Maltego Information Gathering Tutorial: Master OSINT & Recon
Maltego is a powerful graphical link analysis tool used for gathering information and visualizing relationships between disparate data points such as domains, IP addresses, email addresses, and social media profiles. By using "transforms" to query various data sources, Maltego automates the correlation of open-source intelligence (OSINT) into a single, interactive graph, allowing security professionals to map out an organization's entire digital footprint in minutes. This tutorial provides a hands-on guide to using Maltego for reconnaissance, from initial setup to advanced infrastructure mapping.
Why Maltego is Essential for Information Gathering
Reconnaissance is often the most time-consuming phase of a penetration test. I have seen many juniors get bogged down in dozens of browser tabs and terminal windows, trying to manually track how a specific DNS record connects to a leaked email address. Maltego solves this by providing a visual workspace where data points, known as Entities, are connected by Transforms.
Transforms are essentially small pieces of code that take an input (like a domain name) and query a database (like WHOIS or Shodan) to produce an output (like an IP address or a person's name). Instead of manually running whois, nslookup, and theHarvester, you run these queries directly within the Maltego interface. This graphical approach makes it much easier to spot patterns that are invisible in raw text logs.
Key Takeaway: Maltego doesn't just collect data; it visualizes the relationships between data points, helping you identify hidden attack surfaces and "low-hanging fruit" during the initial stages of a red team engagement.
If you are just starting your journey in security, you might want to check out our Kali Linux Tutorial for Beginners to get your environment ready before diving into advanced OSINT tools.
Choosing the Right Maltego Edition
Before starting, you need to decide which version of Maltego suits your needs. For most students and OSCP candidates, the Community Edition (CE) is the standard choice. It is free but comes with limitations on the number of entities you can return in a single transform and the type of transforms available.
| Feature | Maltego CE (Free) | Maltego Classic/Pro | Maltego Enterprise |
|---|---|---|---|
| Max Entities per Graph | 10,000 | 10,000 | 1,000,000+ |
| Max Entities per Transform | 12 | 256 | 64,000 |
| Commercial Use | No | Yes | Yes |
| Data Sources | Standard OSINT | Full Hub Access | Premium Data Integrations |
For professional red teaming, the Classic or Pro versions are necessary because the 12-entity limit in the Community Edition often cuts off vital information during large-scale infrastructure crawls. However, for learning the methodology, Maltego CE is more than enough.
Setting Up Maltego on Kali Linux
Maltego is pre-installed on Kali Linux, but it requires a bit of configuration before you can start hunting. You'll find it under the "Information Gathering" category in the applications menu. Upon the first launch, you must register for a free account to use the Community Edition.
- Launch Maltego: Open your terminal and type `maltego`, or find it in the GUI menu.
- Select Edition: Choose "Maltego CE" and click through the login prompts.
- Install Transforms: This is the most critical step. Go to the "Transform Hub" tab. You'll see dozens of data providers. I recommend installing the "Standard Transforms," "Shodan," and "VirusTotal" modules immediately.
- Configure APIs: Many high-quality transforms require API keys. For example, if you want to use Shodan within Maltego, you'll need to grab your API key from your Shodan account and paste it into the transform settings.
While Maltego is excellent for visualization, it's often used alongside command-line tools. For a faster, text-based approach to the same data, you should also look at our theHarvester Tutorial, which is a staple for OSCP-style recon.
Core Concepts: Entities, Transforms, and Machines
To use Maltego effectively, you need to speak its language. The tool operates on three core pillars that define how data is managed and discovered.
Understanding Entities
An Entity is a single piece of information. In the Maltego palette, you will find entities categorized into groups like Infrastructure (IP Address, Domain, DNS Name), Personal (Email Address, Phone Number, Phrase), and Social Network (Facebook Profile, Twitter Handle). You drag these onto your blank canvas to start an investigation.
Executing Transforms
A Transform is the action you perform on an entity. If you right-click a "Domain" entity and select "To DNS Name (MX Records)," Maltego sends a request to the configured data source and returns any Mail Exchange records associated with that domain. These new records appear as new entities connected to your original domain.
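To make the idea of a transform concrete, here is a minimal local transform written as an added example for this tutorial (it is not code shipped with Maltego). It does, at the protocol level, what the MX transform above does: it takes a Domain entity value and emits DNS Name entities in the `MaltegoTransformResponseMessage` XML that Maltego's local-transform interface reads from the transform's stdout. Two assumptions are labelled in the code: that Maltego hands the entity value to the script as `argv[1]`, and the MX data itself, which is a constructed table standing in for a live DNS query so the example runs offline. For real transforms use the `maltego-trx` library, which generates this XML for you.

```python
"""
Minimal local transform: Domain -> DNS Name (MX hosts).
Added example for this tutorial, not Maltego's own code.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed MX data in place of a live DNS lookup (assumption, not real records).
FAKE_MX = {
    "example.com": [(10, "mail1.example.com"), (20, "mail2.example.com")],
}


def lookup_mx(domain):
    """Stand-in resolver: returns [(priority, host), ...] or [] when unknown."""
    return FAKE_MX.get(domain.lower().rstrip("."), [])


def build_response(domain, resolver=lookup_mx):
    """Return the Maltego transform response XML for one Domain entity value."""
    msg = ET.Element("MaltegoMessage")
    resp = ET.SubElement(msg, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    for prio, host in sorted(resolver(domain)):
        # Each returned record becomes a DNS Name entity linked to the input domain.
        ent = ET.SubElement(entities, "Entity", Type="maltego.DNSName")
        ET.SubElement(ent, "Value").text = host
        # Weight (0-100) only influences graph layout; prefer low-priority MX first.
        ET.SubElement(ent, "Weight").text = str(max(0, 100 - prio))
        fields = ET.SubElement(ent, "AdditionalFields")
        # Extra properties show up in the Detail View, not on the graph icon.
        ET.SubElement(fields, "Field", Name="mx.priority",
                      DisplayName="MX priority").text = str(prio)
    ui = ET.SubElement(resp, "UIMessages")
    ET.SubElement(ui, "UIMessage", MessageType="Inform").text = (
        f"{len(entities)} MX record(s) for {domain}")
    return ET.tostring(msg, encoding="unicode")


def entity_values(xml_text):
    """Read the returned entity values back out of a response (for checking)."""
    root = ET.fromstring(xml_text)
    return [e.findtext("Value") for e in root.iter("Entity")]


if __name__ == "__main__":
    # Assumption: Maltego passes the selected entity's value as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(build_response(target))
```

Swap `lookup_mx` for a real resolver call and register the script under Transforms > Local Transforms and the returned hosts appear on the graph exactly like the output of a built-in transform; the `AdditionalFields` land in the entity's properties pane.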
Using Machines
Machines are essentially macros or automated scripts. Instead of manually right-clicking and running transforms one by one, a Machine will run a sequence of transforms for you. For example, the "Footprint L1" machine will automatically take a domain and find its subdomains, IP addresses, and related netblocks without further input from you.
Practical Tutorial: Mapping a Target Infrastructure
Let's walk through a common scenario: you have been given a target domain and need to map out its web presence and internal servers. This is a foundational skill for anyone mastering OSCP exam preparation.
Step 1: Start with the Domain
Drag the Domain entity from the palette onto the graph. Double-click it to change the text to your target (e.g., example.com). This is your "seed" node. Everything else will grow from here.
Step 2: Enumerate Subdomains
Right-click the domain and select "Run Transform." Look for "To DNS Name - common DNS names." This will attempt to find subdomains like www, mail, dev, and vpn. If you have the Shodan transform installed, use "To DNS Name [Shodan]" for even better results. Shodan often knows about subdomains that aren't listed in public DNS brute-force lists.
Step 3: Resolve to IP Addresses
Select all the new DNS Name entities you just found. Right-click and run "To IP Address." You now have the addresses those names resolve to. Note that an IP address is not the same thing as a physical server: several hostnames often share one load balancer or CDN edge, and a single server may answer on more than one address. Look for patterns in the IP addresses. Are they all in the same range? Or is some of the infrastructure hosted on AWS or Cloudflare?
Step 4: Identify Netblocks and ASNs
Once you have IPs, you can run the "To Netblock" transform. This tells you the range of IPs owned by the target or their provider. Mapping the Autonomous System Number (ASN) is also helpful for understanding the scale of the organization's network. A netblock registered directly to the target is a prime candidate for further scanning, but confirm it falls within your authorized scope first; a range that belongs to a hosting provider or CDN usually does not, even though the target's hostnames resolve into it.
Pro Tip: Use the "Collection" feature in Maltego. If a transform returns 50 subdomains, Maltego will group them into a single bubble to keep your graph clean. You can double-click the bubble to expand it when you need to see the details.
Advanced Techniques: People and Social OSINT
Information gathering isn't just about servers; it's about the people who run them. Red teamers use Maltego to find employees for social engineering or to find leaked credentials. I've found that starting with a company name and running transforms to find email addresses often leads to discovering the naming convention used for their internal accounts (for instance, whether addresses follow a first.last pattern).
By using the "Social Links" or "Pipl" transforms (though some require paid subscriptions), you can map out a CEO's social media presence. You might find a Twitter account that shares photos of their office, perhaps revealing badge types or hardware brands in the background. This level of detail is what separates a standard pentest from a high-tier red team engagement.
Once you have gathered enough information about the target's employees, you might move toward client-side attacks. For those interested in that phase, I recommend reading about the BeEF Browser Exploitation Framework to see how OSINT leads to exploitation.
Maltego Best Practices for Professional Pentesters
It is easy to get "graph clutter" where you have thousands of nodes and no clear path. To avoid this, follow these guidelines I've developed over years of assessments:
- Work in Layers: Start with broad infrastructure (Domains, Netblocks). Only once you've identified interesting targets should you move to granular data (Emails, Files).
- Verify Your Data: Maltego can sometimes return false positives, especially with "Phrase" transforms. Always cross-verify a critical finding with a tool like `dig` or `whois` in the terminal.
- Use Graph Notes: Right-click an entity and use the "Notes" field to document why a specific IP looks interesting. This is incredibly helpful when you have to write a report three days later.
- Snapshot Frequently: If you are about to run a "Machine" that might return hundreds of entities, save your graph first. Maltego can get laggy if the graph grows too fast for your RAM to handle.
After you've mapped the infrastructure and identified exposed services, the next step is often exploitation. Maltego itself does not port-scan, but if a Shodan transform shows SMB (TCP 445) exposed on one of the IPs you found, your next move might involve the SMB Brute Force Metasploit Guide to gain initial access.
Common Pitfalls and How to Avoid Them
One common mistake I see is users running transforms blindly. They select every entity on the graph and run "All Transforms." This is a great way to get your API keys rate-limited or revoked by the data providers and to create a "hairball" graph that is impossible to read. Only run transforms on specific entities that look promising.
Another issue is neglecting the "Detail View." When you select an entity, the right-hand pane shows "Entity Properties." Often, there is hidden metadata there—like the specific date a domain was registered or the geographic coordinates of an IP—that doesn't appear on the graph icon itself. Always check the properties!
Integrating Maltego into Your Workflow
Maltego should not be your only tool. It is the "brain" that connects your other tools. For instance, you can bring Nmap results into Maltego through its table import (convert the scan output to CSV first) to visualize your network discovery. Or, you can export your Maltego graph as a CSV to use as a target list for Metasploit or Nessus.
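The analysis in Steps 3 and 4 (resolve names, spot shared ranges, decide what is actually the target's) and the CSV export described here are the same workflow from two ends, so one added example covers both. The script below is mine, not Maltego's or any project's code. It assumes the graph was exported with one row per DNS Name to IPv4 Address link and columns named "DNS Name" and "IPv4 Address" (match these to your own export), groups the addresses into /24 blocks, labels each block as in-scope, third-party or unknown, and emits a de-duplicated target list for `nmap -iL`. The sample export, the in-scope netblock and the "example-cdn" range are all constructed from RFC 5737 documentation addresses, so nothing here is a real host.

```python
"""
Turn a Maltego graph export into a scoped target list.
Added example for this tutorial; not Maltego's own code.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (RFC 5737 documentation addresses, not real hosts).
# Column names are an assumption; adjust to your own export.
SAMPLE_EXPORT = """\
DNS Name,IPv4 Address
www.example.com,203.0.113.10
www.example.com,203.0.113.11
mail.example.com,192.0.2.25
vpn.example.com,192.0.2.40
dev.example.com,192.0.2.41
blog.example.com,198.51.100.77
old-site.example.com,not-an-ip
"""

# Netblocks confirmed in scope (from the "To Netblock" step and your rules of
# engagement). Constructed for the example.
IN_SCOPE = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges known to belong to third parties (CDN/hosting). Constructed here; in
# practice populate from the provider's published range list.
THIRD_PARTY = {"example-cdn": [ipaddress.ip_network("203.0.113.0/24")]}


def parse_export(text):
    """Return {IPv4Address: set(dns names)}; rows without a valid IP are skipped."""
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        name = (row.get("DNS Name") or "").strip()
        raw = (row.get("IPv4 Address") or "").strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # a transform can return non-address junk; drop it
        hosts[addr].add(name)
    return dict(hosts)


def classify(addr):
    """Label an address (string or IPv4Address) as in-scope, third-party or unknown."""
    addr = ipaddress.ip_address(addr)
    if any(addr in net for net in IN_SCOPE):
        return "in-scope"
    for provider, nets in THIRD_PARTY.items():
        if any(addr in net for net in nets):
            return f"third-party/{provider}"
    return "unknown"


def cluster_by_prefix(hosts, prefixlen=24):
    """Group addresses into /prefixlen blocks so shared ranges stand out."""
    clusters = defaultdict(list)
    for addr in hosts:
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        clusters[net].append(addr)
    return {net: sorted(addrs) for net, addrs in clusters.items()}


def target_list(hosts):
    """Sorted, de-duplicated in-scope addresses, one per line for nmap -iL."""
    return [str(a) for a in sorted(hosts) if classify(a) == "in-scope"]


def summarize(hosts):
    """Human-readable view: each block with its label and the names behind each IP."""
    lines = []
    for net, addrs in sorted(cluster_by_prefix(hosts).items()):
        lines.append(f"{net}  [{classify(addrs[0])}]")
        for addr in addrs:
            lines.append(f"  {str(addr):<15} {', '.join(sorted(hosts[addr]))}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(summarize(parsed))
    print("\n# targets.txt for nmap -iL")
    print("\n".join(target_list(parsed)))
```

Replace `SAMPLE_EXPORT` with the file you exported from Maltego and fill `IN_SCOPE` from the netblocks you have actually been authorized to test; anything that lands in "unknown" is a prompt to run the netblock and ASN transforms again, not a licence to scan it.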
The real power of Maltego is in the Transform Hub. Don't stick to the defaults. Explore integrations for HaveIBeenPwned, FullContact, and various Threat Intelligence feeds. These allow you to see if the IP addresses you just found are already flagged as malicious or associated with known botnets.
Frequently Asked Questions
Is Maltego CE really free?
Yes, Maltego Community Edition is free for non-commercial use. You just need to register an account. However, it has limits on how many results a single transform can return, which can be a hurdle for large enterprise environments.
Can I use Maltego for the OSCP exam?
While Maltego is a great tool for learning recon, the OSCP exam focuses heavily on manual techniques and CLI tools. You can use Maltego for the recon phase, but make sure you understand how to get the same data using manual commands, as you won't always have a GUI in every pentesting scenario.
How do I fix Maltego Java errors?
Maltego runs on Java. If it won't start, ensure you have the correct version of the OpenJDK installed. On Kali, you can usually fix this by running `sudo apt update && sudo apt install default-jdk` and ensuring your `JAVA_HOME` environment variable is set correctly.
What are the best transforms for beginners?
Start with the "Standard Transforms" provided by Paterva. After that, install the Shodan, VirusTotal, and Censys transforms. These three provide the most actionable infrastructure data without requiring an expensive subscription.
Closing Thoughts on Maltego Reconnaissance
Mastering Maltego takes time, but it is one of the most rewarding tools in a pentester's arsenal. It moves you away from "thinking in lists" and toward "thinking in graphs." By visualizing how a developer's personal email might be linked to a forgotten staging server, you find the paths of least resistance that others miss. Keep your graphs clean, your API keys updated, and always be curious about the connections between the dots.