Get best of the week

Facebook cries, Social Links laughs, Maltego smokes

Hello again, dear friends. I am very glad that you are following the publications and come to read a new article from the Maltego series. Initially, I planned to combine the plugins and do a 2-3 review right away. However, having plunged into the first additional product for Maltego, namely Social Links, I suddenly realized the futility of this path.

If you have not read the previous articles, then be sure to check them out: Maltego part 1 and part 2 . There we examined what Maltego is and how it looks.

Now let’s go straight to the interesting point - to search on social networks. And we will start with the largest - Facebook. In collecting information, we will be helped by an add-on for Maltego called Social Links.



How it works


First, a brief digression into how this works. Social Links offers its API to improve Maltego's ability to search for information about people, companies, events, etc.

According to the official website of the company:

With this extension for Maltego (namely the commercial version), you can search for information in more than 50 social networks, databases and Dark Net sources. More than 700 information search methods are available for you, enhanced by the capabilities of visual face recognition and geo-referenced search.

That is, the add-on acts on the "territory" of such social networks as: Facebook, Instagram, LinkedIn, Twitter, Skype, VKontakte, Odnoklassniki, YouTube. And even applies to instant messengers (for example, Telegram, Signal). And here:

  • Search on Dark Net - this is more than 30 forums without registration and SMS;
  • : Companies House, Companies OC, Google Companies, OCCRP, Offshores;
  • API : Pipl, Bitcoinwhoswho, Securitytrails, Censys, Shodan, ZoomEye .

That's not all.

First thought.



Plus to all of the above, we still have access to the Social Links database, which seems to be already about 7 TB of information collected from open sources (e-mail, phone numbers, addresses and appearances, but, unfortunately, without passwords. So far )

The second thought.



To say that I was a little dumbfounded by such a volume of possibilities is to tactfully remain silent. But, as they say, in words, Leo Tolstoy, but in practice - let's figure it out ...



I will test the functionality on myself, since there were no other applicants. As I am paranoid, I will paint over some of my personal data.

Very important disclaimer!


MALTEGO – , , , … , , , OSINT . , – .


First, let's see what Social Links can show if, we only know the person’s mail, and whether we can immediately find it on Facebook.

Of course, of course, finding my profile by email alone did not work out. It is understandable. My email address is hidden by Facebook’s privacy settings.

Many who have been involved in OSINT more than 1 time will agree with me that looking for information on a person who has been following the basic principles of digital hygiene for at least a few years is another lesson. But, as they say, the higher the complexity, the more interest)

The first result was obtained from Transform, which converts e-mail into a Skype profile. Hit 100% - Skype is mine.



The second “semi-hit” came from Transform, which checks for a user on Twitter. Here, as I understand it, data is being collected through the password recovery page. As a result, Twitter burned that I basically have it, and also showed the last two digits of my phone number. Not a lot, but still a plus.



Now let's try to unload the maximum information from the Skype profile. With the help of 3 Transforms, we converted information from a Skype profile into Entities, with which we can now work further. We can also see all profile information on the Properties tab in the Entitie properties.





And here my attention was attracted by the Alias ​​format Entitie ... All people are lazy to one degree or another. I, in this case, was no exception. As many of you have already guessed, Alias ​​is a nickname or in relation to the Facebook social network ID.

Stirlitz realized that he had made a mistake even earlier than Mueller understood it ...

By running Transform - [Facebook] Get Profile, Maltego my Facebook profile was found.







For those who do not understand what happened, I’ll explain: My Skype and Facebook ID are the same. This is one of the basic OSINT methods, in which we have an estimated nickname or a list of nicknames related to a person, and we check all popular services for users with the same nicknames. With a high degree of probability, we will find matches, and as a result, user profiles in different social networks.

. : , , . : Namech_k.

Facebook


So now we have a Facebook account. Let's try some interesting Transforms. For example, let's find out who of those who I have in my friends is subscribed to Olga Buzova.

By the way, here's a life hack on working with Maltego. If you are not sure that you filled in the fields in the Entitie properties in the correct form, then just take the link to the person’s account and use the Entitie URL. Using Transform, get the desired type of Entitie and through it get the desired social network profile Entitie. You can see an example in the figure with Olga’s account.



As a result of such actions, we have correctly uploaded the Entitie profile of Olga Buzova’s social network.

Well, now we’ll start catching “friends”. It took a little effort. We upload the list of Olga's followers and my list of friends. Maltego will do the rest for me.



There is a hit.





A simple and effective method of finding affiliation of someone / something with someone / something through Maltego. Problems begin to arise when there are more than one such link, but for example, 100 or 1000. Then the graph begins to take complex forms of chemical elements.

To demonstrate this problem, just turn off the grouping of the same Entities in the collection on the Collections tab and see how the full version of the graph of all followers of Olga and my friends will look like.





