Maltego and OSINT Graphs

Maltego is a visual link analysis tool that maps relationships between entities — domains, IPs, email addresses, people, organisations, and infrastructure. It turns raw OSINT data into a visual graph that reveals connections invisible when looking at data sources individually.

In penetration testing, Maltego is used during the reconnaissance phase to build a complete picture of a target's digital footprint before any active scanning begins. A thorough Maltego investigation often surfaces attack vectors that automated scanners miss entirely.

A Brief History

Maltego was originally developed by Paterva, a South African company, in the mid-2000s. It was initially conceived as a general-purpose link analysis tool — similar to what intelligence agencies had been using for decades to map human networks and financial relationships. The key innovation was automating the data collection layer: instead of an analyst manually researching each connection, Maltego could query dozens of public databases simultaneously and instantly visualize the results.

Over time, it evolved from a niche forensics tool into a mainstream fixture of both offensive security and investigative journalism. Today, Maltego is published by a dedicated company (also called Maltego) and integrates with hundreds of third-party data providers. Law enforcement agencies, corporate intelligence teams, and red teamers all use different flavors of the same core platform.

Entity Relationship Mapping

You start with a seed entity (e.g. a domain name) and run transforms against it. Each transform queries external sources and returns related entities, which you can then run further transforms against — expanding the graph iteratively.

Domain → DNS transforms →
  IP Addresses → WHOIS → ASN → Hosting Provider
  Subdomains  → Port scan → Services
  MX Records  → Email addresses → Breached credentials
  NS Records  → Registrar → Other domains (same registrar)

Transform Categories

Transforms are the engine of Maltego. Each one is essentially a scripted query to a specific data source. They fall into a few broad categories:

• DNS/WHOIS Transforms — resolve hostnames, look up registrant data, find name servers and mail exchangers. This is the foundational layer of any domain-based investigation.
• Passive DNS Transforms — query historical DNS records, revealing IP addresses a domain has pointed to in the past — even if those records have since been removed.
• Breach Data Transforms — cross-reference email addresses against known credential leak databases (HaveIBeenPwned, Dehashed, etc.) to surface compromised accounts.
• Social Media Transforms — enumerate LinkedIn profiles, Twitter accounts, and other social data tied to an organisation or individual.
• Shodan/Censys Transforms — look up public-facing devices and services associated with a given IP range or certificate fingerprint.
• Certificate Transparency Transforms — search CT logs for all TLS certificates ever issued for a domain, revealing every subdomain the organisation has ever certificated.

OSINT Investigation in Practice

host example-corp.com
example-corp.com has address 104.21.45.67
example-corp.com mail is handled by mail.example-corp.com

dig +short example-corp.com NS
ns1.cloudflare.com  ns2.cloudflare.com

# Reverse DNS on the IP:
dig -x 104.21.45.67
dev.example-corp.com   <-- different subdomain on same IP

theHarvester -d example-corp.com -b google,linkedin
[email protected]
[email protected]
[email protected]
# Pattern identified: firstname.lastname@
# Can now generate a full employee email list from LinkedIn

curl "https://crt.sh/?q=%.example-corp.com&output=json" | jq '.[].name_value'
"staging.example-corp.com"
"internal.example-corp.com"
"vpn.example-corp.com"
"jira.example-corp.com"

curl "https://api.shodan.io/shodan/host/104.21.45.67?key=API_KEY"
Hostnames: ["example-corp.com", "old-corp.com", "dev-internal.com"]
Open ports: [80, 443, 8080, 22]
Software: nginx/1.18.0
# old-corp.com → likely legacy infrastructure → less patched

What You Need to Know

Beyond the Basics — Extended OSINT Techniques

Once you understand the fundamentals, Maltego becomes considerably more powerful when you begin combining multiple data sources and running multi-hop investigations. The following techniques represent how professional red teamers and intelligence analysts actually use the tool — not just for collecting facts, but for building a narrative map of an organisation's vulnerabilities.

Supply Chain Reconnaissance

Modern organisations don't exist in isolation. They share data with dozens of vendors, SaaS platforms, and cloud providers. An attacker researching a hardened primary target will often look for a weaker link in the supply chain instead. Maltego excels at mapping these third-party relationships.

Infrastructure Correlation

Organisations often use the same hosting provider, certificate authority, or analytics platform across multiple properties. When one of those shared infrastructure elements is identified, it can unlock visibility into a much broader footprint than the target intended to expose.

# If example-corp.com uses Google Analytics ID: UA-12345678-1
# Search for other domains using the same Analytics ID:
curl "https://publicwww.com/websites/UA-12345678/" 
Found on:
  example-corp.com        ← known target
  corp-internal-tools.io  ← unknown internal tool
  example-corp-staging.net ← staging domain, not indexed

# The same tracking code appears on sites the organisation
# never intended to be discovered through their main domain.

Human Intelligence Graph Building

Maltego's person-centric transforms allow investigators to map individuals across platforms. Starting from a corporate email address, you can trace a person across LinkedIn, GitHub, Twitter, professional publications, and code repositories — building a comprehensive profile that often includes personal email addresses, home locations, and behavioral patterns.

