PATERVA

Maltego transforms
A reference guide
RT

2011/01

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

Table of Contents
1

Introduction ...................................................................................................................................................................... 7

Search engine transforms ........................................................................................................................................... 8

2.1

General notes when using search engine transforms ........................................................................................................... 8

2.2

Problems with parsing results........................................................................................................................................................ 9

Infrastructure ................................................................................................................................................................ 10
3.1

Internet Autonomous System (AS) .............................................................................................................................................10

3.1.1
3.2

To Netblocks in this AS [Robtex]........................................................................................................................................10

NS (Name Server) ..............................................................................................................................................................................11

3.2.1

To Domains [DNS] ....................................................................................................................................................................11

3.2.2

To IP Address [DNS] ................................................................................................................................................................11

3.2.3

To Web site [Query port 80] ................................................................................................................................................12

3.3

Domain ...................................................................................................................................................................................................13

3.3.1

To MX (mail server) [DNS] ...................................................................................................................................................13

3.3.2

To NS (name server) [DNS] ..................................................................................................................................................14

3.3.3

To DNS Name [Attempt zone transfer]............................................................................................................................15

3.3.4

To DNS Name [Find common DNS names] ....................................................................................................................16

3.3.5

To DNS Name [Name Schema] ............................................................................................................................................17

3.3.6

To Domain [Find other TLDs] .............................................................................................................................................18

3.3.7

To Email address [From whois info] ................................................................................................................................19

3.3.8

To Email addresses [PGP] .....................................................................................................................................................20

3.3.9

To Email addresses [using Search Engine] ....................................................................................................................20

3.3.10

To Emails @domain [using Search Engine]...................................................................................................................21

3.3.11

To Entities (NER) [Alchemy and OpenCalais] via whois ..........................................................................................22

3.3.12

To Files (Interesting) [using Search Engine] ................................................................................................................22

3.3.13

To Files (Office) [using Search Engine] ...........................................................................................................................23

3.3.14

To Person [PGP] ........................................................................................................................................................................24

3.3.15

To Phone Numbers [using Search Engine] ....................................................................................................................25

3.3.16

To Phone numbers [From whois info].............................................................................................................................26

3.3.17

To Website DNS [using Search Engine] ...........................................................................................................................26

3.3.18

To Website [Quick lookup] ...................................................................................................................................................27

3.3.19

To Website [using Search Engine].....................................................................................................................................27

Maltego Transforms a reference guide

Page 2

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
3.4
An IP version 4 address ...................................................................................................................................................................29
3.4.1

To DNS Name [Other DNS names].....................................................................................................................................29

3.4.2

To DNS Name [Reverse DNS] ..............................................................................................................................................30

3.4.3

To Domain [Sharing this MX] ..............................................................................................................................................30

3.4.4

To Domain [Sharing this NS] ...............................................................................................................................................31

3.4.5

To Email address [From whois info] ................................................................................................................................32

3.4.6

To Entities (NER) [Alchemy and OpenCalais] via whois ..........................................................................................32

3.4.7

To Geo location [whoisAPI] ..................................................................................................................................................33

3.4.8

To Netblock [Blocks delegated to this IP as NS] ..........................................................................................................34

3.4.9

To Netblock [Natural boundaries] ....................................................................................................................................34

3.4.10

To Netblock [Using routing info] .......................................................................................................................................35

3.4.11

To Netblock [Using whois info] ..........................................................................................................................................36

3.4.12

To Telephone Number [From whois info] .....................................................................................................................37

3.4.13

To Website where IP appears [using Search Engine]................................................................................................37

3.5

MX record (mail exchange record) .............................................................................................................................................39

3.5.1

To Domain [DNS] ......................................................................................................................................................................39

3.5.2

To Domains [Sharing this MX] ...........................................................................................................................................39

3.5.3

To IP Address [DNS] ................................................................................................................................................................40

3.6

DNS name server record .................................................................................................................................................................41

3.6.1

To Domain [DNS] ......................................................................................................................................................................41

3.6.2

To Domains [ Sharing this NS] ............................................................................................................................................41

3.6.3

To IP Address [DNS] ................................................................................................................................................................42

3.6.4

To Netblock [Blocks delegated to this NS] .....................................................................................................................42

3.7

Netblock .................................................................................................................................................................................................43

3.7.1

To AS number ............................................................................................................................................................................43

3.7.2

To DNS Names in netblock [Reverse DNS] ....................................................................................................................44

3.7.3

To Entities (NER) [Alchemy and OpenCalais via whois............................................................................................45

3.7.4

To Geo location ..........................................................................................................................................................................45

3.8

URL...........................................................................................................................................................................................................46

3.8.1

To Email Addresses [Found on web page].....................................................................................................................46

3.8.2

To Entities (NER) [OpenCalais and Alchemy API] ......................................................................................................47

3.8.3

To Phone number [Found on this web page]................................................................................................................48

3.8.4

To URL [incoming links found to this web page] ........................................................................................................49

3.8.5

To Website [Convert]..............................................................................................................................................................50

Maltego Transforms a reference guide

Page 3

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
3.8.6
To Website [Links on this web page] ...............................................................................................................................50
3.9

Website...................................................................................................................................................................................................51

3.9.1

Mirror: Email addresses found ...........................................................................................................................................51

3.9.2

Mirror: External links found ................................................................................................................................................52

3.9.3

To Domains [DNS] ....................................................................................................................................................................52

3.9.4

To IP Address [DNS] ................................................................................................................................................................53

3.9.5

To URLs [show Search Engine results]............................................................................................................................53

3.9.6

To Website [Incoming links to site] ..................................................................................................................................54

3.9.7

To Website [Replace with thumbnail] .............................................................................................................................55

3.9.8

To Website title .........................................................................................................................................................................55

Personal ........................................................................................................................................................................... 57
4.1

Document ..............................................................................................................................................................................................57

4.1.1

Parse meta information .........................................................................................................................................................57

4.1.2

To URL [Show SE results] .....................................................................................................................................................58

4.2

Email........................................................................................................................................................................................................59

4.2.1

To Domain [DNS] ......................................................................................................................................................................59

4.2.2

To Email Addresses [PGP (signed)] ..................................................................................................................................59

4.2.3

To Email Addresses [PGP] ....................................................................................................................................................60

4.2.4

To Email Addresses [using Search Engine] ...................................................................................................................60

4.2.5

To Person [PGP] ........................................................................................................................................................................61

4.2.6

To Phone number [using Search Engine] .......................................................................................................................61

4.2.7

To URLs [Show search engine results] ............................................................................................................................62

4.2.8

To Website [using Search Engine].....................................................................................................................................62

4.2.9

Verify email address exists [SMTP] ..................................................................................................................................63

4.3

Person .....................................................................................................................................................................................................64

4.3.1

To Email Address [PGP] .........................................................................................................................................................64

4.3.2

To Email Address [Verify common]..................................................................................................................................65

4.3.3

To Email Address [using Search Engine] ........................................................................................................................66

4.3.4

To Person [PGP (signed)] ......................................................................................................................................................67

4.3.5

To Phone Number [using Search Engine] ......................................................................................................................67

4.3.6

To Website [using Search Engine].....................................................................................................................................68

4.4

Phone Number ....................................................................................................................................................................................70

4.4.1

To Email Address [using Search Engine] ........................................................................................................................70

4.4.2

To Phone Number [using Search Engine] ......................................................................................................................70

Maltego Transforms a reference guide

Page 4

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
4.4.3
To URL [Show Search Engine results] .............................................................................................................................71
4.4.4
4.5

