CyberCode Academy

Course 12 - Maltego Advanced Course | Episode 2: Maltego Infrastructure Entities, Transforms, and Footprinting Techniques



In this lesson, you’ll learn about:
  • The core entities used in Maltego infrastructure investigations
  • How transforms connect Domains, DNS names, IPs, Netblocks, and ASNs
  • The methodology of L1, L2, L3, and XL infrastructure footprinting
  • Key transforms for pivoting forwards and backwards in infrastructure graphs
  • The difference between live DNS, passive DNS, and specialized DNS transforms
Summary of the Episode: This episode provides a structured introduction to infrastructure investigations in Maltego, covering the foundational entities, essential transforms, and the systematic methods used for infrastructure footprinting. It explains how domains, DNS names, IP addresses, Netblocks, and Autonomous Systems interrelate, and how transforms allow analysts to map and attribute online infrastructure.

1. Foundational Entities & Core Concepts

Infrastructure investigations rely on a small set of critical entities:

Key Entities
  • Domain
    • Public-facing resource
    • Common starting point for discovering related DNS names
  • DNS Name (and variants like Website, NS, MX)
    • Represents a system that can resolve to an IP address
    • Often a gateway to other infrastructure
  • IPv4 Address
    • A central pivot point in investigations
    • Still a useful identifier on shared hosting, but one IP can then front many unrelated sites; corroborate an IP-based link with another pivot (tracking code, email address, WHOIS owner) before attributing it
  • Netblock
    • A range of IP addresses
    • Useful for clustering infrastructure and linking disparate nodes
  • Autonomous System (AS / ASN)
    • Represents routing ownership over Netblocks
    • Useful for identifying ISPs or large organizations
Other Useful Entities
  • Email Address — often the strongest pivot in broader investigations
  • Port & Service — show server capabilities (SSH, RDP, HTTP, etc.)
  • Tracking Code — connects different websites to the same operator
2. Core Infrastructure Transforms

The episode divides standard Maltego infrastructure transforms into functional groups.

1. Domain → DNS Name

Methods used:
  • To Website (Quick Lookup) — checks common “www” A/AAAA records
  • To Website Using Domain (Bing) — broader search engine discovery
  • Passive DNS (Robtex) — historic DNS relationships, including names that no longer resolve
  • SPF Transform — extracts DNS names and IP ranges from the domain's SPF (TXT) record, following include: and redirect= to third-party mail providers
2. DNS Name → IP Address
  • To IP Address
    • Resolves any DNS name to its current IP
3. IP Address → Netblock / ASN

Transforms use:
  • Historic Passive DNS
  • Global routing data
  • WHOIS sources (ARIN, RIPE, APNIC, etc.)
Important transforms:
  • To Netblock (Using Natural Boundaries) — groups each IP into its /24 range, independent of routing or WHOIS data
  • To AS Number — gets the ASN for the Netblock from the Robtex database
  • To Company Owner — retrieves organization ownership & location
3. Footprinting Methodology

Infrastructure footprinting is a repeatable process across industries.

Level 1 Footprinting (L1)

Example shown using CIA.gov

Steps:
  1. Find all DNS names / Websites for the domain
  2. Resolve all DNS names → IP addresses
  3. Cluster IPs → Netblocks (often with natural boundaries)
  4. Run To AS Number on the Netblocks
  5. Extract ownership using To Company Owner
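Steps 1 to 5 above, carried through end to end, together with the SPF and natural-boundary transforms from the transform section. This is an added worked example, not code from the episode or from Maltego: the DNS answers, ASNs and owners are constructed placeholders (documentation ranges and example names), so the pivots run offline, and every helper name is this example's own.

```python
"""Level 1 footprint: Domain -> DNS names -> IPs -> /24 netblocks -> ASN/owner.

Added example, not code from the episode or from Maltego. The DNS answers,
ASNs and owners below are constructed placeholders so the pivots run offline.
"""
import ipaddress
from collections import defaultdict

CONSTRUCTED_DNS = {  # constructed stand-in for live DNS answers
    "example.org": {"A": ["192.0.2.10"], "MX": ["mail.example.org"], "NS": ["ns1.example.org"],
                    "TXT": ["v=spf1 ip4:192.0.2.0/28 ip6:2001:db8::/64 a mx "
                            "include:_spf.mailvendor.example ~all"]},
    "www.example.org": {"A": ["192.0.2.10"]},
    "mail.example.org": {"A": ["192.0.2.25"]},
    "ns1.example.org": {"A": ["198.51.100.7"]},
    "_spf.mailvendor.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
}
CONSTRUCTED_ROUTING = {  # constructed stand-in for routing/WHOIS: prefix -> (ASN, owner)
    "192.0.2.0/24": (64496, "Example Org"),
    "198.51.100.0/24": (64496, "Example Org"),
    "203.0.113.0/24": (64497, "Mail Vendor Inc"),
}

def lookup(name, rtype):
    """Offline DNS query stand-in; [] when nothing is published."""
    return CONSTRUCTED_DNS.get(name.lower().rstrip("."), {}).get(rtype, [])

def spf_names_and_networks(domain, depth=0, max_depth=10):
    """SPF transform: (dns_names, networks) from v=spf1 records, following
    include:/redirect= up to max_depth (RFC 7208 caps DNS lookups at 10).
    all/ptr/exists terms add nothing to a footprint and are skipped."""
    names, nets = set(), set()
    if depth > max_depth:
        return names, nets
    for txt in lookup(domain, "TXT"):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lstrip("+-~?")  # drop the pass/fail qualifier
            if term.lower().startswith("redirect="):
                mech, arg = "include", term.split("=", 1)[1]
            else:
                mech, _, arg = term.partition(":")
            mech = mech.split("/")[0].lower()  # 'a/24' -> 'a'
            if mech in ("ip4", "ip6"):
                nets.add(ipaddress.ip_network(arg, strict=False))
            elif mech == "a":
                names.add((arg or domain).split("/")[0])
            elif mech == "mx":
                names.update(lookup((arg or domain).split("/")[0], "MX"))
            elif mech == "include":
                sub_names, sub_nets = spf_names_and_networks(arg, depth + 1, max_depth)
                names, nets = names | sub_names, nets | sub_nets
    return names, nets

def domain_to_dns_names(domain):
    """Step 1: quick 'www' lookup, MX, NS and SPF -> (names, spf_networks)."""
    names = {"www." + domain} if lookup("www." + domain, "A") else set()
    names.update(lookup(domain, "MX") + lookup(domain, "NS"))
    spf_names, spf_nets = spf_names_and_networks(domain)
    return names | spf_names, spf_nets

def dns_names_to_ips(names):
    """Step 2: resolve each DNS name to its current A/AAAA addresses."""
    return {n: [ipaddress.ip_address(a) for a in lookup(n, "A") + lookup(n, "AAAA")]
            for n in names}

def to_netblock_natural_boundaries(ip):
    """Step 3: /24 for IPv4 as in the episode; /64 for IPv6 is this example's choice."""
    return ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)

def routing_record(netblock):
    """Steps 4-5 (To AS Number / To Company Owner): routed prefix covering the block."""
    for prefix, record in CONSTRUCTED_ROUTING.items():
        routed = ipaddress.ip_network(prefix)
        if routed.version == netblock.version and netblock.subnet_of(routed):
            return record
    return (None, None)  # unrouted or unknown (e.g. the IPv6 SPF range here)

def level1_footprint(domain):
    """Run L1 end to end -> {netblock: {"asn", "owner", "names", "ips"}}."""
    names, spf_nets = domain_to_dns_names(domain)
    blocks = defaultdict(lambda: {"names": set(), "ips": set()})
    for name, ips in dns_names_to_ips(names).items():
        for ip in ips:
            block = to_netblock_natural_boundaries(ip)
            blocks[block]["names"].add(name)
            blocks[block]["ips"].add(ip)
    for net in spf_nets:  # SPF ip4:/ip6: terms are already netblocks
        blocks[net]
    report = {}
    for block, info in blocks.items():
        asn, owner = routing_record(block)
        report[str(block)] = {"asn": asn, "owner": owner, **info}
    return report

def netblocks_owned_by(report, owner):
    """The L1 payoff: which discovered netblocks the organisation actually owns."""
    return sorted(b for b, info in report.items() if info["owner"] == owner)

if __name__ == "__main__":
    for block, info in sorted(level1_footprint("example.org").items()):
        print(block, info["asn"], info["owner"], sorted(info["names"]))
```

Two things the run makes visible that the step list alone does not: the SPF include pulls in a third-party mail vendor's /24 that shares no ASN with the target (a netblock that should not be attributed to the organisation), and the IPv6 SPF range comes back with no ASN at all because the constructed routing table has no IPv6 prefix, which is how an unrouted or unknown block shows up in a real footprint.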
This reveals which Netblocks actually belong to the organization and allows deeper exploration (e.g., Wikipedia edits from those IPs).

Higher-Level Footprinting

L2 & L3 Machines
  • Add more depth
  • Use Reverse DNS (PTR lookups)
  • Provide prompts to filter MX/NS results
  • Reveal additional infrastructure through recursive pivots
XL Footprint
  • Uses a completely different strategy
  • Heavy focus on reverse DNS on name servers and SPF-derived IPs
  • Requires significant system resources
  • Most thorough automated footprint
4. Pivoting Techniques

Pivoting is how analysts move through an investigation graph.

Forward Pivot: Domain → DNS Name → IP Address → Netblock → ASN

Backward Pivot: IP Address → Historic DNS Names → Domains → Tracking Codes
Used to uncover:
  • Hidden assets
  • Legacy systems
  • Connected infrastructures
5. DNS Transform Distinctions

Two commonly confused transforms:

To Website Mentioning Domain
  • Broad search for any website that references the domain
  • Good for OSINT, not for footprinting
To Website Using Domain
  • Returns websites whose DNS name is the domain or one of its subdomains (the name ends with ".yourdomain")
  • Ideal for discovering all related organizational websites
Live vs Passive DNS
  • Reverse DNS (PTR) = current data
  • Passive DNS (Robtex) = historic data and may show mappings that no longer resolve
    • Maltego displays these as dotted links
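The backward pivot from section 4 and the two distinctions in this section, as an added worked example (not code from the episode or from Maltego). The PTR answers, passive-DNS history and tracking codes are constructed placeholders, the helper names are this example's own, and the registrable-domain step is a deliberate simplification noted in its docstring.

```python
"""Backward pivot (IP -> DNS names -> domains -> tracking codes) over passive DNS.

Added example, not code from the episode or from Maltego. The PTR answers,
passive-DNS history and tracking codes below are constructed placeholders.
"""
ORG_DOMAIN = "example.org"

CONSTRUCTED_PTR = {"192.0.2.10": ["www.example.org"]}  # live reverse DNS today
CONSTRUCTED_PASSIVE_DNS = {  # ip -> [(hostname, first_seen, last_seen)]
    "192.0.2.10": [
        ("www.example.org", "2021-03-01", "2024-07-01"),
        ("old-portal.example.org", "2019-01-15", "2021-02-28"),
        ("shop.partner.example", "2020-05-01", "2024-07-01"),
        ("login.notexample.org", "2022-01-01", "2024-07-01"),
    ],
}
CONSTRUCTED_TRACKING = {  # hostname -> tracking code observed on the site
    "www.example.org": "trk-0001",
    "shop.partner.example": "trk-0001",
    "login.notexample.org": "trk-0002",
}

def website_uses_domain(hostname, domain):
    """'To Website Using Domain' test: hostname is the domain or a subdomain of it.
    A bare hostname.endswith(domain) would also accept 'login.notexample.org',
    so the check insists on a label boundary."""
    h, d = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return h == d or h.endswith("." + d)

def website_mentions_domain(text, domain):
    """'To Website Mentioning Domain' test: any reference at all (OSINT, not footprint)."""
    return domain.lower() in text.lower()

def registrable_domain(hostname):
    """Last two labels. Simplification: real tooling consults the Public Suffix
    List so that 'shop.example.co.uk' is not reduced to 'co.uk'."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])

def reverse_pivot(ip, today="2024-07-01"):
    """One backward pivot from an IP. Each edge is tagged:
    'live'     - confirmed by the current PTR answer (solid link),
    'passive'  - passive-DNS only but still seen today (e.g. shared hosting),
    'historic' - passive-DNS only, last seen before today (Maltego's dotted link)."""
    live = set(CONSTRUCTED_PTR.get(ip, []))
    edges = []
    for host, _first, last in CONSTRUCTED_PASSIVE_DNS.get(ip, []):
        if host in live:
            status = "live"
        elif last < today:  # ISO dates compare correctly as strings
            status = "historic"
        else:
            status = "passive"
        edges.append({"name": host, "domain": registrable_domain(host), "status": status,
                      "tracking": CONSTRUCTED_TRACKING.get(host),
                      "uses_org_domain": website_uses_domain(host, ORG_DOMAIN)})
    return edges

def operator_linked_sites(ip):
    """Hosts outside ORG_DOMAIN on this IP that share a tracking code with an
    org host: the 'same operator' link, as opposed to mere co-hosting."""
    edges = reverse_pivot(ip)
    org_codes = {e["tracking"] for e in edges if e["uses_org_domain"] and e["tracking"]}
    return sorted(e["name"] for e in edges
                  if not e["uses_org_domain"] and e["tracking"] in org_codes)

def legacy_assets(ip):
    """Historic org names on the IP: the 'legacy systems' a backward pivot surfaces."""
    return sorted(e["name"] for e in reverse_pivot(ip)
                  if e["uses_org_domain"] and e["status"] == "historic")

if __name__ == "__main__":
    for e in reverse_pivot("192.0.2.10"):
        print(f'{e["status"]:8} {e["name"]:26} {e["domain"]:18} {e["tracking"]}')
    print("same operator:", operator_linked_sites("192.0.2.10"))
    print("legacy:", legacy_assets("192.0.2.10"))
```

The constructed IP deliberately carries four names with one PTR record: only the PTR-confirmed name is a live link, the retired portal is historic, and the two co-hosted third-party names are current but unconfirmed. Of those two, only the one sharing the organisation's tracking code is reported as the same operator; the lookalike notexample.org host is excluded both by the label-boundary check and by its different code.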


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy