Cyber OSINT Coding Python Transforms for Maltego Libre

Maltego

にどなぬ/どね

TRXWritingPythontransforms(forusewiththeTDS)RT

TRX

Table of Contents )ntroduction–whyusetheTDS?......................................................................................................................................ねWhatisTRX?.........................................................................................................................................................................のArchitectureoftheTDS.........................................................................................................................................................のDevelopingtransformsfortheTDS.................................................................................................................................はPublicallyavailableTDS...................................................................................................................................................は)nternal/privateTDS.........................................................................................................................................................はThefutureoftheTDS.............................................................................................................................................................はFunctionalityoftheNTDS...............................................................................................................................................はPricingmodeloftheNTDS..............................................................................................................................................ばDevelopmentenvironments...............................................................................................................................................ばP(P...........................................................................................................................................................................................ばPython.....................................................................................................................................................................................ばPreppingaserverforusewiththeTDSゅPythonょ......................................................................................................ば)nstallApacheに....................................................................................................................................................................ば)nstallmod_wsgi..................................................................................................................................................................ば)nstallbottle..........................................................................................................................................................................ばCopy&extractTRXfiles...................................................................................................................................................ぱEditApacheconfiguration...............................................................................................................................................ぱ)nstallTRXfiles....................................................................................................................................................................ぱRestartApacheに..................................................................................................................................................................ぱSettinguptheTDStousetheexampletransformゅDNSに)Pょ.................................................................................ひSettingupaseed.................................................................................................................................................................ひSettingupthetransform................................................................................................................................................などSettingupMaltegotousethesampletransform.................................................................................................ななUnderthehood.......................................................................................................................................................................なのDebuggingtransforms.........................................................................................................................................................なはChangingtothebottleserver..................................................................................................................................なはDeployingtransformswithApache......................................................................................................................なばMultipleseeds...............................................................................................................................................................なばComponentsofTRX..............................................................................................................................................................なばdebugTRX_Server.py.......................................................................................................................................................なばTransformlibraryゅe.g.DNSTRANSFORMS.pyょ....................................................................................................なぱ

TRX

Maltegolibraryゅmaltego.pyょ.......................................................................................................................................なひUsingTRX..................................................................................................................................................................................なひBasicuse...............................................................................................................................................................................なひUsingDisplay)nfo.............................................................................................................................................................ににLinkproperties,bookmarksandnotes....................................................................................................................にのEntityproperties...............................................................................................................................................................にばStaticvs.dynamicproperties..................................................................................................................................にばAquicknoteonentitydesign..................................................................................................................................にばCalculatedproperties.................................................................................................................................................にぱPropertytypes...............................................................................................................................................................にぱReadingproperties...........................................................................................................................................................にぱAddingdynamicproperties..........................................................................................................................................にひUsingtransformsettings...............................................................................................................................................ぬに)ntroduction...................................................................................................................................................................ぬにTransformsettingtypes............................................................................................................................................ぬのUsingtransformsettingsinTRX............................................................................................................................ぬのConclusion...........................................................................................................................................................................ぬひEntityreference......................................................................................................................................................................ねどVに/VぬConfusion...............................................................................................................................................................ねどCalculatedproperties......................................................................................................................................................ねど)nheritance..........................................................................................................................................................................ねなWhyarewestuckwithVにproperties?....................................................................................................................ねなEntityreferenceguide....................................................................................................................................................ねにTheTRXMaltego.pyAP).................................................................................................................................................ねばMaltegoMsgclass..............................................................................................................................................................ねばMaltegoTransformclass.................................................................................................................................................ねばMaltegoEntityclass..........................................................................................................................................................ねぱ

TRX

Introduction – why use the TDS? ThereareseveralwaystoaddcustomtransformstoMaltego.Oneoptionistouselocaltransforms.Localtransformsareaneasywaytogetgoingbuthasseveraldrawbacksinthelongterm:な. Codebaseneedstobeinstalledonlocalmachine.a. )nmanycasesthismeansinstallingthedevelopmentenvironmentonlocalmachineゅthinkPython,P(P,PERLょ.b. ThismakesitdifficulttoinstallontheclientPCandmeansmoremovingparts.c. Every transform needs to bemanually registered on theMaltego GU) orMaltegoconfiguration files needs to be patched. While this is feasible it might not bebackwardcompatiblewithfuturereleasesofMaltego.d. ThecodeneedstobemaintainedforeveryinstallationofMaltego.Achangeinthetransformcodemeansithastobere‐installedoneachMaltegoclient..に. Limitedfunctionality/accesstoMaltegofeatures.Thefollowingfeaturesarenotexposedtolocaltransforms:a. Slidervalue–theusercannotlimithowmanyresultsarereturned.b. Transformsettings–cannotaccessanytransformsettings.Transformsettingsarethepop‐upsaskingtheusertoconfigureatransformpriortorunningit.c. Notes/linklabels/bookmarking.Accesstothesefieldswilllikelyberemovedfromlocaltransformsinfuture.d. Metadatasuchasdisclaimersetc.ぬ. Whentransformsdependonぬrdpartysoftwaretheseneedtobeinstalledandmaintainedacross all clients. )t is not always feasible to install this type of software on each type ofplatformゅe.g.iftheirOperatingSystemsaredifferentょ.ね. No access control or auditing. Future releases of the TDSwill include access control andauditing.の. TransformssuchasSocialNetゅfromPacketninjasょareprovidedasacommercialproduct–aspaypertransform.Withlocaltransformsit'smoredifficultfortransformwriterstooffertheirtransformsasaservice.は. (ard to control intellectual property. As transforms run locally on the client it becomesdifficulttoprotectthecodeagainstreverseengineering.ば. Patervacurrentlyhasnoplanstoprovidefutureenhancements.Most of these limitations canbe somehowbypassed–but these shortcuts are clunky, hardlymaintainableandnotelegantatall.(avingsaidthat‐localtransformshavetheadvantagethat:な. Theyaresimpletowriteinanylanguage.に. Theycan interactwithsoftwarethatrequirestheuseofaGU).ThinkhereofSkypethat╆sdifficulttousehead‐less.ぬ. )sinfrastructure‐less–itcanrunstraightoffyourworkstation.ね. Datadoesnottraveloverthewire–everythingiscontainedinasingleworkstation.

