So there are all kinds of links that I find and queue up to look at but hate keeping them open in tabs, and they aren’t always in Google Reader and I don’t want to spam twitter, so Mubix’s Links was born. I set up ScribeFire with a new blogspot account and now, no more tabs; it truly feels like an application of GTD. Plus it allows anyone who is interested to follow along via the blogspot feed. As edsmiley commented in IRC, something to the effect that he doesn’t need all the security blog feeds, he just lets me do all the work.
Now that you have had some time to play around with Community Edition or, if you were lucky (or rich) enough, the Full version, we are going to start delving into the pieces of Maltego, and then in Part 5 we rip it apart and put it back together for PT-TAS (Penetration Testing - Transform Application Server). I am going to say “investigation” a lot in the coming paragraphs and parts of this article. What I mean when I use this word is everything from ego and tin-hat searches to military grade or counterintelligence level searches. As stated before, Maltego Community Edition is free. Use it however and for whatever you want. If you think of a new and interesting way of using Maltego, please send me an email and I will make it part of this series, or post it in the Maltego Forums. Paterva is always interested in hearing from the community, especially feature requests.
Part 4 - Server Time (CTAS, PTTAS, MALTAS, SQLTAS, SNTAS)
Part 5 - Hacks, Tips, and Tricks
The reason I am not going into the installation or registration of Maltego is because 1. it’s already installed on Back|Track and 2. Paterva already has a great wiki article on the topic. So let’s begin:
Entities are the basic nuts and bolts of your investigation. Entities spawn other entities through the use of transforms. But, what is an entity? Well, at the time of this publishing it can be one of the following:
Infrastructure Palette:
AS (Autonomous System Number): This is a number assigned to a network that allows BGP (Border Gateway Protocol) to know where its neighbors are. (And there aren’t any exploits for BGP right?)
DNS Name: This is a human readable form of an IP. And, unlike my mother believes, a DNS name does NOT mean it’s a web site. For example hr2xp00209.contoso.com does not serve up a web site, well at least it shouldn’t. (And there are no exploits for DNS right? -PPT LINK-)
Domain: In the sense of a DNS domain. This can be localdomain.local, contoso.com, or microshaft.com
IP Address: The 4-byte (or 16-byte with IPv6) set of numbers that computers understand better than DNS names
Netblock: A block of contiguous IP addresses that are “owned”
Website: (Myspace.com, DUH!)
Personal Palette:
Email Address: YourSuperCoolHackerHandle@h4x0rbl0gthatyouneverupdate.com (And then you sign that email address with your super secret family-only email address that you never use, with your PGP key)
Location: Area 51, Washington DC, The Moon
Person: A first and last name (we will get into handles with “Phrase”; also, remember that PGP key you used? Oh, it has your full name on there)
Phone Number: This is a 7-digit or 10-digit number. It returns a lot of false positives in my experience, but has also pulled some great contact info for companies that wasn’t available from their site (i.e. someone posted their details in a group or forum asking for help).
The last entity is “Phrase”. I specifically isolated it because of its untapped power in Maltego. This is a Google hacker’s dream. This entity will send any Google hack (or regular search term/phrase) you have to a search engine (out of the box it’s Yahoo) and then extracts as many of the above entities as it can. Couple the power of Google hacking with all of the information you have gathered, and if the old adage “Knowledge is Power” is right, you now have at your disposal a nuclear arsenal’s worth of “power”. Add PT-TAS (which we will talk about later) and you might as well have an Ion Cannon for your investigation.
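To make the entity list above and the behaviour of “Phrase” concrete (send a phrase to a search engine, then pull entities out of whatever text comes back), here is a small extractor I added for this post. It is not Paterva’s code and not what Maltego’s own Phrase transforms do internally: it runs over a constructed snippet of search-result text, pulls out the entity types named above (Email Address, IP Address, DNS Name, Domain, Phone Number) and renders them in the shape of a Maltego transform response. The maltego.* type names and the XML layout are my assumptions about Maltego’s format, and the “last two labels” rule for Domain is a simplification; real tooling consults the public suffix list. Run it over your own organisation’s public postings to see what an investigator would harvest from them.

```python
import re
from xml.sax.saxutils import escape

# Constructed sample text standing in for what a search engine hands back for
# a Phrase entity. Every host, address, e-mail and number in it is made up.
SAMPLE_TEXT = """
Posted by jdoe (j.doe@contoso.com) in the sysadmin forum:
our proxy hr2xp00209.contoso.com stopped answering on 10.20.30.40 after the
change; call the helpdesk at 555-867-5309 or mail helpdesk@contoso.com.
Also see http://www.contoso.com/faq and the backup box at 192.168.5.7.
"""

# Patterns for the entity types discussed above (kept deliberately simple).
EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(r"\b(?:%s\.){3}%s\b" % (OCTET, OCTET))
HOST_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
PHONE_RE = re.compile(r"\b(?:\d{3}-)?\d{3}-\d{4}\b")


def registered_domain(hostname):
    """Simplification for the example: the last two labels of a host name.
    Real tooling uses the public suffix list so co.uk style names work."""
    labels = hostname.lower().split(".")
    return ".".join(labels[-2:])


def extract_entities(text):
    """Return {entity_type: sorted list of values} found in free text."""
    found = {"EmailAddress": set(), "IPv4Address": set(), "DNSName": set(),
             "Domain": set(), "PhoneNumber": set()}
    for m in EMAIL_RE.finditer(text):
        found["EmailAddress"].add(m.group(0).lower())
        found["Domain"].add(registered_domain(m.group(1)))
    # Blank out e-mails first so "j.doe" in j.doe@... is not taken for a host.
    stripped = EMAIL_RE.sub(" ", text)
    for m in IPV4_RE.finditer(stripped):
        found["IPv4Address"].add(m.group(0))
    for m in HOST_RE.finditer(stripped):
        host = m.group(0).lower()
        found["DNSName"].add(host)
        found["Domain"].add(registered_domain(host))
    for m in PHONE_RE.finditer(stripped):
        found["PhoneNumber"].add(m.group(0))
    return {k: sorted(v) for k, v in found.items()}


def to_maltego_xml(entities):
    """Render in the shape of a Maltego transform response. The maltego.*
    type names and element layout are assumptions of this example."""
    lines = ["<MaltegoMessage>", " <MaltegoTransformResponseMessage>",
             "  <Entities>"]
    for etype, values in entities.items():
        for value in values:
            lines.append('   <Entity Type="maltego.%s"><Value>%s</Value></Entity>'
                         % (etype, escape(value)))
    lines += ["  </Entities>", " </MaltegoTransformResponseMessage>",
              "</MaltegoMessage>"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_maltego_xml(extract_entities(SAMPLE_TEXT)))
```

On the constructed text the extractor yields two e-mail addresses, two IPv4 addresses, two DNS names, one Domain (contoso.com, derived from both the hosts and the e-mail addresses) and one phone number; every one of those becomes a new node that further transforms can act on, which is exactly why a single forum post can seed an entire graph.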
There are more transforms than I have space for and you really don’t need me to insult your intelligence any more than I already have with my list of entities. So, I am picking out a few of my favorites that might get you a tad bit worried enough to go out and download Maltego, just to see if they pop on you.
Email to PGP: It takes an email address and then checks to see what other email addresses you have signed with your key and what the name associated with those email addresses are, along with the email address you searched for. Makes you kind of think of what other security tools can be turned back on themselves.
IP or Netblock to Wiki Edits: With this tool you can get a sense of what changes a company/person/organization makes to Wikipedia. I have had mixed results with how much information this returns, but as you can see from this interesting graph, three-letter agencies like to make edits.
Metadata Extraction from Documents: This transform is an information gold mine. It could give you insight into the names of users, the domain’s naming convention, possibly even the internal domain name and the version of the software that made that document.
Rapleaf and Spock Search (Social Networking search): If you don’t get anything right off the bat, try again later. These services index items on request, so if you are the first one to query an email address or phrase, it might take 20 minutes to index and be ready with results. Also, have you ever added your friends to a social networking site via your address book or contacts list (IM/Webmail/Outlook)? Well, what if the address book that you uploaded as a search included every email address or phrase that you have found in Maltego?
We have now gotten the basics and the building blocks; next we go into the Human Factor. Sort of like an OCD instructor, I will be helping you to make leaps of faith based on logic that Maltego, or any automated system for that matter, just can’t do.
Do what you love, love what you do is what I have been told since I was young, and Gary V takes that, puts it in the mirror and makes you look at it with the following video:
So we are taking a short break from my 4 part series on Maltego to bring you a guest post on runtime packers done by your friendly neighborhood Security Shoggoth. Packers are one of those mystical tech items out there that for most people sound too complicated to even look into. What SecShoggoth and I aimed for with this post was something understandable yet technical, and I think he did an awesome job:
What is a packer?
What do they do?
A packer, also known as a run-time packer, is a program which compresses another executable to a smaller size on disk. When executed, the packed executable is uncompressed in memory and runs. The time to uncompress the executable in memory is usually not noticeable, making it very advantageous to use one.
There are hundreds of packing programs available. One of the most commonly used is UPX (http://upx.sourceforge.net) which will pack a number of executable formats. Unlike most packers, UPX can unpack a program to its original, uncompressed state. Many packers do not have this functionality and analysts who wish to unpack a program have to find a separate unpacker or manually unpack the program in a debugger.
Why do virus/malware developers use them?
There is one side effect of packers that malware developers have found useful. Not only does the packer make the malware smaller and easier to transfer, but it also obfuscates or encrypts the internal components of the malware, making static analysis virtually impossible.
For example, normally an analyst would be able to look at the internal strings of a malware sample and determine some of its functionality - such as what registry keys it adds, what URLs it contacts, what functions it loads, etc. However, by using a packer on the malware, the internal strings are compressed and obfuscated, hiding them from view. The only way to view the internal strings would be to unpack the malware - something which is not always an easy thing to do.
Some packers also contain anti-virtual machine, anti-sandboxing and anti-debugging “features” which prevent the packed executable from running if they detect any of the software analysts typically use to analyze malware. This makes it much harder for the malware to be analyzed and will extend the amount of time before it can be reliably detected by AV software.
How do they work?
When an executable is packed, the packer compresses the original program and places some wrapper code around it. When the packed program is executed, this wrapper code runs and uncompresses the original program in memory, loads any dynamic libraries needed by the import table and jumps to the original entry point (OEP) of the now uncompressed program where it begins execution.
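To put the description above into something you can run, here is a toy packer I added for this post. It is not Security Shoggoth’s code and not the format of UPX or any real packer: the “stub” is a Python function instead of machine code, and the “binary” is constructed filler plus the kind of strings an analyst greps for (the registry path and URL are placeholders). It shows the three points the post makes: the wrapper stores the compressed image together with the original entry point, unpacking restores the original byte for byte and hands back the OEP, and the strings that static analysis relies on are absent from the packed file while its byte entropy jumps, which is the usual first heuristic for spotting a packed sample before you reach for a debugger.

```python
import math
import re
import struct
import zlib

# Constructed stand-in for an unpacked executable: repetitive code-like
# filler, a few cleartext strings an analyst would look for, then padding.
ORIGINAL = (
    b"\x55\x8b\xec\x83\xec\x40" * 64
    + b"\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"http://update.example.invalid/check\x00"
    + b"InternetOpenUrlA\x00"
    + b"\x90" * 256
)
MAGIC = b"TOYPACK1"  # made-up header tag for this example's format


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strings(data, min_len=5):
    """Printable-ASCII runs, the same idea as the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def pack(original, oep):
    """Toy packer: header (magic, original length, OEP) + zlib image.
    A real packer also prepends the executable stub that does the unpacking."""
    header = MAGIC + struct.pack("<II", len(original), oep)
    return header + zlib.compress(original, 9)


def unpack(packed):
    """What the stub does at run time: validate the header, inflate the
    image into memory, and return it with the OEP execution would jump to."""
    if packed[:8] != MAGIC:
        raise ValueError("not a TOYPACK1 image")
    orig_len, oep = struct.unpack("<II", packed[8:16])
    original = zlib.decompress(packed[16:])
    if len(original) != orig_len:
        raise ValueError("length mismatch after decompression")
    return original, oep


def analyze(original=ORIGINAL, oep=0x1000):
    """Compare what static analysis sees before and after packing."""
    packed = pack(original, oep)
    recovered, recovered_oep = unpack(packed)
    before = strings(original)
    after = set(strings(packed))
    return {
        "original_size": len(original),
        "packed_size": len(packed),
        "original_entropy": round(shannon_entropy(original), 2),
        "packed_entropy": round(shannon_entropy(packed), 2),
        "strings_before": before,
        "strings_hidden": [s for s in before if s not in after],
        "round_trip_ok": recovered == original and recovered_oep == oep,
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print("%-17s %s" % (key, value))
```

The entropy gap is what most packer detectors key on: compressed or encrypted sections sit near the top of the 0 to 8 scale, while ordinary code and data sit well below it. The same report also shows why the analyst’s shortcut is to let the sample run until the stub has finished and then dump memory from the OEP, rather than trying to read anything useful out of the file on disk.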