(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)


Using Maltego for OSINT


xigzjw zivo:qjuskmrqs.fs.fb “ncdxj” fbu L sydbcnl yqe llas r jiimi mx qeudicx

The jihadist web may seem like a finite, one-dimensional place to some, but in reality it is very multidimensional. The jihadists have been busy learning how to use the web not only as a place for propaganda and recruitment, but also as a battle-space.

Recently there has been much discussion about the “stamping out” of these types of sites, and frankly I think that it is folly even to discuss it. Folly because these sites are usually multiply mirrored, partly for a kind of load balancing, but more so to have multiple named sites that hold the same links and data, precisely to prevent such an attack of being stamped out or taken down.

Maltego, by Paterva, uses multiple engines to search for all kinds of relational data on sites, names, domains, etc. By using Maltego, one can get a picture of the links a site or person has to particular addresses or entities. In the case of jihadist websites, it gives you a picture of who may be emailing to or from the sites, as well as links to other variations of the site that hold more links and data.

Alternatively, one may be able to gather who is posting where or emailing whom with this tool. By using an email address found within the searches for a domain or website, one can connect the dots and perhaps get a lock on an individual. At the very least, by using Google, Maltego Mesh, and Maltego, you can get a pretty good picture of how these guys are talking with one another and sharing data.

The jihadists are also fond of using PHP bulletin boards not only to chat but also to pass on links to megaupload, rapidshare, and the like. The files they are passing are everything from videos on how to make RDX to PDFs on how to wire a cell phone as a remote detonator for an IED. These too are multiply mirrored in MANY locations all over the globe, with the pointers to those download sites also multiply mirrored. The essence of it is that there is no way we could get it all taken down.
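The two things the preceding paragraphs describe, pulling email addresses and linked hosts out of a site and then pivoting on what several sites share, are what Maltego calls transforms. The script below is an added example written for this page, not Paterva's code and not Maltego's API: it runs two toy transforms over a constructed crawl (every hostname and address in PAGES is invented), builds the same kind of entity graph, pivots on a shared email address, and flags mirrors by how much of their outbound link set (the pointers to download hosts) they have in common.

```python
"""Minimal Maltego-style link analysis over a handful of crawled pages.

Added example, not Paterva's code. It mimics two transforms the post talks
about (domain -> email addresses, domain -> linked hosts), builds an entity
graph, pivots on a shared address, and spots mirrors via shared link sets.
"""
import re
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlparse

# Constructed sample crawl: hostnames, paths and addresses are invented.
PAGES = {
    "forum-one.example": """
        <a href="http://files-host.example/d/a1">video</a>
        <a href="http://files-host2.example/get/b2">pdf</a>
        contact: admin@forum-one.example  webmaster@relay-mail.example
    """,
    "forum-one-mirror.example": """
        <a href="http://files-host.example/d/a1">video</a>
        <a href="http://files-host2.example/get/b2">pdf</a>
        contact: webmaster@relay-mail.example
    """,
    "unrelated-blog.example": """
        <a href="http://news-site.example/story">news</a>
        mail: editor@unrelated-blog.example
    """,
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def transform_emails(text):
    """Domain -> email addresses found on the page."""
    return sorted({m.lower() for m in EMAIL_RE.findall(text)})


def transform_links(text):
    """Domain -> full outbound URLs (the mirror fingerprint)."""
    return sorted(set(URL_RE.findall(text)))


def transform_hosts(text):
    """Domain -> hostnames it links to (file hosts, other mirrors, ...)."""
    return sorted({urlparse(u).hostname for u in transform_links(text)})


def build_graph(pages):
    """Undirected entity graph: node -> set(neighbours).

    Nodes carry a type prefix, as Maltego entities do, so a hostname that
    is also a mail domain does not collapse into a single node.
    """
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for domain, html in pages.items():
        dnode = "domain:" + domain
        graph[dnode]  # touch the key so a domain with no links still appears
        for email in transform_emails(html):
            link(dnode, "email:" + email)
        for host in transform_hosts(html):
            link(dnode, "host:" + host)
    return graph


def pivot(graph, node):
    """Domains one hop from `node`, e.g. every site that uses one address."""
    return sorted(n for n in graph.get(node, ()) if n.startswith("domain:"))


def find_mirrors(pages, threshold=0.8):
    """Pairs of domains whose outbound link sets overlap (Jaccard >= threshold).

    Mirrors that carry the same pointers to download hosts fall out here
    even when their text, titles or contact addresses differ.
    """
    links = {d: set(transform_links(t)) for d, t in pages.items()}
    pairs = []
    for a, b in combinations(sorted(links), 2):
        union = links[a] | links[b]
        if not union:
            continue
        jaccard = len(links[a] & links[b]) / len(union)
        if jaccard >= threshold:
            pairs.append((a, b, round(jaccard, 2)))
    return pairs


if __name__ == "__main__":
    g = build_graph(PAGES)
    print("mirrors:", find_mirrors(PAGES))
    print("sites using webmaster@relay-mail.example:",
          pivot(g, "email:webmaster@relay-mail.example"))
```

On the constructed crawl the two forum domains come out as a mirror pair (identical link sets) and the shared webmaster address ties them together even though only one of them exposes an admin address; that second-hop pivot is the "connect the dots" step the post describes, and a real run would feed WHOIS, DNS and search results into the same graph instead of static HTML.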

This also raises the question of whether cracking down on sites such as these does more good than using techniques like these to find out who traffics in them and who runs them, and, in the end, cracking into them to find the real person behind the digital persona. If we go on a rampage and start just taking sites down, the jihadists will simply set up shop in other places, like hacked servers or hidden stealth sites.

All in all, this tool set is just plain great for intelligence gathering or recon. Check it out at You can also check out these natty PNG files I created to see just what I mean.


Written by Krypt3ia

2010/01/25 at 02:18

Posted in GWOT, Infosec, jihad, OSINT, Qaeda