Maltego Gets More 'Teeth'
New features in Maltego, an open-source intelligence tool for defenders, allow penetration testers and attackers to gather data on vulnerable systems and manage botnets
Open-source intelligence tools give defenders the ability to collect information on attackers and their infrastructure or look at their own network in the same way as an attacker. Since its creation in 2007, Maltego--originally called Evolution--did just that: Each information operation--or transform--had a purely defensive purpose.
|Click here for more of Dark Reading's Black Hat articles.|
More Security Insights
- 10 Steps to Cleaning up Active Directory
- The Active Directory Management and Security You've Always Dreamed of
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- COBOL in the Big Data Era: A Guide
Now the open-source intelligence tool has ripped a few pages from the offense's playbook.
At the Black Hat USA conference last week, Maltego creator and developer Roelof Temmingh announced a new set of transforms and features for the tool that gives it more utility for penetration testers and attackers. Users now have the ability to find vulnerabilities in servers or create a phishing campaign, create a botnet from compromised machines, and manage the compromised network.
Called Maltego Teeth, the added functionality allows penetration testers and attackers to use powerful tools for SQL injection, password breaking, and vulnerability detection through a graphical interface, Temmingh says.
"Why should I have to have a command line, when I just want to point and click," he says.
Mimicking the attackers methods is a useful technique for defenders but one that has caused a lot of controversy in the past. The Metasploit Framework, for example, allows users an easy way to find and exploit vulnerabilities in systems and caused quite a stir when first announced. Yet the tool has also helped defenders check for vulnerabilities, experts teach others about exploitation techniques, and penetration testers exploit weak client systems.
The latest updates to Maltego are designed to show the potential capabilities of attackers, says Temmingh. At the Black Hat conference, he showed features that allow the identification of vulnerable systems, manage the compromise of those systms, and then control the resulting botnet. Attackers will have to have permission to use them on any system, because they are purely offensive, he says.
"We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses," he wrote in a paper on the new feature set. "When using these transforms you'll be clearly attacking a target."
[At Black Hat, researchers release new set of big-data tools that can find patterns in the data among security firms' massive databases of malware. See 'BinaryPig' Uses Hadoop To Sniff Out Patterns In Malware.]
Making information-gathering easy is a valuable feature in any attack tool, says HD Moore, chief security officer for Rapid7 and the co-creator of Metasploit. The Metasploit development teams spends a lot of time making the gathering of data and the management of nodes easy, he says.
"After the first few footholds are obtained, penetration tests are more about efficient time management and information extraction than anything specific to security," Moore says. "A security analyst may spend a couple hours on the initial break-in, but the rest of a week trying to locate and compromise critical internal assets."
Other researchers also find the new features potentially valuable, while posing less danger than one might think. While there is little difference between the actions of an attacker and a penetration tester, someone actually using Maltego for malicious purposes will not know how well the software hides their identity, says Christopher Barber, a threat analyst with managed-security firm Solutionary.
"You can do all these cool things, but you have no idea if the communications channels are secure," Barber says. "You have no way of knowing if these are protecting your own identity while you are running these transforms."
Because the tool could be leaking identity information, malicious attackers will be unlikely to use it, he says.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.