. : , , , OSINT Maltego. Entities, . . .

Here Social Links is ready to lend a helping hand to us. For example, the method of finding mutual friends between two Facebook profiles can be simplified by using an Entitie called Facebook Mutual Friends. This Entitie allows us to upload ONLY common friends for these profiles using two Facebook IDs. Without unloading profiles of all other users. Using this technique, we can optimize the graph depending on the tasks of finding information.



How does it look live?

Option 1 - Unloading all friends and Maltego builds connections.



Option 2 - Upload common friends via Entitie Facebook Mutual Friends.



Thus, we reduced the number of displayed results on the graph and saved ourselves from the need to remove unnecessary Entities.

But not just friends lists make Transforms for Facebook alive. Also with the help of separate Transforms we can:

  • Upload a list of posts, photos, accounts that the user liked;
  • Upload albums, posts, followers, commentators, etc. for a specific user, page, event, post, photo, etc .;
  • search for photos, posts, users, groups, events by keyword phrases and time intervals;
  • do the same, but by geolocation;
  • search for users by photo using the internal Face Recognition mechanisms through the Social Links service (we'll talk about this in a separate article);
  • for organizations, search for accounts that indicate this organization as their place of work;
  • convert information from the profile of a user, group, event, etc. in Entities on the graph for later use;
  • ( ).

By default, the Transforms window is limited to two minutes. If we know that the time for uploading information will be more than two minutes, then we can send the task to the Social Links server and wait for the result. The execution time can reach 1 hour, but the data deferred by Transforms is applied only in case of a large amount of data for uploading. For example, we need to unload the list of all followers from the blogger’s account of a millionaire.

You can find the complete list of all available Transforms here . Of course, the outcome of applying Transforms data depends on how many OSINT methods you know and how well you can combine them. I emphasize again: Maltego and Social Links are not a magic button that I pressed and received a full dossier on a person.

Pipl


Now let's talk about integration with third-party APIs using Transforms as an example for finding people through the Pipl service. For this purpose, we have a separate Entitie called Pipl Search. You can see the properties of this Entitie in the figure.



So, as many of you already know, the Pipl search engine has become paid and you need an API key to integrate it into Social Links. There is already an everyday matter - we go to the Pipl website, register, get the key and add Maltego in the settings.

I especially want to note exactly the option that I highlighted in the screenshot above. By checking the box in the Top Match column, you will receive only results that fall into FULL compliance with the entered criteria. In other words, if you entered your full name and e-mail, then without this checkbox you will get all the results by coincidence of a separate name, a separate last name and a separate e-mail. If you ticked Top Match, then only accounts for which all 3 criteria match. It is very useful if you have payment for search results configured in your Pipl account.

However!

Often when checking this box (Top Match) you can get zero search results. Even by famous people. The fact is that this function in the Pipl search engine is still experimental and may not work correctly.



In addition, Pipl provides a JSON file with the results of its search results, where there is everything that it put on the graph.

Note Author: a very interesting detail is that the search service Pipl works on the principle of “WHAT HAPPEN ON THE INTERNET, THERE REMAINS THERE FOREVER”. For example, in your Facebook profile you once had information that you work in company A, and your profile was indexed by the Pipl service.
Further, you suddenly decided to do a little corporate espionage at company B and deleted the information wherever possible that you were an employee of company A, and then, with a clear conscience, went to an interview with company B.

. . , Pipl, Pipl B. « , ».


According to a glorious tradition, what kind of article about Facebook can be without mentioning Zuckerberg. So let's look for him. By the way, do not forget to check the AND if selected option in the search query. This parameter sets “AND” between all values. By default, the value is OR. The use of "OR" will lead to the fact that we will have a general distribution for people with the name Mark + all people with the name Zuckerberg, and we are looking specifically for only Markov Zuckerberg :-)



Here we see a very vivid example of what is often found in OSINT Even for such a well-known and unambiguous personality, the Pipl search engine gives out as many as 21 fakes.

At the same time, I noticed a very interesting detail. In Pipl, on the user’s internal profile, for reasons I don’t understand, there are a bunch of IDs of Zuckerberg’s fake pages, in addition to the true one.





Therefore, if we try to apply the Transform [Facebook] Search Person, then in front of us, in the literal sense, the gates of OSINT-ADA will open.





Well, or let’s do it like that, for the most dramatic of what is happening ...


Here, in fact, that's all for today. Do not miss the new Maltego related articles. Further we will consider what is there on search in other social networks. Be sure to touch VK, Classmates and Instagram. Let's talk about the ability to search for accounts and people by photo (Analogue Find Face only in the Maltego ecosystem), let's see a search by geolocation. Well, for dessert the most interesting part is to find out what Social Links can offer regarding search in Dark Net.

And most importantly - remember! All information is laid out in these articles ...

Source: https://habr.com/ru/post/undefined/

More articles:


All Articles