User Guides

Using Maltego with Farsight DNSDB Transforms

Joe St Sauver, Ph.D.

Distinguished Scientist, Farsight Security, Inc.

Version 0.3, March 16th, 2018

Acknowledgements: Many thanks to Farsight colleagues Ben April and Marc Evans for their contributions to this document

Introduction

One of the most popular tools for visualizing cybersecurity data and exploring data relationships is Maltego.

This write-up will describe how Maltego can be used in conjunction with Farsight Security® Inc.’s DNSDB Transform Set to easily leverage passive DNS approaches.

Maltego and the Farsight DNSDB Transform Set

We assume that you’re already a Farsight DNSDB API customer; if not, contact us for information about obtaining a DNSDB API key.

We also assume that you’ve already installed and activated the Maltego Classic (or the Maltego XL) client. If not, see the Paterva web site mentioned in the Introduction above.

Note: the free version of Maltego will NOT work with the Farsight DNSDB Transform Set.

When you launch Maltego Classic, after the initial splash screen, and after you click on the Transforms tab, you’ll see a window that looks roughly something like this:

*Figure 1. Basic Maltego Starting Screen*

To install the DNSDB Maltego Transform Set, select Transforms Hub, then roll your mouse over the Farsight Transform Set (highlighted with a red box in Figure 2):

*Figure 2. The Farsight Transform Set On The Maltego Transforms Hub*

Select Install, and then confirm that you want to install the Transform Set.

When the Transform Set installation finishes, you should see:

Now install your DNSDB API keys. Each Transform uses its own individually-set API key. Yes, that means that if you want to use all 39 of the Farsight DNSDB Transforms, you’ll have to paste your API key into 39 Transforms. We’re sorry about that; this represents a conservative security choice designed to protect the privacy of your API key.

To instantiate your API key, go to Transforms->Transforms Manager, then scroll down to the DNSDB Transforms from Farsight. Click on a Transform, then set the API key in Properties (Transform Inputs)->API Key. See Figure 4.

*Figure 4. Setting the DNSDB API Key For One of The Transforms*

Recommendation: While you may only find yourself routinely using a few of the 39 current transforms, and you could just add your API key as needed (e.g., Transform-by-Transform over time), we suggest that you take a minute or two now to cut and paste your DNSDB API key into the API Key field for ALL of the Farsight Transforms. By getting that done now, you’ll be ready to go when you want to use a new Transform.

On the other hand, if you would rather wait, Maltego will interactively prompt you to supply your key when it’s needed but not already present.

The Critically Important Number-of-Results Slider

While you’re configuring stuff, you should also strongly consider increasing the maximum number of results returned. If you fail to do this, you may be surprised to find that the result of every query is twelve or fewer results (since 12 is the default number of results returned in Maltego Classic). To reset that limit go to Investigate –> Number of Results, as shown in Figure 5:

*Figure 5. Setting the Maximum Number of Results Returned*

Experienced Maltego users may also want to see Appendix A, for an explanation of how the Number-of-Results slider impacts back end processing as well as what’s ultimately displayed on screen.

Understanding The Farsight DNSDB Transform Set

You’re now ready to begin using the Farsight DNSDB Transforms.

Because of how Maltego works, you do NOT have the option of specifying the equivalent of ‘command line options’ in order to customize a small number of query types. Instead, you get a set of 39 ‘pre-constructed queries’ that can be executed on a variety of inputs. The exact queries you can run depend on the input you’re starting with (whether that’s a Domain, a DNS Name, an Email Address, a URL, etc.).

For convenience, those transforms are listed on the next page, grouped by Input type, then Transform Description:

The Farsight Transform Set (Grouped by Input Type)

Domain: Delegation Point (sample.com) — 12 Transforms

#	Input	Transform Description	Name
1	Domain	To records with this hostname	paterva.v2.dnsdbrrsetDomain
2	Domain	Lookup *.$domain	paterva.v2.dnsdbrrsetwclDomain
3	Domain	Lookup *.$domain/A	paterva.v2.dnsdbrrsetwclDomainA
4	Domain	Lookup *.$domain/AAAA	paterva.v2.dnsdbrrsetwclDomainAAAA
5	Domain	Lookup *.$domain/CNAME	paterva.v2.dnsdbrrsetwclDomainCNAME
6	Domain	Lookup $domain.*	paterva.v2.dnsdbrrsetwcrDomain
7	Domain	Lookup $domain.*/A	paterva.v2.dnsdbrrsetwcrDomainA
8	Domain	Lookup $domain.*/AAAA	paterva.v2.dnsdbrrsetwcrDomainAAAA
9	Domain	Lookup $domain.*/CNAME	paterva.v2.dnsdbrrsetwcrDomainCNAME
10	Domain	Lookup NS for this Domain	paterva.v2.dnsdbrrsetDomainNS
11	Domain	Lookup MX for this Domain	paterva.v2.dnsdbrrsetDomainMX
12	Domain	To DNSNames with this value	paterva.v2.dnsdbrdataDomain

