02 May 2023

Exploring Your Attack Surface with Maltego: A Practical Guide

Mario Rojas

In today’s rapidly evolving threat landscape, it is essential for organizations to regularly assess their attack surface to identify potential vulnerabilities and weaknesses. This can help you better understand your organization’s security posture and take proactive measures to protect its critical assets.

Attack Surface Assessments example

In this article, we will explore how to use Maltego for attack surface assessments while relying solely on free data sources and provide a practical guide to help you get started.

Maltego for Attack Surface Assessments: A Blog Series ๐Ÿ”—︎

What is an Attack Surface Assessment? ๐Ÿ”—︎

An attack surface assessment involves identifying the various entry points an attacker could use to gain unauthorized access to an organization’s network or systems. These entry points can include everything from publicly available websites and social media profiles to network devices and cloud-based services.

An organization can proactively mitigate any vulnerabilities and prevent unauthorized access by identifying all potential entry points with the proper measures in place and an adequate tool stack.

Using Maltego for Attack Surface Assessments ๐Ÿ”—︎

Maltego is used extensively by security and threat intelligence teams worldwide for a wide range of cybersecurity tasks, including conducting attack surface assessments.

In this guide, we will demonstrate how to do that by using Maltego and following the steps below:

Let us delve into each of them.

Step 1: Define the Scope of the Assessment ๐Ÿ”—︎

The first step in any attack surface assessment is to define its scope. This includes identifying the target systems or network and determining the objectives. For example, our aim might be to identify all publicly accessible domains and IP addresses associated with your organization.

In this demo, we’ll explore the on-premises infrastructure of a large international organization. We will look to identify any potential security vulnerabilities, including insecure open ports, legacy systems, exposed security solutions, and critical vulnerabilities such as unpatched software.

DISCLAIMER: Please note that the information and techniques contained in this article are for educational purposes only and are intended to provide insights into the attack surface assessment process. Therefore, we will blur any identifying Entities to protect the target organization’s security.

Step 2: Identify Potential Data Sources ๐Ÿ”—︎

Once you have defined the scope of the assessment, the next step is to identify potential data sources that can be used to gather information about the target.

To configure Maltego for attack surface assessments, we will need to select the appropriate, relevant data sources using the Filters available on the Start Page of your Maltego Client.

Filters on Maltego Desktop Client Start Page

In our demo assessment, we will use free data sources only:

Step 3: Reconnaissance ๐Ÿ”—︎

Once you have installed all relevant Transforms, you can start gathering information about your target systems or network. This can include domain names associated with your organization, IP addresses in use, open ports, software versions, and any other publicly available data that may help to identify potential vulnerabilities.

To begin our demo, letโ€™s first take a look at one of the coolest features in Maltego, called Maltego Machines. They function as a sort of automated playbook for different types of investigations. In our case, we will use one of the default Machines to get us started with our assessment.

What we need to do is:

  1. Add a Domain Entity for our target organization on a new Graph
  2. Right-click the Entity to get the Transforms menu
  3. Go to the bottom to open the Machines submenu
  4. Click the Network Footprint L1 Machine

Run Network Footprint L1 Machine

In just under a minute, we retrieve a comprehensive picture of the assets and records associated with the target domain, over 750 Entities, ranging from Websites, DNS records, IP addresses, AS numbers, Email addresses, and more.

Given the ever-growing adoption of cloud services, we are not surprised that the organizationโ€™s digital perimeter extended well beyond its on-premises natural boundaries by multiple service providers, including Microsoft, Google, and Salesforce. Since our scope is for on-premises assets only, we need to identify those in our Graph.

Identify on-premises assets of the target organization

In this case, there is a Company Entity with the targetโ€™s name.

Letโ€™s move only the associated Entities to a new graph. To do that, we can select the Company Entity and click the Add Parents button until the selection includes our initial domain. We can right-click anywhere on the Graph and select the Copy To New Graph button in the bottom left corner.

Copy the Company Entity and relevant entities

Having done that, we will now focus on mapping the attack surface of the target without including the infrastructure owned by the vendors used by the organization.

In the above image, there are some interesting subdomain names used by the target, including development (dev) and pre-production (preprod) instances. We will refer to these as Juicy instances.

Let’s find some additional Juicy instances by running the To DNS Name (interesting) [SecurityTrails] Transform on our initial Domain Entity.

The list of results show additional test and mail-related instances

The list of results shows some additional test and mail-related instances. We can resolve the IP addresses associated with the new Entities to confirm whether these are live.

To do that, we will select the new Entities and run the To IP Address [DNS] Transform. Any instance that returns a corresponding IP address can be considered potentially live.

Since we are on IP addresses, it is possible to use Shodan to find vulnerabilities associated with online hosts. Letโ€™s find some by selecting all the IP addresses and running the To Vulnerabilities [Shodan] Transform.

Select all IP addresses and run the To Vulnerabilities [Shodan] Transform

Not only have we identified a critical 6-year-old vulnerability but also a number of interesting subdomains, a production security instance, as well as a possible Mobile Device Management (MDM) test server. We will come back to these in the Analyze the Information section.

We can also use Netblocks to find vulnerable assets with the help of Shodan. Since we are confident that the current Netblock Entities belong to the organization, letโ€™s run the To Vulnerable IP Addresses [Shodan] Transform on these and re-run the previous Transform to extract the associated common vulnerabilities and exposures.

