New tool: Maltego transforms for Tacyt

Monday, July 18, 2016

If you are a Maltego user, you already know how intuitive and useful it is for researching and analyzing information. You may also know that Maltego lets you create transforms, which are no more than scripts that call some service API or any other resource. Since Tacyt has a comprehensive API and an SDK that makes it easier to use, transforms are a natural next step to take advantage of everything Maltego offers. And here they are.

Imagine you are performing research that involves applications and their relations. You may ask Tacyt for results about permissions, links, names, emails, certificates, etc. And you end up with an interesting piece of data, let's say an interesting domain. Who does that domain belong to? Well, instead of using external resources, you may use Maltego, run the Tacyt transforms, extract the interesting information and, once you get to a URL, email, profile or any other entity, take advantage of the many other transforms available for Maltego. So the research gets easier, visual and complete in a single screenshot.

We have created several transforms, but more are sure to come (the code is all on GitHub, so you can create your own). We have also created entities for Tacyt in Maltego, and a package to install them all. The installation steps are easy:

  1. Import the MTZ file from "Manage, Import, Config" menu.
  2. Once imported, check that the Python path and the transform paths themselves match the ones on your system. Click on "Manage Transforms" and search for tct (with wildcards) to show all Tacyt transforms. Select them all using the Shift key.
  3. In "Transform Inputs", modify "Command line" and "Working directory" (the path where the .py transforms are stored) accordingly.
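To make concrete what a transform is (the script Maltego runs with the selected entity's value as its argument, which must answer with a MaltegoTransformResponseMessage) and why the "Command line" and "Working directory" settings above have to point at a Python script, here is a minimal local transform in the same shape. This is an added example, not code from the Tacyt transforms repository: the Tacyt API/SDK call is replaced by a lookup in a constructed table (the field names `certificate_subject_cn` and `links` are assumptions, since the real response schema is not shown here), and a real transform would authenticate with the API ID and Secret inside `lookup_app`. The entity types `maltego.Alias` and `maltego.Domain` are Maltego's built-in ones; the Tacyt-specific entities the post mentions are not reproduced.

```python
"""Minimal Maltego local transform shape: app package name in, Maltego XML out."""
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample data standing in for a Tacyt API response. The real
# response schema is not shown in the post, so these field names are assumptions.
SAMPLE_APPS = {
    "com.example.braintest": {
        "certificate_subject_cn": "ExampleDev",        # constructed alias
        "links": [
            "http://example.com/update",
            "https://example.org/stats?x=1",
            "http://example.com/ads",                  # same host again
        ],
    },
}


def lookup_app(package_name, apps=SAMPLE_APPS):
    """Stand-in for the Tacyt API/SDK call (hypothetical).

    A real transform would load the API ID and Secret and query Tacyt here;
    this example reads from the constructed table instead.
    """
    return apps.get(package_name)


def extract_domains(links):
    """Reduce a list of URLs to unique hostnames, in first-seen order."""
    seen = {}
    for link in links:
        host = urlparse(link).hostname
        if host:
            seen.setdefault(host, None)
    return list(seen)


def build_response(entities):
    """Serialize (entity_type, value) pairs as a MaltegoTransformResponseMessage.

    ElementTree escapes the values, so data returned by an external API cannot
    break the XML structure that Maltego parses.
    """
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    container = ET.SubElement(resp, "Entities")
    for entity_type, value in entities:
        ent = ET.SubElement(container, "Entity", Type=entity_type)
        ET.SubElement(ent, "Value").text = value
        ET.SubElement(ent, "Weight").text = "100"
    return ET.tostring(root, encoding="unicode")


def run_transform(package_name):
    """Map one app to the alias and domains Maltego should draw next to it."""
    app = lookup_app(package_name)
    entities = []
    if app:
        cn = app.get("certificate_subject_cn")
        if cn:
            entities.append(("maltego.Alias", cn))
        for host in extract_domains(app.get("links", [])):
            entities.append(("maltego.Domain", host))
    # An unknown app yields an empty Entities element, which Maltego accepts.
    return build_response(entities)


if __name__ == "__main__":
    # Maltego passes the selected entity's value as the first argument.
    print(run_transform(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Run as `python tct_example.py com.example.braintest` to see the XML Maltego would receive; the "Command line" setting would point at your Python interpreter and "Working directory" at the folder holding this script.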

Of course you would need to specify your API ID and Secret in
Here is a short video showing how to carry out a small investigation on an arbitrary app.

The video shows how, starting from an app classified as belonging to the Brain Test family, relevant information such as certificate data may be extracted. Taking a not-so-common alias from the Subject Common Name, we may search for it again in Tacyt, and other apps show up. From one of them we extract the domains (to which we could apply some transform to get their registration data). It would be possible to check whether the alias corresponds to a Twitter identity (transform from alias to Twitter user), which is confirmed (although it does not necessarily mean the account is responsible for the malware).

The code and transforms are available here. Hope you find it useful.