TRX

Local transforms are a good start for proof of concept code, rapid development or whereinteraction with GU) based software is required but in enterprise models or more seriousdeploymentsitdoesnotscalewellorprovidethenecessarycontrolmechanisms.TheselimitationsoflocaltransformsarewellknowntoPaterva.Themoreelegantsolutiontotheproblemwouldbeto centralize the transforms on a server and provide access to run them remotely, similar torunning the built‐in transforms. Such a solution has been implemented using the TransformDistributionServerゅTDSょ.What is TRX? TRX is a framework ゅalthough this perhaps a bit presumptuousょ that facilitates coding PythontransformsforMaltegousingtheTDS.)tassumesthetransformwriterhasaccesstoofawebfacingUbuntuserver.)tusesApachewithmod_WSG),BottleandPython.Architecture of the TDS ThefollowingdiagramshowshowtheMaltegoclients, thetransformsthemselvesandtheTDSfittogether:

TRX

TheTDSactslikeaproxyfortransforms.)thidesseveralofthecomplexitiesofseedmanagement,entitymeta‐data,transformsettings,transformdiscoveryetc.fromthetransformwriterandallowshim/her to concentrateondeveloping theactual transform.The transformcode ishostedon theenduser╆sinfrastructureandisservedfromawebserver.Configuration of transforms, seeds, transform settings and meta‐data is performed via a webinterfaceontheTDS.Developing transforms for the TDS TherearecurrentlytwowaystodeveloptransformsfortheTDS.Publically available TDS This is a TDS that is located on the )nternet and is free for all to use. )t╆s a convenient way toimmediatelystartwritingtransforms.Sincethisserver is locatedonPaterva╆s infrastructuredatawillbeflowingfromtheMaltegoGU)tothisserverandfinallytoyourtransformcodehostedonaweb server of your choice. Note that your transforms need to be hosted on an )nternet facingserver.Thisisnotthepreferredwaytodeploytransformsinaproductionenvironmentゅespeciallyifthetransformcontentissensitiveょbutitallowsdeveloperstogetafeelforhowthesystemworks.The public TDS requires registration and transforms and seeds are defined per user. The serverinterfacelivesathttps://cetas.paterva.com/TDS/Internal/private TDS TheinternalTDSfunctionsinthesamewayasthepublicTDSbutcanbehostedontheend‐user╆sprivate infrastructure. )t is delivered as Virtual Machine ゅVMWare imageょ and is commercial.SeveralhighprofilecompaniesusetheTDSinitscurrentformat.Clients with a valid license for the TDS will automatically be upgraded to the NTDS ゅsee nextsectionょ.The future of the TDS TheTDSwasfirstreleasedinにどなどandhasseenverylittlechangessincethen.)nitiallyPatervawasreluctant to sell the TDS to clients but since mid にどなに have lifted this restriction. Several highprofile clients now use the TDS to centralize and distribute their custom enterprise widetransforms.ThisrenewedattentiontotheTDScausedustorethinkthefutureofthisserver.Functionality of the NTDS ThefollowingkeyareaswillbedevelopedfortheNTDSゅNewTDSょ:な. Distributionofelementsincluding:a. TransformsゅcurrentlytheonlyfunctionalityoftheTDSょb. Entitydefinitionsc. Transformsets

TRX

d. Machinescriptse. Viewletsに. Accesscontrolandauditingぬ. Transformstats,systemhealthね. Futureproofforimplementationofprotocolぬ.Pricing model of the NTDS CurrentlytheTDSゅwhenusedasaprivateserverょissoldatafixedpricebutwithunlimitedamountoftransformsandusers.This╉allornothing╊modelhasprovedproblematicforsmallenterprisesthatwish toshareahandfulof transformsamongsta smallnumberofusers. )n future theNTDSpricingmodelwill be based onusers and transforms and should bepricedmore attractively forsmallerenterprises.ThepublicTDSwillalsobeupgradedtothenewNTDSandwillremainfreeforuse.Development environments

PHP AnextensiveP(PlibraryisprovidedfortheTDS.Thelibraryanddocumentationcanbefoundhere:https://www.paterva.com/webは/documentation/developer‐tds.php#ばPython TherestofthisdocumentfocusesaroundthePythondevelopmentenvironment.)n the past Paterva only provided a CG) basedPython library. This is easy toworkwith but hasobvious limitations – for every transform that runs an instance of Pythonwas started. This caneasily drain resources on the host and is not very efficient. Themore efficientmethod is usingWSG).Prepping a server for use with the TDS (Python) WerecommendusingUbuntuServerwithApacheに,Pythonに.は,mod_wsgiandbottle.Assumingastock standardUbuntu serverwithPython installed the following is a recipe forquicklybuildingyourenvironment:Install Apache2

sudo apt-get update sudo apt-get install apache2

Install mod_wsgi sudo apt-get install libapache2-mod-wsgi

Install bottle sudo apt-get install python-setuptools

TRX

sudo easy_install bottle

Copy & extract TRX files cd /tmp wget http://www.paterva.com/TRX_Ubuntu.tgz tar -xvzf TRX_Ubuntu.tgz

Edit Apache configuration Editthefile/etc/apache2/ports.confandaddtheline:

Listen 9001 AdditjustbelowthelinethatreadsListen 80sothefilelookslikeso:

… NameVirtualHost *:80 Listen 80 Listen 9001 …

CopytheTRXApacheconfigurationfile:sudo cp /tmp/etc.apache2.sites-available/TRX /etc/apache2/sites-

available/ Nowenablethesite:

sudo a2ensite TRX

Install TRX files sudo mkdir /var/www/TRX cd /var/www/TRX sudo cp /tmp/var.www.TRX.tgz . sudo tar -xvzf var.www.TRX.tgz

An example transform DNSに)P is provided ゅit╆s a function defined in DNSTRANSFORMS.py, butmore about that laterょ. )n the next section we will see how to configure the TDS to use thistransform.Restart Apache2

sudo /etc/init.d/apache2 restart Feel free to inspect the configuration of the ╅TRX╆ site defined in /etc/apache2/sites-availableandcustomizethistoyourliking.TheconfigurationwillroutealltrafficonportひどどなtotheWSG)scriptTRX.wsgilocatedin/var/www/TRX.

TRX

Setting up the TDS to use the example transform (DNS2IP) NextwearegoingtoconfiguretheTDStousethesampleDNS2IPtransform.StartbybrowsingtotheTDS.)fyouareusinganinternal/privateTDSitwillaskyouforyourSSLcertificateprovidedbyPaterva.Ontheserverportalyou╆llfindinstructionsonhowtoinstallthesuppliedclientcertificateanduseit.)f you are using the public TDS server you need to first log in with the user/password used atregistrationゅandcompletethathorriblereCAPTC(Aょ.OnceauthenticatedtotheTDSyou╆llseethreesectionsintheinterface:

Setting up a seed AseedisreallyjustaURLthatpointstoagroupoftransforms.)t╆sthisURLthatMaltegowillusetoloadallofthetransformscontainedintheseedintoitsinternalconfiguration.Thus,thefirststepwewanttodoiscreateanewseedゅcontainerょ.Oncewe╆vedonethatwe╆llcreateanewtransformandputthetransforminsidethatseed.Clickon╅Seeds╆.You╆llseealistofseedsゅifyouhaveanyょ.Clickonthe╅AddSeed╆button╆.Youneedtogiveaseedname,aseedURLandselectwhichtransformsyouwanttoaddintotheseed.Youcancompletetheformasfollows:

Whenyou╆redone,clickonthe╅AddSeed╆button.