Phrase .....................................................................................................................................................................................................72

4.5.1

To Email Addresses [using Search Engine] ...................................................................................................................72

4.5.2

To Entities (NER) [Alchemy and OpenCalais] ..............................................................................................................73

4.5.3

To Files (Interesting) [using Search Engine] ................................................................................................................74

4.5.4

To Files (Office) [using Search Engine] ...........................................................................................................................75

4.5.5

To Telephone numbers [using Search Engine] ............................................................................................................76

4.5.6

To Tweets [Search Twitter] .................................................................................................................................................77

4.5.7

To Website [using Search Engine].....................................................................................................................................78

4.5.8

To related phrase .....................................................................................................................................................................79

4.6

Twit ..........................................................................................................................................................................................................80

4.6.1

To Twitter Affiliation [Convert] .........................................................................................................................................80

4.6.2

To URL(s) [Found in these Tweets] ..................................................................................................................................80

4.7

To Website [using Search Engine].....................................................................................................................................72

Affiliation Twitter ...........................................................................................................................................................................82

4.7.1

To AffTwitter [Get details of ID holder] ..........................................................................................................................82

4.7.2

To AffTwitter [This person received Tweets from ?] ................................................................................................82

4.7.3

To AffTwitter [This person wrote Tweets to ?] ...........................................................................................................83

4.7.4

To Person [Convert] ................................................................................................................................................................84

4.7.5

To Tweets [That this person wrote] .................................................................................................................................84

4.7.6

To Tweets [Written to this person] ..................................................................................................................................85

4.7.7

To followers of this person...................................................................................................................................................85

4.7.8

To friends of this person .......................................................................................................................................................86

Maltego 3 Client Transforms - Overview ........................................................................................................... 88

5.1

Infrastructure ......................................................................................................................................................................................88

5.1.1

Internet Autonomous System (AS) ...................................................................................................................................88

5.1.2

Domain Name System server name ..................................................................................................................................88

5.1.3

Internet Domain........................................................................................................................................................................89

5.1.4

IP version 4 address ................................................................................................................................................................90

5.1.5

Location on mother earth .....................................................................................................................................................91

5.1.6

DNS mail exchange record ....................................................................................................................................................91

5.1.7

DNS name server record .......................................................................................................................................................91

5.1.8

Netblock .......................................................................................................................................................................................92

5.1.9

URL .................................................................................................................................................................................................92

Maltego Transforms a reference guide

Page 5

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
5.1.10 Website .........................................................................................................................................................................................93
5.2

Personal .................................................................................................................................................................................................93

5.2.1

Document.....................................................................................................................................................................................93

5.2.2

Email ..............................................................................................................................................................................................94

5.2.3

Person ...........................................................................................................................................................................................94

5.2.4

Phone Number ...........................................................................................................................................................................95

5.2.5

Phrase............................................................................................................................................................................................95

5.2.6

Twit ................................................................................................................................................................................................96

5.2.7

Affiliation Facebook .............................................................................................................................................................96

5.2.8

Affiliation LinkedIn ..............................................................................................................................................................96

5.2.9

Affiliation Twitter .................................................................................................................................................................97

Maltego Transforms a reference guide

Page 6

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

Introduction

This document serves as a reference guide of transforms that are currently in use in Maltego. The last section
of this document gives a summary of all transforms.

Maltego Transforms a reference guide

Page 7

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

Search engine transforms

There are couple of transforms that use search engines - all of them very similar. The basic recipe with these
transforms is as follows:
1. Expand the question. The question is the input from the GUI - be that a person's name, a domain or an
phone number. When looking at a person's name for instance the name 'Kosie Kramer' will be
expanded to searches like '"Kosie Kramer"', '"K Kramer"', 'Kramer Kosie' etc. In the case of a telephone
number the search will be expanded to include most telephone notations used.
2. Assign confidence levels. Because a search for '"Kosie Kramer"' is more likely to return good results rather than a search for 'KramerK' the confidence level for the first search would be higher. The
confidence levels are also used to assign preference to certain file types when doing searches on
documents (these are configurable in the transform). In the same way a XLS file containing the word is
likely more interesting than a PDF file.
3. Perform each search. The searches are performed and the snippets are obtained. It is important to note
that only snippets are parsed. For parsing the entire page you need to dump to URL and process the
URLs separately. Various search engines have various snippet lengths.
4. Parse for output entities. Depending on what output is required the snippets are parsed for entities - in
some cases the web site's name is all that's required.
5. Calculate weight. The weigh is calculated from various factors - the confidence of the search, the
frequency of the result, the importance of the web site where the result came from, and in some cases a
correlation to the input.
6. Normalise. The weights are now normalised using a fairly interesting algorithm that involves the mean
and standard deviation of the spread of weights. It is important to understand that a search result with
a equal spread of weights are mostly useless.

2.1

General notes when using search engine transforms

Maltego will sometimes give you results that seem plain wrong. You need to keep in mind that the application will
get pretty desperate when it does not get results. So - when you are searching for a person called "Vaxynutus
Grabounill" and that person simply left no marks on the Internet Maltego will eventually go after a search term
"VG" - with a super low confidence - but you will still get some results. These results could seem completely off the
mark, but should have very low weights. Always look at the weights.
Many of the search engine transforms use pop-up transform settings for location and additional terms. If you are
not getting the results you want you should try adding some terms here. You can read all about it in the User guide
in the section about Transform properties.
Maltego Transforms a reference guide

Page 8

January 2011

2.2

Maltego 3 User Guide - Transforms

Version 3.0

Problems with parsing results

Some entities are hard to parse. Telephone numbers are notoriously hard to parse. There is always a trade-off
between missing numbers and parsing non-telephone numbers as phone numbers. With the current transforms
we hope to have reached the optimal balance.

Maltego Transforms a reference guide

Page 9

January 2011

Maltego 3 User Guide - Transforms

Infrastructure

3.1

Internet Autonomous System (AS)

Version 3.0

3.1.1 To Netblocks in this AS [Robtex]

This transform expands an ASNumber to one or more netblock Entity. This transform is very useful in the
infrastructure
re foot printing of an organization. Let us assume that Org. X owns a couple of netblocks, but only
has a single DNSName that points to a single netblock - the other netblocks have no DNS information (e.g. no
forward DNS pointing to it, or reverse DNS entr
entries
ies in the block). Using this transform we can find the
ASNumberEntity of the netblock. Once we have the AS number we can expand it to all the other netblocks that
Org. X have.

Maltego Transforms a reference guide

Page 10

January 2011

3.2

Maltego 3 User Guide - Transforms

Version 3.0

NS (Name Server)

3.2.1 To Domains [DNS]

This transform extracts the DomainEntity from a DNSNameEntity. The domain in a DNS Name like
'mx.google.co.uk' would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these
TLDs and subTLDs are really not that useful it is not rreturned.

3.2.2 To IP Address [DNS]

This is a simple transform. It resolves a DNSName to an IPAddress. Enough said.

Maltego Transforms a reference guide

Page 11

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.2.3 To Web site [Query port 80]

This transform basically converts DNSName to Website. Before simply changing the types the transform will
query port 80 on the DNS Name and see if it can get a proper HTTP response. Currently only port 80 is tested.
In upcoming versions port 443 will also be tested. The transform also populates the server type and the HTTP
ports in the additional fields.

