
How Evil Kirk Uses Maltego

BSides Delaware 2015 · 37:38 · 292 views · Published 2015-11 · Video on YouTube

Category: Technical
Style: Talk

About this talk: BSides Delaware 2015. Speaker: Robert McMahon. Talk: How Evil Kirk Uses Maltego.

Transcript [en]

All right, I'll go ahead and get started. Can you all hear me okay? That's working. All right. This presentation is "How Evil Kirk Uses Maltego." This is the first time I've ever even been to a security conference, let alone spoken in front of a bunch of people, so I'm a little nervous, sorry.

Next slide here: who am I? My name is Robert McMahon. I started off in the IT industry in help desk, like many people. I worked at JP Morgan Chase for three years helping people turn printers on and off, and then I got picked up to be a mentor at TechSkills, which is a trade school, so I helped a lot of people get IT certifications [inaudible]. I was a mentor there for about three years. It was a school mostly for people like us who just want to pick up a certification to get better and to get a better job.

After that I got really lucky and got in at EPS Financial as just a junior software developer. I got in on the bottom floor there and helped them build their entire code base for the whole company, so it was a really good experience: started from the bottom, we designed the database and built it from the ground up, and it was an awesome experience. Then recently they needed to get PCI compliant, and they knew that I was into security, so they moved me over to be their information security analyst. That's my history. I wouldn't be here today if it wasn't for Li code and Brian. Love you, Brian, and anything that goes wrong in this I blame on [inaudible].

All right, so there are really two things that I'm going to talk about today. One is a local transform API written in .NET for Maltego, and then the main thing that most of you are probably interested in is the transforms to enumerate information from inside of a Windows domain.

So I'm going to start off with the API and .NET. It's written in C#. When I was using Maltego I noticed that there are APIs out there for PHP, there's one for Python, I think there's one for C as well, but I really like C#; it's my main language. So I just said, why not write an API? I guess the first thing I'm going to show you is the code using this API to find the robots.txt, because finding robots.txt to me is kind of like the "hello world" of Maltego transforms. Are you all familiar with Maltego and transforms?

All right. With this API, I won't go into the internal code of the API, because we'll be here forever, but just the general overview of how to use it. You always start off by creating a Maltego response generator object, and that's what everything's going to go into. You're going to add different entities, like a phrase entity or a website or whatever you're going to add when you're doing your transform. In this one we want to find the robots.txt of any website.

There we go. When Maltego passes in an entity from the palette, there are going to be two arguments. The first argument is going to be the entity value (I'll fire up Maltego in a second), so if it's a website, for example, www.google.com will be what's passed through as your first argument. Your second argument is any special values or extra values that are on there: it's "field name equals field value, field 2 equals field 2 value," separated by a hash, pound, sharp symbol, whatever you want to call that. In this case, and in most cases, you're only going to use the first argument to do your work on. In some cases you might use the other ones, but in this case we're only going to use the first argument.

So the first thing I have here is just a demonstration of how to add a simple UI message that will show up in Maltego at the bottom, so you can debug or just show any messages to the user down there. You just pass in UI message type "debug," and in this case it'll just pass through whatever gets passed to the application. Then here I'm building the URI to get to the robots.txt file. I like Path.Combine, but I decided to try this way, using URI objects, and it works really well; that helps just build the URI to pass to the WebClient to actually get the robots.txt file. So down here you just use WebClient to download a stream from the robots.txt file, and then for each line in the robots.txt file, so each entry, we're going to add a phrase entity to Maltego. Then here we have our catches: if there's, like, a 404, for example, or a 500 error, we're going to show just a partial error; if there's some other exception we're going to show a fatal error and show the message to the user. Then at the end of every program you do Console.WriteLine, get Maltego message, get Maltego message text, and that just serializes the object into an XML object, so all the XML's done for you. You don't have to make sure your XML is properly formed; you don't have to worry about it throwing a parse exception when it gets back to Maltego.

So, what's that? Actually, I wanted to do a demo, but I'm afraid to connect to live Wi-Fi. We'll see.

Does anybody know the... the wrong C, capital C, m-m-e-n-t-p. That's why I was afraid of [the live demo]. All right, I'm going to try one more time.

All right, I was hoping to do it, but I guess the demo gods aren't with me today. Basically, to do it you would usually have something like: you start off with a domain, and then you run a level three machine on it to get all this information from it, but you eventually get to a website, right click it, do "get robots." This isn't going to work because I'm not connected, but you get the picture, and then it will give you back separate phrase entities, so it will look something like this. Our phrases, there we go, sort of. I have a separate phrase for "Disallow WP" [inaudible] ... be connected, that... so you all get the picture.

All right, so let's go to the next part. That's just the API, something really easy to use, so you can use C# code to interface with Maltego and you can write your own logic using C# and the Windows libraries. Awesome.
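The "website to robots.txt" transform the speaker walks through, written out as an added example. This is editor-written code, not the speaker's API from his repository: it follows the local-transform conventions he describes (first argument the entity value, second the extra fields joined with "#", UI messages for debug and partial or fatal errors, and the serialized response XML written to standard output). The XML element names are Maltego's transform-response format; the class and method names, the `maltego.Phrase` entity type, and the `source` field are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Xml.Linq;

// Added example, not the talk's API: builds the transform-response XML that
// the Maltego client reads from the transform's standard output.
class MaltegoResponse
{
    readonly XElement entities = new XElement("Entities");
    readonly XElement messages = new XElement("UIMessages");

    public void AddEntity(string type, string value, IDictionary<string, string> fields = null)
    {
        var entity = new XElement("Entity", new XAttribute("Type", type),
                                  new XElement("Value", value));
        if (fields != null && fields.Count > 0)
            entity.Add(new XElement("AdditionalFields", fields.Select(f =>
                new XElement("Field", new XAttribute("Name", f.Key),
                             new XAttribute("DisplayName", f.Key), f.Value))));
        entities.Add(entity);
    }

    // MessageType is one of Maltego's own names: Inform, Debug, PartialError, FatalError.
    public void AddUIMessage(string type, string text) =>
        messages.Add(new XElement("UIMessage", new XAttribute("MessageType", type), text));

    // XElement escapes text, so a robots.txt line containing '<' or '&' cannot break
    // the document; this is the "the XML is done for you" point from the talk.
    public override string ToString() =>
        new XElement("MaltegoMessage",
            new XElement("MaltegoTransformResponseMessage", entities, messages)).ToString();
}

static class RobotsTransform
{
    // Second argument convention: "name=value#name2=value2".
    public static Dictionary<string, string> ParseFields(string raw)
    {
        var fields = new Dictionary<string, string>();
        foreach (var pair in (raw ?? "").Split(new[] { '#' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = pair.IndexOf('=');
            if (eq > 0) fields[pair.Substring(0, eq)] = pair.Substring(eq + 1);
        }
        return fields;
    }

    static int Main(string[] args)
    {
        var response = new MaltegoResponse();
        if (args.Length == 0)
        {
            response.AddUIMessage("FatalError", "no entity value was passed to the transform");
            Console.WriteLine(response);
            return 1;
        }
        string site = args[0];                                   // e.g. www.google.com
        var fields = ParseFields(args.Length > 1 ? args[1] : null);
        response.AddUIMessage("Debug", "input " + site + " with " + fields.Count + " extra field(s)");
        try
        {
            // Uri objects rather than string concatenation, so input with or without a
            // scheme or trailing slash still yields a well-formed address.
            var baseUri = site.StartsWith("http", StringComparison.OrdinalIgnoreCase)
                ? new Uri(site) : new Uri("http://" + site);
            var robots = new Uri(baseUri, "/robots.txt");
            using (var client = new WebClient())
            using (var reader = new StreamReader(client.OpenRead(robots)))
            {
                string line;
                while ((line = reader.ReadLine()) != null)
                {
                    line = line.Trim();
                    if (line.Length == 0 || line.StartsWith("#")) continue;  // blanks and comments
                    response.AddEntity("maltego.Phrase", line,
                        new Dictionary<string, string> { ["source"] = robots.ToString() });
                }
            }
        }
        catch (WebException ex)
        {
            // 404, 500, DNS failure: flag a partial error and still return what we have.
            var status = (ex.Response as HttpWebResponse)?.StatusCode.ToString() ?? ex.Status.ToString();
            response.AddUIMessage("PartialError", "could not fetch " + site + "/robots.txt: " + status);
        }
        catch (Exception ex)
        {
            response.AddUIMessage("FatalError", ex.GetType().Name + ": " + ex.Message);
        }
        Console.WriteLine(response);   // Maltego reads the transform's stdout
        return 0;
    }
}
```

Registered in Maltego as a local transform with the compiled executable as the command and the entity value as its argument, each non-comment line of the robots.txt comes back as a phrase entity; the partial-error path is what keeps a single 404 from turning into a parse failure on the client side.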

All right, that was the fun part.

The internal domain transforms. There's a series of new entities that I created for Maltego specifically for internal components. You have your domain, which represents the internal domain, so domain.local or whatever your internal domain name is. There are computers, which represent computers: workstations, servers, any kind of device inside the domain. Distribution groups and security groups, just groups inside your domain. User accounts, obviously, user accounts. Email delegates and email read (I could have named that better). The email delegate is an account that can send email on behalf of another person, so you usually see it with, like, a sales department: somebody can send as sales@yourcompany.com. And then email read is somebody that has full access to another user's email. This is just the beginning of them; there's going to be a lot more in the future. This is not completely done; there's actually a lot that can be done with these internal transforms, which I'll get into, like shoveling shells, which is really fun.

And then the new transforms themselves. There are domain transforms, which find computers, all the users in the domain, groups in the domain, security groups, distribution groups. Group transforms that you can run on these groups, so they find members of the groups, subgroups of that group, things like that. User transforms, so you can find the user's email address, phone numbers, groups that they're in as well. And computer transforms, where you can do things like shovel a shell, find user accounts that have logged into that computer, find the operating system, the patch level that it's currently on, fun things like that.

All right, and actually I'm not going to use this slide; I'm going to go into the code, because I've written more code than I have [slides]. Right now I have a massive switch for the main argument that comes in. Well, first of all, I guess we'll go into how we add these into Maltego... maybe not. All right, forget that, we'll just go right into the code.

So these are the transforms that I have done so far, and there's a lot more. If any of you want to jump in and do some development as well, just let me know, hit me up via email or see me after the conference, because there's a lot more that can be done with this. I think we can take Maltego and turn it into (I know most of you are going to laugh at this) something like an Armitage, where you can automate a lot of your internal penetration testing just through Maltego itself. So these are the transforms that have been done so far, and there's a lot more. I'm probably going to get rid of this large switch statement, which is pretty large, and go to some open/closed model later on.

[Audience] These transforms are something you can just take off the shelf and use?

[Speaker] Yeah. You can get the code from my Bitbucket account, which I'll have up here on one of the later slides, but you import them into Maltego and you just use them right off the shelf. I can show you how to do that; I don't have that in the presentation, but if anybody doesn't know how to import things into Maltego, let me know and I'll show you how. I don't mind.

So here, the first thing is "internal domain to computers." This just gets all of the computers that are in the domain, and this is run from the standpoint of any domain user. So if you pop a box inside of a domain and you're a lower-level user, as long as that user can see these computers in the domain, as long as they can contact the domain controller, you can use these. You don't have to be domain admin or local admin, even. This is equivalent to when you open up Outlook and you're searching for a user in the domain: anybody that can see those, you can use this on. You don't have to be domain admin; you do have to be on a machine inside the network. So this can be used by pen testers that get into a network, or we've used it at my work to help root out people that were in groups that shouldn't have been in those groups, or that we put them in and forgot about.

So the first one is internal domain to computers; it finds all the computers inside that domain. The second one is internal domain to all groups, so it finds all of the security groups and all the distribution groups in that domain and puts them on the graph for you, very nice and neat. Then there are separate ones for just security groups and just distribution groups, if you're only interested in those individual groups. Internal domain to users gets all of the users in the domain, or all of the users that you can see in the domain, and puts them out there on the graph for you. And then group to member groups: all the subgroups inside a group. I usually start off with doing internal domain to computers and internal domain to all groups, and then highlighting all the groups and running group to users, so you get all the users in the groups, and it looks great. Group to member groups, that's any groups that are inside that group, so if you have an HR group and then you have HR admins versus HR employees or HR reps. Group to users gets all the users inside that group. User to all groups, user to distribution groups, and user to security groups: these are just to get the groups that the user is in, so if you start off with just getting the users and you want to go kind of backwards, you can do that. User to email addresses will get you all of the email addresses that are assigned to that user. User to phone numbers: you can find the phone numbers that are assigned to that user, and this is just in the domain, so in my domain, for example, we don't store that in Active Directory, so you won't see that, but in some domains you will. Internal domain to email addresses just gets all of the email addresses in the domain, so if you want to do something later on, social engineering, grab all these email addresses; you can export them to an Excel file and send away emails. User to email read: that takes a user as the input, and then any email that that user has access to, that that user can read, so the forms email, the sales email box, anything that they can read, that's going to spit that out to you. With delegates, that's anything that the user can send emails as, so the sales user, for example, can send as sales@yourcompany.com. Computer to operating system is just going to return a phrase that shows the operating system for that computer. Computers is where I'm really lacking right now, just because I didn't have that much time to work on it, but that's going to come later. You can do a lot of things, like get the operating system, get the patch level of the operating system. And then the last one on here is computer to remote shell using PsExec. This was really fun; I did it yesterday. I just got all the computers in my domain, I highlighted all of them, and I got about 61 shells. Actually, I have a screenshot of it; they just started popping admin shells on all these computers.

[Audience] So the network is totally vulnerable to all this?

[Speaker] It's not really vulnerable, because my account has access to this stuff and I'm running it as my account. But if you were to get in, and I know a lot of companies use a common local admin on all of their machines in the network, if you were to get that, you can give that as an input and just have it go to each machine and ask each machine to shovel the shell back to you, and you get a ton of shells.

[Audience] Do you give credentials to the transform, or do you have to have a domain-joined machine?

[Speaker] I put the credentials, if it's a local credential, in an app.config fake file. This is not my company's internal one; this is just a sample one, but you put it into the app.config file, and that's if you have a local password. If you don't have a local one, it's just going to use whatever credentials you're logged in as, so you would have to be joined to that domain if you're trying to use domain [credentials]. Yes? Yeah, if you're going to run this in a domain, you have to have a user in the domain, or have popped a box where you have a user that's authenticated on the domain.

[Audience] Would you need to install Maltego on the box?

[Speaker] No, you don't have to install Maltego. I intentionally made this so that it's just one executable you have to drop, so that way... right there, it's a large name; you can rename it if you want to, but yeah, I intentionally made it so that it's just one executable you can drop onto a machine that you've popped or whatever, and then it will spit out... the last thing it does is spit out the XML that you can import into Maltego later. So you don't have to set up Maltego on the inside of a network; you can just move this executable file there. I'll show you the command-line arguments here.

[Audience] So you need to fire the binary; it executes, runs all your commands, outputs it into Maltego XML?

[Speaker] Yes.

[Audience] And you drag that back?

[Speaker] Yeah, Maltego just reads standard out; that's how I get that back.

[Audience] How do you get the XML back to you? I mean, in a penetration test or an exploit sort of scenario?

[Speaker] Say that again?

[Audience] How are you getting the XML back to you? Is that something you're doing automatically, or...?

[Speaker] It depends on how you got the shell. So if you just have a regular command shell and you can upload this, you can run the transform, copy and paste it back, and then put it into... it's just an XML file, and you can import that into Maltego so you can look at a nice pretty graph.


Transforms. All right, I'm going to just go through like we're adding a new one. So let's say we're adding one for internal domain to computers. You go up here if you want to add the transform. Now, you'll be able to import this from my Bitbucket account; you should be able to just import this right in, so you don't have to go through and add all of these locally. But just to give you an idea of how the arguments for the application work if you're just going to use it from the command line, this will give you some insight into that. So, user accounts. The input entity type we're going to say is the domain.

[Audience] You're using this just for a domain that you have access to, but can you use that idea to go into a foreign network? What would you need to do that?

[Speaker] This would be done from the standpoint that you're already in that network. So either you're an admin on that network and you want to get more information about your own network, or you've just popped a box inside the network, and this is so you can quickly find other machines on that network instead of just Nmap scanning or something like that, because Nmap can be pretty loud, or doing something else that might be picked up by an IDS or IPS. This is something that probably wouldn't be picked up by that, and you can get all this information without having to do loud things.

[Audience] If you wanted to use it against another network, you would have to get permission from that [network]?

[Speaker] Correct, yeah, you'd have to get into that, yeah.

All right, so we add the local transform, and then in the parameters here you can take them right out of the switch. So right here, this is the argument that you would pass in: whatever transform you want to run, you just pass in that argument. So if we wanted to do, what did we say, user accounts, turn all the way into users... finished. So when Maltego calls this, it's going to call the executable file with the transform that I want to use, so it's going to be "internal domain to users," and then you pass in the entity. If you're calling this from the command line, it would look just like this. You can usually ignore this field one, field two part, because you're just going to be using, for the most part, the first argument. So if your internal domain is bsides.local, for example, if you're calling it from the command line, it would say "internal domain to users bsides.local" and it'll [run].
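An added example of the domain-side transforms described above (the internal domain to users/computers/groups set, group to members, and user to groups, plus the command-line convention of transform name followed by the entity value), written on the PrincipalContext and PrincipalSearcher classes the speaker mentions later in the Q&A. It is editor-written code, not the project's Bitbucket code; the transform names and entity type strings are placeholders, the output XML uses Maltego's transform-response element names, and it needs a domain-joined Windows host plus a reference to System.DirectoryServices.AccountManagement. It also covers one case the talk does not raise: Active Directory permits circular group nesting, so the recursive member walk tracks groups it has already expanded. Like the speaker's auditing use, it only reads what the running account can already see.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Xml.Linq;

// Added example, not the speaker's code: domain-enumeration transforms in the
// style of the talk, implemented on PrincipalContext/PrincipalSearcher.
static class DomainTransforms
{
    // Placeholder entity type names; the talk's own type names are not given.
    const string UserType = "example.InternalUser";
    const string GroupType = "example.InternalGroup";
    const string ComputerType = "example.InternalComputer";

    static XElement Entity(string type, string value) =>
        new XElement("Entity", new XAttribute("Type", type), new XElement("Value", value));

    // internal domain -> users / computers / groups: query-by-example with a filter principal
    static List<XElement> FindAll(Principal filter, string type)
    {
        var found = new List<XElement>();
        using (var searcher = new PrincipalSearcher(filter))
        using (var results = searcher.FindAll())
            foreach (Principal p in results)
                using (p) found.Add(Entity(type, p.SamAccountName));
        return found;
    }

    // group -> members, expanding nested groups. AD allows circular nesting
    // (A contains B, B contains A), so already-expanded groups are skipped.
    static void CollectMembers(GroupPrincipal group, HashSet<string> seen, List<XElement> found)
    {
        if (!seen.Add(group.DistinguishedName)) return;
        using (var members = group.GetMembers(false))          // direct members; recursion is ours
            foreach (Principal member in members)
                using (member)
                {
                    var nested = member as GroupPrincipal;
                    if (nested != null)
                    {
                        found.Add(Entity(GroupType, nested.SamAccountName));
                        CollectMembers(nested, seen, found);
                    }
                    else if (member is UserPrincipal)
                        found.Add(Entity(UserType, member.SamAccountName));
                    else if (member is ComputerPrincipal)
                        found.Add(Entity(ComputerType, member.SamAccountName));
                }
    }

    // user -> groups (direct membership), the "go backwards" transform from the talk
    static List<XElement> GroupsOf(PrincipalContext ctx, string user)
    {
        var found = new List<XElement>();
        using (var u = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
        {
            if (u == null) throw new ArgumentException("no such user: " + user);
            using (var groups = u.GetGroups())
                foreach (Principal g in groups)
                    using (g) found.Add(Entity(GroupType, g.SamAccountName));
        }
        return found;
    }

    static int Main(string[] args)
    {
        // Command line as in the talk: <transform name> <entity value> [field=value#field2=value2]
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: DomainTransforms <transform> <entity value>");
            return 2;
        }
        string transform = args[0].ToLowerInvariant(), value = args[1];
        var found = new List<XElement>();
        // Domain transforms take the domain name as their input; the others run in the
        // domain the current account is logged into, as the talk describes.
        bool domainInput = transform.StartsWith("internaldomain");
        try
        {
            using (var ctx = domainInput ? new PrincipalContext(ContextType.Domain, value)
                                         : new PrincipalContext(ContextType.Domain))
            {
                switch (transform)
                {
                    case "internaldomaintousers":
                        found = FindAll(new UserPrincipal(ctx), UserType); break;
                    case "internaldomaintocomputers":
                        found = FindAll(new ComputerPrincipal(ctx), ComputerType); break;
                    case "internaldomaintosecuritygroups":
                        found = FindAll(new GroupPrincipal(ctx) { IsSecurityGroup = true }, GroupType); break;
                    case "internaldomaintodistributiongroups":
                        found = FindAll(new GroupPrincipal(ctx) { IsSecurityGroup = false }, GroupType); break;
                    case "grouptomembers":
                        using (var g = GroupPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, value))
                        {
                            if (g == null) throw new ArgumentException("no such group: " + value);
                            CollectMembers(g, new HashSet<string>(StringComparer.OrdinalIgnoreCase), found);
                        }
                        break;
                    case "usertogroups":
                        found = GroupsOf(ctx, value); break;
                    default:
                        Console.Error.WriteLine("unknown transform " + transform); return 2;
                }
            }
        }
        catch (Exception ex)   // unreachable DC, unknown principal, access denied
        {
            Console.Error.WriteLine(ex.GetType().Name + ": " + ex.Message);
            return 1;
        }
        Console.WriteLine(new XElement("MaltegoMessage",
            new XElement("MaltegoTransformResponseMessage", new XElement("Entities", found))));
        return 0;
    }
}
```

Run as `DomainTransforms.exe internaldomaintousers bsides.local` (domain name assumed) it prints the entity list as Maltego response XML on standard out, which is what the local-transform setup consumes; `grouptomembers "Domain Admins"` is the periodic group audit the speaker describes, and the visited-set check in `CollectMembers` is what keeps a circularly nested group from recursing forever.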

So this is a sample graph from a network that I have access to, and this is from a limited user. I just quickly enumerated all of the groups and then all of the users inside those groups in that domain. Can you guys see? Let me see if I can zoom... I cannot zoom in. All right, so the top part there, that's just the domain. I just dragged on the domain, typed in domain.local, and ran the transform to get all groups inside the domain. All of these purple are security groups, the brown are distribution groups, and the pink are user accounts. So you can obviously tell that this one right here is just the user account, the built-in user account for the domain, and all of these are just users in there. Each of these is a separate security group in the domain, and you can tell which user belongs to which security group. So we use this in my company to help weed out: we have a lot of people that come and go, a lot of contractors that come and go, and people get left in groups that they shouldn't be in, and there are all kinds of new groups that get started up and we have to delete them. So we just use this periodically to audit our groups. That's kind of a non-pen-testing way of using it, or you can use it in a pentest and find all of the groups, so you know who's in the domain admins, or you can see other groups that have administrators in them; then you want to get those accounts and try to find them and pop those. So this is just one example of something that you can use this for, and this is quick. When I ran this (I wish I could have done a demonstration in here, but I didn't have time to set up an example domain), this took about five seconds to run. So imagine if you're doing this without this tool and you scan all the computers in the network, you run Nmap on everything in the network, how long that would take and how many that would be compared to this. So this is kind of a more close-up: you can see that that one, that's just the standard user account, the domain, or the standard user group, and these are all the users that aren't really tied to any other groups; these users are tied to other groups. And that was my shells, fun with that. And that was that. Do you guys have any questions for me?

[Audience] In your reporting, I was thinking about: if you inherited a large domain that's been up a long time, you'd find, like, user objects, computer objects that just go back... I guess I'm trying to put it in terms of, like, [inaudible] and stuff. When it gives you your output, does it give you historical information, like last time logged on?

[Speaker] You can find that. I haven't coded that in, but yeah, you can definitely find that. On some things I'm using LDAP queries; on most of them I'm using the newer PrincipalContext and PrincipalSearcher, but on things like the emails I'm using the old LDAP. So anything that you can query in LDAP, you can write a transform for it in here and have it pop up. And it's not just restricted to Active Directory; it's anything that you can do. Like, I have one repository that I'm going to work on that's WMI, so you can spray the whole network with WMI if you want to: you get all the computers and just throw WMI anything. So what I'm going to have: there's Active Directory; there's a networking one, which will be, you know, if you want to run port scans, finding Excel documents on remote computers you have access to, interesting documents, finding the shares on remote computers, so once you're in there you can find out what shares that user has access to, finding remote drives, so like finding C$ or D$ on another computer; Sysinternals, this is remote shell, or you can do PsList or anything from Sysinternals you can code into this. And that's the big thing: I don't have a lot of time to code, but I'm going to keep going with this, so if any of you want to help out, jump in, let me know. Well, it's open source; it's on my Bitbucket account, but just let me know and I'll be happy to let you in and help you out. WMI queries, custom WMI queries, and then I'll have a list of other WMI queries that you can do that'll help find patch level. You can use WMI to find what antivirus is running on the computer, so if you're looking for one that doesn't have antivirus on it, or that has an older version of it, you'll be able to do that with this.

[Audience] What are the back-end query calls using, commands or PowerShell, or how are you querying?

[Speaker] Oh, for Active Directory, that is in here, yeah, it's just using LDAP queries, and they're just objects in Active Directory. I'm not sure exactly how it does that, but yeah, it's just LDAP queries, and then these are wrappers in .NET that do this, but it looks much prettier than you [writing them by hand].

[Audience] I was coding for the API to get data into Maltego; is there any API functionality for getting data back out, like from Maltego into XML, from Maltego into whatever I want to do with my side of the scripting, to get objects from Maltego back into C# or any other programming [language]? I mean, right now you want the transform, it sends it data; is there any other way to tap into Maltego?

[Speaker] Not that I know of. Yeah, Maltego is mostly: you have an entity that's on the palette and you want to get information about that entity, so when it sends it, it's just sending that entity name to that, and when you send it back, you're sending back XML to Maltego. So I'm not sure; I don't know if I'm understanding your question.

[Audience] So let's say you do a scan and you get all your group information; you've got this big graph here that shows all your groups, all your users. Is there an easy way to say, okay, I want to pull all the users back out of this group, and I want to dump, like, a text file, I want to dump something else, some other sort of data, to get data back out of this to use?

[Speaker] Kind of, yes. There's... [inaudible] I'll name these users... [inaudible]. All right, so you can export; there are a few different ways. I added three users to a domain... let me get rid of this. Yes?

[Audience] So you're talking about, you want to get it out onto paper that you can show somebody, or to PowerShell?

[Audience] PowerShell.

[Speaker] Okay, all right. So you can export, you can generate a report, but that's going to generate the PDF report that you can give to a higher-up or somebody else that wants to view it. You can [export] it as a table.

[Audience] So there's no API that you know of to actually directly interact back in here to pull that thing back out?

[Speaker] Correct, yeah. You'd have to export it to, like, a CSV file and then you can pass that into a PowerShell script or something like that. It's all Java. But what you can do with it is, if you have a PowerShell script that accepts one entity at a time, so like one computer at a time, because this is going to call each time, you can just write a transform, you can add a local transform in there to call that PowerShell script and pass that entity to it. Any other questions?

[Audience] If you pass an entity that has child nodes, do you get the children as well? Can you access the children from the API?

[Speaker] You can, but if you have child nodes, it's basically whatever you highlight. So if you just want to run things on users, you would right click... you can't select the domain; when that passes to the transform, the transform can't figure out what the children are; it's just going to do the domain, yeah, because Maltego runs it on whatever you have selected. So the transforms are just for the specific entity that you're running it against. It's not, when you pass this in, it's not going to pass all the users and all the groups; it's just going to pass "domain" as text.

[Audience] When you're running that as a local transform, what does the return look like? How do you send it back to Maltego?

[Speaker] Say again?

[Audience] You said that it comes to the API as an entity name.

[Speaker] Yes.

[Audience] And you're generating the XML; how do you get that XML back to Maltego?

[Speaker] Oh, it's just standard out.

[Audience] Okay, standard out.

[Speaker] So either one of these, like the "get robots," it's just a simple console [app].

[Audience] Got it, great. Anything else? Any other questions? Awesome, thank you very much. Great job.