TRX

Nowourseedisconfigured.)t╆sempty–therearenotransformsintheseed,butthat╆sOK–we╆llpopulateitinabit.Setting up the transform Youcaneasilynavigatearoundwiththe╅bread>crumb╆atthetopofthescreen:

Clickontheveryfirstitem–itwillnavigatetotherootoftheTDS.Clickon╅Transforms╆–ontheinternal/privateTDSyouseeascreenwithacoupleofP(Psampletransforms.OnthepublicTDStherewon╆tbeanytransformsconfiguredゅunlessyou╆veaddedthemthereofcourse!ょ

We want to add a transform, so click on ╅Add Transform╆. You are now going to configure thetransform.(ereisasectionofthatwebpage:

TRX

Changethefieldsasfollows:Transformname: DNSに)PTransformURL: http://<Your_DevServer_Here>:9001/DNS2IP)nputEntity: maltego.DNSNameゅfromthedropdownょDisclaimer: LeaveemptyunlessyoufeellikeputtingsomethingthereDescription: MyfirstsampletransformゅorgetcreativeょVersion: なDebug: CheckedTransformsettings: Leaveasis–we╆llgettothislaterSeeds: Clickon╅MyTDSSeed╆tohighlight.)feverythingworkedyoushouldsee╅Successfully I nserted 'DNS2I P' at the top of the screen:

WenowsuccessfullyaddedatransformtotheseedandcanusethisseedinMaltego.Setting up Maltego to use the sample transform WenowwanttotellMaltegotodiscovertransformsfromourseed.Don╆tworry–mostofthisisaonetimeconfigurationandonceit╆sallsetupweneverhavetotouchitagain.We╆relazyandsowearegoingtocopyandpastetheseedfromtheTDS.GotoSeedsandrightclickontheURLoftheseed.Copyittoyourclipboard:

TRX

Open Maltego. )nside of Maltego go to the ╅Manage╆ tab and click on the bottom of ╅DiscoverTransforms╆.You╆llseeadropdown.Select╅Advanced╆:

Thefollowingscreenshouldappear:

TRX

(opefullyyourswouldnotbethatblurry.)ntheNamesectiontype╅MyTDS╆ゅitcouldbeanythingyouwantょandintheURLsectionpastetheURLfromtheclipboard.Clickonthe╅Add╆buttonandyou╆llseeitappearsinthelistofSeedsbelow:

Nowallthat╆sleftistodiscovertheseed.Youmaychoosetouncheckyourotherseeds–itwon╆tdoyouanyharm,butitwillensurethatyoujustdiscoverfromtheTDSseed.Followthewizardゅnext‐>nextょ.Finally,you╆llsee:

TRX

Don╆tworryaboutthe╆にぬnewentitieswereinstalled╆.That╆salegacybugゅactuallyit╆snotreally,butthat╆sanentireotherchapterょ.Nowyouarereadytousethetransform.Open a new graph, drag a DNSName from the palette to the graph and right click. Voila – yourtransformshowsupゅcompletewithdescriptionょ:

ThetransformisfullyfunctionalandwillresolvetheDNSnametoan)Paddress:

TRX

)fyouwanttosharethistransformwithanyoneyoucansimplygivethemtheURLandguidethemthroughthediscoveryprocessinthesamewayaswhichyoudid.And–ifyouchangethecodeontheserverthechangewilltransparentlyhappenonallclientsゅasthetransformrunsontheserverょ.Youcannowaddmoretransformstotheseed.Maltegoperiodicallychecksfornewtransformsintheseeds–whichmeanyouneverneedtotouchtheclientsideanymore.Joy!Under the hood Let╆sseewhatreallyhappenedhere.Thesearethesteps:なょ After you discovered from the TDS server Maltego knows that there╆s an additionaltransformcalledDNS2IPavailableontheentitytypeMaltego.DNSName.にょ WhenyourightclickonaDNSNameitmakesthistransformvisibleぬょ )tsendsthetransformrequesttotheTDSserverねょ TheTDSserverknowsthatthetransformreallyliveson

http://<Your_DevServer_Here>:9001/DNS2IPのょ TheTDSmakesaconnectiontoportひどどなonthedevserverandsendssomeXMLinaPOST6) TheApacheWSG)configurationonthedevserversendallrequestsonportひどどなtoa filelocatedin/var/www/TRX/TRX.wsgi ばょ TRX.wsgiseesthatit╆sdestinedfor/DNS2IPandroutesittotherightpieceofcodeぱょ TheMaltego Python library interprets the XML to something that╆s easy toworkwith inPythonandpassesitalongひょ ADNSlookupisdoneなどょ ThereplyiswrappedbackintoXMLbythelibraryandthedataflowsbackthewayitcamein.Seemslikeamouthful.Theactualtransformcodeisquitesimpleandlookslikethis:

TRX

def trx_DNS2IP(m): TRX = MaltegoTransform() DNSName=None try: DNSName = socket.gethostbyname(m.Value) TRX.addEntity("maltego.IPv4Address",DNSName) except socket.error as msg: TRX.addUIMessage("Problem:"+str(msg),UIM_PARTIAL) return TRX.returnOutput() (ardlyrocketscience.Debugging transforms

Changing to the bottle server One of the painful realities ofworkingwithWSG) is that you need to restart the Apache servereverytimeyoumakeachangetothecode.Therearesomescriptsonthe)nternetavailabletomakethiseasierbutthismethodofcodingisaltogetherunintuitiveformostcoders.Luckilythere╆sawayaroundit.Bottlehas itsownwebserverbuilt inand this servercanbeset to reloadwheneverachange incodehappens–thisgoesforchangestothestubaswellasanymodules/librariesthatitdependson.Let╆slookalittlecloser.Goto/var/www/TRX. )nhereyou╆llseeafilecalleddebugTRX_Server.py.ThisfileisanearexactcopyofTRX.wsgi–butitcanrunasastandaloneserver.You╆llseethatwe╆veuncommentedthebottle(TTPserverandcommentedtheWSG)serverゅattheendofthescriptょ.)nthiscaseit╆slisteningonthe)Pなど.ばば.ど.などはandportひどどな. BeforeyoucanrunthisscriptyouneedtodisabletheApacheserverゅbecauseitisgrabbingportひどどなょ:/etc/init.d/apache2 stop Nowyoucanstarttheゅsuboptimal,butgreatfordebuggingょserver:sudo python debugTRX_Server.py )tstartsupasfollows:Bottle v0.11.6 server starting up (using WSGIRefServer())... Listening on http://0.0.0.0:9001/ Hit Ctrl-C to quit. What╆sgreataboutthisserveristhatitautomaticallyreloadseverytimeyoumakeachangetothecode. Better still, it verbosely complains about anymistake youmight havemade in your code.(ere╆sascreenshotofthathappening:

TRX

)n the example above we made a silly mistake in a transform by using m.slider and notm.Slider ゅnote thedifference incaseょ.Thebottle servercomplainedbitterlyabout it.We fixedthecodeandassoonaswesavedthefiletheserverreloadedwiththechanges.ゅ)fyouwondering–wehadourserverlistenonなど.ばば.ど.などはandnotonど.ど.ど.ど.ょDeploying transforms with Apache The main reason why we don╆t want to run the bottle server in production is because it╆s notoptimizedforheavyloadandwedon╆twanttohavetostrugglewithstart‐upscripts.Onceyouarehappywithyourtransformsyoushouldstopthebottleserver,simplyuncommentthefirstcoupleoflines,changetheservertorunasaWSG)andstartApacheagain:/etc/init.d/apache2 start