Maltego Transforms a reference guide

Page 12

January 2011

3.3

Maltego 3 User Guide - Transforms

Version 3.0

Domain

3.3.1 To MX (mail server) [DNS]

This
his transform determines if an MX record exists for the given Domain. The MX record is the mail exchanger
record and is returned
d as an MXrecord Entity. The IP aaddress
ddress of this record gives a good indication of the
network location of the target as most organizations keep their mail close to their network. This is normally
used in the infrastructure foot printing of an organization.
The IP Address of this record gives a good indication of the network location of the target as most
organisations keep their mail close to their network. This is normally used in the infrastructure foot printing of
an organisation.

Maltego Transforms a reference guide

Page 13

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.2 To NS (name server) [DNS]

This transform determines if an NS record exists for the given Domain. The NS record is the name server
record and is returned as an NSrecord Entity. This is normally used in the infrastructure foot printing of an
organization. A note of caution - it is not uncommon for organizations to outsource their name servers to their
ISP or to the registrar of their domain. Thus - in terms of finding the network (e.g. resolving this to an IP
address) of the target this has limited value - human inspection is advised.

Maltego Transforms a reference guide

Page 14

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.3 To DNS Name [Attempt zone transfer]

This transform attempts a zone transfer (AXFR) on the Domain. If possible it extracts the Cnames and A records
from the zone as DNSName. If a zone transfer is possible then all the DNS names associated with the domain
are returned, and there is no need to brute force it anymore. The results of a successful zone transfer normally
results in a very happy analyst as resolving these DNS names to IPAddress gives a very good indication of the
network location of the target.

Maltego Transforms a reference guide

Page 15

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.4 To DNS Name [Find common DNS names]

This transform attempts to find DNS names for the specified Domain. This is done by testing a list of DNS
Names and seeing if they exist. The list of names that are tested for can be configured inside the transform. The
specified domain is appended to the name and tested. If it exists it is returned as a DNS Name.

Maltego Transforms a reference guide

Page 16

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.5 To DNS Name [Name Schema]

The transform will try several word lists (think Lord of the Rings names, planet names, colours, TLDs etc.) as
DNS names. If it finds a match in a specific word list it will try the entire word list. In this way it will try to
determine the naming schema for the domain. Note that the transform can take a while to complete - especially
when it finds a match in a long word list. The test depth per word list can be set in the transform. In the screen
shot below we see how different TLDs exists inside the domain.

Maltego Transforms a reference guide

Page 17

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.6 To Domain [Find other TLDs]

This transform will try to find domains with different TLDs by looking it up at ServerSniff
(www.serversniff.de). If you provide the domain 'funstuff.com.my' the transform will attempt to find
'funstuff.co.uk' and 'funstuff.com'. This is useful when trying to find all the domains of an organization in the
infrastructure foot printing phase. A note of caution - this transform is very heavy in terms of processing
power. It is also relatively slow (appreciate the fact that there are many millions of domains). Also results are
not guaranteed to include all known domains but it is a good trade off between speed/accuracy.

Maltego Transforms a reference guide

Page 18

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.7 To Email address [From whois info]

This transform performs a recursive whois query on the supplied domain and parses the output for email
addresses. The whois information itself is stored as a property of the supplied domain ('Domain Whois'). You
should always manually inspect this data to give context to results - or see if the parsing of the email address
failed.

Maltego Transforms a reference guide

Page 19

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.8 To Email addresses [PGP]

This transform queries a public PGP key server and asks the question - "show me all the email addresses that
ends in the supplied domain name' - results are returned as email address entities. Keep in mind that this
information might be outdated. The transform is useful for finding email addresses at a domain - an added
bonus is that we know these people communicate encrypted to others.

3.3.9 To Email addresses [using Search Engine]

This transform searches for the domain and shows related email addresses.

Maltego Transforms a reference guide

Page 20

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.10 To Emails @domain [using Search Engine]

This transform will search for email addresses containing the domain name.

Maltego Transforms a reference guide

Page 21

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.11 To Entities (NER) [Alchemy and OpenCalais] via whois

This transform performs NER (Named Entity Recognition) on the whois information extracted from the
domain and proceeds to extract person names, companies/organizations, phone numbers and locations from
the text. Please note that NER is not perfect - just go ask General Failure.

3.3.12 To Files (Interesting) [using Search Engine]

This transform will search for the locations of interesting files hosted on web sites inside the domain. The
priority for each file type can be configured as shown below:
Properties

Maltego Transforms a reference guide

Page 22

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.13 To Files (Office) [using Search Engine]

This transform will search for the locations of interesting documents (think Office[tm]) hosted on web sites
located on the domain. The priority for each file type can be configured as shown below:

Maltego Transforms a reference guide

Page 23

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.14 To Person [PGP]

This transform contacts a public PGP key server and returns Person Entities with email addresses that are
located within the given domain.
This transforms queries one of the public PGP key server and ask the question 'who do you have in your
database with email addresses that ends in the supplied domain?'. Results are returned as Person entities. The
key servers limit the results - if there are too many results the server returns no results. This transform is
useful when enumerating people working at a company. Keep in mind that the information might be outdated.

Maltego Transforms a reference guide

Page 24

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.15 To Phone Numbers [using Search Engine]

This transform will search for the given domain on search engines and shows the related phone numbers.

Maltego Transforms a reference guide

Page 25

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.16 To Phone numbers [From whois info]

This transform performs a recursive whois query on the supplied domain and parses the output for phone
numbers. The idea with the transform is to provide the phone number of the owner of the domain. The whois
information itself is stored as a property of the domain ('Domain Whois'). You should always manually inspect
this data to give context to results - or see if the parsing of the phone number failed (it is difficult to correctly
parse all forms of phone numbers).

3.3.17 To Website DNS [using Search Engine]

This transform will query search engines for websites and return them as website entities.

Maltego Transforms a reference guide

Page 26

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.3.18 To Website [Quick lookup]

This transform will do a quick look up to see if the DNS entry www.domain exists. This transform is useful
when dealing with a large amount of domain and you only need to quickly see which of them have web sites
(e.g. not try to find all possible DNS names).

3.3.19 To Website [using Search Engine]

This transform will search for the domain name and then show the web sites where the domain name occurs.

Maltego Transforms a reference guide

Page 27

January 2011

Maltego Transforms a reference guide

Maltego 3 User Guide - Transforms

Version 3.0

Page 28

January 2011

3.4

Maltego 3 User Guide - Transforms

Version 3.0

An IP version 4 address

3.4.1 To DNS Name [Other DNS names]

This transform queries two different 'historical' DNS databases to see what other DNS names are associated
with the IP
P Address. These databases are populated using various techniques. The transform is useful to find
co-hosted sites - e.g. the website (or MX, NS) of companyA could resolve to 1.2.3.4 and co-hosted
co
on that IP
address are www.companyB.com and/or companyAB.co
companyAB.com.
m. In certain cases you will find that the forward DNS
entries for the resultant DNS names are is now pointing to other IP addresses (other than the supplied one).
This simply means that changes have been made to DNS, and that the provider's database is keeping
ke
the old
information. Sometimes this is useful (as you can see that a change was made), sometimes it is annoying.

Maltego Transforms a reference guide

Page 29

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.2 To DNS Name [Reverse DNS]

This transform uses stock standard reverse DNS to determine the DNS name associated with the IP Address.
Note that not all IP addresses will reverse resolve. It is the responsibility of the owner of the netblock where
the IP resides (or whoever this task was delegated to) to populate the records. Also note that reverse DNS
entries do not have to match forward DNS - e.g. www.abc.com can resolve to 1.2.3.4 but 1.2.3.4 does not have to
resolve to www.abc.com.

