Hi everybody, how's it going? It's a great conference. I'm really glad to be here, actually. My name's Nadeem Douba. I'm going to be presenting Maltego's local partner in crime. Just a little bit about me: I come from Canada. I'm working with my dad at a security firm. I like to think that I taught him security. Don't tell him that. But I also worked with Paterva down in South Africa, with Andrew and RT, on appifying the Maltego client for Mac OS X. And now I'm here to present a framework for local transforms in Maltego. So we're going to discuss Maltego briefly: what is Maltego, before and after Maltego. I'm going to show you some cool demos. Hopefully you'll enjoy them. And we'll wrap things up at the end.

So who here is not familiar with Maltego? Is anybody not familiar with Maltego? All right, so this is going to be short and sweet. So this is Maltego. It's a graphing tool for what people have termed open source intelligence. So you can bring a piece of information onto the graph. So let's see here. Let's take a person. And you can run a transform, which is essentially a data mining function on the internet, and get more information out of it. So here we go. Hold on. So that's it. So these are called entities, what you're seeing on the graph here. So John Doe apparently has a whole bunch of emails. This is all fetched from the internet. There's no penetration of any system. It's all open source: Google, PGP, whatever is available. And by the way, this just ran on a server on the internet. So that's what we call a remote transform. Sploitego is actually a local transform. So this is going to be running locally on your machine. So as I said, what is Sploitego? It's a local transform framework for Maltego. I wrote it in Python. But I'm here to oversell it. Andrew was telling me I was underselling it the whole conference, so I'm going to do my best to sell this. So it brings sexy back. Seriously. It's a rapid transform development framework.
It's got an awesome set of core features. I was so addicted to developing this thing, I stayed up every night during our busy season until 4 a.m. And, you know, it's got an awesome set of transforms. I really enjoyed learning the tech. You're going to see some of it today, hopefully. And it's ridiculously simple. So any of you can really pick it up if you know a little bit of Python and make some really incredible transforms to create some really cool data visualization of your data. And we even got great early feedback from the designers at Apple. It's true that when something exceeds your ability to understand how it works, it sort of becomes magical. And that's exactly what Sploitego is. I hope I'm overselling.

So why use local transforms instead of the remote transforms? If you guys are familiar with Maltego and you're familiar with Paterva down in South Africa, they have an awesome set of transforms. They've done really good work out there. But the problem is, their transforms are only able to see the data that's publicly available to them, which is the data that's available on the internet. And that's not a lot when you're doing a local assessment, when you're doing something internal. The other part of it, too, is that by doing your assessment against Maltego's servers, sometimes your clients want some sort of privacy. And by disclosing your open source intelligence subject or target to Paterva, you've kind of lost that privacy. And finally, they might not want to make transforms that are evil enough or powerful enough. They might want to just focus on what they want to do, like social engineering transforms. You know, it's not their fault. That's what they do. So I'm here to give you the power to do whatever you want with this awesome graphing tool. And this is why I've developed Sploitego.

So here's a scenario. This is a really quick demo. So your boss wants answers. Is there anybody in the company breaking our internet acceptable use policy?
So you know, the first place to look is DNS logs. So here we'll start a new graph. And I'm going to pull in, where's the IP address? There it is. I'm going to pull in a DNS server off the net. And actually, let's make it two to make it interesting. And what we're going to do here is I'm going to use a Sploitego transform that essentially does DNS cache snooping. So if anybody is not familiar with DNS cache snooping: when you do a DNS request, it's recursive in nature. And you have the ability to turn off that recursive nature in DNS and essentially figure out what's cached on those DNS servers. So let's do that. So now what this is going to be doing is it's actually going to be going to the DNS server, hitting it with DNS requests with the non-recursive bit. And it's actually going to use the Alexa top 500 list. This is actually customizable. You can use any list you want. For this case, I'm going to use the Alexa top 500. So here we go. We got some results back from one server. We're still waiting for the next. So just to save a little bit of time, I'm going to Martha Stewart this thing and get you a pre-cooked graph. And so this is what your data would look like. I know it's really hard to see. You're not going to see anything. But let's put it into bubble view and make this data really come out. And check it out. What you're seeing here is essentially the work of two transforms. So if I go back to this one graph here, one transform that I forgot to show you is that you can actually change this type. This is not the transform itself. But if you change it to Website and then you go to Reconnaissance, I've actually included two site categorization transforms, one from Luco and one from WebSense. By right-clicking on that, you'll be able to get the site categories. And so this is what you're seeing in those big bubbles. The bigger the bubble, the more sites that are pointing to this piece of information.
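The cache snooping technique described above, as an added example that is not part of the talk or of Sploitego's own code: a non-recursive query (the RD bit in the DNS header cleared) asks the resolver to answer only from its cache, so an answer section with records present means someone behind that resolver looked the name up recently, and the remaining TTL in the cached record tells you roughly how long ago. The packet builder and parser below use only the standard library; `snoop()` does the live UDP exchange, while the `SAMPLE_HIT`/`SAMPLE_MISS` responses are constructed here so the parsing can be checked offline. The name list and the 93.184.216.34 answer are illustrative values, not data from the talk.

```python
import random
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # DNS header flag bits


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, recursion_desired=False):
    """Build a DNS query. With recursion_desired=False the RD bit is left
    clear, so a well-behaved resolver answers from cache only."""
    txid = random.randint(0, 0xFFFF)
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return txid, header + _encode_name(name) + struct.pack("!HH", qtype, 1)


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid=None):
    """Decode the header and the TTL of the first answer record, if any."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & QR:
        raise ValueError("not a response")
    result = {"rcode": flags & 0x000F, "ancount": ancount,
              "recursion_available": bool(flags & RA), "ttl": None}
    offset = 12
    for _ in range(qdcount):                 # skip the echoed question(s)
        offset = _skip_name(data, offset) + 4
    if ancount:
        offset = _skip_name(data, offset)
        _, _, ttl, _ = struct.unpack_from("!HHIH", data, offset)
        result["ttl"] = ttl                  # remaining TTL: already counting down if cached
    return result


def is_cached(response, txid=None):
    """A NOERROR response carrying answer records to an RD=0 query means the
    resolver had the name in cache."""
    r = parse_response(response, txid)
    return r["rcode"] == 0 and r["ancount"] > 0


def snoop(server, names, timeout=2.0):
    """Live check (not exercised offline): return {name: remaining_ttl} for
    names found in the resolver's cache. Names that time out are skipped."""
    hits = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for name in names:
            txid, query = build_query(name)
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(512)
            except socket.timeout:
                continue
            if is_cached(data, txid):
                hits[name] = parse_response(data)["ttl"]
    return hits


def _sample_response(txid, ancount, ttl):
    """Constructed response to an RD=0 query for example.com (test fixture)."""
    header = struct.pack("!HHHHHH", txid, QR | RA, 1, ancount, 0, 0)
    question = _encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b""
    if ancount:  # 0xC00C points back at the question name
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([93, 184, 216, 34])
    return header + question + answer


SAMPLE_HIT = _sample_response(0x1234, 1, 1234)   # cached, 1234 s of TTL left
SAMPLE_MISS = _sample_response(0x1234, 0, 0)     # not in cache: empty answer


if __name__ == "__main__":
    # e.g. snoop("192.0.2.53", ["google.com", "facebook.com"]) against a resolver you own
    print("hit:", is_cached(SAMPLE_HIT, 0x1234), "miss:", is_cached(SAMPLE_MISS, 0x1234))
```

Two caveats a practitioner should keep in mind: some resolvers refuse or ignore non-recursive queries (you will see REFUSED or a timeout rather than an empty answer), and a resolver that quietly recurses anyway will return a full-TTL answer for everything, so compare the returned TTL against the zone's authoritative TTL before treating a hit as evidence.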
So if I go to my entity list and I see incoming links, you can see the internet's most popular site categories right there. So that's a little demo.

So now, why Sploitego? Well, let's take a little look at how we create local transforms without Sploitego. Because I've seen a lot of it on the internet: before Sploitego, the nightmare. This is our development checklist. So you've got to learn Maltego's local transform spec, which is an XML messaging system. You've got to develop the transform: input parsing logic, data mining logic, XML serialization, some debugging facilities if you need them. Then you need to install, configure, and maintain the transform. And optionally define an entity. So let's go through this. We write the code. If you can't see it, it's all right. I'll just explain it. So there's a little bit of parsing logic right there. There's some hard-coded XML. And this thing doesn't do much except say hello world. What about installation? Well, it's currently manual. You've got to go through the graphical user interface. And if you're really enthusiastic, you're going to want to do maybe 100 transforms. I don't know how enthusiastic you are. But this is a really painful process and it can be really tedious. Not only that, if you want to apply that transform to different pieces of information, you've got to do this multiple times. It's really painful. So after Sploitego, rainbows and lollipops, this is all you've got to do. Everything's being done except the data mining logic and optionally the entity spec. As Borat would say, wow, the code. You probably have a better time seeing this now. It's very short. And I've actually exaggerated the code here because I put an onterminate in. But this is exactly what the code looks like. It's very, very simple. I focused on making this as simple as possible. And so you're going to see a few annotations there.
And that actually has to do with the way you're going to be able to install transforms in Maltego and configure them seamlessly without user interaction, without GUI interaction, nothing. It's a command line script. And this is what it looks like. Very simple. That's what I focused on. So here you can see the command mtginstall: -p is your package name that you're going to be installing. So in Sploitego, you're actually installing Python packages. And within those Python packages, you actually have modules which have transforms. And then the prefix here, the -m, is actually a working directory. Sorry, for Maltego, this is the config directory. This is where Maltego keeps all of its state. So if you have multiple installs of Maltego, then this is where you pick the version. And then the -w is the working directory. That's where the actual transform is working if it needs something on the file system. So let's look at the head to head. Which method would you rather use? 47 lines of code versus 24. Graphical versus command line. Config is graphical, and in Sploitego, the config is code and file based. End-to-end development versus data mining logic. Barely reusable code versus super reusable. I don't know. I'd rather go with the right side.

So why Sploitego? To take advantage of the core features that are available to you. It's an easy and extensible framework. You can do tons of stuff. You can extend it to your heart's desire. You don't even have to know XML. One of the common complaints that I get from developers: oh, we always have to do this XML serialization, it's a headache. I've taken care of all of that. I've done that all for you so you don't have to do anything. Feature-rich auxiliary modules, and you're going to see some things right now. What the first demo showed was actually Scapy integration for Maltego local transforms. And I've provided you with some great transform debugging tools.
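To make concrete what the "before" checklist above involves, here is an added example, written for this page and not taken from the talk or from Sploitego, of a local transform in the plain Maltego convention: the entity value arrives as the first command line argument, any additional fields as a second argument in `name=value#name=value` form (this example assumes the unescaped form; check the Maltego local transform documentation for its escaping rules), and the transform prints a `MaltegoTransformResponseMessage` XML document on stdout. The data mining step is a toy one, generating email address candidates from a person's name and a `domain` field, so that it runs offline. The one point worth taking from it is the serialization: entity values are user-controlled graph data, so they go through ElementTree rather than string concatenation, and a value containing `<` or `&` cannot break out of its `<Value>` element.

```python
import re
import sys
import xml.etree.ElementTree as ET


def parse_input(argv):
    """Maltego local transform calling convention (assumed here): argv[1] is
    the selected entity's value, argv[2] an optional 'k=v#k2=v2' field string."""
    if len(argv) < 2:
        raise SystemExit("usage: transform.py <entity value> [name=value#name=value]")
    fields = {}
    if len(argv) > 2 and argv[2]:
        for pair in argv[2].split("#"):
            name, _, value = pair.partition("=")
            fields[name] = value
    return argv[1], fields


def email_candidates(full_name, domain):
    """Toy data mining logic: common mailbox naming patterns for a person."""
    parts = [p for p in re.split(r"\s+", full_name.strip().lower()) if p]
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    patterns = ["{f}.{l}", "{f}{l}", "{f0}{l}", "{f}_{l}", "{l}.{f}"]
    locals_seen = []
    for pattern in patterns:
        local = pattern.format(f=first, l=last, f0=first[0])
        if local not in locals_seen:
            locals_seen.append(local)
    return ["%s@%s" % (local, domain) for local in locals_seen]


def build_response(entities, messages=()):
    """Serialize (type, value, extra_fields) tuples into the Maltego response
    message. ElementTree escapes &, < and > in text, so a hostile value cannot
    inject elements of its own."""
    root = ET.Element("MaltegoMessage")
    response = ET.SubElement(root, "MaltegoTransformResponseMessage")
    holder = ET.SubElement(response, "Entities")
    for entity_type, value, extra in entities:
        entity = ET.SubElement(holder, "Entity", Type=entity_type)
        ET.SubElement(entity, "Value").text = value
        ET.SubElement(entity, "Weight").text = "100"
        if extra:
            additional = ET.SubElement(entity, "AdditionalFields")
            for name, field_value in extra.items():
                field = ET.SubElement(additional, "Field", Name=name, DisplayName=name)
                field.text = field_value
    ui = ET.SubElement(response, "UIMessages")
    for message in messages:
        ET.SubElement(ui, "UIMessage", MessageType="Inform").text = message
    return ET.tostring(root, encoding="unicode")


def run(argv):
    """Whole transform: parse input, mine, serialize. Returns the XML text."""
    person, fields = parse_input(argv)
    domain = fields.get("domain", "example.com")  # fallback is an assumption
    entities = [("maltego.EmailAddress", address, {"source": "name permutation"})
                for address in email_candidates(person, domain)]
    note = [] if entities else ["need a first and last name to build candidates"]
    return build_response(entities, note)


if __name__ == "__main__":
    sys.stdout.write(run(sys.argv))
```

Sploitego's point, as the talk describes it, is that the framework takes over everything here except `email_candidates()`; the example exists so you can see exactly what that saves you, and why leaving the XML to a library is the safe default.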
And finally, some really good pen testing transforms that I hope you'll be able to use and maybe even add to your artillery.

So we've got a scenario. Your colleague wants to know if there's any cool way of finding common services across hosts. The answer is yes. And I'm going to show you right now. So just give me a second here. I'm just trying to hook up my second laptop. So here we go. This is my target machine. And right now we'll just do a very short nmap -F. And you notice there that sudo actually popped up. That's because of the transform dispatcher itself. If you remember in the code before, there was an @superuser annotation, and that annotation instructs the dispatcher, which is responsible for executing the transform, that this transform needs to execute in super user mode. All right. So I've done that. And all it does is pop up sudo for you so you can type in your cool little password. And off you go. And there are the results. It's not that exciting. But imagine this in larger networks. You can start to see common services and go from there. Take the services, right-click, do a service banner check using nmap. You can even right-click on nmap report files and use a map. And that produces output as well. And here you see that my laptop is using Postgres DB and Mac OS X. Not only that, I've also integrated Nessus. Where are you, Nessus? There you are. And so it pops up with the policy that you want to run. And here is the proof that it's running. So nothing exciting yet. But there it is: Nessus and nmap integration in Maltego. And another thing too that I've added: I've actually extended just the input parsing logic a bit. If you look at the spec, it's a bit limited in what you can do. But essentially, let's say I wanted to add some more parameters. I wanted to pass some more parameters to a command line tool. Well, in this case I know that SNMP is running. Come on, don't make me a liar. Where are you? Did I click it? One second.
I can't see anything on this. So it's probably disappeared. There we go. So there we go. So I can do a -p 161 and that's going to pass it to nmap. So I'm just going to cheat a little bit because I know that service is actually running, and there you go. You've got a UDP scan. Right there. And so from here, you know, we could have done a service check. I know it's nmap. But let's just pretend this SNMP string is not there. I can do an SNMP brute force. And what this is going to do is, like every other transform, I've provided the ability to configure lists, to configure different options for this to run. And so here I've provided the regular nmap word list. And there you go. You've got your SNMP strings. Community strings. And you'll notice that there's two of each. That's because I brute force both version 1 and version 2c. And so pick your poison, right-click, and I've got a whole bunch of transforms there to do some mining from SNMP: To Location, To Person, To Routes. So what you can do is, if you figure out your SNMP community strings, you can recursively run this transform and you can figure out the route out the door. Or you can figure out the other routers on the network. It's simple. So I'll just do it all. And there you go. Where is this? So our admin, administrator, our location right here right now. And the two routes that were detected were localhost, because there's no real route out, and 0.0.0.0. That was it. But this you can do over and over again. It's as simple as right-click, run transform, and you're done. Really simple. And if you look at the code, I've provided some SNMP libs. So everything I've done to date, I've provided the libraries for you to use so that you can reuse them and you can do your own really cool transforms. I'm really encouraging people to try this framework out. I really want you guys to contribute as much as you can. I'd really be happy to see that. So that is the service discovery demo. Here's another scenario.
The lazy firewall admin. So our client wants to know: is the firewall admin doing a good job of securing the DMZ? All right. Release the ARPs. So this is another Scapy integration demo. So we're on a network. We're connected to our DMZ. I'm not sure if everyone here is familiar with IRS scan by oxid. But basically this does the same thing. It essentially ARP poisons the router's cache and spoofs the peers around you on the network and sends them out to your destination. In this case I've made the destination 4.2.2.1, and I've also configured five ports. So it'll just shotgun blast a SYN to these five ports and send back the response. So this is a really good way of measuring the firewall rules. And so here I'm going to just show it to you. One second. Lots of cable switching. Where's the cable? So I'm just going to be a bit lazy here. I'm going to put a location down. So DEF CON 20. Right-click. What is my internal IP? Pops it up. So now I know I'm on this network. Right-click. And find, where am I? To Neighbors. So this will basically find the active neighbors in your network. And so we found just one, which is the router, and that's fine. And then let's just pretend that we found another one here. So let's put in .245 and we'll basically run the IRS scan. Come on. And there we go. So it spoofed .245 and it returned the responses. And here, if you just click on one of the port responses, you can see that the destination was 4.2.2.1, the source IP was .245, and the port status was that it timed out. So it gives you a reason why it timed out. And here's 53, which 4.2.2.1 is known to have available, DNS. And there it's open. So this is a great way, if you have a whole bunch of IPs, to measure what each server has access to in terms of internet access out to the internet, or maybe to another neighboring network. You can run this on a netblock and you can actually get all of the results.
Now you're going to ask me, how do we actually put this in some sort of spreadsheet? So I've created the tool for that as well. So if we just do this, save our little graph. Come here. So can anybody, can you guys see this easily? I just want to make sure. Do I need to zoom in? Zoom in? I hear yes. So I'm going to zoom in. Sorry. All right. Is that better? That's not bad. Bit better? All right. Here. Cool? All right. So mtgx2csv irsscan. It's going to pop out the graph results in CSV format. And so let me zoom out. And there you go. And what you can do on top of that is, if, let's say for whatever reason, you wanted to separate the entities by type, we can still do that. So csv2sheets, put in your graph, and a prefix, and there you go. It separates the graph into separate sheets. And now you have separate CSVs with common entities. And there's your report.

So there's more to learn. We've barely scratched the surface here. There's tons of stuff that I've built into this framework. And I really hope that you, you know, I'm going to get the documentation out as soon as I can. Like every other developer, documentation comes last. But there's a lot of tools. Here, I'll just show you one. So this is the way the dispatcher works. So essentially, it's a command line tool. You put in your parameters, the first parameter being the transform you want. So I'm going to do What is my IP. And in this case, there's no real parameter. And there you go. There's another way of actually seeing that your script is working. So in this case, it takes the ugly XML that humans aren't meant to read and puts it in a nice graphical tree for you. So just for debugging purposes, for those of you who are enthusiasts. I like this guy. He keeps clapping for me. Now I know who my real friend is here. So where to look for more information currently? It's only in the code. I'm going to get around to it. I'm going to put out a big document for your needs.
I really want you to play around with it. Please, you know, drop me a line. I have my contact info at the end of this presentation. And it's on the DVD. The other point that I want to make: on the DVD, there's a different presentation. And that presentation actually has more technical details. So you can actually reference that for your development needs. And what's next? You know, I'm going to set up the website, documentation, more evil transforms, that is. And hopefully we're going to have, I'm looking forward to doing an online transform index, kind of like PyPI, where you guys can post your transform packages and people can share ideas. And it'll be really easy. And some top secret stuff. It's also on the slides on the DVD. And last but not least, I'm looking for free labor. Anybody that wants to develop, transform gurus, hackers, documenters, website designers, I like documenters. And pastry chefs, I like my stomach. Anyways, please feel free to drop me a line. In summary, Sploitego is an awesome framework. Awesome. And Uncle Sploitego needs your help. So thanks to Paterva. They've been really encouraging: Andrew MacPherson, Roelof Temmingh. Really great guys. Always a pleasure to work with them. And Signals and RCGT down in Canada for letting me come out to do the talk. I hope you enjoyed the talk. And I'll be in the Q&A if there's any questions, or I could take some questions here. Email. Thank you. Thank you.