This matters for social engineering and spear phishing scenarios. A convincing phishing email doesn't just use someone's name — it references their job title, recent projects, colleagues' names, and internal jargon. All of that is accessible through OSINT before a single packet is sent to the target.

[email protected]
  → LinkedIn: "James Harlow, Senior Network Engineer at Example Corp"
    → GitHub: "jharlow-ec"
      → Public repos: ansible playbooks for internal infrastructure
        → Hardcoded VLAN IDs, internal subnet ranges, server naming convention
    → Twitter: @jh_netsec
      → Posts about "migrating to FortiGate" (firewall brand identified)
      → Retweet about a known FortiGate vulnerability (CVE-XXXX-XXXX)

Autonomous System and BGP Mapping

For large organisations, Maltego can map their entire routable IP space by querying BGP routing data. Autonomous System Numbers (ASNs) are public records that associate IP address blocks with organisations. This can surface entire IP ranges the organisation owns — not just the ones publicly advertised on their website — including data center ranges, cloud provider allocations, and failover infrastructure.

# Organisation's primary IP → WHOIS → ASN
whois 104.21.45.67 | grep -i "asn\|org"
ASN: AS13335
Org: Example Corp Technologies Inc.

# Query all CIDR blocks registered to this ASN:
whois -h whois.radb.net -- '-i origin AS13335'
route: 104.21.44.0/22
route: 198.41.128.0/17
route: 172.64.0.0/13
# Now you have the ENTIRE routable IP space for this organisation.

Vulnerabilities Revealed Through Reconnaissance

The critical insight is this: Maltego doesn't exploit vulnerabilities — it finds them. The tool aggregates public information, but what that information reveals is often a detailed map of exploitable weaknesses. Understanding what types of vulnerabilities OSINT surfaces is essential for both attackers and defenders.

The Credential Reuse Chain — A Deep Dive

One of the most powerful and frequently underestimated attack paths that OSINT enables is the credential reuse chain. This deserves detailed examination because it turns a seemingly minor exposure (an old LinkedIn breach from 2012) into a current, active threat.

Subdomain Takeover

A particularly interesting vulnerability class exposed by OSINT is subdomain takeover. When an organisation sets up a DNS CNAME record pointing a subdomain to a third-party service (e.g., a Heroku app, GitHub Pages site, or S3 bucket), and then decommissions that service without removing the DNS record, the subdomain becomes "dangling" — pointing to a hostname that no longer exists.

An attacker can register the same hostname on the third-party platform, causing the organisation's subdomain to serve content they control. This is particularly dangerous because the browser trust model considers staging.example-corp.com to be fully trusted by users who trust example-corp.com — even if the content is now served by an attacker.

dig CNAME staging.example-corp.com
staging.example-corp.com. CNAME example-corp.herokudns.com.

curl -I https://example-corp.herokudns.com
HTTP/1.1 404 Not Found
Content-Type: text/html
X-Heroku-Error: No such app

# The CNAME target returns "No such app" — the Heroku app was
# deleted but the DNS record remains. An attacker can now claim
# this Heroku app name and serve content from staging.example-corp.com.

What This Means for Network Security

Understanding Maltego and OSINT methodology is not just an offensive skill — it is foundational to defensive security. An organisation cannot protect what it doesn't know exists, and OSINT is often how defenders discover their own unknown exposures. This section examines the security implications from both perspectives.

The Attack Surface You Don't Know About

Every organisation's "official" asset inventory is incomplete. IT departments know about the servers they provision and the domains they register — but the reality of a growing organisation is that shadow IT, forgotten infrastructure, and historical decisions create a much larger actual attack surface.

The DNS Trust Problem

DNS is fundamental infrastructure, and OSINT exposes it comprehensively. From a network security standpoint, the information Maltego surfaces about an organisation's DNS configuration has several specific implications:

• Overpermissive SPF records — A +all or ?all SPF policy means any server in the world can send email claiming to be from your domain. Maltego's DNS transforms will surface this immediately.
• Missing DMARC — Without a DMARC policy, your domain can be spoofed trivially in phishing attacks. OSINT reveals this gap without any active probing.
• Zone transfer misconfiguration — Some DNS servers will respond to AXFR requests (full zone transfer) from any source, dumping the entire internal DNS namespace to anyone who asks. Maltego includes transforms that test for this.
• Internal hostname leakage via reverse DNS — Reverse DNS records for public IPs often contain hostnames that reveal internal naming conventions and network topology (e.g., db1.internal.example-corp.com).

Implications for Infrastructure Design

The data that OSINT collects suggests several concrete implications for how infrastructure should be designed and managed:

Social Engineering Attack Surface

Network security tends to focus on technical controls — firewalls, IDS/IPS, patch management. But Maltego exposes something those tools can't address: the human attack surface. People are consistently the most exploitable element in any organisation's security posture, and OSINT enables extremely targeted social engineering.