3.4.3 To Domain [Sharing this MX]

This transform queries two 'historical' DNS providers to determine if this IP address is the also used by other
domains as an MX record. This type of 'reverse MX lookup' cannot be performed using standard DNS queries
and is very useful to find other domains associated with the IP number. In most cases one would work from the
actual DNS name of the MX record, but if you only have the IP address available there is no standard way of
knowing if the IP address is an MX for a domain or not. This transform gives you the ability to do this.

Maltego Transforms a reference guide

Page 30

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.4 To Domain [Sharing this NS]

This transform queries two 'historical' DNS providers to determine if this IP address is the also used by other
domains as an NS record. This type of 'reverse NS lookup' cannot be performed using standard DNS queries
and is very useful to find other domains associated with the IP number. In most cases one would work from the
actual DNS name of the NS record, but if you only have the IP address available there is no standard way of
knowing if the IP address is an NS for a domain or not. This transform gives you the ability to do this. Unlike the
'reverse MX lookup' the 'reverse NS lookup' does not always imply that the domains found have a close
relationship with the IP address as many companies and organizations outsource their DNS service.

Maltego Transforms a reference guide

Page 31

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.5 To Email address [From whois info]

This transform performs a recursive whois query on the IP address (obviously not the domain!) and parses the
output for email addresses. The idea with the transform is to provide the email address of the owner of the
network where this IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub
leased and that the whois information might not reflect this. This can easily lead to false positives. The whois
information itself is stored as a property of the IP address entity ('IP whois'). You should always manually
inspect this data to give context to results.

3.4.6 To Entities (NER) [Alchemy and OpenCalais] via whois

This transform obtains whois information of IP number and then parses it for entities using NER.

Maltego Transforms a reference guide

Page 32

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.7 To Geo location [whoisAPI]

This transform uses an API of Name Intelligence to provide the geographical location of the IP address. The
location has 3 levels of detail - these are comma separated. The first is the country, the second is the region and
the last is the city. Keep in mind that this level of detail is not always available. In fact - the API does not
guarantee that it will return any result - it's a case of best effort. We have also seen that this data can be
extremely misleading - where the location of the registrant (rather than the resource) was returned. For bulk
look ups you should consider getting your own API key.

Maltego Transforms a reference guide

Page 33

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.8 To Netblock [Blocks delegated to this IP as NS]

This transform queries Robtex's database to determine which networks have their reverse DNS delegated to
this IP address. This is a very useful transform in the infrastructure foot printing process. Keep in mind that the
IP address needs to that of a name server (that handles the reverse zones). In many cases this transforms
provides better information than simply looking at routing or whois information. This is because organizations
might have a full class B network but are only using three or four class C networks within the bigger block. In
many of these cases they will only have reverse DNS information populated for these smaller blocks - and you
can find these smaller blocks using this transform.

3.4.9 To Netblock [Natural boundaries]

This transform returns a netblock (IP range) by simply looking at the natural network boundary of the IP
address. The size of the network is determined by a transform setting ('Block size'). The size is set by default to
256 - meaning that the corresponding class C network will be returned. This size can be set to any power of
two - e.g. 1,2,4,8,16,32,64,128,256 etc. As this transform is not doing any lookups it is very fast and by setting
the block size small (making some assumptions) you can quickly get a rough idea of networks involved.
The transform can be set to ask for the network size by marking the property as a pop up:

Maltego Transforms a reference guide

Page 34

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.10 To Netblock [Using routing info]

This transform will determine what network (range of IP addresses) the IP number resides in by looking at
routing information on the Internet. This does not mean that the entire resulting network belongs to the owner
of the IP address (keep in mind that in many cases it might be hosted environment). See also the other
ToNetblock transform for making more precise estimations of network sizes and/or owners.

Maltego Transforms a reference guide

Page 35

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.11 To Netblock [Using whois info]

This transform determines the associated network (IP range) of an IP address by doing a recursive whois
lookup and parsing the resultant information. Keep in mind that in many cases smaller blocks of IP addresses
are sub leased and that the whois information might not reflect this. This can easily lead to false positives. The
whois information itself is stored as a property of the IP address entity ('IP whois'). You should always
manually inspect this data to give context to results.

Maltego Transforms a reference guide

Page 36

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.4.12 To Telephone Number [From whois info]

This transform performs a recursive whois query on the IP address and parses the output for telephone
numbers. The idea with the transform is to provide the phone number of the owner of the network where this
IP address resides. Keep in mind that in many cases smaller blocks of IP addresses are sub leased and that the
whois information might not reflect this. This transform is useful when you have a list of networks and want to
see which ones belong to the same organization. The whois information itself is stored as a property of the IP
address entity ('IP whois'). You should always manually inspect this data to give context to results.

3.4.13 To Website where IP appears [using Search Engine]

This transform will search for the IP Address and show the sites where it occurs.

Maltego Transforms a reference guide

Page 37

January 2011

Maltego Transforms a reference guide

Maltego 3 User Guide - Transforms

Version 3.0

Page 38

January 2011

3.5

Maltego 3 User Guide - Transforms

Version 3.0

MX record (mail
record))
(mail exchange record

3.5.1 To Domain [DNS]

This transform
sform extracts the domain from a MX record entity. The domain in a DNS Name like 'mx.google.co.uk'
would be 'google.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs
are really not that useful it is not returne
returned.

3.5.2 To Domains [Sharing this MX]

This transform is used on a MX record. It determines which other domains use this DNS Name as an MX record.
This is very useful in the infrastructure footprint of an organization as it ccan
an reveal other domains that the
organization uses. If company X's Domain all have MX records pointing to a single DNS name this transform can
find all (or most) of these domains.

Maltego Transforms a reference guide

Page 39

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.5.3 To IP Address [DNS]

This transform resolves a MX record to an IP address using plain old DNS.

Maltego Transforms a reference guide

Page 40

January 2011

3.6

Maltego 3 User Guide - Transforms

Version 3.0

DNS name server record

3.6.1 To Domain [DNS]

This transform extracts the domain from a NS record entity. The domain in a DNS Name like 'mx.google.co.uk'
would be 'google.co.uk'
le.co.uk' and 'co.uk' (and 'uk' if you really want to be precise). Because these TLDs and sub TLDs
are really not that useful it is not returned.

3.6.2 To Domains [ Sharing this NS]

This transform runs on an NS record. It de
determines which other domains use this DNS Name as a name server.
This is very useful in the infrastructure footprint of an organisation as it can reveal other domains that the
organisation uses. If company X's Domains all have NS records pointing to a single DNS name this transform

Maltego Transforms a reference guide

Page 41

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
can find all (or most) of these domains. A word of caution - if the target is hosting its name servers at an ISP
then you will end up with a list of domains that hosted by the ISP - normally not the most exciting result.

3.6.3 To IP Address [DNS]

This transform resolves a NS record to an IP address using plain old DNS.

3.6.4 To Netblock [Blocks delegated to this NS]

This transform works on NSrecords. It determines if the particular name server has any Netblock reverse DNS
delegated to it. This is useful for finding Netblock of an organization. What's interesting about the results of this
Maltego Transforms a reference guide

Page 42

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
etblock), but, in reality are only
transform is that an organization might have a class B network (a fairly large netblock),
using a couple of class Cs (smaller netblocks) within that block. In many cases they will only populate the
reverse DNS of these smaller blocks and delegate it to their name servers. The transform will show these
smaller blocks.

3.7

Netblock

3.7.1 To AS number
This transform determines the Autonomous System (AS) number of the supplied network. This is useful for
determining if two (or more)
ore) networks are related. If two networks are in the same AS (e.g. have the same AS
number) we can say they are at least loosely routed to the same destination. If the networks belong to an
organization (as opposed to belonging to an ISP that is splitting the network into smaller networks and leasing
them to clients) we get a good indication that both networks belong to the same organization.

Maltego Transforms a reference guide

Page 43

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.7.2 To DNS Names in netblock [Reverse DNS]

This transform will ask for all historical DNS records on file for the supplied network. It gets a bit messy - what
happens when you have a class B network? As such the providers have limitations. Robtex wont return reverse
DNS entries for networks larger than 2048 IPs (that's 4 class Cs) and Serversniff won't be impressed if you run
a block larger than a class B. Keep in mind that you need to adjust your slider accordingly (if your slider is on
the first notch and you reverse a class C you'll only get 12 entries back). Also - note that this information comes
from a database - so it might not always be up to date. The transform can take a while to run - so be patient. It
still beats doing it manually...

Maltego Transforms a reference guide

Page 44

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.7.3 To Entities (NER) [Alchemy and OpenCalais via whois

This transform obtains whois information of netblock (well the first IP in the block), then parses it for entities
using NER.

3.7.4 To Geo location

This transform takes the first IP number in the range and performs the 'IP address to Geo location' on it. The
transform uses an API of Name Intelligence to provide the geographical location of the IP address. The location
has 3 levels of detail - these are comma separated. The first is the country, the second is the region and the last
is the city. Keep in mind that this level of detail is not always available. In fact - the API does not guarantee that
it will return any result - it's a case of best effort. We have also seen that this data can be extremely misleading where the location of the registrant (rather than the resource) was returned. For bulk lookups you should
consider getting your own API key.

Maltego Transforms a reference guide

Page 45

January 2011

3.8

Maltego 3 User Guide - Transforms

Version 3.0

URL

3.8.1 To Email Addresses [Found on web page]

This transform will connect to the website wher
wheree the URL (web page) is hosted, download the particular page /
URL and parse it for email addresses. Results are returned as email address entities. The transform is useful
when you are looking for results on a specific page, not an entire site.

Maltego Transforms a reference guide

Page 46

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.8.2 To Entities (NER) [OpenCalais and Alchemy API]

This transform performs NER (Named Entity Recognition) on the URL and extracts person names,
companies/organizations, phone numbers and locations from the text. If the URL points to a document, it will
try to convert to text and perform NER on the resultant text. Entities extracted are: location, persons name,
organization or company.

Maltego Transforms a reference guide

Page 47

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.8.3 To Phone number [Found on this web page]

This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and parse it for phone numbers. Results are returned as phone number entities. The transform is useful
when you are looking for results on a specific page, not an entire site.

Maltego Transforms a reference guide

Page 48

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.8.4 To URL [incoming links found to this web page]

This transform finds the incoming URLs to an URL by looking on a search engine.

Maltego Transforms a reference guide

Page 49

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.8.5 To Website [Convert]

This transform simply extracts that website's name from the URL. This is useful when you have a lot of URLs
(that came from other transforms) and need to see which URLs are on the same site.

3.8.6 To Website [Links on this web page]

This transform will connect to the website where the URL (web page) is hosted, download the particular page /
URL and look for links from that page. Results are returned as websites entities with embedded URLs. The
transform is useful when you are looking for links on a specific page, not an entire site.

Maltego Transforms a reference guide

Page 50

January 2011

3.9

Maltego 3 User Guide - Transforms

Version 3.0

Website

3.9.1 Mirror: Email addresses found

This transform will make a (partial) mirror of the web site and extract all email addresses found on the site.
The slider plays a big role in this transform as it set the time
time-out
out for the mirroring process. The higher (to the
right) the slider is set, the deeper the mirroring process will go, and hopefully, the more results you'll get. The
process runs via a caching server (that is local on the box) which means that you wont be doing the data
transfer to the site twice (if you run the transform again) - expect of course if the first round did not manage to
get the entire site. Also keep in mind that not all sites are mirror friendly. Flash base
based
d sites will give problems

Maltego Transforms a reference guide

Page 51

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
as will sites with exotic JavaScript menus and redirects. Email addresses that are obfuscated using nonstandard techniques will also not be picked up.

3.9.2 Mirror: External links found

This transform will make a (partial) mirror of the web site and extract all external links found on the site these will be returned as website entities. The slider plays a big role in this transform as it set the time-out for
the mirroring process. The higher (to the right) the slider is set, the deeper the mirroring process will go, and
hopefully, the more results you'll get. The process runs via a caching server (that is local on the box) which
means that you wont be doing the data transfer to the site twice (if you run the transform again) - expect of
course if the first round did not manage to get the entire site. Also keep in mind that not all sites are mirror
friendly. Flash based sites will give problems as will sites with exotic JavaScript menus and redirects.

3.9.3 To Domains [DNS]

This transform will return the domain of the supplied website. The transform will also return any sub domains
- all the way to the sub TLD. This means that if a web site with the name www.duh.moo.co.za is supplied the
transform will return the domains duh.moo.co.za and moo.co.za, but not co.za (sub TLD) or za (TLD).
Maltego Transforms a reference guide

Page 52

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.9.4 To IP Address [DNS]

This is a very simple transform - it simply resolves the website's IP address.

3.9.5 To URLs [show Search Engine results]

When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email address, links or phone numbers.

Maltego Transforms a reference guide

Page 53

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.9.6 To Website [Incoming links to site]

The transforms queries search engines to determine what sites links to the supplied website. This is useful in
combination with 'To websites using Mirror' - which will give an idea of what goes into a site (e.g. links to the
site) and what comes out of a site (e.g. links from the site).

Maltego Transforms a reference guide

Page 54

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

3.9.7 To Website [Replace with thumbnail]

This transform will ask Thumbshot.org if it has a small image (thumbnail) of the site's front page and if so it
will change the entity's icon to it. This is useful when working with huge amounts of web sites that appear to
have the same branding - it gives the user the ability to quickly visually see which sites are branded in a similar
manner.

3.9.8 To Website title

This transform will return the title of the site's front page as a web title entity. It will do it's best to follow
JavaScript redirects, 302 redirects and others until it ends on a page with a title. Of course it cannot extract
titles for ALL websites - some do not have titles, are Flash based or performs some exotic Javascripting. The
transform is useful when dealing with loads of web sites that appear to belong to the same organization.
Running this transform and looking at web site titles that match (or simply using Find and looking for
keywords) makes it easy to find and group sites.

Maltego Transforms a reference guide

Page 55

January 2011

Maltego Transforms a reference guide

Maltego 3 User Guide - Transforms

Version 3.0

Page 56

January 2011

Personal

4.1

Document

Maltego 3 User Guide - Transforms

Version 3.0

4.1.1 Parse meta information

This transform downloads the document at the specified URL and extracts the meta information from it.
Maltego tries to map the meta data to Person, Phrase and EmailAddress, but in some cases the information is
not correctly populated within the document itself. Visual inspection of the resultant entities are
ar advised. The
following fields are extracted from the document:

Company->Phrase

Creator->Phrase

Keywords->Phrase

Author->Person

LastSavedBy->Person

AuthorEmail->Email address

AuthorEmailDisplayName->Email
>Email address

Maltego Transforms a reference guide

Page 57

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.1.2 To URL [Show SE results]

When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email address, links or phone numbers.