Multiple seeds Anotherwaytodothisistorunthebottleserveronadifferentport.Youmightwanttoaddanotherseedゅ╅DEV╆?ょandregister thetransformsonthisport.Onceyouwant tomove it intoproductionyoucansimplechangetheportandinsertitintotheproductionseed.Components of TRX Therearebasicallythreefilesthatareofinterest.Allofthemarelocatedin/var/www/TRX/. debugTRX_Server.py ThisisthedispatcherゅTRX.wsgianddebugTRXServer.py isessentiallythesamescript–theformerusedwithApache,thelatterwhendebuggingょ.Let╆slookatthefileinalittlebitmoredetail:

TRX

EachtransformhasasmallrouterstubinherethatdefinestheURLofthetransformandtowhichfunctionitroutesto.The╅request.body.getvalue()╆readstheentirePOSTfromthemessage.This XML is sent to the function ╅MaltegoMsg╆ which is defined in the Maltego library. Thefunction returns anobjectwhich canbeused to easily extract all the information from theXML.Thisobjectispassedalongtotheactualtransform.ThetransformdoesitsworkandreturnsXML‐thisisreturnedbacktotheTDS.We╆lllookintothetransformcodeinmoredetailshortly.)ntheexamplewe╆veincludedthelibrary╅DNSTRANSFORMS╆.Thisisthetransformcodelibrary–e.g.where the transform itself is defined. )n the router for transformなゅDNSに)Pょ case it╆s called╅trx_DNS2IP’.Ofcourse,asyougoalongyoumaychoosetoaddmorelibraries.Transform library (e.g. DNSTRANSFORMS.py) Youcan includeasmany libraries as youwant. Forour exampleweusedDNSTRANSFORMS.py.Let╆stakealookatwhat╆sreallyhappening:

TRX

This is the code that actuallyperforms theworkof the transform.As input it getsanobject thatcontainsallthedetailsabouttherequest–thisiscalled╅m╆inthiscase.Next,itcreatesa╅vessel╆thatwilleventuallycontaintheresponse–hereit╆scalled╅TRX╆.)tthendoestheDNSlookupandaddsanentityoftype╅maltego.IPv4Address’withthevalueofthelookuptothevessel.)talsoaddssomeUIMessages. Finally the transform returns the vessel╆s XML to the router which in turnsendsitbacktotheTDS.Maltego library (maltego.py) This is the library thatshufflesXMLtoobjectandback.Youaremore thanwelcome tooptimize,tinkerwiththislibraryshouldyoufeelinclinedtodoso.Butkeepinmindthatshouldwechangethelibraryyou╆llneedtoredoanychangesyou╆vemadetoit.Using TRX

Basic use Let╆slookatacoupleofexamples.YoumightwanttorefertotheTRXreferenceguideattheendofthisdocumenteverynowandagaintofollowweareusingthelibrary.Let╆ssaywewanttocreateatransformthatrunsonaPhraseentity.)twillassumethatthephraseisanumberanditwillreturnasmanyentities–andjustasatest–we╆llreturntheseasASnumberentities.Let╆sbeginreallysimple:OurstublookslikethisゅinTRX.wsgi or debugTRX_Server.pyょ:@route('/EnumAS', method='ANY') def EnumAS(): if request.body.len>0: return(trx_EnumAS(MaltegoMsg(request.body.getvalue()))) OurtransformlookslikethisゅinDNSTRANSFORMS.py–toolazytoputinanotherlibraryょ:def trx_EnumAS(m): TRX = MaltegoTransform() howmany = int(m.Value) for i in range(1,howmany+1): TRX.addEntity('maltego.AS', str(i)) return TRX.returnOutput() We call it ╅EnumAS╆ on the TDS and point it to a URL http://server:9001/EnumAS .Remember that ifyouusedApacheasaserveryouwillneed torestart theserver toregister thechanges(/etc/init.d/apache2 reloadょ.)fyouusedthebottleserveranditisrunningyoushouldn╆thavetodoathing.

TRX

(ereistheoutput:

Thiscodeisreallynasty.Whathappensifweputthevalue╅にのどどどど╆inthegraph?Whatifit╆snotreallyanumberbutaphraselike╅test╆?So,asastart,let╆smakesurewedon╆tgooverthelimitsetbytheuserusingtheresultslider:Wechangethecodetoreadtheslider:

def trx_EnumAS(m): TRX = MaltegoTransform() howmany = int(m.Value) if (howmany > m.Slider): howmany=m.Slider for i in range(1,howmany+1): TRX.addEntity('maltego.AS', str(i)) return TRX.returnOutput() Nowweat leasthonortheuser╆swishesonhowmanyentities toreturn.Next,wewant tomakesure it╆s a number and if it╆s not, return a nice message to the user saying he/she is notunderstandingthetransform.Thecodenowchangestothis:def trx_EnumAS(m): TRX = MaltegoTransform()

TRX

if (not m.Value.isdigit()): TRX.addUIMessage('Sorry but ['+m.Value+'] is not a whole number',UIM_PARTIAL) return TRX.returnOutput() #here we know we're good to go. howmany = int(m.Value) if (howmany > m.Slider): howmany=m.Slider for i in range(1,howmany+1): TRX.addEntity('maltego.AS', str(i)) return TRX.returnOutput() Right!Whenwenowrunourtransformonanentitythat╆snotanumberwegetthefollowing:

)t seems that everything ismostly sorted out, but there╆s onemore thing. You╆ll notice that theentities seem tobe laidouton thegraph in a random fashion. Maltegoactually laysoutentitiesaccordingto theirweightゅtop left tobottomrightょ.Sincewedidn╆tset theweightall theentitieshavethesameweight–thedefaultofなどど.Let╆sseeifwecanfixthis:def trx_EnumAS(m): TRX = MaltegoTransform() if (not m.Value.isdigit()): TRX.addUIMessage('Sorry but ['+m.Value+'] is not a whole number', UIM_PARTIAL) return TRX.returnOutput() #here we know we're good to go. howmany = int(m.Value) if (howmany > m.Slider): howmany=m.Slider for i in range(1,howmany+1): Ent = TRX.addEntity('maltego.AS', str(i)) Ent.setWeight(howmany-i) return TRX.returnOutput()

TRX

(ereyousee that theaddEntitymethodactually returnsaMaltegoEntityobjectwhichwecanmodify.)nthiscaseweuseittosettheweightandnowthegraphlooksasfollows:

Thefirstnodeゅwithvalue╅な╆ょhasaweightofなひandthelastnodeゅ╆にど╆ょhasaweightofど.YoucanseethisinthePropertyView.ThefollowingscreenshotshowsthepropertyviewwhentheASnodewithvalue╅な╆wasselected:

Using Display Info Let╆snextassumewewanttocreatesomefancy(TMLintheDetailViewtogowithourASentities.The ╅addDisplayInformation╆method is used to do this. The content could be plain text or(TML.Let╆sstartwithsomethingreallysimple.Wewanttodisplaythewords╅ThisisnumberX╆oneachentityreturned.Wewant this toberendered ina labelcalled ╅ASNumber╆.(ere ishowthescriptlooksnow:

TRX

def trx_EnumAS(m): TRX = MaltegoTransform() if (not m.Value.isdigit()): TRX.addUIMessage('Sorry but ['+m.Value+'] is not a whole number',UIM_PARTIAL) return TRX.returnOutput() #here we know we're good to go. howmany = int(m.Value) if (howmany > m.Slider): howmany=m.Slider for i in range(1,howmany+1): Ent = TRX.addEntity('maltego.AS', str(i)) Ent.setWeight(howmany-i) Ent.addDisplayInformation("This is number "+str(i),"AS Number") return TRX.returnOutput() Whenyourunthetransformyou╆llseethateachnoderenderedthelabelandcontent:

Youcaneasilyaddmorelabels.Displayinformationismergedwhenothertransformscreatesthesame entity instance. Maltego will expand the label by default, but Detail View labels can becollapsedandexpandedbytheuserandtheclientwillrememberthechoiceforfutureoperations.

TRX

Let╆sseehowitworkswith(TML.Let╆sassumewewanttomakeaclick‐ablelinkin(TML.Wewillcreatethelinksothatitisdynamicandbasedonthenodenumber.Considerthefollowingcode:def trx_EnumAS(m): TRX = MaltegoTransform() if (not m.Value.isdigit()): TRX.addUIMessage('Sorry but ['+m.Value+'] is not a whole number',UIM_PARTIAL) return TRX.returnOutput() #here we know we're good to go. howmany = int(m.Value) if (howmany > m.Slider): howmany=m.Slider for i in range(1,howmany+1): Ent = TRX.addEntity('maltego.AS', str(i)) Ent.setWeight(howmany-i) Ent.addDisplayInformation("This is number "+str(i),"AS Number") Ent.addDisplayInformation('Click <a href="https://www.ultratools.com/tools/asnInfoResult?domainName=AS'+str(i)+'"> here </a> to get more information about this AS','AS Info Link') return TRX.returnOutput() Noweachnodehasalinkthatwillopenthebrowsertoaspecificwebpage:

TRX

Clickingonthelinksgivesus:

)t╆importanttonotethatdisplayinformationisneversenttotheserverゅwhenyourunsubsequenttransformsonthenodeょ–it╆sreadonlyinfoandiskeptintheclient.Link properties, bookmarks and notes Youcansetthelinkcolor,label,thicknessandstylereallyeasily.Considerthiscodesnippetゅusedinthesametransformょ.Wearenotgoingtodiscusseachmethodindetailbecauseit╆sratherobviousfromthecodeandtheresultantgraph: if (i%2==0): Ent.setLinkColor('0x00FF00')

TRX

Ent.setNote('Even') Ent.setLinkLabel('Even link') Ent.setLinkStyle(LINK_STYLE_NORMAL) Ent.setLinkThickness(1) Ent.setBookmark(BOOKMARK_COLOR_GREEN) else: Ent.setLinkColor('0xFF0000') Ent.setNote('Odd') Ent.setLinkLabel('Odd link') Ent.setLinkStyle(LINK_STYLE_DASHED) Ent.setLinkThickness(2) Ent.setBookmark(BOOKMARK_COLOR_RED) Althoughwerecommendyoukeepitalittlesimplerthiscodeillustratestheconcept.Theresultantgraphゅuglyょlookslikethisゅlayoutinorganicmode‐elseit╆sREALLYmessyょ:

The only thing to keep inmind is that entitynotes stackon topof each other – thatmeans thatwhenasubsequenttransformwrites toanote itwillappendto thenoteratherthandeletingthepreviousnote.

TRX

Entity properties Entitiescanhaveadditionalproperties.Forexample–apersonmighthaveapropertycalled╅SSN╆.Static vs. dynamic properties Whenyoudesignanentityyou╆llseethatyoucanaddadditionalpropertiestotheentity.Thesearecalled staticproperties. )tmeans that should auserdrag an entity from thepalette to the graphthesepropertieswillbeavailableforediting.Asanexample,hereisthepropertyviewforPerson:

Transforms can create new properties for entities they return. The transform simply adds aproperty to the entity when it╆s returned. These are called dynamic properties. )f a transformreturnsapropertythathadbeendefinedasstaticintheentitydefinitionitwillstorethevalueasastaticproperty,ifit╆snotdefinedintheentitydefinitionitthenbecomesdynamic.Theonlyrealdifferencebetweenstaticanddynamicproperties isthatuserscannoteditdynamicproperties on a fresh node from the palette…simply because the property does not exist yet ‐ atransformneededtocreateit.A quick note on entity design Oneofthemostimportantquestionstoaskyourselfwhendoingentitydesignisifdatashouldbestored in a property of an entity or if it should become a new entity type. Similarly you shouldconsiderifsomeinformationshouldonlybedisplayinformationorstoredasapropertywithinanentity.Usually you can answer these questions as follows. )f you can think of a transform that willregularly use a property of an entity it would be better to make it a separate entity type. Forinstance–itwouldbebettertohaveSSNasanentitytypeandhaveaPersontoSSNtransformthanto only have SSN as a property in thePerson entity ゅyoumight still store the SSN as a property

TRX

within thePerson entity, but itmakes sense to have it as a separate entity tooょ. Similarly if youcannot decide if something should be a property or simply display info consider if anothertransformwouldneedtoreadthatpropertytoworkproperlyorifit╆sonlyshowntotheuserforinformationゅbecausedisplay info isneverpassedbackto theserverょ. )f it╆s justusefulasdisplayinfodon╆tbloattheentitybyaddingitasaproperty.Calculated properties )nsomecasespropertiesarecalculatedfromotherproperties.)nthecaseofapersonthepropertyFullName is created from FirstName and LastName. This does not mean you cannot set theproperty,butyoudon╆tneedto.Forafulllistofentitynames,propertiesandcalculatedpropertiesrefertotheEntitydefinitionreferenceattheendofthisdocument.Property types ThecurrentversionofthePythonlibraryonlysupportsstringtypesbutsubsequentreleasesmightextend this to include all the other types of properties thatMaltego support.Whendealingwithentitiesthathavepropertytypesotherthanstrings,makesureyouformatthestringvalueproperlysothattheMaltegoclientcanparsethecorrecttypefromthestringvalue.Reading properties Thisisfairlystraightforward.ConsidertheWebsiteentity.)thasastaticpropertycalled╅ports╆withadefaultofぱどゅseeEntitydefinitionreferenceforalistofstaticentitypropertiesょ.)nsideofMaltegothisisreallydefinedasalistofintegersbutwe╆llseehowwedealwithitinTRX.