DNS Name: Fully Qualified Domain Name (e.g., www.sample.com) — 19 Transforms

#	Input	Transform Description	Name
13	DNS Name	To records with this hostname	paterva.v2.dnsdbrrsetDNSName
14	DNS Name	Lookup *.$dnsname	paterva.v2.dnsdbrrsetwclDNSName
15	DNS Name	Lookup *.$dnsname/A	paterva.v2.dnsdbrrsetwclDNSNameA
16	DNS Name	Lookup *.$dnsname/AAAA	paterva.v2.dnsdbrrsetwclDNSNameAAAA
17	DNS Name	Lookup *.$dnsname/CNAME	paterva.v2.dnsdbrrsetwclDNSNameCNAME
18	DNS Name	Lookup $dnsname.*	paterva.v2.dnsdbrrsetwcrDNSName
19	DNS Name	Lookup $dnsname.*/A	paterva.v2.dnsdbrrsetwcrDNSNameA
20	DNS Name	Lookup $dnsname.*/AAAA	paterva.v2.dnsdbrrsetwcrDNSNameAAAA
21	DNS Name	Lookup $dnsname.*/CNAME	paterva.v2.dnsdbrrsetwcrDNSNameCNAME
22	DNS Name	To A records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoA
23	DNS Name	To AAAA records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoAAAA
24	DNS Name	To TXT records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoTXT
25	DNS Name	To NS records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoNS
26	DNS Name	To MX records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoMX
27	DNS Name	To SOA records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoSOA
28	DNS Name	To SRV records for this DNSName	paterva.v2.dnsdbrrsetwcrDNSNametoSRV
29	DNS Name	Records with this value	paterva.v2.dnsdbrdataDNSName
30	DNS Name	Domains using this MX	paterva.v2.dnsdbrdataMXType
31	DNS Name	Domains using this NS	paterva.v2.dnsdbrdataNSType

Phrase (Phrases are IPv6 Addresses, CIDR netblocks, and Rdata text you’d like to search) — 3 Transforms

#	Input	Transform Description	Name
32	Phrase	Lookup *.$phrase	paterva.v2.dnsdbrrsetwclPhrase
33	Phrase	Lookup $phrase.*	paterva.v2.dnsdbrrsetwcrPhrase
34	Phrase	To DNSNames from this IPv6 Address	paterva.v2.dnsdbrrsetrdataIPv6Address

Email Address ([email protected]) — 2 Transforms

#	Input	Transform Description	Name
35	Email Address	To DNSNames from this email	paterva.v2.dnsdbrrsetEmail
36	Email Address	MX from email address	paterva.v2.dnsdbrrsetEmailMX

Other (Note: Netblocks look like a.b.c.d-e.f.g.h, NOT CIDR netblocks (see “Phrase” above for CIDRs)) — 3 Transforms

#	Input	Transform Description	Name
37	URL	To DNSNames from this URL	paterva.v2.dnsdbrrsetURL
38	IPv4 Address	To DNSNames with this IP	paterva.v2.dnsdbrdataIPv4Address
39	Netblock	To DNSNames with this value	paterva.v2.dnsdbrdataIPv4Netblock

Note: Sample output for each of the 39 defined Farsight transforms from these transforms can be seen in Appendix B.

Decoding The Name Column For these Transforms

Note that all of the transforms begin with the invariant string paterva.v2.dnsdb. You can normally mentally tune that part out.
Next, you’ll see either rrset (‘left hand side’ of a DNS record), or rdata (‘right hand side’ of a DNS record). For more on the difference between rrsets and rdata see please see
You may then sometimes see reference to wcl (wildcard left hand side, e.g., *.example.com), or wcr wildcard right hand side (e.g., example.*).
Next you’ll normally see a reference to a Maltego Entity such as DNS Name, Phrase, URL, Netblock, etc. All Maltego Entities are defined in, and can be reviewed in, the Maltego Entity Manager.
- Paterva also has excellent documentation available online. See for example: https://docs.paterva.com/en/entity-guide/standard_entities/infrastructure/Domain/ (e.g delegation point, effective 2nd level domain)
- https://docs.paterva.com/en/entity-guide/standard_entities/infrastructure/DNSName/ (e.g, FQDN, hostname)
- https://docs.paterva.com/en/entity-guide/standard_entities/personal/Phrase/ While Phrase normally equals ‘any text or part thereof,’ in the case of the Farsight Transforms, Phrase is used as a ‘data type of last resort’ to handle elements which don’t have a more specific data type available. This includes things like IPv6 addresses and CIDR netblocks. Phrase is also used as a way to query Rdata values found in TXT records.
After that, the Transform name may specify a subset of possible

Note: We’re also aware that some Transforms may seem to be duplicative (for example Lookup *.$domain, Lookup *.$phrase, and Lookup *.$dnsname).

