At Maltego, we work hard to bring you the best data sources for your investigations. Today, we are announcing our new integration with AbuseIPDB that makes their invaluable dataset readily available to Maltego investigators around the world.
In this article, we will walk you through the AbuseIPDB data and how to use its Maltego Transforms to speed up investigations involving suspicious IP addresses.
What is AbuseIPDB? π︎
AbuseIPDB is a project designed to help combat the spread of hackers, spammers, and other abusive activity on the internet by providing a central blacklist for IP addresses that have been associated with malicious activity online.
AbuseIPDB is a collaborative effort to track these bad IP addresses. It relies on the contributions of users and organizations across the web reporting malicious traffic on their sites and servers.
There are thousands of reports generated daily from users who detect suspicious traffic and report it to AbuseIPDB.
(AbuseIPDB Reporting Statistics Taken from AbuseIPDB)
Consulting an OSINT resource like AbuseIPDB can help to confirm suspicions and provide corroboration during your investigations.
What Do I Need to Start Using the AbuseIPDB Transforms in Maltego? π︎
To start making using of our new integration, simply install the Transforms from the Transform Hub in your Maltego Desktop Client and sign up for an AbuseIPDB API key.
Register for an account here to receive a free API key which will allow you to perform up to 1000 queries per day. Once you exhaust your API queries, a warning message will be displayed in the Transform Output window as shown below.
What Type of Information Can I Get from AbuseIPDB? π︎
You can use our AbuseIPDB Transforms to gather the following information about IPv4 and IPv6 Addresses:
- Abuse score
- IP usage type
- Hostname associated with the IP
- Country
- ISP Details, and more.
Abuse Score π︎
You can use the Check Abuse Score [AbuseIPDB] Transform to retrieve the Abuse Score (Abuse Confidence) for the IP. This is a rating (scaled 0-100) of how confident AbuseIPDB is that a particular IP is malicious.
Hostname π︎
The hostname associated with the IP.
Report π︎
This is the actual AbuseIPDB report for the IP Address. The country flag overlay reflects the country associated with the reporterβs IP Address.
Usage Type π︎
The usage type of the IP address, such as Data Center, Web Hosting, Transit, Government, Commercial, and more. You can find the list of all Usage Types documented by AbuseIPDB here.
By bringing AbuseIPDB data into Maltego, you can reduce the time it takes to confirm that a particular IP Address is malicious and that you are not the only one seeing traffic generated from that IP.
Report Suspicious IPs to AbuseIPDB Directly from within Maltego π︎
Besides utilizing data from AbuseIPDB for your investigations, you can also contribute to AbuseIPDB’s effort by submitting suspicious IPs directly from Maltego.
All you need to do is select the IP Entity in Maltego and run the Report IP Address [AbuseIPDB] Transform.
Maltego will open a pop-up window where you will need to enter some information, such as the categories and a comment explaining why you are submitting the report. The settings popup allows you to specify what type of abuse you would like to report for the API, as well as to enter a short textual explanation for the report.
Start Using the AbuseIPDB Transforms to Accelerate Your IP Address Investigations in Maltego! π︎
We hope you enjoyed the release of the AbuseIPDB data integration for Maltego.
Donβt forget to follow us on Twitter and LinkedIn and sign up for our email newsletter to stay updated on the latest news, tutorials, and events.
Happy Threat Hunting!
