Analytics // Threat Intelligence
8/9/2013
08:48 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Maltego Gets More 'Teeth'

New features in Maltego, an open-source intelligence tool for defenders, allow penetration testers and attackers to gather data on vulnerable systems and manage botnets

Open-source intelligence tools give defenders the ability to collect information on attackers and their infrastructure or look at their own network in the same way as an attacker. Since its creation in 2007, Maltego--originally called Evolution--did just that: Each information operation--or transform--had a purely defensive purpose.

Click here for more of Dark Reading's Black Hat articles.

Now the open-source intelligence tool has ripped a few pages from the offense's playbook.

At the Black Hat USA conference last week, Maltego creator and developer Roelof Temmingh announced a new set of transforms and features for the tool that gives it more utility for penetration testers and attackers. Users now have the ability to find vulnerabilities in servers or create a phishing campaign, create a botnet from compromised machines, and manage the compromised network.

Called Maltego Teeth, the added functionality allows penetration testers and attackers to use powerful tools for SQL injection, password breaking, and vulnerability detection through a graphical interface, Temmingh says.

"Why should I have to have a command line, when I just want to point and click," he says.

Mimicking the attackers methods is a useful technique for defenders but one that has caused a lot of controversy in the past. The Metasploit Framework, for example, allows users an easy way to find and exploit vulnerabilities in systems and caused quite a stir when first announced. Yet the tool has also helped defenders check for vulnerabilities, experts teach others about exploitation techniques, and penetration testers exploit weak client systems.

The latest updates to Maltego are designed to show the potential capabilities of attackers, says Temmingh. At the Black Hat conference, he showed features that allow the identification of vulnerable systems, manage the compromise of those systms, and then control the resulting botnet. Attackers will have to have permission to use them on any system, because they are purely offensive, he says.

"We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses," he wrote in a paper on the new feature set. "When using these transforms you'll be clearly attacking a target."

[At Black Hat, researchers release new set of big-data tools that can find patterns in the data among security firms' massive databases of malware. See 'BinaryPig' Uses Hadoop To Sniff Out Patterns In Malware.]

Making information-gathering easy is a valuable feature in any attack tool, says HD Moore, chief security officer for Rapid7 and the co-creator of Metasploit. The Metasploit development teams spends a lot of time making the gathering of data and the management of nodes easy, he says.

"After the first few footholds are obtained, penetration tests are more about efficient time management and information extraction than anything specific to security," Moore says. "A security analyst may spend a couple hours on the initial break-in, but the rest of a week trying to locate and compromise critical internal assets."

Other researchers also find the new features potentially valuable, while posing less danger than one might think. While there is little difference between the actions of an attacker and a penetration tester, someone actually using Maltego for malicious purposes will not know how well the software hides their identity, says Christopher Barber, a threat analyst with managed-security firm Solutionary.

"You can do all these cool things, but you have no idea if the communications channels are secure," Barber says. "You have no way of knowing if these are protecting your own identity while you are running these transforms."

Because the tool could be leaking identity information, malicious attackers will be unlikely to use it, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web