Maltego Transforms a reference guide

Page 58

January 2011

4.2

Maltego 3 User Guide - Transforms

Version 3.0

Email

4.2.1 To Domain [DNS]

This transform will simply return the domain of the email address - e.g. if the input is [email protected] it will
return kramer.com. This is useful when you have a lot of email addresses and what to see which ones are
located in the same domain.

4.2.2 To Email Addresses [PGP (signed)]

This transform contacts a public PGP keyserver aand
nd retrieves the email addresses of signers for the given
address.

Maltego Transforms a reference guide

Page 59

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.2.3 To Email Addresses [PGP]

This transform will query one of the public PGP key server and will return other email addresses that uses the
same public key. This is very useful to find alternative email addresses for an individual. Keep in mind that this
information might be outdated.

4.2.4 To Email Addresses [using Search Engine]

This transform will search for the email address and show related email addresses.

Maltego Transforms a reference guide

Page 60

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.2.5 To Person [PGP]

Most email addresses map 1:1 to a person. Unlike the 'Email address from Name using PGP' this transforms
gives you a clear indication of who the email address belongs to. The transform queries a public PGP key server
to obtain this information.

4.2.6 To Phone number [using Search Engine]

This transform will search for the given email address and show the related telephone numbers.

Maltego Transforms a reference guide

Page 61

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.2.7 To URLs [Show search engine results]

When running any of the search engine transforms (*_SE) on an entity the search results (each URL) are
collected within the entity itself. This transform generates separate URL type entities from each result. This
allows you to now perform transforms on each URL - like mining for email address, links or phone numbers.

4.2.8 To Website [using Search Engine]

This transform will search for the email address and shows the sites where it occurs.

Maltego Transforms a reference guide

Page 62

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.2.9 Verify email address exists [SMTP]

Verify Email address must first be activated in Transform Manager by accepting disclaimer. This transform
verifies that an email address really exists. It's one of the more interesting transforms. It works as follows - as a
start the transform finds the right MX (mail server) record for the domain. It then connects to port 25 (SMTP)
of the host. The transforms starts the normal SMTP conversation - it issues a HELO (paterva.com) and a MAIL
FROM ([email protected]) SMTP commands. Before testing for the supplied email
address it issues a RCPT TO with an email address that does not exist (it tests for thisisreallynothere@domain).
If the error message indicates that the address is not there the transform knows that it can test for the supplied
email address. If no error is returned during this 'baseline' test the transform returns 'Inconclusive'.
The transform does not return new entities as a result - it returns the same entity but it adds a label to the
supplied email address indicating if it could verify it. Note that not all mail servers allow you to verify
addresses in this way. Because this transform transacts with the mail server (and this is not considered very
passive) this transform contains a disclaimer that explains the situation.

Maltego Transforms a reference guide

Page 63

January 2011

4.3

Maltego 3 User Guide - Transforms

Version 3.0

Person

4.3.1 To Email Address [PGP]

This transform queries a public PGP key server to see if the person's name eexists
xists in the key database. It returns
entries as email address entities. Some things to keep in mind - if the name is very common (John Smith) you
are going to get a lot of false positives. Also - the information kept in the database might be out of date. This
transform is useful to get long forgotten email addresses for people with an unique name / surname
combination.

Maltego Transforms a reference guide

Page 64

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.3.2 To Email Address [Verify common]

This transform will test on common free mail provider for combinations of the person's name. This transform
only works with mail servers that will report failed recipients with a 550 code and verified recipients with a
250 code. Not all mail servers do this - as example Yahoo does not! Also note that this transform makes a TCP
connection to the given entity's MX record!
This transforms uses the techniques used in the EmailAddressToEmailAddress Verify transform. Since this
gives us the ability to verify if an email address exists we can expand the idea to test for combinations of first
name / last name on popular email providers - like Gmail and Hotmail. The providers (domains) where the
transform test is configurable - e.g. you can add/remove domains be changing the 'Domains to check'
additional transform setting. There is one difficulty here - not all mail servers falls for the verification trick. As
such you cannot randomly add domains here - be sure to test if email addresses can be verified using the
verification transform first.

Maltego Transforms a reference guide

Page 65

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.3.3 To Email Address [using Search Engine]

This transform searches for the person's most likely email address.

Maltego Transforms a reference guide

Page 66

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.3.4 To Person [PGP (signed)]

This transform queries a public PGP key server and asks the question 'show me the names of persons that the
owner of the supplied email address have signed'. This is useful for determining trust relationships between
people. The transform shows you these people communicated encrypted (or at least exchanged keys). Keep in
mind that the information in the database could be outdated.

4.3.5 To Phone Number [using Search Engine]

This transform searches for the person's associated telephone numbers.

Maltego Transforms a reference guide

Page 67

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.3.6 To Website [using Search Engine]

This transform shows sites where various permutations of the person's name was found. Youll see a pop up
asking for a Domain or TLD and an additional search term.

Maltego Transforms a reference guide

Page 68

January 2011

Maltego Transforms a reference guide

Maltego 3 User Guide - Transforms

Version 3.0

Page 69

January 2011

4.4

Maltego 3 User Guide - Transforms

Version 3.0

Phone Number

4.4.1 To Email Address [using Search Engine]

This transform searches for the telephone number and returns related email addresses.

4.4.2 To Phone Number [using Search Engine]

This transform searches for the telephone number and ret
returns
urns related email addresses.

Maltego Transforms a reference guide

Page 70

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.4.3 To URL [Show Search Engine results]

This transform just dumps the URLs collected from the search engine. When running any of the search engine
transforms (*_SE) on an entity the search results (each URL) are collected within the entity itself. This
transform generates separate URL type entities from each result. This allows you to now perform transforms
on each URL - like mining for email address, links or phone numbers.

Maltego Transforms a reference guide

Page 71

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.4.4 To Website [using Search Engine]

This transform searches for the telephone number and returns related sites.

4.5

Phrase

4.5.1 To Email Addresses [using Search Engine]

This transform will search for the phrase
hrase and show related email addresses.

Maltego Transforms a reference guide

Page 72

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.5.2 To Entities (NER) [Alchemy and OpenCalais]

The transform actually packages a set of smaller transforms - all in one. It searches for the entered keyphrase,
extracts all URLs from the results, then 'visits' each page and performs NER (Named Entity Recognition) on
each page. For this reason the transform can take quite a while to finish and is very resource intensive. The
result is the top list of people, places, email addresses, company/organization names (as phrases) associated

Maltego Transforms a reference guide

Page 73

January 2011

Maltego 3 User Guide - Transforms

with the phrase.

Version 3.0

4.5.3 To Files (Interesting) [using Search Engine]

This transform will search for the given phrase and show interesting files containing the term. As with the
Domain to Files transform the priority of file types can be configured.

Maltego Transforms a reference guide

Page 74

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.5.4 To Files (Office) [using Search Engine]

This transform will search for the given phrase and show documents (Office[tm]) containing the term. As with
the Domain to Files transform the priority of file types can be configured.

Maltego Transforms a reference guide

Page 75

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.5.5 To Telephone numbers [using Search Engine]

This transform will search for the phrase and shows the related telephone numbers.

Maltego Transforms a reference guide

Page 76

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.5.6 To Tweets [Search Twitter]

This transform will search Twitter for the supplied phrase. The transform returns Tweets that contains the
phrase. From these entities you can dig deeper - e.g. looking who wrote it, and what URLs it contains. To search
for more than one word put the phrase in quotes. E.g "economic gardening".

Maltego Transforms a reference guide

Page 77

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.5.7 To Website [using Search Engine]

This transform will search for the given phrase and show the sites where the phrase occurs. This is basically
the same as searching for the phrase on a search engine.