Let╆s start a new transforms.We╆ll call it ╅Mangle╆, register it on the TDS ゅrunning on awebsiteentityょandinourTRX.wsgistub.Ourtransformcodelookslikethis:def trx_Mangle(m):

#define response

TRX = MaltegoTransform()

TRX.addUIMessage("Property value is:"+m.getProperty("ports"))

TRX

return TRX.returnOutput()Weusethe╅getProperty╆methodtogettheproperty╆svalue.Youwillseethatwedonotreturnanyentitiesゅthat╆sなどど%OKょ,wesimplywriteamessagetotheoutputwiththeOutputscreen.Onadefaultwebsiteentitytheoutputlookslikethis:

)fweaddaporttothelist…

…andrunthetransformagainweget:)notherwords–thelistisreturnedasacommadelimitedlist.

Adding dynamic properties Let╆sseehowwecanwritepropertiesusingTRX.Eachpropertyhas Displayname : howit╆srenderedinMaltego Name : theactualnameusedincode Value : hevalueoftheproperty Matchingrule : if entitieswith the same value, type and property value should bemerged

TRX

Let╆sassumewewanttocreateatransformthatrunsonan)Paddressandgeneratesanetblock.)twillalwaysassumeaclassCnetblockゅにのの)Psょbutitwilladdadynamicpropertytothenetblocktoindicateifit╆saprivatenetblockornot.We╆lldothiswithadynamicpropertycalled╅private╆anditwillbesetto╅yes╆or╅no╆.We start by building a stub ゅinTRX.wsgi for Apache deployment ordebugTRX_Server.pywhendebuggingょandregisteringourtransformontheTDS.Webeginourtransformゅwithoutinputvalidation–it╆snotthepointょlikethis:def trx_NetblocksRUs(m): TRX=MaltegoTransform() start=m.Value[0:m.Value.rfind('.')] netblock=start+".0-"+start+".255" Ent = TRX.addEntity('maltego.Netblock') Ent.setValue(netblock) return TRX.returnOutput() Notethatatthispointwehaven╆taddedanydynamicpropertiestothenetblock.Weneedtofirsthavesomethingthatchecksifan)Paddressisprivateornot.Aquicksearchonthe)nternetfindsthisusefulpieceofcode:>>> from IPy import IP >>> ip = IP('10.0.0.1') >>> ip.iptype() 'PRIVATE' ThisfunctionreliesonaPythonmodulecalledIPy.OnUbuntuinstallingthisisassimpleas:sudo apt-get install python-ipy This seems perfect for our transform. We add a line importing this library to ourDNSTRANSFORMS.py:from IPy import IP Andthetransformnowlookslikethis:def trx_NetblocksRUs(m): TRX=MaltegoTransform() start=m.Value[0:m.Value.rfind('.')] netblock=start+".0-"+start+".255" Ent = TRX.addEntity('maltego.Netblock') ip = IP(m.Value)

TRX

if (ip.iptype()=='PRIVATE'): Ent.addProperty('private','Private network','strict','yes') else: Ent.addProperty('private','Private network','strict','no') Ent.setValue(netblock) return TRX.returnOutput() Nowrunningthetransformontwodifferent)Paddressesweget:

Perfect! Of coursewe can create a transform that uses netblocks as input and simply outputs aphrase ╅public╆or ╅private╆ ゅthis isnotveryuseful,buthopefullywill showhow touseadditionalpropertiesょ.def trx_PublicPrivate(m): TRX=MaltegoTransform() Ent = TRX.addEntity('maltego.Phrase') if m.getProperty('private')=='yes': Ent.setValue('Private') else: Ent.setValue('Public') return TRX.returnOutput()

TRX

The resultant graph ゅwhenpopulatedwith some )Ps‐>Netblock‐>Public/Private andgraph set toBubbleviewblocklayoutょ:

Using transform settings

Introduction Sometimesyouwanttheusertobeabletosendyouinformationabouthowyoushouldrunyourtransform.Thesecouldbesettingsthatcouldchangeeverytimethetransformisexecuted,orcouldbesettingsthattheuserwantstocustomizeandhaveMaltegoremember.Wecallthesetransforminputsorsettings.Almostallofthestandardtransformshavesettings–mostofthetimeusersdon╆treallybothertochangethembecausethedefaultsareworkingasexpected.AgoodexampleofthiscanbeseeninthereverseDNStransformwherethe(TTPtimeouttoServersniffandRobtexcanbeconfigured:

TRX

Togettothetransformmanagerclickonthe╅Manage╆ribbonandgoto╅Managetransforms╆.Anytransformsettingcanbeconfiguredtopop‐up.Thisisusefulwhentheuserwouldwanttochangethe setting prior to the transform running. Such is the case with )P to Netblock ゅnaturalboundariesょ.Theusermightchoose toselect classC ゅにのはょor subclassCs ゅなは,ぬに,はねょorperhapsevenclassBsゅはののぬのょ.Thistransformsettinglooksasfollowsinthemanager:

TRX

Thesmalldialogiconnexttothesettingindicatesthatthistransformwillpopupasettingpriortoexecutingthetransform:

The usermight choose to fix the value for subsequent transforms – by checking the ╅Rememberthesesettings╆checkbox.)nordertogetthetransformtopopupthesettingdialogagainthe╅Popup╆checkboxneedstobeselectedinthetransformmanager.

TRX

Toquicklygettoeachtransform╆ssettingsyoucanclickonthesmallgearinthecontextmenu:

Transform setting types TheMaltegoGU) client supportsmanydifferent pop‐up types ゅinteger, dates, lists of strings andintegersょbuttheTDScurrentlyonlysupporttheuseofstrings.ThiswillbeextendedintheNTDS.Using transform settings in TRX Nowthatweknowwhattransformsettingsare,let╆sseehowtousethemwithcustomtransforms.Because transformsettingsareprompted forprior to the transformrunning theirdefinitionsarestoredinthetransformitselftheyareloadedwhenthetransformsarediscovered.Thismeansthat,shouldyouchangetransformsettings,youneedtorediscoverfromtheseedsothattheirdefinitionsareupdated.Luckilybackgrounddiscoverymakesthisreallypainless:

TRX

Transformsettingsaredefinedon theTDSandcanbere‐usedacrossanynumberof transforms.TheTDSonlysupportsstringbasedtransformsettings,butthismightchangeinthenearfuture.BasicallyatransformsettingrequiresaName : AsusedinthecodeDisplayDialog : (owtheuserisaskedforitDefaultvalue : )nitiallysettingwillhavethisvalueゅchoosecarefullyょPop‐upstate : Willitpopup?Optional : )sthesettingoptionalormandatory?Thecurrentspecificationsaysthatatransformsettingwillonlypopupifit╆smandatoryandthereisnodefaultvalue.ThisissomethingPatervaisawareofandwillfixintheNTDS.Let╆sgobacktoourinitialtransformゅtheonewiththephraseasanumberandAS‐esasresultsょ.Wewanttoaddatransformsettingthatwillobtainanumberpriortothetransformrunningandonly return AS numbers that are divisible by that setting ゅif that sounds silly, it is, but again –hopefullyisshowstheconceptょ.FirstoffweneedtodefineatransformsettingontheTDS.Wegototheroot,clickonSettingsandclick╅Addsetting╆.Wefillouttheformassuch:

