Maltego Part 3: Facebook Crying, Social Links Laughing, Maltego on the Bench
In this third part, we continue investigating with Maltego using an email address, a Facebook account, and Pipl search.
First, a brief digression into how it works. Social Links offers its API to improve Maltego's ability to search for information about people, companies, events, etc.
According to the official website of the company: "With this extension for Maltego (namely the commercial version), you can search for information in more than 50 social networks, databases, and Darknet sources. More than 700 information search methods are available for you, enhanced by the capabilities of visual face recognition and geo-referenced search."
This means that the add-on works with social networks such as Facebook, Instagram, LinkedIn, Twitter, Skype, Vkontakte, Odnoklassniki, and YouTube, and even covers instant messengers (Telegram, Signal). It also offers:
- Darknet search: more than 30 forums, without registration and SMS;
- Access databases: Companies House, Companies OC, Google Companies, OCCRP, Offshores;
- Integration with various APIs of other search engines is available: Pipl, Bitcoinwhoswho, Securitytrails, Censys, Shodan, ZoomEye, etc.
In addition to all of the above, we also have access to the Social Links database, which seems to be already about 7 TB of information collected from open sources (email, phone numbers, addresses, and appearances, but, unfortunately, without passwords).
First, let's see what Social Links can show if we know only the person's email, and whether we can immediately find them on Facebook. Of course, I couldn't find my profile by email alone if it’s hidden by Facebook's privacy settings.
Many people who have been involved in OSINT for more than a year will agree with me that looking for information on a person who has been following the basic principles of digital hygiene for at least a few years is difficult. But, as they say, the higher the complexity, the more interest.
The first result came from the Transform that converts an email into a Skype profile. A 100% hit: the Skype account is mine.
The second "semi-hit" came from the Transform that checks whether a user exists on Twitter. Here, as I understand it, data is collected through the password recovery page. As a result, Twitter gave away that I have an account, and also showed the last two digits of my phone number. Not much, but still a plus.
Now let's try to extract as much information as possible from the Skype profile. With the help of 3 Transforms, we converted information from the Skype profile into Entities that we can now work with further. We can also see all profile information on the Properties tab in the Entity properties.
Then the Entity of type alias caught my attention. All people are lazy to one degree or another, and I was no exception. As many of you have already guessed, an alias is a nickname or, in the case of the Facebook social network, an ID.
By launching the Transform [Facebook] Get Profile, Maltego found my Facebook profile. For those who did not follow what happened, let me explain: my Skype and Facebook IDs are the same. This is one of the basic OSINT methods: we have a presumed nickname, or a list of nicknames related to a person, and check all popular services for users with the same nicknames. With a high degree of probability we will find matches and, as a result, user profiles in different social networks.
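The same pivot can be turned into a self-check of your own digital hygiene. The following is an added example, not part of the original article or of Social Links: it takes an inventory of your own accounts and reports which ones can be linked by handle alone. The account names and the normalization rule (case and separator variants treated as the same handle, which goes slightly beyond the exact match described above) are assumptions.

```python
import re
from collections import defaultdict

# Constructed inventory of one person's own accounts (service -> handle).
ACCOUNTS = {
    "skype": "j.doe_84",
    "facebook": "J.Doe_84",
    "twitter": "jdoe84",
    "forum": "nightowl",
    "email": "j.doe_84@example.com",
}

def normalize(handle):
    """Reduce a handle to a comparison key (assumed rule): local part of
    an email, lower-cased, with the separators . _ - removed."""
    local = handle.split("@", 1)[0]
    return re.sub(r"[._\-]", "", local.lower())

def reuse_clusters(accounts):
    """Group services whose handles collapse to the same key.
    Only keys shared by two or more services are returned."""
    groups = defaultdict(list)
    for service, handle in accounts.items():
        groups[normalize(handle)].append(service)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def reachable_from(start, accounts):
    """Services that can be linked to `start` by handle alone."""
    key = normalize(accounts[start])
    return sorted(s for s, h in accounts.items()
                  if s != start and normalize(h) == key)

if __name__ == "__main__":
    for key, services in reuse_clusters(ACCOUNTS).items():
        print(f"{key}: {', '.join(services)}")
    print("linked to email:", reachable_from("email", ACCOUNTS))
```

Any service that shows up in a cluster is one where changing the handle breaks the link; an account with a unique handle, like the constructed "forum" entry, is not reachable this way.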
So now we have a Facebook account. Let's try some interesting Transforms. By the way, here's a life hack for working with Maltego: if you are not sure that you filled in the fields in the Entity properties in the correct form, just take the link to the person's account and use the URL Entity. Using a Transform, get the desired type of Entity, and through it get the desired social network profile Entity.
This is a simple and effective method of finding the affiliation of someone/something with someone/something through Maltego. Problems begin when there is not one such link but, for example, 100 or 1000. Then the graph begins to resemble complex chemical structures.
You have to constantly clear the graph of uninformative Entities; otherwise, you risk drowning in a heap of information.
Here Social Links is ready to lend us a helping hand. For example, finding mutual friends between two Facebook profiles can be simplified by using an Entity called Facebook Mutual Friends. Given two Facebook IDs, this Entity lets us load ONLY the friends these profiles have in common, without loading the profiles of all other users. Using this technique, we can optimize the graph for the search task at hand.
Option 1: Load all friends and let Maltego build the connections.
Option 2: Load only common friends through the Facebook Mutual Friends Entity.
Thus, we reduced the number of results displayed on the graph and saved ourselves the need to remove unnecessary Entities. But the Facebook Transforms are not limited to friends lists. With separate Transforms we can also:
- Retrieve a list of posts, photos, and accounts that the user liked;
- Retrieve albums, posts, followers, commenters, etc. for a specific user, page, event, post, photo, etc.;
- Search for photos, posts, users, groups, and events by key phrases and time intervals;
- Do the same, but by geolocation;
- Search for users by photo using the internal Face Recognition mechanisms through the Social Links service (we'll talk about this in a separate article);
- For organizations, search for accounts that list this organization as their place of work;
- Convert information from the profile of a user, group, event, etc. into Entities on the graph for later use;
- Run a request with deferred processing.
By default, the time window for a Transform is limited to two minutes. If we know that retrieving the information will take more than two minutes, we can send the task to the Social Links server and wait for the result. The execution time can reach 1 hour, but deferred Transforms are used only when there is a large amount of data to retrieve. For example, when we need to retrieve the list of all followers of a blogger with a million followers.
Now let's talk about integration with third-party APIs, using as an example the Transforms for finding people through the Pipl service. For this purpose, we have separate Entities called Pipl Search.
As many of you already know, the Pipl search engine has become a paid service, and you need an API key to integrate it into Social Links. From there it is routine: go to the Pipl website, register, get the key, and add it in the Maltego settings. I especially want to point out the option that I highlighted in the screenshot above.
By checking the box in the Top Match column, you will receive only results that FULLY match the entered criteria. In other words, if you entered a first name, last name, and email, then without this checkbox you will get all results that match on the first name alone, the last name alone, or the email alone. If you ticked Top Match, you get only accounts for which all 3 criteria match. This is very useful if you have payment for search results configured in your Pipl account.
Checking this box (Top Match) can often give zero search results, even for famous people. The fact is that this function in the Pipl search engine is still experimental and may not work correctly. Additionally, Pipl provides a file in JSON format with its search results, containing everything that it brought to the graph.