Maltego Transforms a reference guide

Page 78

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.5.8 To related phrase

This transform will search for the phrase on the configured search engine and return a list of keywords found.
The keywords are related to the search term. You can use the transform to get a quick idea of what the search
term is about - like scanning the first couple of pages of a search engine result by hand. The '!Q&D!' part of the
transform description is really for 'Quick and Dirty' - meaning that no scientific approach was used to get the
results (it's more a try, try, try again approach). The transform was actually experimental at first, but since it
sometimes gives interesting results we kept it in.

Maltego Transforms a reference guide

Page 79

January 2011

4.6

Maltego 3 User Guide - Transforms

Version 3.0

Twit

4.6.1 To Twitter Affiliation [Convert]

This transform will convert a Twit to a Twitter Affiliation entity by simply converting it.

4.6.2 To URL(s) [Found in these Tweets]

This transform will try to mine URL from T
Tweets,
s, also expanding the tiny URLs where possible.

Maltego Transforms a reference guide

Page 80

January 2011

Maltego Transforms a reference guide

Maltego 3 User Guide - Transforms

Version 3.0

Page 81

January 2011

4.7

Maltego 3 User Guide - Transforms

Version 3.0

Affiliation Twitter

4.7.1 To AffTwitter [Get details of ID holder]

This transform will find detail about the Twitter entity.

4.7.2 To AffTwitter
fTwitter [This person received Tweets from ?]
This transform will find people that wrote Tweets TO the selected person.

Maltego Transforms a reference guide

Page 82

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.7.3 To AffTwitter [This person wrote Tweets to ?]

This transform people that the selected person wrote Tweets TO.

Maltego Transforms a reference guide

Page 83

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.7.4 To Person [Convert]

This transform will convert the Affiliation to a person, with the alias in the 'additional' field.

4.7.5 To Tweets [That this person wrote]

This transform will find more Twitter posts from the same user.

Maltego Transforms a reference guide

Page 84

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.7.6 To Tweets [Written to this person]

This transform will find Tweets from other people to the selected author.

4.7.7 To followers of this person

This transform will find followers of the selected person.

Maltego Transforms a reference guide

Page 85

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

4.7.8 To friends of this person

This transform will find friends of the selected person.

Maltego Transforms a reference guide

Page 86

January 2011

Maltego Transforms a reference guide

Maltego 3 User Guide - Transforms

Version 3.0

Page 87

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

Maltego 3 Client Transforms - Overview

Overview

Along with the standard entities there are various transforms that can be used and that come
preconfigured with Maltego. This section provides an overview of these standard transforms.

5.1

Infrastructure

5.1.1 Internet Autonomous System (AS)

1. ASNumberToNetblocks_Robtex. This transform shows which routes are located within an AS number by
looking it up on RobTex (www.robtex.com).

5.1.2 Domain Name System server name

1. DNSNameToDomain_DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and
SLD.
2. DNSNameTOIPAddress_DNS. This transform resolves a DNS name to an IP address using plain old DNS.
3. DNSNameTOWebsite_QueryPorts. This transform determines if a DNS Name is a Web Site by checking for
responsive HTTP(s) ports. This version only checks port 80.

Maltego Transforms a reference guide

Page 88

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

5.1.3 Internet Domain

1. DomainToMXrecord_DNS. This transform will find the MX records (mail servers) of a domain.
2. DomainToNSrecord_DNS. This transform will find the NS records (name servers) of a domain.
3. DomainToDNSName_ZT. This transform will attempt to perform a zone transfer a returns A and Cname
records - done via Serversniff (www.serversniff.de).
4. DomainToDNSName_DNSBrute. This transform will try to discover various common DNS Names in a
domain.
5. DomainToDNSName NameSchema. This transform will attempt to determine the naming schema of the
domain - e.g. Lords of the Rings, Planets, Trees etc.
6. DomainToDomain_TLD. This transform will try to find domains with different TLDs by looking it up at
ServerSniff (www.serversniff.de).
7. DomainToEmailAddress Whois. This transform obtains whois information of the IP number, then parses it
for email addresses.
8. DomainToEmailAddress PGP. This transform contacts a public PGP keyserver and retrieves email
addresses containing the given domain.
9. Search Engine. This transform searches for the domain and shows related email addresses.
10. Search Engine. This transform will search for email addresses containing the domain name.
1. DomainToEntities Whois NER. This transform obtains whois information of the domain then parses it for
entities using NER.
2. Search Engine. This transform will search for the locations of interesting files hosted on web sites inside the
domain.
3. Search Engine. This transform will search for the locations of interesting documents (think Office[tm])
hosted on web sites inside the domain.
4. DomainToPerson PGP. This transform contacts a public PGP key server and returns Person Entities with
email addresses that are located within the given domain.
5. Search Engine. This transform will search for the given domain and shows the related phone numbers.
6. DomainToPhone Whois. This transforms obtains whois information of the given domain, then parses it for
telephone numbers.
7. Search Engine. This transform will query a search engine for websites and return them as website entities.

Maltego Transforms a reference guide

Page 89

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
8. DomainToWebsite DNS. This transform will quickly see if there is a www.DOMAIN entry. Useful when used
in bulk.
9. Search Engine. This transform will search for the domain name and then show the web sites where the
domain name occurs.

5.1.4 IP version 4 address

1. IPAddressToDNSName SharedIP. This transform performs a reverse lookup on an IPAddress (typically

belonging to a web site) by looking it up on ServerSniff and Robtex.
2. IPAddressToDNSName DNS. This transform reverse resolves an IP address to a DNS name using plain old
DNS.
3. IPAddressToDomain SharedMX. This transform performs lookups on both ServerSniff and RobTex to see
which domains share the same IP number as a MX record.
4. IPAddressToDomain SharedNS. This transform performs lookups on both ServerSniff and RobTex to see
which domains share the same IP number as a NS record.
5. IPAddressToEmailAddress Whois. This transform obtains whois information of IP number, then parses it
for email addresses.
6. IPAddressToEntities Whois NER. This transform obtains whois information of IP number, then parses it for
entities using NER.
7. IPAddressToLocation WhoisAPI. This transforms comes preconfigured with an API key which has limited
use per day. Please consider getting your own API key at http://xml-api.domaintools.com/ .
8. IPAddressToNetblock NS4block. This transform will contact Robtex and determine if the IP number has
any reverse DNS netblocks has been delegated to it.
9. IPAddressToNetblock Cuts. This transform will carve a netblock from an IP - counting a certain number of
IPs up and down.
10. IPAddressToNetblock SS. This transform determines the network block that an IP address belong to by
looking ar routing tables at ServerSniff.
1. IPAddressToNetblock Whois. This transform will get the netblock via the whois service
(ARIN/APNIC/LACNIC/AFRINIC/RIPE).
2. IPAddressToPhone Whois. Transforms obtains whois information of IP number, then parses it for telephone
numbers.
3. Search Engine. This transform will search for the IP Address and show the sites where it occurs.

Maltego Transforms a reference guide

Page 90

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

5.1.5 Location on mother earth

There are no transforms included by default that can be run on a location. Some transforms may however return a
location as a result.

5.1.6 DNS mail exchange record

1. MXrecordToDomain DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and
SLD.
2. MXrecordToDomain SharedMX. This transform determines which other domains uses the same DNS name
as MX record by looking it up on ServerSniff and RobTex.
3. MXrecordToIPAddress_DNS. This transform resolves a MX record to an IP address using plain old DNS.