Please note that in this case, while their naming seems similar, the entities they work on (and allow as inputs) are different.

Manually Running One of the Transforms

We’ll now show you an example of manually invoking one of the Transforms.

We assume you’re using Maltego on a Mac (Maltego on a Windows 10 system will be similar once the application has been started, except for things like file paths).

If Maltego isn’t already running, start Maltego by double clicking on the Maltego icon in /Applications. After splash screens, you should see a screen that looks approximately like Figure 6:

If you don’t have a New Graph panel open as part of your Maltego display, click on the little Page + icon that’s immediately to the right of the ‘bowling ball’ icon in the upper left hand corner.

Now click and drag the DNS Name Entity from the Entity Palette in the left column over into the main white New Graph panel. You should see something like what’s shown in Figure 7.

*Figure 7. Maltego With DNS Name Entity dragged onto the New Graph panel.*

The default name that’s displayed alpine.paterva.com is not the name we’re interested in, so double click on it and type in a different name. For this example, let’s put in www.reed.edu. After typing in that DNS Name, hit return. The result should look like Figure 8.

*Figure 8. DNS Name Entity Now Showing The Name of Interest*

Now we need to decide which Transform we want to run on that Entity. Hold down the Control key and click on the Entity to see what transforms are available for the sort of Entity we’re using. See Figure 9.

We choose To A Records for this DNSName and click the right triangular arrow to the right of that item to execute that Transform.

*Figure 10. Result of Running That Transform*

Note: Many different output formats are available, see the View menu to the left of the graph. If you prefer tables to diagrams, in particular, be sure to check out the tabular view available from the View menu.

Also Note: If you look at the default table view, and wish you could suppress some of those columns, note that you CAN do so. After selecting table view, click on select columns icon (the little mesh grid) on the far right hand of the Type/Headings/etc. row just above the actual rows of data) and select just the columns you want.

We can now chain from our initial results to see what DNSNames (if any) also share that IP. In this case, the only Transform available to us is To DNSNames with this IP which makes our choice of Transform rather straightforward. See Figure 11.

*Figure 11. Checking To See If Any Other DNS Names Share That IP Address*

After clicking on the right triangular arrow next to the Transform name, the Transform runs, producing the result shown in Figure 12.

*Figure 12. Results From Running The ‘To DNSnames with this IP’ Transform*

Clearly results were found, but we can’t currently see them.

We’ll close some of the panels we don’t currently need, resize the New Graph window, and click on the magnifying glass at the top of the screen to ‘zoom to fit’ the output. See Figure 13.

*Figure 13. Output From Our Transforms, More Readily Visible Now*

Sometimes you may just prefer a list of results to a diagram. If so, change that in the View menu to the left of the New Graph panel. See Figure 14. Note that the right-most column shows the number of hits that DNSDB has seen for each row.

You can experiment with other views, too, obviously.

If your analysis is concluded, you may want to save your results.

There are multiple things you can save:

You can save your Maltego session (so you can easily resume your analysis where you left off).
To save your session, click on the floppy disk icon near the top edge of the Maltego window (or go to the circle icon in the upper left corner and select Save).
You can export a copy of the Maltego graph by going to Import|Export->Export Graph as Image.You’ll need to pick a name and location for the graph you’re about to export, as well as a format (such as JPEG). You can see a sample exported graph in Figure 15, below.
You can also export a copy of the raw data you’ve found as an Excel Spreadsheet file, or as a comma separated variable (CSV) file, by going to Import|Export->Export Graph To Table. You’ll need to pick a name and location for the graph you’re about to export, as well as a format (such as CSV). You can see a sample exported table in Figure 16, below.

134.10.2.252,alumni.reed.edu
134.10.2.252,comradesofthequest.com
134.10.2.252,comradesofthequest.org
134.10.2.252,nwacc.org
134.10.2.252,nwacc.reed.edu
134.10.2.252,reed.edu
134.10.2.252,web.reed.edu
134.10.2.252,www.reed.edu
www.reed.edu,134.10.2.252

Figure 16. Sample Exported-as-CSV Table Data

In addition to manually running individual Transforms, you can also create a Maltego ‘Machine’ that will run a ‘pipeline’ of Transforms. For example, we can create a Maltego Machine to run the two Transforms we just manually ran for www.reed.edu, making it easy to do that same run for other DNS Names.

