Analytics // Threat Intelligence
8/9/2013
08:48 AM
Connect Directly
RSS
E-Mail
50%
50%

Maltego Gets More 'Teeth'

New features in Maltego, an open-source intelligence tool for defenders, allow penetration testers and attackers to gather data on vulnerable systems and manage botnets

Open-source intelligence tools give defenders the ability to collect information on attackers and their infrastructure or look at their own network in the same way as an attacker. Since its creation in 2007, Maltego--originally called Evolution--did just that: Each information operation--or transform--had a purely defensive purpose.

Click here for more of Dark Reading's Black Hat articles.

Now the open-source intelligence tool has ripped a few pages from the offense's playbook.

At the Black Hat USA conference last week, Maltego creator and developer Roelof Temmingh announced a new set of transforms and features for the tool that gives it more utility for penetration testers and attackers. Users now have the ability to find vulnerabilities in servers or create a phishing campaign, create a botnet from compromised machines, and manage the compromised network.

Called Maltego Teeth, the added functionality allows penetration testers and attackers to use powerful tools for SQL injection, password breaking, and vulnerability detection through a graphical interface, Temmingh says.

"Why should I have to have a command line, when I just want to point and click," he says.

Mimicking the attackers methods is a useful technique for defenders but one that has caused a lot of controversy in the past. The Metasploit Framework, for example, allows users an easy way to find and exploit vulnerabilities in systems and caused quite a stir when first announced. Yet the tool has also helped defenders check for vulnerabilities, experts teach others about exploitation techniques, and penetration testers exploit weak client systems.

The latest updates to Maltego are designed to show the potential capabilities of attackers, says Temmingh. At the Black Hat conference, he showed features that allow the identification of vulnerable systems, manage the compromise of those systms, and then control the resulting botnet. Attackers will have to have permission to use them on any system, because they are purely offensive, he says.

"We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses," he wrote in a paper on the new feature set. "When using these transforms you'll be clearly attacking a target."

[At Black Hat, researchers release new set of big-data tools that can find patterns in the data among security firms' massive databases of malware. See 'BinaryPig' Uses Hadoop To Sniff Out Patterns In Malware.]

Making information-gathering easy is a valuable feature in any attack tool, says HD Moore, chief security officer for Rapid7 and the co-creator of Metasploit. The Metasploit development teams spends a lot of time making the gathering of data and the management of nodes easy, he says.

"After the first few footholds are obtained, penetration tests are more about efficient time management and information extraction than anything specific to security," Moore says. "A security analyst may spend a couple hours on the initial break-in, but the rest of a week trying to locate and compromise critical internal assets."

Other researchers also find the new features potentially valuable, while posing less danger than one might think. While there is little difference between the actions of an attacker and a penetration tester, someone actually using Maltego for malicious purposes will not know how well the software hides their identity, says Christopher Barber, a threat analyst with managed-security firm Solutionary.

"You can do all these cool things, but you have no idea if the communications channels are secure," Barber says. "You have no way of knowing if these are protecting your own identity while you are running these transforms."

Because the tool could be leaking identity information, malicious attackers will be unlikely to use it, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio