In previous posts, we have shown you how to leverage some of the powerful features included in Maltego. From data export options to customizable Entity overlay icons and Stealth Mode for investigations, Maltego is a tool designed to make analysts’ work easier and more effective.
In the same vein, we now focus on how Maltego fosters collaboration amongst analysts to improve investigations, both in speed and in quality. But what does collaboration mean in the context of Maltego?
Collaboration Feature in Maltego 🔗︎
Collaboration allows a seamless iterative process via live-graph sharing. This means that multiple users can work on the same graph at the same time within a secure session, thus remaining compliant with any organizational policies. It also means that session participants can chat within the Client while pursuing their investigation, making the process faster and overall, more efficient.
The Back-End of Maltego’s Collaboration Feature 🔗︎
Communication for the shared graph session takes place over an XMPP server, which is short for Extensible Messaging and Presence Protocol. This standards-protocol is a set of open technologies for instant messaging, multi-party chat, collaboration, and generalized routing of XML data amongst others.
How Secure is the “Secure Session?” 🔗︎
The short answer is, pretty secure. XMPP security is generally known to be better than web security, and the servers talk to the Maltego Desktop Client across heavily end-to-end encrypted links.
In fact, Maltego offers two encryption options, 128 Bit and 256 Bit. On top of that, you can choose which type of server you prefer graph traffic to pass through—whether public, private, or your own XMPP server—depending on your deployment and privacy needs.
Where is the Session Data Stored? 🔗︎
Data for each shared session is not stored on the XMPP server. Instead, it is stored locally on each of the participating Maltego Clients.
Still not sure about XMPP? The XMPP protocol is more popular amongst companies and institutions than you may know. For example, Facebook uses it for their chat integration, and NATO uses it for its tactical chat.
Basic Concepts for Live Graph Sharing Using Maltego 🔗︎
There are four ground principles to a Maltego live graph sharing:
Entity Attribution 🔗︎
Maltego makes it easy for you to visually follow the changes made to the graph by your collaborators. To do so, look out for the name of the user who added an Entity to a shared graph session above the Entity icon.
User Permissions 🔗︎
Every user in the shared graph session has full read/write permissions on the graph. Take this into account when you share the session details with other people.
Shared Graph Layout 🔗︎
When a shared graph user changes the layout of the graph, it will change for all users in the session. Maltego offers five different layout modes (block, hierarchical, circular, organic, and interactive organic) for you to choose from. The view, however, will only be changed for the user applying the change.
Graph Existence 🔗︎
Because of the protocol being used, the graph will remain available so long as there is at least one user in the graph session.
How to Share a Maltego Graph 🔗︎
Your live graph-sharing experience with Maltego has two different starting points: a new graph or a current graph. Remember that sharing a new graph means sharing a blank canvas to be edited by all participants of the shared session.
Regardless of which option you choose, the Graph Sharing Window will open every time.
Adding Session Information 🔗︎
Once the window is open, you will see the session information that you will need to share with your collaborators, so they can have access to the graph:
- Session Name
- Security Key
- User Alias
The Session Name will be either provided by the Maltego Client if you are starting a new session, or by other participants within the session should you be joining an existing one. The Security Key will be generated by clicking the generate button, or provided by one of the session participants.
The User Alias is how the session provides participants with the means to identify you, not only when you join, but also when you use the chat functionality. User Aliases also provide help participants to keep up with the Entities you add to the Graph.
Please note that all session participants need to use the same server type (public, private, other) and provide the same Security Key, otherwise a new session will be created and live graph-sharing with the intended group will not be possible.
Viewing Session Details in Collaboration Window 🔗︎
Once you begin the session, you will be able to view its details in the Collaboration window. Here, you will find details including the session participants, the graph’s metadata, and the type of server being used. The Collaboration window is located on the right side of the Client’s UI.
Send Links to Zoom in on Entities and Communicate in the Chat Window 🔗︎
You will also see the session’s Chat Window at the bottom of the UI. Aside from communicating with other session participants, you will also be able to send links to Entities you select on the graph in the form of a hyperlink which will zoom into the graph to show the referenced Entity. This helps further expedite the analysis process.
Closing a Collaboration Session 🔗︎
Lastly, to close a session , click the Work Offline option located on the Collaboration tab to log out. As previously mentioned, the graph session will remain open for the remaining participants as long as at least one of them is logged in.
How Maltego Collaboration Benefits Investigators 🔗︎
Available across Different Desktop Client Editions 🔗︎
Maltego collaboration does not require you to use the same Client edition as the rest of the session participants. However, the number of results available for your Client will remain the same, potentially affecting the data you are able to visualize.
Query Results of Purchased Transforms Made Viewable for All 🔗︎
Furthermore, one of the most noteworthy things about Maltego’s live-sharing graph feature is that analysts can view from the data returned by the Transforms which the collaborators have access to. This means even if you do not have access to a Hub item, but a session participant does, they can run said Transforms and you will see the results on the graph. This allows all participants to work with the same data and pivot from the returned Entities to continue the enrichment, contextualization and analysis processes.
Demo: Collaborating on Infrastructure Investigation for Pentesting Using Shodan Transforms 🔗︎
For example, if you are looking into the infrastructure of a domain for pentesting purposes, you will at some point, depending on how you wish to conduct your investigation, find IP addresses for said domain. It would be useful to query those IPs and discover which services are running on open ports in order to understand the vulnerabilities they present, verify the networks’ security policies, and make necessary adjustments.
Now, imagine that for some reason your Shodan API key does not work, or you do not have access to one. Instead of pursuing more inconvenient methods, you decide to request one of your colleagues to conduct a live-sharing graph session with you on Maltego to provide you with the investigative resources available to them.
The image below shows how such a session would look. You would ask your colleague to select the two IPs that you have obtained and run a To Service [Shodan] Transform on them. In this case, you would then be shown a total of eleven Service Entities.
Ports such as the 8080, which is the default for the Apache Tomcat service and is used for executing Java servlets and for rendering web pages using Java server page (JSPs) coding, are considered default ports for a large number of web servers, and thus are expected to be open. A commonly used security measure is to add SSL to the IP.
Maltego Service Entities are represented as “< port >:< banner >”, where the banner is the metadata about a service. This representation is especially useful when dealing with a reduced number of Service Entities, as it makes it easier to analyze them. However, when dealing with a larger set of Entities, it would be useful to request your colleague to select the Services and run a To Banner [Parse] Transform on them. In this case, the result is shown as “unknown”.
By examining the list of open ports and the services they run, you will gain insight into which of these might increase the chances of your organization becoming compromised by threat actors and react accordingly.
Alternatively, you could obtain the IP addresses from the websites that share the tracking code with the one you were originally examining, and request your colleague to run the To Service [Shodan] Transform on them, attempting to obtain more services with banners, to provide you with additional intel on the infrastructure.
Collaborate in Maltego and Improve Your Investigative Experience Across the Board! 🔗︎
There is a multitude of Transforms that can be used to examine organizational infrastructure, all of which are potentially available via Maltego’s collaboration feature.
To learn more about collaboration features, check out our documentation. If you have any questions regarding this topic or related ones, such as our privacy practices, feel free to reach out to us at firstname.lastname@example.org.