to look at and see if we can actually resolve them and pin them down to the websites they refer to. So this is going back up, and now we're at the website phase again. The next step would be to query the websites for the domain names associated and then begin looking for, you know, other commonalities, since we've enriched our data to this kind of much, much larger set. So I'm actually going to select all the DNS servers and go ahead and enrich them just so we have some data to work with, and then I want to zoom out and show you a couple of different ways you can look for patterns by changing the view and kind of understanding the way this data is being pulled in and what it means. And even if you're a beginner, this view should give you some perspective on what you're looking at.

So let's try to resolve some more websites from this now that we have a larger sample size. It should take a little bit of time, but as you can see we've got some results back, and now we can start playing with this final step a little bit further. So some of these kind of look a little garbagey. These don't look like real domains; they probably just resolved. These are something.net; these are probably processes that resolve something that's not public-facing, I don't really know. But we can also see a bunch of wonderhowto domains have already resolved or are resolving now. So if we zoom out we've gone all the way back up to domains from starting with a single domain, we're still getting results into our map, and we can see by selecting these various views on the left side much more detailed relationship graphs. I like how this data is coming together. Now you can only show so much in a hierarchical graph like this, but if you were to switch it to a more circular graph that shows, you know, hubs and spokes, basically different data points coming off of a common data point rather than kind of a top-down view, you can see here that there's very clearly a couple of sources of a lot of activity, things that maybe there's a lot of different services centered around or things they've chosen to invest in heavily, and on the other side here we have little clusters which indicate individual netblocks, or things that have, you know, basically a lot of different websites in common, and we can tell that all these services are associated with this common series of netblocks. So as we discover these as individual points and discover how the organization is using them, we can learn to very quickly enumerate them and begin to be able, here we go, we can see we're now finding websites: first wildcard anouska ceramics.wonderhowto.com. That's not a website we probably would have been able to find otherwise, but if there are any vulnerabilities, or if we can start scanning this stuff or using it as targeting for more advanced, more active reconnaissance methods, this is the kind of open-source intelligence information we can use to target more active methods and dig a little bit deeper into any of these results that we find that particularly interest us. So after we get this finished, the best way that we can do some sort of report or some sort of overall understanding of this is to take a step back and analyze our goals and see what we found and what can facilitate that, and that's kind of what this whole process is for.

So if you like this kind of investigation, this is just one way that you can use something like Maltego to build this kind of data picture of any sort of information or investigation you would want to build. That doesn't just apply to cyber crime and Cyber Weapons Lab; this is also used for business intelligence and, you know, the kind of spy work that you have to do when you don't have access to data directly and you need to pull it in from something as simple as a simple domain name. So that's it. Network fingerprinting with Maltego can set the stage for discovering specific vulnerabilities, allowing an attacker to design a technical attack that otherwise would require too much information to be practical. By using these sorts of fingerprinting techniques we can discover the configuration of networks that might be really expansive or have a lot of different moving pieces, which allows us to target the most convenient one when designing an attack and avoid unnecessary effort or extra expense when we should be focusing on something that would be more efficient. So to do this we'll be exploring relationships, building a complete understanding and generally profiling a target to be the most efficient we can possibly be when we're actually moving into the attack phase of some sort of, like, hacking engagement. So this should give you an understanding of how this sort of research works, and we hope that you enjoy this piece on OSINT because we love talking about it. And also thank you guys so much for getting us up to 10,000 subscribers and a hundred thousand views on our first video. Because of that we would love to hear your feedback on more great ideas, so be sure to hit us up with more comments, make sure to like and subscribe, and we'll see you next time on Cyber Weapons Lab.
Info
Channel: Null Byte
Views: 143,212
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, fingerprinting, fingerprint, network, maltego, dns, transform, domain, recon, reconnaissance, digital, MX server, name server, NS, netblock, ip address, ip, OSINT, mail exchanger, mail, tracking codes, as number, website, webpage, web, kali, linux, paterva, kody kinzie
Id: hPIhItC-Vr8
Length: 19min 36sec (1176 seconds)
Published: Thu May 31 2018