OurvariablewillbecalledISDIV.Onceyou╆veaddedthetransformsettingclickon╅AddTransformSetting╆.Navigatetotransforms,clickontheEnumAStransformゅwhichwecreatedatthestartofthis documentょ and scroll down.At ╅TransformSettings╆ highlight the ╅)SD)V╆ item ゅyou can shiftclicktoselectmultiplesettingsょ:

TRX

ThistellstheTDSthatyouwishtousethe)SD)Vtransformsettinginyourtransform.Transformscouldhavemultiplesettingsandthesamesettingscanbeusedonmultipletransforms.Next – let╆s look what╆s needed in the code. Our previous EnumAS ended making a graph thatlookedlikepeasoup–sowe╆llstartwithfreshcode:def trx_EnumAS(m): TRX = MaltegoTransform() #read the value if (not m.Value.isdigit()): TRX.addUIMessage('Sorry but ['+m.Value+'] is not a whole number',UIM_PARTIAL) return TRX.returnOutput() #read the setting isdiv = m.getTransformSetting('ISDIV') if (not isdiv.isdigit()): TRX.addUIMessage('Silly! We need a number',UIM_FATAL) return TRX.returnOutput() ###here we know we're good to go. howmany = int(m.Value); # how many have accumulated? accum=0; for i in range(1,howmany+1): if (i % int(isdiv) == 0): Ent = TRX.addEntity('maltego.AS', str(i)) Ent.setWeight(howmany-i) accum=accum+1; if accum>=m.Slider: break

TRX

return TRX.returnOutput() Let╆s see what happens when we run the transform. First up we get a pop‐up asking us somequestions:

)nthecodewedo:#read the setting isdiv = m.getTransformSetting('ISDIV') if (not isdiv.isdigit()): TRX.addUIMessage('Silly! We need a number',UIM_FATAL) return TRX.returnOutput() Thischecksifthevalueisindeedadigit–ifit╆snotwecomplainbitterlyゅwithUIM_FATALょ:

)t╆s important to remember that the TDS only supports strings. As suchwe need to convert ourstringtoanintegerゅaftercheckingthatitreallyisone!ょandmakesurewegivetherightamountofnodesbacktotheuser.

TRX

Theoutputofthetransformisasexpected:

Conclusion ThecombinationofallofthesecomponentsmakesMaltegoveryflexibleandpowerfulinthehandsof a crafty developer. TRXmakes it very easy to wield this type of power and the developer isproperlyshieldedfromanyoftheMaltegointernalcomplexities.

TRX

Entity reference

V2/V3 Confusion WiththereleaseofMaltegoversionぬゅaroundにどなどょanewdatamodelwasdeveloped.Thiswasdonetoensurescalabilityofentities.WhereMaltegovにjustknewabouta╅Person╆westartedtounderstand that other users would want to perhaps create their own Person entity. Thus – wemoved to ╅maltego.Person’. The same principle was applied to properties. Where we had╅firstname╆inVにwenowunderstoodthatweshouldhave╅person.firstname’.Furthermorethemodelwasbuiltinsuchawaythatentitiescouldhaveanynumberofpropertiesbutthattherewouldbeamappingbetweenanyofthesepropertiesandwhat╆sdisplayedunderneaththeentityinthegraphゅthedisplayvalueょ.Agoodexampleofthisisthemaltego.Documententity–itmakesmoresensetodisplaythetitleofthedocumentratherthantheURLwherethedocumentislocated.AssuchthedisplayvalueforaDocumententityisthetitle.Thiscanbeeasilyseenonthe╅DisplaySettings╆wheneditinganentitywithintheMaltegoclient.(erethemaltego.Documententity╆sDisplaySettingsisshown:

)nthesamewaythevaluethat╆seditedwhentheuserclicksontheentityandthe)conURLcanbemappedtoanypropertyoftheentity.Calculated properties Anotherconceptthatwasintroducedinversionぬwastheuseofcalculatedproperties.Aperson╆sfullnameforinstanceiscalculatedbytheconcatenationofthefirstnamesandthelastname.ThisisexposedintheMaltegoclient:

TRX

Theonlyentitiesthatusecalculatedpropertiesare maltego.Person

maltego.Location

maltego.PhoneNumber

Inheritance CaseFileofferedmanymoreentitiesthanMaltego.)nCaseFileyoucanhaveaJudge,CriminalandOfficerthatareessentiallyallPersons.WhenimportingagraphmadeinCaseFileintoMaltegoyouwouldwanttobeabletorunthePersontransformsonallofthesebuttheearlydatamodeldidnotsupportit.We added the concept of inheritance – for the standardMaltego installation thismeant that theMXRecord,NSRecordandWebsiteentitieswerereallyjustspecializedDNSNames.TheupsideofitisthatonetransformゅDNSNameに)PAddressょworkedonallofthem–thissavedalotoftransformconfiguration.Forexample‐ ifyouspecifyontheTDSthatatransformwillrunonaDNSNameitwillalsorunonallentitiesdownthe╅familytree╆–MXRecord,WebsiteandNSRecord.Atthetopofthetreeis╅maltego.Unknown’.Thismeansthatifyouconfigureatransformtorunonthisbaseentitytype–itwillbeavailablewhenyourightclick…onanyentity.Why are we stuck with V2 properties? The trouble with this new data model was that the server was still expecting the old propertynames for incomingvaluesandwasstill supplying theoldpropertynamesasresults.WithmanydifferentversionsofMaltegointhewildchangingtheservertousethenewpropertieswouldmeanthatmanyclientswouldhaveanon‐functionalMaltegoclient.

TRX

Assuchaconversionlayerwasimplementedthatmappedtheoldpropertynamesinternallytothenew names. )t meant that when setting the value of a property it would internally be setting aspecific property of the entity. )t alsomeant thatwhen theGU) supplied entities to the server itwouldconvertthepropertiestotheoldnames.Thisworkedfineuntilotherdevelopersstartedtocodetransforms.TheMaltegoGU)exposedtheinternalpropertynamesandtherewasnowaytoknowwhatthesepropertiestranslatedtowhenitwas supplied to the transforms. That is – unless you followed the specification ‐ that was lastupdatedinにどどひ.As suchweprovide here both the internal ゅVぬょ property names aswell as their Vに equivalents.WhencodingtransformsitisbesttostickwiththeVにequivalents.)twouldbetrivialtochangetheserverゅCTASょtousethenewpropertiesbutitwillalmostcertainlyresultinsomeclientsstuckwithanon‐functionalGU).)tseemsthattheselegacypropertiesareheretostay.Whenworkingwithyourowncustomentitiesthislegacyproblemisanon‐issueofcourse.)tonlycomesintoplaywhenyouwanttoleveragethetransformsthatarelocatedontheCTAS–thenyouneedtomakesureyouaremappingtotherightVにequivalentproperties.Entity reference guide

maltego.

Domain Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent fqdn string Domain name Value

whois-info string WHOIS info whois maltego.

