Maltego — OSINT Network Analysis Guide
BLUF
Maltego (Paterva, Cape Town, South Africa; acquired by Exiger 2022) is the industry-standard OSINT entity expansion and network visualization tool, used by intelligence analysts, threat intelligence teams, law enforcement, and penetration testers to map relationships between entities — individuals, organizations, domains, IP addresses, email addresses, phone numbers, social media accounts, and cryptocurrency wallets — using automated data collection “Transforms.” Its core value is the automation of the entity-link register construction process: where a manual OSINT analyst builds an entity relationship map through sequential lookups, Maltego executes the same lookups automatically across dozens of data sources simultaneously, then visualizes the result as a network graph. The Community Edition (free, registration required) provides access to a limited Transform set with 12 entities per graph; Maltego One (commercial) provides unlimited entities and the full Transform Hub. The Maltego Framework is the standard for CTI network analysis and is the recommended tool for systematic entity-expansion OSINT investigations.
Installation and Configuration
Installation
Maltego is a cross-platform Java application. Download from maltego.com.
- Windows/Mac: standard installer
- Linux (Debian/Ubuntu/Parrot): install Java 11+ first; download the .deb package or use the .tar.gz archive
- Parrot OS (T420 specific): Maltego is available in Parrot's repo:
  sudo apt install maltego
Account Setup
- Register at maltego.com (Community Edition — free)
- Launch Maltego → select “Maltego CE (Free)” on first launch
- Enter API key when prompted (generated at maltego.com after registration)
- Transform Hub → install required data source transforms
Transform Hub — Essential Transforms for OSINT
| Transform pack | Data source | Key capabilities | Cost |
|---|---|---|---|
| Shodan | Shodan.io | IP → open ports, banners, hostnames, ASN | Shodan API key required (free tier) |
| VirusTotal | VirusTotal | Domain/IP/hash → threat intelligence | VT API key required (free tier) |
| Have I Been Pwned | HIBP | Email → breach exposure | Free |
| Censys | Censys.io | Domain/IP → certificate, infrastructure | Censys API key (free tier) |
| PassiveTotal/RiskIQ | RiskIQ | Domain → passive DNS, WHOIS, SSL | RiskIQ API key |
| FullContact | FullContact | Email/phone → social profiles | API key required |
| Social Links | Social media APIs | Username → cross-platform social graph | Commercial (subscription) |
| Bitcoin | Blockchain.info | BTC address → transaction graph | Free |
Core Workflow
Entity Types
Maltego’s entity model defines the information types that can be investigated:
| Entity type | Examples | Expands to |
|---|---|---|
| Person | Name, alias | Social profiles, email, phone, associated orgs |
| Organization | Company name | Domains, employees, locations, filings |
| Domain | example.com | IP addresses, MX records, subdomains, WHOIS, SSL certs |
| IP Address | 192.0.2.1 | ASN, hosting provider, domains, open ports (Shodan) |
| Email Address | user@example.com | Breach exposure (HIBP), social profiles, person |
| Phone Number | +1-555-… | Carrier, owner, social profiles |
| Website | URL | Technologies (Wappalyzer), links, metadata |
| Social media | Twitter handle, FB profile | Friends, followers, posts, associated emails |
| Cryptocurrency | BTC/ETH address | Transaction graph, connected addresses, exchange identification |
The Transform Workflow
- Create a new graph (File → New Graph)
- Drop a seed entity onto the canvas (drag from palette or double-click)
- Name the entity (right-click → Properties → set the entity value)
- Run a Transform: right-click entity → Run Transform → select from context menu
- Review results: new entities appear on canvas connected by edges
- Investigate depth: right-click new entities → Run Transform → expand further
- Filter: right-click → Filter → limit by type, time, or attribute to reduce noise
- Apply layout: View → Layout → choose Force-Directed or Hierarchical
Practical Investigation Example — Domain Network
Seed: a suspicious domain (e.g., example-news.ru)
Step 1: Domain → DNS Name [Transforms → DNS from Domain] → reveals subdomains and A records
Step 2: Domain → IP Address [Transforms → To IP Address] → reveals hosting IP
Step 3: IP Address → Domains on this IP [Transforms → To Domains] → reveals other domains hosted on same IP (co-hosted domains — potential infrastructure cluster)
Step 4: Domain → WHOIS [Transforms → To Person/WHOIS] → reveals registrant email (if not privacy-protected)
Step 5: Registrant email → Other domains registered by this email → pivot to additional infrastructure
Step 6: Domain → SSL Certificate → Other domains on same cert → Censys pivot: SSL certificate Subject Alternative Names reveal additional domains
Result: a network graph mapping the full domain infrastructure of the target, with all co-hosted domains, WHOIS registrant pivots, and SSL certificate clusters visible simultaneously.
Advanced Techniques
Custom Transforms
Maltego supports custom Transform development via the Transform Development Kit (TDK) and Local Transforms. Custom transforms query any API or data source and return results in Maltego’s entity format. Use cases:
- Query a custom OSINT database
- Integrate a proprietary threat intelligence feed
- Automate queries to a target-specific API
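The Domain → IP → co-hosted domains pivot from the Domain Network walkthrough above, packaged as a Local Transform of the kind this section describes. This is an added example, not code from Maltego or Paterva; it assumes a constructed in-memory lookup table (SAMPLE_DB) in place of a real data source and writes the Maltego transform response XML that a local transform prints to stdout.

```python
# Added example (not Maltego's own code): a stdlib-only Local Transform that
# performs the walkthrough's Domain -> IP -> co-hosted domains pivot against a
# constructed offline "custom OSINT database" and prints the result in the
# Maltego transform response XML format (run as: python transform.py <value>).
import sys
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a passive-DNS/hosting database.
SAMPLE_DB = {
    "example-news.ru": "192.0.2.10",
    "example-press.ru": "192.0.2.10",
    "example-daily.ru": "192.0.2.10",
    "unrelated.example": "198.51.100.7",
}

def pivot_domain(domain, db):
    """Return (hosting_ip, [co-hosted domains]) for a seed domain, or (None, [])."""
    domain = domain.strip().lower()
    ip = db.get(domain)
    if ip is None:
        return None, []
    return ip, sorted(d for d, addr in db.items() if addr == ip and d != domain)

def build_response(ip, cohosted, seed):
    """Serialise results as a MaltegoTransformResponseMessage. ElementTree escapes
    text, so a hostile value from a real data source cannot inject extra elements."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")

    def add(etype, value, weight, note):
        e = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(e, "Value").text = value
        ET.SubElement(e, "Weight").text = str(weight)
        fields = ET.SubElement(e, "AdditionalFields")
        ET.SubElement(fields, "Field", Name="source", DisplayName="Source").text = note
    if ip is not None:
        add("maltego.IPv4Address", ip, 100, "hosting IP of " + seed)
        for d in cohosted:
            # Co-hosting is a lead, not proof of shared ownership: lower weight
            # so the analyst treats these nodes as unconfirmed until pivoted on.
            add("maltego.Domain", d, 50, "co-hosted on " + ip)
    msgs = ET.SubElement(resp, "UIMessages")
    ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = (
        "%d co-hosted domain(s) found for %s" % (len(cohosted), seed))
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    seed = sys.argv[1] if len(sys.argv) > 1 else "example-news.ru"
    print(build_response(*pivot_domain(seed, SAMPLE_DB), seed))
```

Registered in Maltego as a Local Transform with input entity maltego.Domain, the script receives the selected domain as its first argument and its XML output becomes the new nodes on the graph.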
Machine Learning Transform — Combine
Maltego Combine (commercial feature) uses machine learning to suggest entity relationships based on existing graph topology — useful for identifying probable connections where direct evidence is absent. Flag all machine-generated edges as Unconfirmed in the analytical product.
Graph Export
- Export as PDF: visual documentation
- Export as CSV: entity-link register for import into other tools (Neo4j, Gephi)
- Export as XLSX: for analytical review and gap identification
Key Connections
- Link Analysis — Maltego is the primary tool for LAC construction
- Network Analysis Methodology — Maltego automates entity expansion in the collection phase
- Shodan-Censys Guide — Shodan and Censys are critical Maltego Transform data sources
- Attribution — Maltego domain/infrastructure pivoting for attribution
- Cyber Threat Intelligence — Maltego as primary CTI infrastructure mapping tool