5.1.7 DNS name server record

Maltego Transforms a reference guide

Page 91

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
1. NSrecordToDomain DNS. This transform extracts all the domains from a DNS Name - it excludes TLDs and
SLD.
2. NSrecordToDomain SharedNS. NS record by looking it up on ServerSniff and RobTex. As byproduct you'll
also get netblocks for which this nameserver is primary server - where applicable.
3. NSrecordToIPAddress_DNS. This transform resolves a NS record to an IP address using plain old DNS .
4. NSrecordToNetblock_NS4block.This transform will contact Robtex and determine if the NS record has any
(reverse) DNS netblocks delegated to it.

5.1.8 Netblock

1. NetblockToAS SS. This transforms determines the AS number of the netblock by looking it up at ServerSniff .
2. NetblockToDNSName SS. This transform contacts ServerSniff and Robtex and asks it for DNS Names it found
in the given netblock.
3. NetblockToEntities NER Whois. This transform obtains whois information of netblock (well the first IP in
the block), then parses it for entities using NER.
4. NetblockToLocation SS.This transforms determines the country location of the netblock.

5.1.9 URL

1.
2.
3.
4.
5.
6.

URLToEmail Parse. This transform finds the email addresses on the URL.
URLToPerson NLP. This transform uses Natural Language Processing (NLP/NER) to extract entities.
URLToPhoneNumber Parse. This transform finds the phone numbers on the URL
URLToURL IncomingLinks. This transform finds the incoming URLs to an URL by looking on a search engine.
URLToWebsite Convert. This transform converts an URL to a website.
URLToWebsite Parse. This transform looks for outgoing links on the URL and show them as websites.

Maltego Transforms a reference guide

Page 92

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

5.1.10 Website

1. WebsiteToEmailAddress Mirror. This transform uses Gary's Ruby website mirror to spider the site and
extract email addresses.
2. WebsiteToWebsite Mirror. This transform uses Gary's Ruby website mirror to spider the site and extract
links.
3. WebsiteToDomain DNS. This transform extracts all the domains from a website - it excludes TLDs and SLD.
4. WebsiteToIPAddress DNS.This transform resolves a Website to an IP address using plain old DNS.
5. WebsiteToURL Expand. This transform just dumps the URLs collected from a search engine.
6. WebsiteToWebsite Incominglinks.This transform finds the incoming links to a website by looking for
incoming links on a search engine.
7. WebsiteToWebsite Thumb. This transform gets a thumbnail of the website using Thumbshot.org
8. WebsiteToWebTitle Mech. This transform will attempt to get the title of the website. It tries to follow all
redirects.

5.2

Personal

5.2.1 Document

1. DocumentToPersonEmail_Meta. This transform extracts the meta information from the document and then
parses it for username (persons) and/or email addresses.
2. DocumentToURL Dump. This transform just dumps the URL of the Document for further use.

Maltego Transforms a reference guide

Page 93

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

5.2.2 Email

1. EmailAddressToDomain DNS. This transform will remove the part in front of the @ sign of the given
address.
2. EmailAddressToEmailAddress SignedPGP. This transform contacts a public PGP keyserver and retrieves
the email addresses of signers for the given address.
3. EmailAddressToEmailAddress SamePGP. This transform contacts a public PGP keyserver and retrieves
alternative email addresses for the given address.
4. Search Engine. This transform will search for the email address and show related email addresses.
5. EmailAddressToPerson Same PGP. This transform contacts a public PGP keyserver and retrieves the
person's name for the given address.
6. Search Engine. This transform will search for the given email address and show the related telephone
numbers.
7. EmailAddressToAff Rapleaf. (Removed).
8. EmailAddressToURL Expand. This transform just dumps the URLs collected from the search engine.
9. Search Engine. This transform will search for the email address and shows the sites where it occurs.
10. EmailAddressToEmailAddress Verify. This transform simply connects to the relevant mail server and
checks to see if the email address exists. The results are passed back in the same entity - as a label.

5.2.3 Person

1. PersonToAff Spock. (Removed)

2. PersonToEmailAddress SamePGP. This transform contacts a public PGP keyserver and retrieves the
person's email address - if it exists.
3. PersonToEmailAddress Common. This transform will test on common free mail provider for combinations
of the person's name. This transform only works with mail servers that will report failed recipients with a
550 code and verified recipients with a 250 code. Not all mail servers do this - as example Yahoo does not!
Also note that this transform makes a TCP connection to the given entity's MX record!
Maltego Transforms a reference guide

Page 94

January 2011
Maltego 3 User Guide - Transforms
Version 3.0
4. Search Engine. This transform searches for the person's most likely email address.
5. PersonToPerson PGP. This transform contacts a public PGP keyserver and returns the names of people that
signed the given person's key.
6. Search Engine. This transform searches for the person's associated telephone numbers.
7. Search Engine. This transform shows sites where various permutations of the person's name was found.

5.2.4 Phone Number

1.
2.
3.
4.

Search Engine. This transform searches for the telephone number and returns related email addresses.
Search Engine. This transform searches for the telephone number and returns related phone numbers.
PhoneNumberToURL Expand. This transform just dumps the URLs collected from the search engine.
Search Engine. This transform searches for the telephone number and returns related sites.

5.2.5 Phrase

1. Search Engine. This transform will search for the phrase and show related email addresses.
2. PhraseToPhrase OpenCalais. Looking for entities in the actual document.
3. Search Engine. This transform will search for the given phrase and show interesting files containing the
term.
4. Search Engine. This transform will search for the given phrase and show documents (Office[tm]) containing
the term.
5. (Removed).
6. Search Engine. This transform will search for the phrase and shows the related telelphone numbers.
7. PhraseToTwit Search. This transform will search Twitter for a phrase and shows relevant entries.
8. Search Engine. This transform will search for the given phrase and show the sites where the phrase occurs.
9. PhraseToPhrase RT. Looking for key phrases.

Maltego Transforms a reference guide

Page 95

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

5.2.6 Twit

1. TwitToPerson Parse. This transform will convert a Twit to a Twitter Affiliation entity by simply converting
it.
2. TwitToURL Expand. TThis transform will try to mine URL from Tweets, also expanding the tiny URLs.

5.2.7 Affiliation Facebook

There are no transforms included by default that can be run on Affiliation - Facebook. Some transforms may
however return an Affiliation - Facebook as a result.

5.2.8 Affiliation LinkedIn

There are no transforms included by default that can be run on Affiliation - LinkedIn. Some transforms may
however return an Affiliation - LinkedIn as a result.

Maltego Transforms a reference guide

Page 96

January 2011

Maltego 3 User Guide - Transforms

Version 3.0

5.2.9 Affiliation Twitter

1. AffTwitterToAffTwitter GetDetail. This transform will find detail about the Twitter entity.
2. AffTwitterToAffTwitter RecFrom. This transform will find people that wrote Tweets TO the selected
person.
3. AffTwitterToAffTwitter WritesTo. This transform people that the selected person wrote Tweets TO.
4. AffTwitterToPerson. This transform will convert the Affiliation to a person, with the alias in the
'addditional' field.
5. AffTwitterToTwit Sameperson. This transform will find more Twitter posts from the same user.
6. AffTwitterToTwit OtherAuthors. This transform will find Tweets to other people from the selected author.
7. AffTwitterToAffTwitter Followers. This transform will find followers of the selected person.
8. AffTwitterToAffTwitter Friends. This transform will find friends of the selected person.

Maltego Transforms a reference guide

Page 97