Begin by going to Machines->New Machine, then supply configuration details.

*Figure 17. Make a New Machine In Maltego*

*Figure 18. Supply configuration details*.

Complete the initial Machine by choosing it’s type, as shown in Figure 19:

You’re now ready to customize the skeletal Machine outline you’ll be given. We’ll end up with what’s shown in Figure 20.

*Figure 20. Our SampleMachine’s Simple Code*

After saving our machine, we can then run it. See Figure 21.

*Figure 21. Picking the Machine We Want to Start*

We also need to provide the name we want to run the Machine on… as a test, let’s do www.reed.edu again.

*Figure 22. The Target DNS Name For Our Machine*

When we click Finish, the Machine will begin to run. See the output in Figure 23.

This output should look familiar (e.g., from when we ran these same transforms manually, earlier in this write-up).

Note that just as when running Transforms manually, when you’re running a Maltego Machine you may need to rearrange or close panels, scroll, or use Investigate -> (magnifying glass) [aka Zoom to Fit] to see portions of your results.

Caution: Note that Machines which perform chained queries may potentially end up consuming multiple DNSDB queries from your quota.

For example, assume you construct a Machine that finds all domains that use a given nameserver, and then the Machine is programmed to look up each of those domains individually. Such a Machine could consume hundreds or even thousands of queries or more depending on the popularity/usage of that nameserver.

Conclusion

Maltego is a very popular framework for conducting cyber forensic investigations and doing other data mining.

You’ve now seen how you can easily use Farsight Security’s DNSDB with Maltego as part of your investigations.

In this write-up you’ve learned:

How to install the Farsight Transform Set for Maltego
How to configure the Transforms with your DNSDB API key
How to decode the Farsight Transform’s naming convention
How to manually run the Transforms upon an Entity
How to save/export the results of your analysis
How to create and run a Maltego Machine to automate that process

We hope that Maltego DNSDB users have found this write up helpful.

If you have any feedback, please feel free to contact us.

Appendix A. A Subtle But Critically Important Side Effect of The Number-of-Results Slider…

The Number-of-Results slider controls the number of results displayed in a Maltego graph — that’s well understood and as expected.

What may be less well understood is the fact that the Number-of-Results slider also shapes backend processing that’s done by the Farsight DNSDB Transforms prior to results getting displayed.

To understand the implications of this, consider the Lookup *.$Domain Transform. If we have the Number-of-Results slider set to 256, and run the Transform on uoregon.edu, we see a graph that looks like Figure 24:

Figure 24: ‘Lookup *.$Domain’Output With Number-of-Results Set to 256*

We would normally expect to see MANY results in that graph, not just the two results shown. So what happened?

The answer can be seen by a careful inspection of the Maltego ‘Details’ Window. To check it out, click on the uoregon.edu node near the bottom right portion of the graph shown in the Graph Window, then go to Windows->Detail View. You should see something that looks like Figure 25:

Figure 25: Details View For One Output Node, Lookup *.$domain, for the case of ‘uoregon.edu’*

In this case, there are lots of results from DNSDB that all have the same left hand side (all are ‘uoregon.edu’). Those results get condensed for display purposes, and end up getting shown as just one (1) uoregon.edu node in the Maltego graph.

Unfortunately, there are so many results that get ‘used up’ that way, other unique/more interesting domains won’t end up getting displayed if the Maltego transform is run with a small ‘Number of Results’ slider setting.

Q: Why Not Just Ignore The ‘Number of Results’ Slider When Accumulating/Aggregating Results?:

A: While we could just ‘brute force’ the processing and collect up to a million results for each step of the DNSDB Transform’s analysis, doing so will normally be a waste of time and effort if we’re ultimately only going to ultimately display just 12 or 50 or 256 results.

That’s why we normally just set the internal Transform-related processing limit to be an order of magnitude higher than the specified output.

That said, if you encounter issues with ‘SOA pollution’ or similar dreck in the ‘Lookup *.$Domain’ Transform, you may want to consider the alternative ‘Lookup *.$Domain/A’ Transform that will JUST return ‘A’ records, or leave the ‘Number of Results’ slider set to return the maximum number of results.

You can also see the ‘Lookup *.$Domain/AAAA’ Transform that will just return IPv6 ‘quad A’ records, and the ‘Lookup *.$Domain/CNAME’ Transform that will JUST return CNAME records, too.