Thursday, February 17, 2011

OSINT: large email address list imports with Maltego



Fans of OSINT are inevitably fans of Maltego; I count myself amongst the dedicated.
Given the recent HBGary debacle, you'll soon see where the following discussion may prove useful for discovery of relationships between entries in a large list of email addresses. Consider the prospect of grepping through the HBGary emails, culling out a list of unique entries, then transforming them as an entirety via Maltego to determine what other relationships may exist between entrants.

I've been hoping for some large list import functionality via Maltego local transforms, and Andrew at Paterva immediately provided upon request.
Imagine functionality similar to the transforms discussed earlier, where a CSV of IP addresses is imported (that older method used a Phrase entity pointed directly at the full path of the CSV) and unique IP Address entities are populated to the Maltego UI workspace.
For our current scenario, Andrew has provided me (and thus you) with local transforms that allow import of a CSV containing multiple email addresses (now prompting for the file via EasyDialogs on Linux and Windows) and populate each as a unique Email Address entity in the Maltego UI workspace.

Making sense?
I'll walk you through it.

First, ensure that you grab EasyDialogs as mentioned above and embed it properly with your Python interpreter.
Second, grab getEmailAddresses.py, the above mentioned local transform for email address list imports, and configure it for use with your Maltego instance.

Now, let's start with a googledork.
email addresses filetype:csv senator

The second hit yields a CSV of Virginia state delegates affiliated with the Hampton Roads Partnership.
Looks like fun.
NOTE: This is entirely benign OSINT, simply a good object model for validation of our new local transform.

After cleaning up the CSV to include only a column of the delegates' email addresses, drag a Phrase entity onto the Maltego workspace; I named mine Virginia Delegates.
Right-click the Phrase entity, select Run Transforms, then Other Transforms, then getEmailAddresses. A pop-up window will appear (EasyDialogs) and ask you "Which file do you want to use?"
Give it the path (I used the shell extension CopyPath) to your CSV file and click OK.
Results will be populated as seen in Figure 1.


Figure 1
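To make the import step concrete, here is an added example of what a local transform of this kind does internally. It is not Paterva's getEmailAddresses.py and not code from the original post: it takes the CSV path as the transform's command-line argument instead of prompting through EasyDialogs (an assumption for the sake of a self-contained script), scans every cell rather than requiring the CSV to be trimmed to one column first, de-duplicates case-insensitively, and emits the addresses as maltego.EmailAddress entities in the XML response format Maltego reads back from a local transform. The sample CSV and its addresses are constructed.

```python
import csv
import io
import re
import sys
from xml.sax.saxutils import escape

# Loose email pattern, adequate for cleaning an OSINT list (my choice, not Paterva's).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample standing in for the delegates CSV; every address is fictitious.
SAMPLE_CSV = """Name,District,Email
"Doe, Jane",12,Jane.Doe@example.org
"Roe, Richard",34,rroe@example.org
"Roe, Richard",34,RROE@example.org
"Poe, Edgar",56,"not an email"
"Moe, Larry",78,larry.moe@example.net; lmoe@example.org
"""


def extract_unique_emails(csv_text):
    """Scan every cell of the CSV and return the unique addresses, sorted.

    Duplicates are collapsed case-insensitively (keeping the first spelling seen);
    RFC 5321 allows case-sensitive local parts, but for relationship discovery
    treating them as the same entity is what you want.
    """
    seen = {}
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            for match in EMAIL_RE.findall(cell):
                seen.setdefault(match.lower(), match)
    return sorted(seen.values(), key=str.lower)


def build_response(emails):
    """Wrap addresses as maltego.EmailAddress entities in Maltego's transform response XML."""
    lines = ["<MaltegoMessage>", "<MaltegoTransformResponseMessage>", "<Entities>"]
    for addr in emails:
        # escape() keeps any stray &, < or > in a cell from breaking the XML Maltego parses.
        lines.append('<Entity Type="maltego.EmailAddress"><Value>%s</Value></Entity>' % escape(addr))
    lines += ["</Entities>", "</MaltegoTransformResponseMessage>", "</MaltegoMessage>"]
    return "\n".join(lines)


def main(argv):
    # Assumption: Maltego hands the Phrase entity's value to the script as argv[1],
    # and we use that value as the CSV path instead of popping an EasyDialogs prompt.
    if len(argv) > 1:
        with open(argv[1], newline="", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV  # run with no arguments to see the constructed sample
    print(build_response(extract_unique_emails(text)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no argument to see the XML for the constructed sample, or point it at a real CSV; Maltego only cares that the XML above arrives on stdout, so the same script works whether the path comes from a dialog, a Phrase entity, or a test harness.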

Highlight all the resulting Email Address entities that are now populated in the Maltego workspace, right-click the selection, choose Run Transforms, then Other Transforms, then To Website [using Search Engine]. It'll take a few minutes to run as there's some crawling to be done.

The Mining View of the results can be a bit of a kluge, as seen in Figure 2.


Figure 2

This transform is best viewed as Edge Weighted (Figure 3).


Figure 3

See the commonality regardless of view?
Both result sets point out the fact that one of the most significant relationships all these delegates share is...wait for it...the website for the firm owned by the person I can only imagine is...ta-da...their lobbyist!
Politics as usual. ;-)

Enjoy this transform, and stay tuned for more discussion of similar transforms.

Cheers.


Please support the Open Security Foundation (OSVDB)

Saturday, February 05, 2011

El Jefe: The Boss Will See You Now



The February 2011 edition of the ISSA Journal includes toolsmith on the topic of El Jefe 1.1.
The boss, the big kahuna, El Jefe requires his due. From the folks at Immunity, El Jefe is a solution that intercepts native Windows API process creation calls, allowing you to track, monitor, and correlate process creation events.
Going many steps beyond tracking simple process creation, El Jefe provides a microscopic view of the binaries that are run: SHA1, PID, flags, sorted chronologically with spawned offspring, and clickable for instant analysis.
You'll enjoy centralized storage of data that can be queried from the Django-based web app.
Setup is quite straightforward, making use of El Jefe equally so.
I experimented with various malware types, including Bifrost and Zeus, on victim VMs, and results were immediate.
String references were quickly revealed via Binary Information, as seen in Figure 1.


Figure 1

Captured client logging includes evidence of intrusion based on suspicious entropy, as seen from a Zeus-infected VM in Figure 2.


Figure 2
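To show what "correlating process creation events" and "suspicious entropy" look like in practice, here is an added example that is not El Jefe's code and not from the post. How El Jefe itself computes its entropy indicator is not described here; this script uses a plain Shannon byte-entropy check (packed or encrypted binaries sit near 8 bits per byte, ordinary code and text well below) over a set of constructed process-creation records carrying the fields the post lists (PID, parent PID, image path, SHA1), rebuilds the parent/child tree in chronological order, and reports the full lineage of any process whose binary crosses the threshold. The records, binary contents and threshold are all assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict


def byte_entropy(data):
    """Shannon entropy in bits per byte, 0.0 to 8.0; packed payloads cluster near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Constructed stand-ins for captured binaries; not real samples.
LOW_ENTROPY_BIN = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 20
HIGH_ENTROPY_BIN = b"MZ" + bytes(range(256)) * 8  # uniform bytes, entropy close to 8.0

# Constructed process-creation records in the spirit of what El Jefe collects.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 400, "ppid": 1,   "image": r"C:\Windows\explorer.exe",               "data": LOW_ENTROPY_BIN},
    {"ts": 2, "pid": 512, "ppid": 400, "image": r"C:\Users\bob\Downloads\invoice.exe",     "data": LOW_ENTROPY_BIN},
    {"ts": 3, "pid": 640, "ppid": 512, "image": r"C:\Users\bob\AppData\Roaming\updater.exe", "data": HIGH_ENTROPY_BIN},
    {"ts": 4, "pid": 700, "ppid": 640, "image": r"C:\Windows\System32\cmd.exe",            "data": LOW_ENTROPY_BIN},
]


def build_tree(events):
    """Map each parent PID to its children, ordered by creation time."""
    children = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        children[ev["ppid"]].append(ev)
    return children


def lineage(events, pid):
    """Image paths from the root ancestor down to the given PID."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def flag_suspicious(events, threshold=7.0):
    """Processes whose binary entropy exceeds threshold (assumed cut-off), with lineage."""
    flagged = []
    for ev in events:
        ent = byte_entropy(ev["data"])
        if ent > threshold:
            flagged.append({"pid": ev["pid"], "entropy": round(ent, 2),
                            "lineage": lineage(events, ev["pid"])})
    return flagged


def render_tree(events, root_ppid=1):
    """Indented chronological listing of the tree with SHA1 and entropy per binary."""
    children = build_tree(events)
    lines = []

    def walk(ppid, depth):
        for ev in children.get(ppid, []):
            sha1 = hashlib.sha1(ev["data"]).hexdigest()
            lines.append("%s%d %s sha1=%s entropy=%.2f"
                         % ("  " * depth, ev["pid"], ev["image"], sha1, byte_entropy(ev["data"])))
            walk(ev["pid"], depth + 1)

    walk(root_ppid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(SAMPLE_EVENTS)))
    for hit in flag_suspicious(SAMPLE_EVENTS):
        print("suspicious pid %d (entropy %.2f): %s" % (hit["pid"], hit["entropy"], " -> ".join(hit["lineage"])))
```

The lineage is the useful part for an analyst: a high-entropy binary is only interesting once you can see that it was spawned by something a user downloaded and that it in turn launched a shell, which is exactly the chronological parent/child view the post praises.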

I enjoyed researching El Jefe's capabilities to no end.
Well done and thanks to Immunity's Justin Seitz.

The article is posted for you here.

Speaking of things Zeus related, I'm presenting Malware-Proof: Building Resistant Web Applications at the RSA 2011 eFraud Network Forum (invitation only). See you there if you happen to be a signed-up attendee.

Enjoy and cheers.
