Using Host.io and IPInfo Transforms to Investigate Domains
In an effort to further expand Maltego’s powerful infrastructure footprinting and cyber threat intelligence capabilities, we are thrilled to announce that we’ve added a new set of Transforms for domain and IP address enrichment using the APIs provided by ipinfo.io and host.io. They are part of the new hub items Host.io and IPInfo and were developed by Christian Heinrich.
Host.io is a provider of domain data, complemented by the IP address intelligence of its sister service IPInfo. With the Host.io Transforms, you can look up redirects, backlinks, IP addresses, co-hosted domains, outgoing links and other metadata for just about any domain. IPInfo offers geolocation, ASN (autonomous system number) and provider information, phone and carrier data, among others. Together, the details supplied by these services can be used to build a fuller picture of the subject of an investigation.
In this article, we are going to walk through a short investigation of ExxonMobil’s internet infrastructure to demonstrate the functionality of our new Transforms.
We first start with the Domain Entity we are investigating. In this case it is exxonmobil.com.
Let’s run the Extract Metadata from webpage Transform on it. In the results we can observe the links present on the site, its description and its IP address. As a first step, this kind of information can be used to attribute infrastructure or to discover connections between different domains.
Next, we use one of the IPInfo Transforms, Enrich IPv4 Address, to keep exploring.
By running this Transform on the IP address generated in the previous step, we can find even more data. The ASN (autonomous system number) information is particularly useful. An ASN identifies an autonomous system: a set of IP prefixes under a single administrative entity with its own routing policy. Knowing which AS an IP address belongs to is helpful because many large companies run their own AS, so the ASN often leads us to other websites run by the same company.
However, the AS we found is run by Akamai Technologies, Inc., one of the world’s largest content delivery network and cloud services providers. Enriching that AS further, for example with IPInfo’s Enrich ASN Transform, would mostly return Akamai customers with no relation to ExxonMobil, so the ASN is not a useful pivot here.
What we can do though, is use Host.io to see which domains redirect to ExxonMobil, to further map their infrastructure.
Running this Transform gives us a list of 205 domains which redirect to ExxonMobil’s domain, including some interesting ones such as polarbearradar.com, radarbears.com and letssolvethis.com.
Now, let’s see if we can squeeze out some more information from that IP address we got earlier.
By running the Domains Hosted on IP Address Transform from Host.io we can identify other domains hosted on the same IP address as exxonmobil.com. This is useful because it can surface domains that are not connected to our target through more direct means such as redirects or backlinks.
We found an extra 160 domains. On a CDN address like this one, co-hosting alone is weak evidence of ownership, and these could be unrelated domains that merely share the IP; skimming over them, however, they clearly appear to belong to ExxonMobil as well. That brings us to 357 domains so far!
Some of the Transforms included in CTAS can help us power up the Host.io Transforms to yield even more data in this investigation. We’ll use the To DNS Name - NS (name server) and Domains using this NS Transforms to see if we can find other domains sharing the same name server.
After running the Lookup NS for this Domain Transform, we can see that ExxonMobil appears to run its own name servers. Unlike a hosting provider’s shared name servers, a company-operated NS is a strong ownership signal, so we can assume that the other domains using it are most likely owned by ExxonMobil as well. Now let’s run the Domains using this NS Transform.
This Transform returned 614 extra domains!
Now let’s see if we can find domains hosted in other autonomous systems, in particular any AS run by ExxonMobil itself. We select all the new domains and run Extract metadata from webpage again, select the resulting IP addresses and run IPInfo’s Enrich IPv4 Address, and finally run IPInfo’s Enrich ASN on the ASNs that come back.
Those are a lot of results! Let’s select the Company Entities (the owners of each AS) to see if we can find ExxonMobil among them.
It seems that we can!
We now know which AS is run by ExxonMobil themselves.
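To make the reasoning behind the pivots above explicit, here is an added example in Python that is not Maltego, Host.io or IPInfo code. It replays the same investigation logic offline: redirects, co-hosted domains, a name-server pivot and an ASN check, with each discovered domain tagged by how it was found and scored so that co-hosting on a shared CDN AS counts for less than a redirect or a domain on the target’s own AS. All lookup tables are constructed sample data standing in for Transform results (the names, IPs and AS numbers are hypothetical); the only real format assumed is IPInfo’s "org" field, which reads like "AS20940 Akamai International B.V.", and the SHARED_ASN_ORGS list is an editorial assumption about which AS operators are shared infrastructure.

```python
"""Offline pivot logic for a domain-infrastructure investigation.

Added example, not Maltego, Host.io or IPInfo code. The lookup tables are
constructed sample data standing in for Transform results.
"""
import re
from collections import defaultdict

# Constructed sample data (hypothetical domains, IPs and AS numbers).
WEB_METADATA = {               # domain -> IP, as from "Extract Metadata from webpage"
    "example-corp.com": "192.0.2.10",
    "example-corp.net": "192.0.2.10",
    "unrelated-shop.test": "192.0.2.10",
    "example-corp.org": "198.51.100.5",
}
IPINFO = {                     # IP -> IPInfo "org" value, as from "Enrich IPv4 Address"
    "192.0.2.10": "AS64500 Example CDN Inc.",
    "198.51.100.5": "AS64496 Example Corp",
}
HOSTED_ON_IP = {               # IP -> co-hosted domains, as from "Domains Hosted on IP Address"
    "192.0.2.10": ["example-corp.com", "example-corp.net", "unrelated-shop.test"],
    "198.51.100.5": ["example-corp.org", "intranet.example-corp.org"],
}
REDIRECTS_TO = {               # domain -> domains that redirect to it, as from Host.io
    "example-corp.com": ["example-corp.net", "examplecorp-campaign.test"],
}
NS_FOR_DOMAIN = {              # domain -> authoritative name server
    "example-corp.com": "ns1.example-corp.com",
    "unrelated-shop.test": "ns1.hoster.test",
}
DOMAINS_USING_NS = {           # NS -> domains using it, as from "Domains using this NS"
    "ns1.example-corp.com": ["example-corp.com", "example-corp.org", "legacy-example.test"],
}

# Assumption: AS operators that are shared infrastructure (CDN/cloud), where
# co-hosting on an IP says little about who owns the domain.
SHARED_ASN_ORGS = {"Example CDN Inc."}

# How much each discovery path is worth when judging ownership.
CONFIDENCE = {
    "redirect": 3, "own-asn": 3,
    "shared-own-ns": 2, "cohosted": 2,
    "cohosted-shared-asn": 1,
}

ORG_RE = re.compile(r"^AS(\d+)\s+(.*)$")


def parse_org(org):
    """Split IPInfo's org string, e.g. "AS20940 Akamai International B.V.", into (asn, name)."""
    m = ORG_RE.match(org.strip())
    if not m:
        raise ValueError(f"unexpected org format: {org!r}")
    return int(m.group(1)), m.group(2)


def is_own_ns(ns, target):
    """True when the name server lives under the target's own domain."""
    return ns.endswith("." + target)


def investigate(target, target_org):
    """Pivot from a seed domain; return ({domain: [tags]}, [ASNs owned by target_org])."""
    findings = defaultdict(set)
    ip = WEB_METADATA[target]
    _, org_name = parse_org(IPINFO[ip])

    # Redirects: someone deliberately pointed the name at the target.
    for d in REDIRECTS_TO.get(target, []):
        findings[d].add("redirect")

    # Co-hosting: weak on a shared CDN/cloud AS, moderate elsewhere.
    tag = "cohosted-shared-asn" if org_name in SHARED_ASN_ORGS else "cohosted"
    for d in HOSTED_ON_IP.get(ip, []):
        if d != target:
            findings[d].add(tag)

    # Name-server pivot: only meaningful when the target runs its own NS.
    ns = NS_FOR_DOMAIN.get(target)
    if ns and is_own_ns(ns, target):
        for d in DOMAINS_USING_NS.get(ns, []):
            if d != target:
                findings[d].add("shared-own-ns")

    # ASN check on every candidate: note which sit on an AS owned by the target.
    own_asns = set()
    for d in list(findings):
        d_ip = WEB_METADATA.get(d)
        if d_ip in IPINFO:
            d_asn, d_org = parse_org(IPINFO[d_ip])
            if d_org == target_org:
                own_asns.add(d_asn)
                findings[d].add("own-asn")

    return {d: sorted(tags) for d, tags in findings.items()}, sorted(own_asns)


def score(tags):
    """Ownership confidence of a candidate is its strongest discovery path."""
    return max(CONFIDENCE[t] for t in tags)


if __name__ == "__main__":
    found, asns = investigate("example-corp.com", "Example Corp")
    for d, tags in sorted(found.items(), key=lambda kv: -score(kv[1])):
        print(f"{score(tags)}  {d:28} {', '.join(tags)}")
    print("ASNs owned by target:", asns)
```

Run as a script it prints the candidates ranked by confidence: the domain found only by co-hosting on the CDN address scores lowest, while the domain that both uses the target’s own name server and sits on the target’s own AS scores highest. Swapping the constructed tables for real Transform output is the only change needed to apply the same ranking to an actual graph.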
A curious and persistent investigator could now search for domains hosted in this AS to find even more of ExxonMobil’s infrastructure. We’ll stop at this point, as our goal was to introduce the functionality provided by the new Transforms for Host.io and IPInfo.
We hope we’ve inspired you to try out the new Transforms in your own investigations! We would love to hear about your experience and use cases for them. Keep visiting our blog or follow our Twitter and LinkedIn pages for more interesting walk-throughs, announcements and use cases, or to post your ideas, questions and comments.