Select Netblock Entities and run the To Vulnerable IP Addresses [Shodan] Transform

This expands the list of vulnerabilities to 93, including at least 12 critical. In other words, threat actors could exploit 93 unique attack vectors to breach this organizationโ€™s network.

We are not entirely done with IP addresses yet, as we can also use these to identify insecure open ports and outdated software versions.

Letโ€™s start by finding open ports with the To Ports [Shodan Internet DB] and To Ports [OTX] Transforms. Maltego returned 257 unique Port Entities.

To make it easier to read, we have identified and bookmarked a few ports considered insecure by default and which should not be exposed to the internet.

List of Port Entites considered insecure by default

Next, we will retrieve the services associated with the IP addresses. The information in the Service Entities can help us find outdated software versions, which could, in turn, be vulnerable or beyond their support lifecycles. We will again select the IP address Entities and run the To Services [Censys] and To Services [Shodan] Transforms.

Once the Transforms have finished running, we can use the Find option to search for specific software versions.

Let’s say we want to check if any servers are running Apache 2.4, released over ten years ago.

Use the Find option to search for specific software versions

Bingo! As we can see in the above image, the service Entity contains information about the software versions, associated common vulnerabilities and exposures, and they even include a timestamp for when this was last seen.

So far, we have found multiple Juicy instances, exposed security solutions, insecure open ports, 12 critical vulnerabilities, and outdated software versions running on live instances. It’s time to move on to the next stage in our assessment.

Step 4: Analyze the Information ๐Ÿ”—︎

After gathering information using Maltego, we will analyze the data and identify potential vulnerabilities or weaknesses.

Let’s go through some of the security issues identified during the previous stage and discuss why these are considered a risk to the organization they belong to.

Critical Vulnerabilities ๐Ÿ”—︎

They increase the likelihood of exploitation, affect operations, may lead to non-compliance, and damage public perception. Companies should prioritize identifying and addressing critical vulnerabilities to minimize these risks and maintain a secure and reliable digital environment.

Insecure Open Ports ๐Ÿ”—︎

During the reconnaissance step, we found and highlighted ports such as:

  • Port 143: This port is used for Internet Messaging Access Protocol (IMAP) traffic, which is used for email retrieval.
  • Port 445: This port is commonly used for SMB (Server Message Block) traffic, which is used for file sharing and printer sharing between computers.
  • Port 389: This port is used for LDAP (Lightweight Directory Access Protocol) traffic, which is used for authentication and directory services.
  • Port 139: This port is also used for SMB traffic but uses an older version of the protocol that is more vulnerable to attacks.
  • Port 21: This port is used for FTP (File Transfer Protocol) unencrypted traffic, which is used for transferring files between computers.

Exposing these ports to the internet can allow attackers to access and compromise sensitive information or execute remote code on a system. Limiting external exposure to these ports is generally recommended to prevent security risks.

Outdated Software ๐Ÿ”—︎

It may contain known security vulnerabilities that attackers can exploit to gain unauthorized access, steal data, or cause other damage. Also, the vendor may no longer support the software, meaning no new security patches or bug fixes will be released to address current or future vulnerabilities.

Juicy Instances ๐Ÿ”—︎

These types of instances, which include testing (Test) and staging as well as the previously mentioned development (dev) and Pre-Production (pre-prod) servers, are usually short-lived instances created for testing security patches, software upgrades, or new versions of in-house applications before moving them into Production. These servers typically get a lower level of security than production ones, making them a juicier target for hackers.

Exposed Security Solutions ๐Ÿ”—︎

During our assessment, we also found exposed security solutions such as ArcSight and a Mobile Device Management test server. These types of systems usually contain sensitive security data about the organization they belong to and may be targeted by attackers seeking to exploit vulnerabilities in the system or steal data.

Step 5: Develop a Remediation Plan ๐Ÿ”—︎

Finally, the attack surface assessment results can be used to develop a remediation plan. This can include implementing security patches, closing unsecured ports, establishing a Request for Change (RFC) that defines how to decommission Test instances, and other measures to help you reduce the organization’s attack surface.

Accelerating Your Attack Surface Assessment ๐Ÿ”—︎

Maltego can help security teams identify potential vulnerabilities and weaknesses in an organization’s network and assets. Following the steps in this article, you can effectively leverage Maltego’s features and conduct comprehensive attack surface assessments in minutes while using only free data resources.

If you want to learn more about vulnerability and attack surface assessment, take a look at our detailed Cyber Threat Intelligence handbook, which also covers four other typical CTI investigations.

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +7880
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

This was part 1 of a 2-part series on how to use Maltego for Attack Surface Assessments. In the next release, we will learn how to automate most of the techniques detailed in this article by creating our own custom Machine.

In the meantime, follow us on Twitter and LinkedIn, and subscribe to our newsletter to stay up to date on new tutorials and guides and to make sure you don’t miss the next part of the series.

Happy OSINTing!

About the Author ๐Ÿ”—︎

Mario Rojas

Mario Rojas ๐Ÿ”—︎

Mario Rojas is a former Cyber Security and Threat Intelligence Subject Matter Expert at Maltego with more than 14 years of experience in the cybersecurity field. His expertise in open-source intelligence (OSINT) allows him to effectively map and visualize complex relationships and connections between entities, from IP addresses and domain names to social media profiles and Darkweb forums.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.