A convincing pretext doesn't require hacking anything. It requires knowing enough about the target to sound credible. OSINT provides:

• Real employee names, titles, and team structures (LinkedIn transforms)
• The technologies the team uses (job postings, GitHub repos, social media)
• Current projects and initiatives (press releases, LinkedIn posts, conference talks)
• Internal vocabulary and jargon (public documentation, Slack communities, GitHub issues)
• Which individuals have privileged roles (IT administrators, finance controllers, C-suite assistants)

With this information, an attacker can craft a spear phishing email or phone call that sounds indistinguishable from internal communication — referencing real project names, real colleagues, and real technologies. No exploit required.

The Defensive Perspective — Red Team as Blue Team Intelligence

The most effective defensive use of Maltego is to run it against your own organisation before an attacker does. This is sometimes called "attack surface management" or "external exposure assessment," and it has become a core practice in mature security programs.

Broader Scenarios and Ethical Dimensions

Maltego and OSINT methodology extend well beyond traditional penetration testing. Understanding the full breadth of legitimate use cases — and the ethical boundaries that govern them — is essential for any security professional.

Legitimate Use Cases Beyond Pentesting

• Fraud investigation: Financial institutions use graph analysis to trace fraudulent transactions, identify shell company networks, and map money laundering schemes. The same entity-relationship model that maps domain infrastructure maps corporate ownership hierarchies.
• Investigative journalism: Reporters at organisations like Bellingcat use OSINT graph methodology to investigate disinformation networks, identify the operators of anonymous social media campaigns, and trace the ownership of assets like aircraft and real estate.
• Law enforcement: Intelligence agencies and police units use commercial versions of link analysis tools to map criminal networks, track the movement of individuals, and identify connections between suspects.
• Threat intelligence: Security teams use Maltego to research threat actor infrastructure — identifying C2 servers, tracking reused hosting patterns, and attributing campaigns to known groups by finding shared infrastructure fingerprints.
• Mergers and acquisitions due diligence: Before acquiring a company, security teams run OSINT assessments to identify unknown technical debt, exposed infrastructure, and security posture — preventing the kind of scenario described in the merger hypothetical above.

Legal and Ethical Boundaries

Because OSINT operates on publicly available data, it occupies a legally complex space. The information being queried is public — but the act of aggregating, analysing, and acting on it can cross legal and ethical lines depending on context.

The ethical framework for OSINT research generally breaks down along two axes:

• Purpose: Is the investigation for protective, investigative, or harmful purposes? The same technique used to protect an organisation from attack is used by criminals to plan one.
• Scope: Is the investigation scoped to organisational/infrastructure entities, or does it extend to building profiles of private individuals? The latter raises significant privacy concerns even when the underlying data is technically public.

The Aggregation Problem

One of the most important concepts in OSINT ethics — and one with significant implications for network security policy — is the aggregation problem. Each individual piece of data collected by Maltego may be entirely public and seemingly innocuous. But when combined, they create something more sensitive than any individual piece.

Reducing Your Organisation's OSINT Footprint

Security controls that address the vulnerabilities OSINT reveals fall into three categories: reduce what's exposed, monitor what can't be removed, and build resilience against what's discovered.

Reduce Exposure

• WHOIS privacy: Use domain registrar privacy protection services to prevent registrant contact information from being directly queryable. This doesn't eliminate the threat but raises the effort required.
• Certificate discipline: Implement internal certificate management workflows that require decommissioned services to have their DNS records removed before (or simultaneously with) decommissioning the service.
• Email security policy hardening: Implement strict SPF (-all), DKIM signing, and DMARC enforcement (p=reject) across all sending domains, including dormant domains that can still be spoofed.
• GitHub/code hygiene: Enforce pre-commit hooks that scan for secrets, API keys, and internal hostnames before code is pushed to any repository. Mandate periodic audits of all public repositories.
• Subdomain lifecycle management: Treat DNS records as infrastructure with a lifecycle. Establish a decommissioning checklist that includes DNS record removal as a required step.

Monitor What Remains

• CT log monitoring: Subscribe to certificate transparency log monitoring services (e.g., Facebook's cert.transparency.google, or tools like Certspotter) to receive alerts when new certificates are issued for your domain — including subdomains you didn't create, which may indicate a takeover.
• Breach monitoring: Integrate with breach notification APIs to receive automated alerts when employee email addresses appear in new data dumps.
• Attack surface management platforms: Consider dedicated ASM tooling (e.g., Censys ASM, Mandiant ASM) that continuously runs OSINT-style reconnaissance against your own footprint and alerts on new exposures.
• Domain monitoring: Watch for typosquatting registrations — domains that are slight variations of your own, registered potentially for phishing. WHOIS monitoring services can alert on these.

Build Resilience

• Phishing simulation programs: Regularly simulate spear phishing attacks using the kind of contextual information OSINT would provide. This trains employees to recognise convincing pretexts, not just obvious generic phishing.
• MFA everywhere: Even if a credential is exposed in a breach, mandatory MFA on all internet-facing systems (VPN, email, cloud consoles) prevents credential reuse from being immediately exploitable.
• Zero Trust architecture: Move away from the assumption that internal network access implies trust. OSINT often finds paths to the internal network through forgotten tunnels and compromised vendors — Zero Trust ensures that even if an attacker reaches the network, they cannot move laterally without re-authenticating for each resource.

Core Concepts Summary