Analytics // Threat Intelligence
8/9/2013
08:48 AM
50%
50%

Maltego Gets More 'Teeth'

New features in Maltego, an open-source intelligence tool for defenders, allow penetration testers and attackers to gather data on vulnerable systems and manage botnets

Open-source intelligence tools give defenders the ability to collect information on attackers and their infrastructure or look at their own network in the same way as an attacker. Since its creation in 2007, Maltego--originally called Evolution--did just that: Each information operation--or transform--had a purely defensive purpose.

Click here for more of Dark Reading's Black Hat articles.

Now the open-source intelligence tool has ripped a few pages from the offense's playbook.

At the Black Hat USA conference last week, Maltego creator and developer Roelof Temmingh announced a new set of transforms and features for the tool that gives it more utility for penetration testers and attackers. Users now have the ability to find vulnerabilities in servers or create a phishing campaign, create a botnet from compromised machines, and manage the compromised network.

Called Maltego Teeth, the added functionality allows penetration testers and attackers to use powerful tools for SQL injection, password breaking, and vulnerability detection through a graphical interface, Temmingh says.

"Why should I have to have a command line, when I just want to point and click," he says.

Mimicking the attackers methods is a useful technique for defenders but one that has caused a lot of controversy in the past. The Metasploit Framework, for example, allows users an easy way to find and exploit vulnerabilities in systems and caused quite a stir when first announced. Yet the tool has also helped defenders check for vulnerabilities, experts teach others about exploitation techniques, and penetration testers exploit weak client systems.

The latest updates to Maltego are designed to show the potential capabilities of attackers, says Temmingh. At the Black Hat conference, he showed features that allow the identification of vulnerable systems, manage the compromise of those systms, and then control the resulting botnet. Attackers will have to have permission to use them on any system, because they are purely offensive, he says.

"We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses," he wrote in a paper on the new feature set. "When using these transforms you'll be clearly attacking a target."

[At Black Hat, researchers release new set of big-data tools that can find patterns in the data among security firms' massive databases of malware. See 'BinaryPig' Uses Hadoop To Sniff Out Patterns In Malware.]

Making information-gathering easy is a valuable feature in any attack tool, says HD Moore, chief security officer for Rapid7 and the co-creator of Metasploit. The Metasploit development teams spends a lot of time making the gathering of data and the management of nodes easy, he says.

"After the first few footholds are obtained, penetration tests are more about efficient time management and information extraction than anything specific to security," Moore says. "A security analyst may spend a couple hours on the initial break-in, but the rest of a week trying to locate and compromise critical internal assets."

Other researchers also find the new features potentially valuable, while posing less danger than one might think. While there is little difference between the actions of an attacker and a penetration tester, someone actually using Maltego for malicious purposes will not know how well the software hides their identity, says Christopher Barber, a threat analyst with managed-security firm Solutionary.

"You can do all these cool things, but you have no idea if the communications channels are secure," Barber says. "You have no way of knowing if these are protecting your own identity while you are running these transforms."

Because the tool could be leaking identity information, malicious attackers will be unlikely to use it, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

CVE-2014-9197
Published: 2015-01-27
The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request.

CVE-2014-9198
Published: 2015-01-27
The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session.

CVE-2014-9646
Published: 2015-01-27
Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.