DNSName Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent fqdn string DNS Name Value

maltego.

MXRecord Inherits from:

Maltego.DNSName

Property Name Type Display name V2 equivalent fqdn string MX Record Value

TRX

mxrecord.priority integer Priority mxrecord.priority maltego.

NSRecord Inherits from:

Maltego.DNSName

Property Name Type Display name V2 equivalent fqdn string MX Record Value

maltego.

IPv4Address Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent ipv4-address string IP Address Value

ipaddress.internal boolean Internal ipaddress.internal maltego.

Netblock Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent ipv4-range string IP Range Value

maltego.

AS Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent as.number integer AS Number Value

maltego.

Website Inherits from:

maltego.DNSName

Property Name Type Display name V2 equivalent fqdn string Website Value

TRX

website.ssl-enabled boolean SSL Enabled website.ssl-enabled

ports int [] Ports ports

maltego.

URL Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent short-title string Short Title Value

url URL Value theurl

title string Title fulltitle maltego.

Phrase Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent text string Text Value

maltego.

Document Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent url string URL link

Title String Title Value

document.meta-data String Meta‐Data metainfo maltego.

Person Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent person.fullname

* string Full Name Value

person.firstnames+ string First Names firstname

person.lastname+ string Surname lastname

TRX

maltego.

EMailAddress Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent email string Email Address Value

maltego.

Location Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent location.name

* string Name Value

country+ string Country country

city+ string City city

location.area string Area area

countrycode string Country Code countrysc

longitude float Longitude long

latitude float Latitude lat maltego.

PhoneNumber Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent Phonenumber

* string Phone Number Value

phonenumber.countrycode+ string Country Code countrycode

phonenumber.citycode+ string City Code citycode

phonenumber.areacode+ string Area Code areacode

phonenumber.lastnumbers+ string Last Digits lastnumbers

maltego.

Alias Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent alias string Alias Value

TRX

maltego.

Image Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent description string Description Value

url URL URL url maltego.

Twit Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent twit.name string Twit value

id string Twit ID id

author string Author author

author_uri string Author URI author_uri

content string Content content

img_link string Image Link img_link

pubdate string Date published pubdate

title string Title title maltego.affiliation.

Twitter Inherits from:

maltego.Unknown

Property Name Type Display name V2 equivalent person.name string Name value

affiliation.network string Network network

affiliation.uid string UID uid

affiliation.profile-url string Profile URL affiliation.profile-url

twitter.number int Twitter Number twitter.number

twitter.screen-name string Screen Name twitter.screen-name

twitter.friendcount int Friend Count twitter.friendcount

person.fullname string Real Name person.fullname *Calculatedproperties+Usedtocalculateproperty

TRX

The TRX Maltego.py API

MaltegoMsg class ThisisusedtoreadtheMaltegorequest.)tispassedalongtoeachtransform.Membername Description

ValueゅStringょ The value of the node as displayed on the graph. NotethatthisisnotnecessarilythevalueyouwantworkwithゅseeURLentityょ.Weightゅ)ntegerょ Theweightofthenode.Sliderゅ)ntegerょ The slider╆s value – e.g. how many results should bereturned.TypeゅStringょ The type of the input node. See entity definitions forpossiblevalues.PropertiesゅListょ A list of properties of the node. Name, value pairs asstringsTransformSettingsゅListょ Thesettingsforthetransform.Alistofname,valuepairsasstrings.Thefollowingmethodsaredefinedtoreadentitypropertiesandtransformsettings.YoucanreaditstraightoutofthePropertyandTransformSettingslist,butit╆snicertousethesefunctionsastheydosomeerrorchecking:Methodname Description ReturnsgetPropertyゅStringkey)

Returns the value of the key,Noneifnotdefined ValuegetTransformSettingゅStringkey)

Returns the value of the key,Noneifnotdefined Value

MaltegoTransform class ThisisusedtoconstructthereplytotheTDS.Allvaluesarestrings.Methodname Description ReturnsaddEntity([StringType,StringValue])

Addsanentity to the returnvessel with type╅Type╆andvalue╅Value╆.NotethatthesecanbesetusingfunctionsinMaltegoEntitylibrary. MaltegoEntityaddUIMessage(Stringmsg,Consttype) Shows a message ╅msg╆ in the Maltego GU).Typescouldbe U)M_FATALゅpopupwindowょ U)M_PART)ALゅyellowょ U)M_)NFORMゅdefaultょ U)M_DEBUGゅlightgrayょ

none

addException(Stringmsg) Throwsatransformexception none

TRX

returnOutput() ReturnstheXML ofthevessel noneMaltegoEntity class This is the object that defines a single entitywithinMaltego. An entity can be created using the╅addEntity╆methodintheMaltegoTransformclass.Methodname Description

setType (StringType)

Setsthetypeoftheentity– seelistofEntitydefinitionsforpossiblevaluessetValue(StringValue)

Setsthevalueof theentitysetWeight()ntegerweight)

SetstheweightoftheentityaddDisplayInformation(StringValue,[StringLabel])

Adds display information for label named ╅Label╆. This field isrenderedas(TMLwithinMaltego.Defaultlabelis╅)nfo╆.addProperty(Stringpropertyname,Stringdisplayname,StringmatchingruleStringvalue)

Addsaproperty totheentity.Eachproperty hasaname,valueandadisplayname.ThedisplaynameishowitwillberepresentedwithinMaltego.Thematchingruledetermineshowentitieswillbematchedandcouldbe╅strict╆ゅdefaultょor╅loose╆setIconURL(StringURL)

)fsetitwillchangetheappearanceoftheicon.TheURLshouldpointtoaPNGorJPGfile.Maltegowillsizetofitbutlotsoflargefileswilldrainresources.setLinkColor(StringHexColor)

Setsthecolorofthelinktothenode.Colorsareinhex–forexample╅どxffどどff╆setLinkStyle(ConstStyle) Setsthestyleofthelinktothenode.Thefollowingconstantsshouldbeused: L)NK_STYLE_NORMAL L)NK_STYLE_DAS(ED L)NK_STYLE_DOTTED L)NK_STYLE_DAS(DOTsetLinkThicknessゅ)ntegerthickness) Setsthethicknessofthelinktothenode.Valueisinpixels.setLinkLabelゅStringvalue)

Setsthelabelofthelinktothenode.setBookmarkゅConstColor) Sets the bookmark color of the node. Keep inmind that these arechosenfromasetnumberofcolors.Usethefollowingconstants: BOOKMARK_COLOR_NONE BOOKMARK_COLOR_BLUE BOOKMARK_COLOR_GREEN BOOKMARK_COLOR_YELLOW BOOKMARK_COLOR_ORANGE BOOKMARK_COLOR_REDsetNoteゅStringnote)

Createsanannotationtothenodewithvalue╅note╆.)fasubsequenttransform sets an annotation on the node it will appended to thenote.

Cyber OSINT Coding Python Transforms for Maltego Libre

Documents

Transcript of Cyber OSINT Coding Python Transforms for Maltego Libre