Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

Maltego Gets More 'Teeth'

New features in Maltego, an open-source intelligence tool for defenders, allow penetration testers and attackers to gather data on vulnerable systems and manage botnets

Open-source intelligence tools give defenders the ability to collect information on attackers and their infrastructure or look at their own network in the same way as an attacker. Since its creation in 2007, Maltego--originally called Evolution--did just that: Each information operation--or transform--had a purely defensive purpose.

Click here for more of Dark Reading's Black Hat articles.

Now the open-source intelligence tool has ripped a few pages from the offense's playbook.

At the Black Hat USA conference last week, Maltego creator and developer Roelof Temmingh announced a new set of transforms and features for the tool that gives it more utility for penetration testers and attackers. Users now have the ability to find vulnerabilities in servers or create a phishing campaign, create a botnet from compromised machines, and manage the compromised network.

Called Maltego Teeth, the added functionality allows penetration testers and attackers to use powerful tools for SQL injection, password breaking, and vulnerability detection through a graphical interface, Temmingh says.

"Why should I have to have a command line, when I just want to point and click," he says.

Mimicking the attackers methods is a useful technique for defenders but one that has caused a lot of controversy in the past. The Metasploit Framework, for example, allows users an easy way to find and exploit vulnerabilities in systems and caused quite a stir when first announced. Yet the tool has also helped defenders check for vulnerabilities, experts teach others about exploitation techniques, and penetration testers exploit weak client systems.

The latest updates to Maltego are designed to show the potential capabilities of attackers, says Temmingh. At the Black Hat conference, he showed features that allow the identification of vulnerable systems, manage the compromise of those systms, and then control the resulting botnet. Attackers will have to have permission to use them on any system, because they are purely offensive, he says.

"We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses," he wrote in a paper on the new feature set. "When using these transforms you'll be clearly attacking a target."

[At Black Hat, researchers release new set of big-data tools that can find patterns in the data among security firms' massive databases of malware. See 'BinaryPig' Uses Hadoop To Sniff Out Patterns In Malware.]

Making information-gathering easy is a valuable feature in any attack tool, says HD Moore, chief security officer for Rapid7 and the co-creator of Metasploit. The Metasploit development teams spends a lot of time making the gathering of data and the management of nodes easy, he says.

"After the first few footholds are obtained, penetration tests are more about efficient time management and information extraction than anything specific to security," Moore says. "A security analyst may spend a couple hours on the initial break-in, but the rest of a week trying to locate and compromise critical internal assets."

Other researchers also find the new features potentially valuable, while posing less danger than one might think. While there is little difference between the actions of an attacker and a penetration tester, someone actually using Maltego for malicious purposes will not know how well the software hides their identity, says Christopher Barber, a threat analyst with managed-security firm Solutionary.

"You can do all these cool things, but you have no idea if the communications channels are secure," Barber says. "You have no way of knowing if these are protecting your own identity while you are running these transforms."

Because the tool could be leaking identity information, malicious attackers will be unlikely to use it, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22199
PUBLISHED: 2021-06-16
SQL Injection vulnerability in phpCMS 2007 SP6 build 0805 via the digg_mod parameter to digg_add.php.
CVE-2020-22200
PUBLISHED: 2021-06-16
Directory Traversal vulnerability in phpCMS 9.1.13 via the q parameter to public_get_suggest_keyword.
CVE-2020-22201
PUBLISHED: 2021-06-16
phpCMS 2008 sp4 allowas remote malicious users to execute arbitrary php commands via the pagesize parameter to yp/product.php.
CVE-2021-20483
PUBLISHED: 2021-06-16
IBM Security Identity Manager 6.0.2 is vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to obtain sensitive data. IBM X-Force ID: 197591.
CVE-2021-20488
PUBLISHED: 2021-06-16
IBM Security Identity Manager 6.0.2 could allow an authenticated malicious user to change the passowrds of other users in the Windows AD enviornemnt when IBM Security Identity Manager Windows Password Synch Plug-in is deployed and configured. IBM X-Force ID: 197789.