Joe St Sauver, Ph.D. (stsauver@fsi.io)
Distinguished Scientist, Farsight Security, Inc.
Version 0.3, March 16th, 2018
Acknowledgements: Many thanks to Farsight colleagues
Ben April and Marc Evans for their contributions to this document

Introduction

One of the most popular tools for visualizing cybersecurity data and exploring data relationships is Maltego (see https://www.paterva.com/web7/).

This write-up will describe how Maltego can be used in conjunction with Farsight Security® Inc.’s DNSDB Transform Set to easily leverage passive DNS approaches.

Maltego and the Farsight DNSDB Transform Set

We assume that you’re already a Farsight DNSDB API customer; if not, see https://www.farsightsecurity.com/order-services/ for information about obtaining a DNSDB API key.

We also assume that you’ve already installed and activated the Maltego Classic (or the Maltego XL) client. If not, see the Paterva web site mentioned in the Introduction above.

Note: the free version of Maltego will NOT work with the Farsight DNSDB Transform Set.

When you launch Maltego Classic, after the initial splash screen, and after you click on the Transforms tab, you’ll see a window that looks roughly like this:

img

Figure 1. Basic Maltego Starting Screen

To install the DNSDB Maltego Transform Set, select Transforms Hub, then roll your mouse over the Farsight Transform Set (highlighted with a red box in Figure 2):

img

Figure 2. The Farsight Transform Set On The Maltego Transforms Hub

Select Install, and then confirm that you want to install the Transform Set.

When the Transform Set installation finishes, you should see:

img

Figure 3. Successful Installation

Now install your DNSDB API keys. Each Transform uses its own individually-set API key. Yes, that means that if you want to use all 39 of the Farsight DNSDB Transforms, you’ll have to paste your API key into 39 Transforms. We’re sorry about that; this represents a conservative security choice designed to protect the privacy of your API key.

To set your API key, go to Transforms->Transforms Manager, then scroll down to the DNSDB Transforms from Farsight. Click on a Transform, then set the API key in Properties (Transform Inputs)->API Key. See Figure 4.

img

Figure 4. Setting the DNSDB API Key For One of The Transforms

Recommendation: While you may only find yourself routinely using a few of the 39 current transforms, and you could just add your API key as needed (e.g., Transform-by-Transform over time), we suggest that you take a minute or two now to cut and paste your DNSDB API key into the API Key field for ALL of the Farsight Transforms. By getting that done now, you’ll be ready to go when you want to use a new Transform.

On the other hand, if you would rather wait, Maltego will interactively prompt you to supply your key when it’s needed but not already present.

The Critically Important Number-of-Results Slider

While you’re configuring things, you should also strongly consider increasing the maximum number of results returned. If you don’t, you may be surprised to find that every query returns twelve or fewer results (12 is the default number of results returned in Maltego Classic). To raise that limit go to Investigate –> Number of Results, as shown in Figure 5:

img

Figure 5. Setting the Maximum Number of Results Returned

Experienced Maltego users may also want to see Appendix A, for an explanation of how the Number-of-Results slider impacts back end processing as well as what’s ultimately displayed on screen.

Understanding The Farsight DNSDB Transform Set

You’re now ready to begin using the Farsight DNSDB Transforms.

Because of how Maltego works, you do NOT have the option of specifying the equivalent of ‘command line options’ in order to customize a small number of query types. Instead, you get a set of 39 ‘pre-constructed queries’ that can be executed on a variety of inputs. The exact queries you can run depend on the input you’re starting with (whether that’s a Domain, a DNS Name, an Email Address, a URL, etc.).

For convenience, those transforms are listed on the next page, grouped by Input type, then Transform Description:

The Farsight Transform Set (Grouped by Input Type)

Domain: Delegation Point (sample.com) – 12 Transforms

# Input Transform Description Name
1 Domain To records with this hostname paterva.v2.dnsdbrrsetDomain
2 Domain Lookup *.$domain paterva.v2.dnsdbrrsetwclDomain
3 Domain Lookup *.$domain/A paterva.v2.dnsdbrrsetwclDomainA
4 Domain Lookup *.$domain/AAAA paterva.v2.dnsdbrrsetwclDomainAAAA
5 Domain Lookup *.$domain/CNAME paterva.v2.dnsdbrrsetwclDomainCNAME
6 Domain Lookup $domain.* paterva.v2.dnsdbrrsetwcrDomain
7 Domain Lookup $domain.*/A paterva.v2.dnsdbrrsetwcrDomainA
8 Domain Lookup $domain.*/AAAA paterva.v2.dnsdbrrsetwcrDomainAAAA
9 Domain Lookup $domain.*/CNAME paterva.v2.dnsdbrrsetwcrDomainCNAME
10 Domain Lookup NS for this Domain paterva.v2.dnsdbrrsetDomainNS
11 Domain Lookup MX for this Domain paterva.v2.dnsdbrrsetDomainMX
12 Domain To DNSNames with this value paterva.v2.dnsdbrdataDomain

DNS Name: Fully Qualified Domain Name (e.g., www.sample.com) – 19 Transforms

# Input Transform Description Name
13 DNS Name To records with this hostname paterva.v2.dnsdbrrsetDNSName
14 DNS Name Lookup *.$dnsname paterva.v2.dnsdbrrsetwclDNSName
15 DNS Name Lookup *.$dnsname/A paterva.v2.dnsdbrrsetwclDNSNameA
16 DNS Name Lookup *.$dnsname/AAAA paterva.v2.dnsdbrrsetwclDNSNameAAAA
17 DNS Name Lookup *.$dnsname/CNAME paterva.v2.dnsdbrrsetwclDNSNameCNAME
18 DNS Name Lookup $dnsname.* paterva.v2.dnsdbrrsetwcrDNSName
19 DNS Name Lookup $dnsname.*/A paterva.v2.dnsdbrrsetwcrDNSNameA
20 DNS Name Lookup $dnsname.*/AAAA paterva.v2.dnsdbrrsetwcrDNSNameAAAA
21 DNS Name Lookup $dnsname.*/CNAME paterva.v2.dnsdbrrsetwcrDNSNameCNAME
22 DNS Name To A records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoA
23 DNS Name To AAAA records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoAAAA
24 DNS Name To TXT records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoTXT
25 DNS Name To NS records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoNS
26 DNS Name To MX records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoMX
27 DNS Name To SOA records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoSOA
28 DNS Name To SRV records for this DNSName paterva.v2.dnsdbrrsetwcrDNSNametoSRV
29 DNS Name Records with this value paterva.v2.dnsdbrdataDNSName
30 DNS Name Domains using this MX paterva.v2.dnsdbrdataMXType
31 DNS Name Domains using this NS paterva.v2.dnsdbrdataNSType

Phrase (Phrases are IPv6 Addresses, CIDR netblocks, and Rdata text you’d like to search) – 3 Transforms

# Input Transform Description Name
32 Phrase Lookup *.$phrase paterva.v2.dnsdbrrsetwclPhrase
33 Phrase Lookup $phrase.* paterva.v2.dnsdbrrsetwcrPhrase
34 Phrase To DNSNames from this IPv6 Address paterva.v2.dnsdbrrsetrdataIPv6Address

Email Address (joe@sample.com) – 2 Transforms

# Input Transform Description Name
35 Email Address To DNSNames from this email paterva.v2.dnsdbrrsetEmail
36 Email Address MX from email address paterva.v2.dnsdbrrsetEmailMX

Other (Note: Netblocks look like a.b.c.d-e.f.g.h, NOT CIDR netblocks (see “Phrase” above for CIDRs)) – 3 Transforms

# Input Transform Description Name
37 URL To DNSNames from this URL paterva.v2.dnsdbrrsetURL
38 IPv4 Address To DNSNames with this IP paterva.v2.dnsdbrdataIPv4Address
39 Netblock To DNSNames with this value paterva.v2.dnsdbrdataIPv4Netblock

Note: Sample output for each of the 39 Farsight transforms can be seen in Appendix B.

Decoding The Name Column For these Transforms

  1. Note that all of the transforms begin with the invariant string paterva.v2.dnsdb. You can normally mentally tune that part out.
  2. Next, you’ll see either rrset (‘left hand side’ of a DNS record) or rdata (‘right hand side’ of a DNS record). For more on the difference between rrsets and rdata, please see https://www.farsightsecurity.com/2015/03/11/stsauver-rrset-rdata/
  3. You may then sometimes see a reference to wcl (wildcard left hand side, e.g., *.example.com) or wcr (wildcard right hand side, e.g., example.*).
  4. Next you’ll normally see a reference to a Maltego Entity such as DNS Name, Phrase, URL, Netblock, etc. All Maltego Entities are defined in, and can be reviewed in, the Maltego Entity Manager.
  5. After that, the Transform name may specify a subset of possible DNS record types, e.g., MX, SRV, TXT, etc.

Note: We’re also aware that some Transforms may seem duplicative (for example Lookup *.$domain, Lookup *.$phrase, and Lookup *.$dnsname). While their names look similar, the Entities they work on (and accept as inputs) are different.
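The naming rules above are regular enough to be applied mechanically. The following is an added example written for this write-up, not code from Farsight or Paterva: it splits a transform name into the side (rrset/rdata), wildcard marker, input entity and record-type qualifier using the five rules just listed. The field split is my reading of the convention, not an official grammar, and the handful of names in SAMPLE_NAMES is a constructed subset of the table above.

```python
"""Decode Farsight DNSDB Maltego transform names into their parts.

Added example (not part of Farsight's transform set or Maltego). Applies the
naming rules from the write-up; the grammar below is an assumption derived
from the 39 names in the table, not an official specification.
"""
import re
from typing import NamedTuple, Optional

PREFIX = "paterva.v2.dnsdb"

# Entity names as they appear inside transform names. Longest first so that
# "IPv4Netblock" / "IPv6Address" are not split at a shorter alternative.
ENTITIES = ("IPv4Netblock", "IPv6Address", "IPv4Address",
            "DNSName", "Domain", "Phrase", "Email", "URL")

# Record types used as a trailing qualifier ("AAAA" listed before "A").
RRTYPES = ("AAAA", "A", "CNAME", "TXT", "NS", "MX", "SOA", "SRV")

_NAME_RE = re.compile(
    r"^" + re.escape(PREFIX)
    + r"(?P<side>rrset|rdata)(?P<side2>rdata)?"   # #34 carries both: "rrsetrdata"
    + r"(?P<wc>wcl|wcr)?"                         # *.input  /  input.*
    + r"(?P<entity>" + "|".join(ENTITIES) + r")?"
    + r"(?:to)?"                                  # "...DNSNametoA" style names
    + r"(?P<rrtype>" + "|".join(RRTYPES) + r")?"
    + r"(?P<suffix>Type)?$"                       # #30/#31: MXType, NSType
)


class TransformName(NamedTuple):
    side: str                # "rrset" (left-hand side) or "rdata" (right-hand side)
    wildcard: Optional[str]  # "wcl", "wcr" or None
    entity: Optional[str]    # input entity named in the transform, if any
    rrtype: Optional[str]    # record-type qualifier, if any


def decode(name: str) -> TransformName:
    """Split one transform name; raises ValueError if it does not fit the scheme.

    Note that names 22-28 in the table carry "wcr" although their descriptions
    are plain record lookups; decode() reports what the name says, so treat
    the table's description column as authoritative for what a transform does.
    """
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError("not a Farsight DNSDB transform name: %r" % name)
    # "rrsetrdata" (transform #34) is listed as a right-hand-side lookup by
    # IPv6 address, so the trailing "rdata" wins when both markers are present.
    side = m.group("side2") or m.group("side")
    return TransformName(side, m.group("wc"), m.group("entity"), m.group("rrtype"))


def describe(name: str) -> str:
    """Render the decoded parts as a short English description."""
    t = decode(name)
    side = ("records whose left-hand side is" if t.side == "rrset"
            else "records whose right-hand side contains")
    what = {"wcl": "*.input", "wcr": "input.*"}.get(t.wildcard, "the input")
    text = "%s %s" % (side, what)
    if t.rrtype:
        text += ", %s records only" % t.rrtype
    if t.entity:
        text += " (input entity: %s)" % t.entity
    return text


# Constructed subset of the 39 names from the table above, for the demo.
SAMPLE_NAMES = [
    "paterva.v2.dnsdbrrsetwclDomainA",        # 3:  Lookup *.$domain/A
    "paterva.v2.dnsdbrrsetwcrDNSNametoSOA",   # 27: To SOA records for this DNSName
    "paterva.v2.dnsdbrdataIPv4Address",       # 38: To DNSNames with this IP
    "paterva.v2.dnsdbrdataMXType",            # 30: Domains using this MX
    "paterva.v2.dnsdbrrsetrdataIPv6Address",  # 34: To DNSNames from this IPv6 Address
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, "->", decode(n), "->", describe(n))
```

Running the block prints each sample name next to its decoded fields; decode() raises for anything that does not start with the paterva.v2.dnsdb prefix or does not fit the rrset/rdata, wcl/wcr, entity, record-type order.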

Manually Running One of the Transforms

We’ll now show you an example of manually invoking one of the Transforms.

We assume you’re using Maltego on a Mac (Maltego on a Windows 10 system will be similar once the application has been started, except for things like file paths).

If Maltego isn’t already running, start Maltego by double clicking on the Maltego icon in /Applications. After splash screens, you should see a screen that looks approximately like Figure 6:

img

Figure 6. Initial Maltego Screen

If you don’t have a New Graph panel open as part of your Maltego display, click on the little Page + icon that’s immediately to the right of the ‘bowling ball’ icon in the upper left hand corner.

Now click and drag the DNS Name Entity from the Entity Palette in the left column over into the main white New Graph panel. You should see something like what’s shown in Figure 7.

img

Figure 7. Maltego With DNS Name Entity dragged onto the New Graph panel.

The default name that’s displayed, alpine.paterva.com, is not the name we’re interested in, so double click on it and type in a different name. For this example, let’s put in www.reed.edu. After typing in that DNS Name, hit return. The result should look like Figure 8.

img

Figure 8. DNS Name Entity Now Showing The Name of Interest

Now we need to decide which Transform we want to run on that Entity. Hold down the Control key and click on the Entity to see what transforms are available for the sort of Entity we’re using. See Figure 9.

img

Figure 9. Picking a Transform

We choose To A Records for this DNSName and click the right triangular arrow to the right of that item to execute that Transform.

img

Figure 10. Result of Running That Transform

Note: Many different output formats are available, see the View menu to the left of the graph. If you prefer tables to diagrams, in particular, be sure to check out the tabular view available from the View menu.

Also Note: If you look at the default table view and wish you could suppress some of those columns, you CAN do so. After selecting table view, click on the select-columns icon (the little mesh grid) at the far right of the Type/Headings/etc. row, just above the actual rows of data, and select just the columns you want.

We can now chain from our initial results to see what DNSNames (if any) also share that IP. In this case, the only Transform available to us is To DNSNames with this IP which makes our choice of Transform rather straightforward. See Figure 11.

img

Figure 11. Checking To See If Any Other DNS Names Share That IP Address

After clicking on the right triangular arrow next to the Transform name, the Transform runs, producing the result shown in Figure 12.

img

Figure 12. Results From Running The ‘To DNSnames with this IP’ Transform

Clearly results were found, but we can’t currently see them.

We’ll close some of the panels we don’t currently need, resize the New Graph window, and click on the magnifying glass at the top of the screen to ‘zoom to fit’ the output. See Figure 13.

img

Figure 13. Output From Our Transforms, More Readily Visible Now

Sometimes you may just prefer a list of results to a diagram. If so, change that in the View menu to the left of the New Graph panel. See Figure 14. Note that the right-most column shows the number of hits that DNSDB has seen for each row.

img

Figure 14. List View of Results

You can experiment with other views, too, obviously.

If your analysis is concluded, you may want to save your results.

There are multiple things you can save:

img

Figure 15. Sample Exported Graph

134.10.2.252,alumni.reed.edu
134.10.2.252,comradesofthequest.com
134.10.2.252,comradesofthequest.org
134.10.2.252,nwacc.org
134.10.2.252,nwacc.reed.edu
134.10.2.252,reed.edu
134.10.2.252,web.reed.edu
134.10.2.252,www.reed.edu
www.reed.edu,134.10.2.252

Figure 16. Sample Exported-as-CSV Table Data

In addition to manually running individual Transforms, you can also create a Maltego ‘Machine’ that will run a ‘pipeline’ of Transforms. For example, we can create a Maltego Machine to run the two Transforms we just manually ran for www.reed.edu, making it easy to do that same run for other DNS Names.

img

Figure 17. Make a New Machine In Maltego

img

Figure 18. Supply configuration details

Complete the initial Machine by choosing its type, as shown in Figure 19:

img

Figure 19. Choose the Type of Machine

img

Figure 20. Our SampleMachine’s Simple Code

img

Figure 21. Picking the Machine We Want to Start

We also need to provide the name we want to run the Machine on… as a test, let’s do www.reed.edu again.

img

Figure 22. The Target DNS Name For Our Machine

When we click Finish, the Machine will begin to run. See the output in Figure 23.

img

Figure 23. Machine’s Output

This output should look familiar (e.g., from when we ran these same transforms manually, earlier in this write-up).

Note that just as when running Transforms manually, when you’re running a Maltego Machine you may need to rearrange or close panels, scroll, or use Investigate -> (magnifying glass) [aka Zoom to Fit] to see portions of your results.

Caution: Machines which perform chained queries may end up consuming many DNSDB queries from your quota.

For example, assume you construct a Machine that finds all domains that use a given nameserver, and then the Machine is programmed to look up each of those domains individually. Such a Machine could consume hundreds or even thousands of queries or more depending on the popularity/usage of that nameserver.
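The two Transforms run manually above (To A records for this DNSName, then To DNSNames with this IP), and the Machine that chains them, can also be expressed as direct calls to the DNSDB API, which makes the quota cost of a chain explicit. The following is an added example written for this write-up, not code from Farsight’s Transforms or from Maltego. It assumes the DNSDB API v1 URL layout as documented by Farsight at the time of writing (rrset lookup by owner name, rdata lookup by IP, an X-API-Key header, newline-delimited JSON), which you should check against the current API documentation, and an environment variable DNSDB_API_KEY for a live run; the sample responses are constructed from the Figure 16 data so the pivot also runs offline.

```python
"""Run the www.reed.edu pivot (A records, then names sharing each IP) against
the DNSDB API directly, and count the queries the chain costs.

Added example, not Farsight's transform code and not a Maltego Machine.
Assumptions: DNSDB API v1 paths (/lookup/rrset/name/<owner>[/<rrtype>] and
/lookup/rdata/ip/<ip>), the X-API-Key header, NDJSON responses, and an env
var DNSDB_API_KEY for the live run. Canned responses below are constructed
from Figure 16 and never leave the process.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

DNSDB_BASE = "https://api.dnsdb.info"


def rrset_url(owner: str, rrtype: Optional[str] = None, limit: Optional[int] = None) -> str:
    """Equivalent of 'To <rrtype> records for this DNSName' (#22-28)."""
    path = "/lookup/rrset/name/" + urllib.parse.quote(owner, safe="*")  # keep "*." wildcards
    if rrtype:
        path += "/" + rrtype
    return DNSDB_BASE + path + ("?limit=%d" % limit if limit else "")


def rdata_ip_url(ip: str, limit: Optional[int] = None) -> str:
    """Equivalent of 'To DNSNames with this IP' (#38). CIDR is written 'a.b.c.d,len'."""
    path = "/lookup/rdata/ip/" + urllib.parse.quote(ip, safe=":,")
    return DNSDB_BASE + path + ("?limit=%d" % limit if limit else "")


def parse_ndjson(text: str) -> List[dict]:
    """DNSDB answers one JSON object per line when Accept is application/json."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def dnsdb_get(url: str, api_key: str) -> List[dict]:
    """Live fetch over the network; only used from __main__ when a key is set."""
    req = urllib.request.Request(url, headers={"X-API-Key": api_key,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_ndjson(resp.read().decode("utf-8"))


def names_sharing_ips(dnsname: str, lookup: Callable[[str], List[dict]],
                      limit: int = 256) -> Tuple[Dict[str, List[str]], int]:
    """The two-Transform chain from the write-up, run for every A record the
    name has. Returns ({ip: [names sharing it]}, number of DNSDB queries spent):
    one rrset query plus one rdata query per distinct IP."""
    queries = 1
    ips: List[str] = []
    for rec in lookup(rrset_url(dnsname, "A", limit)):
        for ip in rec["rdata"]:            # rrset results carry a list of rdata
            if ip not in ips:
                ips.append(ip)
    shared: Dict[str, List[str]] = {}
    for ip in ips:
        queries += 1
        names = {r["rrname"].rstrip(".") for r in lookup(rdata_ip_url(ip, limit))}
        shared[ip] = sorted(names)
    return shared, queries


# --- constructed offline responses, modelled on the Figure 16 export ---------
_A_RESPONSE = json.dumps({"count": 1, "time_first": 1, "time_last": 2,
                          "rrname": "www.reed.edu.", "rrtype": "A",
                          "bailiwick": "reed.edu.", "rdata": ["134.10.2.252"]})
_IP_RESPONSE = "\n".join(json.dumps({"count": 1, "time_first": 1, "time_last": 2,
                                     "rrname": n + ".", "rrtype": "A",
                                     "rdata": "134.10.2.252"})
                         for n in ["alumni.reed.edu", "comradesofthequest.com",
                                   "comradesofthequest.org", "nwacc.org",
                                   "nwacc.reed.edu", "reed.edu", "web.reed.edu",
                                   "www.reed.edu"])
_CANNED = {rrset_url("www.reed.edu", "A", 256): _A_RESPONSE,
           rdata_ip_url("134.10.2.252", 256): _IP_RESPONSE}


def offline_lookup(url: str) -> List[dict]:
    """Stand-in for dnsdb_get() that serves the canned responses."""
    return parse_ndjson(_CANNED[url])


def demo() -> Tuple[Dict[str, List[str]], int]:
    """Offline run of the chain against the constructed Figure 16 data."""
    return names_sharing_ips("www.reed.edu", offline_lookup)


if __name__ == "__main__":
    key = os.environ.get("DNSDB_API_KEY")    # assumed env var name
    lookup = (lambda u: dnsdb_get(u, key)) if key else offline_lookup
    shared, used = names_sharing_ips("www.reed.edu", lookup)
    for ip, names in shared.items():
        print(ip, *names, sep="\n  ")
    print("DNSDB queries spent:", used)
```

Run offline it returns the eight names from Figure 16 and reports two queries spent: one rrset lookup plus one rdata lookup per distinct IP. A Machine that starts from Domains using this NS and then looks up each domain pays the same way, one query for the rdata lookup and then one per domain returned, which is where the hundreds or thousands of queries in the caution above come from.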

Conclusion

Maltego is a very popular framework for conducting cyber forensic investigations and doing other data mining.

You’ve now seen how you can easily use Farsight Security’s DNSDB with Maltego as part of your investigations.

In this write-up you’ve learned:

We hope that Maltego DNSDB users have found this write up helpful.

If you have any feedback, please feel free to drop us a note to share your thoughts at support@fsi.io

Appendix A. A Subtle But Critically Important Side Effect of The Number-of-Results Slider…

The Number-of-Results slider controls the number of results displayed in a Maltego graph – that’s well understood and as expected.

What may be less well understood is the fact that the Number-of-Results slider also shapes backend processing that’s done by the Farsight DNSDB Transforms prior to results getting displayed.

To understand the implications of this, consider the Lookup *.$Domain Transform. If we have the Number-of-Results slider set to 256, and run the Transform on uoregon.edu, we see a graph that looks like Figure 24:

img

Figure 24: ‘Lookup *.$Domain’ Output With Number-of-Results Set to 256

We would normally expect to see MANY results in that graph, not just the two results shown. So what happened?

The answer can be seen by a careful inspection of the Maltego ‘Details’ Window. To check it out, click on the uoregon.edu node near the bottom right portion of the graph shown in the Graph Window, then go to Windows->Detail View. You should see something that looks like Figure 25:

img

Figure 25: Details View For One Output Node, Lookup *.$domain, for the case of ‘uoregon.edu’

In this case, there are lots of results from DNSDB that all have the same left hand side (all are ‘uoregon.edu’). Those results get condensed for display purposes, and end up getting shown as just one (1) uoregon.edu node in the Maltego graph.

Unfortunately, there are so many results that get ‘used up’ that way, other unique/more interesting domains won’t end up getting displayed if the Maltego transform is run with a small ‘Number of Results’ slider setting.

While we could just ‘brute force’ the processing and collect up to a million results for each step of the DNSDB Transform’s analysis, doing so will normally be a waste of time and effort if we’re ultimately only going to display 12 or 50 or 256 results.

That’s why we normally just set the internal Transform-related processing limit to be an order of magnitude higher than the specified output.

That said, if you encounter issues with ‘SOA pollution’ or similar dreck in the ‘Lookup *.$Domain’ Transform, you may want to consider the alternative ‘Lookup *.$Domain/A’ Transform that will JUST return ‘A’ records, or leave the ‘Number of Results’ slider set to return the maximum number of results.

You can also see the ‘Lookup *.$Domain/AAAA’ Transform that will just return IPv6 ‘quad A’ records, and the ‘Lookup *.$Domain/CNAME’ Transform that will JUST return CNAME records, too.
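The interaction described in this appendix (a ten-times-the-slider fetch, condensation of records with the same left-hand side into one node, and the record-type Transforms side-stepping the problem) can be modelled in a few lines. The following is an added example written for this write-up, not code from the Farsight Transforms; the multiplier of ten comes from the text above, but the assumption that the apex’s SOA/NS/MX/TXT records arrive ahead of the subdomain records, and the sample data itself, are constructed for the demonstration.

```python
"""Model of how the Number-of-Results slider interacts with node condensation.

Added example, not Farsight transform code. It reproduces the behaviour
Appendix A describes: the transform fetches about slider*10 records from
DNSDB, records sharing a left-hand side collapse into one graph node, and
only the first <slider> nodes are drawn. Assumptions: the 10x multiplier
(from the text), and that the apex records come first in the result stream.
"""
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]   # (rrname, rrtype, rdata)


def displayed_nodes(records: List[Record], slider: int,
                    rrtype: Optional[str] = None, multiplier: int = 10) -> Dict[str, int]:
    """Nodes Maltego would draw: {rrname: number of records folded into it}.

    The record-type filter is part of the DNSDB query (the '/A' transforms ask
    for A records only), so it applies before the fetch limit; condensation of
    identical rrnames happens afterwards, on the client side."""
    if rrtype:
        records = [r for r in records if r[1] == rrtype]
    fetched = records[:slider * multiplier]
    nodes: Dict[str, int] = {}
    for rrname, _, _ in fetched:
        if rrname not in nodes and len(nodes) == slider:
            break                           # graph is full; rest is never shown
        nodes[rrname] = nodes.get(rrname, 0) + 1
    return nodes


def slider_needed(records: List[Record], want_unique: int,
                  multiplier: int = 10) -> Optional[int]:
    """Smallest slider setting that surfaces want_unique distinct names, or None."""
    for slider in range(want_unique, len(records) + 1):
        if len(displayed_nodes(records, slider, multiplier=multiplier)) >= want_unique:
            return slider
    return None


def constructed_sample(apex_records: int = 300, hosts: int = 40) -> List[Record]:
    """Constructed 'Lookup *.$domain' result stream for uoregon.edu: many apex
    SOA/NS/MX/TXT records first, then one A record per distinct host."""
    types = ("SOA", "NS", "MX", "TXT")
    recs = [("uoregon.edu", types[i % 4], "apex-rdata-%d" % i)
            for i in range(apex_records)]
    recs += [("host%02d.uoregon.edu" % i, "A", "192.0.2.%d" % (i % 254 + 1))
             for i in range(1, hosts + 1)]
    return recs


if __name__ == "__main__":
    sample = constructed_sample()
    print("slider 12, all types :", len(displayed_nodes(sample, 12)), "node(s)")
    print("slider 12, A only    :", len(displayed_nodes(sample, 12, rrtype="A")), "node(s)")
    print("slider 256, all types:", len(displayed_nodes(sample, 256)), "node(s)")
    print("slider needed for 13 distinct names:", slider_needed(sample, 13))
```

With the constructed stream, the default slider of 12 fetches 120 records that all condense into the single uoregon.edu node; switching to the A-only Transform shows twelve distinct hosts from the same slider setting, and raising the slider to 256 shows the apex plus all forty hosts. slider_needed() makes the trade-off explicit: it walks the slider up until enough distinct names survive the condensation, which is the ‘leave the slider at the maximum’ advice above expressed as a number.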

Appendix B. Sample Transforms

Note: The numbering of the Transforms in this appendix corresponds to the numbers in The Farsight Transform Set (Grouped by Input Type).

1. To records with this hostname

img

2. Lookup *.$domain

img

3. Lookup *.$domain/A

img

4. Lookup *.$domain/AAAA

img

5. Lookup *.$domain/CNAME

img

6. Lookup $domain.*

Note: Input to this Transform may not be (strictly speaking) a complete and valid domain per se.

img

7. Lookup $domain.*/A

Note: Input to this Transform may not be (strictly speaking) a complete and valid domain per se.

img

8. Lookup $domain.*/AAAA

Note: Input to this Transform may not be (strictly speaking) a complete and valid domain per se.

img

9. Lookup $domain.*/CNAME

Note: Input to this Transform may not be (strictly speaking) a complete and valid domain per se.

img

10. Lookup NS for this Domain

img

11. Lookup MX for this Domain

img

12. To DNSNames with this value

img

13. To records with this hostname

img

14. Lookup *.$dnsname

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

15. Lookup *.$dnsname/A

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

16. Lookup *.$dnsname/AAAA

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

17. Lookup *.$dnsname/CNAME

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

18. Lookup $dnsname.*

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

19. Lookup $dnsname.*/A

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

20. Lookup $dnsname.*/AAAA

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

21. Lookup $dnsname.*/CNAME

IMPORTANT NOTE: DO NOT INCLUDE THE LEADING ASTERISK AND DOT IN THE SUPPLIED INPUT

img

22. To A Records for this DNSName

img

23. To AAAA Records for this DNSName

img

24. To TXT Records for this DNSName

img

25. To NS for this DNSName

img

26. To MX for this DNSName

NOTE: NOT RETURNING RESULTS WHEN TESTED WITH ucla.edu

27. To SOA Records for this DNSName

img

28. To SRV Records for this DNSName

img

29. Records with this value

img

30. Domains Using This MX

img

31. Domains Using This NS

img

32. Lookup *.$phrase

img

33. Lookup $phrase.*

NOTE: DIDN’T WORK WHEN TESTED WITH www.ibm

34. To DNSNames from this IPv6 Address

img

35. To DNSNames from this email

NOTE: NOT RETURNING RESULTS WHEN TESTED WITH stsauver@fsi.io

36. MX from E-mail address

NOTE: NOT RETURNING RESULTS WHEN TESTED WITH stsauver@fsi.io and other email addresses

37. To DNSNames from this URL

img

38. To DNSNames with this IP

img

39. To DNSNames with this value

Note: IPv6 netblocks or CIDR netblocks are phrases, not ‘netblocks’ at this point in time.

img

About Farsight Security

Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.