Farsight DNSDB Transforms for Maltego with Flexible Search Now Available

Today Maltego Technologies GmbH and Farsight Security announced that Farsight DNSDB Transforms for Maltego have been updated to include DNSDB 2.0 Flexible Search capabilities and renamed DNSDB Transforms to align with Maltego's best practices. We are excited to deliver these new capabilities to threat hunters! Let's dig into what's changed and the benefits of the updated Transforms.

First, a little bit of history…

Farsight’s flagship product, DNSDB, is the world's largest database of historical DNS information, with more than 100B unique DNS observations since 2010. DNSDB enables security professionals to identify and map domain names and IP addresses associated with bad actors or used in malicious infrastructure, brand infringement campaigns, phishing schemes, ransomware and other types of cybercrime.

In 2018, Farsight announced the availability of Farsight DNSDB Transforms to the Maltego community for use in cybersecurity investigations in all versions of Maltego, including the Community Edition (CE), Classic and XL versions.

In 2020, Farsight Security introduced DNSDB 2.0, which includes a new feature called Flexible Search that eliminates the previous requirement that you already know something about the malicious domain name you were searching for. With Flexible Search, investigators can find DNS patterns of interest even if they don’t know exactly what they’re looking for, by making substring searches or using precise “egrep-style” regular expression searches over SOA record fields and other rdata, such as TXT record substrings.

Today Farsight announced the updated Farsight DNSDB Transforms for Maltego, which include DNSDB 2.0 Flexible Search capabilities, renamed DNSDB Transforms to align with Maltego's naming convention, and more detailed error reporting. For a more in-depth look at the refresh of the Transform UI names, read our latest Farsight blog, "New UI Names for Farsight DNSDB Transforms for Maltego."

About Maltego

Maltego is a tool popular with cybersecurity investigators for visualizing cybersecurity data and exploring relationships within that data. Maltego Transforms automate the process of querying many different data sources. The information is displayed on a node-based graph suited to performing additional analysis. The Farsight DNSDB Transforms for Maltego give Maltego users access to Farsight Security’s historical DNS database (DNSDB), including its Flexible Search capabilities.

Farsight DNSDB Transforms for Maltego

Using the previous Farsight DNSDB Transforms for Maltego version, Maltego customers were able to obtain answers to the following questions during the course of an investigation:

  • Where did this domain name point to in the past?
  • What domain names are hosted on a given IP address?
  • What domain names use a given nameserver?
  • What fully qualified domain names exist below a delegation point?

As you can see, in order to ask those questions, cybersecurity investigators had to have some knowledge of the malicious domain name they were searching for. In addition, cybersecurity investigators could not simply search for patterns containing words like “<insert-most-phished-or-impersonated-brand-names>” or even “<insert-most-common-associated-words>” found in a Fully Qualified Domain Name.

Now, with the updated Farsight DNSDB Transforms for Maltego, Maltego users gain the ability not only to:

  • Find names related to a network address
  • Illuminate the DNS (and other service) hosting infrastructure of an intersecting domain and find other domains of interest
  • Find historical locations of a service identified by a hostname or domain

But also to easily obtain answers to the following questions:

  • What are similar naming patterns surrounding a phishing or spamming campaign?
  • What are similar naming patterns surrounding a domain generation algorithm (DGA)?
  • What are similar naming patterns used in cybersquatting/typosquatting?
  • What are common contact or crypto materials in TXT, SRV, MX, RP records?
  • What are the SOA records for maintainer points of contact (email) OR zone master DNS server names?

Now, you can search for brand names and keywords like this:

    .*rolex.*
    p(a|o)ypal
    wel{3,6}sfargo
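To make concrete what the three patterns above catch (and miss), here is an added example that is not Farsight's or Maltego's code: it applies the page's egrep-style regexes, plus a file-glob pattern as in Figure 1, to a constructed list of passive-DNS names. It assumes regex searches match anywhere in a name (egrep semantics) while a glob must cover the whole name.

```python
"""Apply DNSDB Flexible Search style patterns to sample DNS names.

Added example, not Farsight/Maltego code. The SAMPLE_RRNAMES list is
constructed for illustration and is not real DNSDB output.
"""
import fnmatch
import re

# Constructed sample rrnames, written as a passive-DNS source might
# return them (lower-case, trailing dot). Not real observations.
SAMPLE_RRNAMES = [
    "www.rolex.com.",
    "rolex-watches-outlet.example.",
    "login.paypal.com.",
    "secure-poypal-verify.example.",       # vowel swap typosquat
    "paypa1.example.",                     # digit-for-letter: not caught by p(a|o)ypal
    "wellsfargo.com.",                     # only two l's: outside l{3,6}
    "welllsfargo-online.example.",         # three l's
    "we" + "l" * 6 + "sfargo.example.",    # six l's: upper bound of l{3,6}
    "we" + "l" * 7 + "sfargo.example.",    # seven l's: beyond the bound
    "mail.example.net.",
]


def flex_regex(pattern, rrnames):
    """Egrep-style regex search: a hit if the pattern matches anywhere
    in the name (assumption: unanchored, like egrep)."""
    rx = re.compile(pattern)
    return [name for name in rrnames if rx.search(name)]


def flex_glob(pattern, rrnames):
    """File-glob style search: the glob must cover the whole name, so
    '*rolex*' is needed to match a substring (assumption)."""
    rx = re.compile(fnmatch.translate(pattern))
    return [name for name in rrnames if rx.match(name)]


if __name__ == "__main__":
    for pat in (r".*rolex.*", r"p(a|o)ypal", r"wel{3,6}sfargo"):
        print(f"regex {pat!r:20} -> {flex_regex(pat, SAMPLE_RRNAMES)}")
    for pat in ("*rolex*", "rolex*"):
        print(f"glob  {pat!r:20} -> {flex_glob(pat, SAMPLE_RRNAMES)}")
```

Note that `wel{3,6}sfargo` deliberately does not match the legitimate `wellsfargo.com.` (two l's), and that `p(a|o)ypal` misses the digit-substitution `paypa1`, so a brand-protection pattern set normally needs several such expressions.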

A few sample screenshots of the new Farsight DNSDB Transforms for Maltego

Below are selected screenshots from the updated Farsight DNSDB Transforms for Maltego that highlight the new DNSDB 2.0 Flexible Search capabilities. The Number of Results slider is set to 12 for this example, but the Transform supports up to 65K results.

Figure 1: Create a Phrase entity with file-glob style pattern.

Figure 2: Retrieving DNS names associated with Rolex.

Figure 3: Create a Phrase entity with a regular expression string and retrieve DNS names associated with PayPal.

Figure 4: Create a Phrase entity with a regular expression string and retrieve DNS names associated with Wells Fargo.

How to get the updated Farsight Maltego Transform?

To install the updated DNSDB Maltego Transform, select Transform Hub, then hover over the Farsight Transform Set and click Install.

Figure 5: The Farsight DNSDB Transform on the Maltego Transform Hub.

Select Install and confirm that you want to proceed with the Transform set installation.

Figure 6: Successful Installation

When prompted, enter your DNSDB API key. Each Transform requires an API key, and you will be prompted for it automatically at the time of use; you can choose ‘Remember these settings’ so you are not prompted for your API key the next time you use the Transform.

We hope you enjoy the latest Farsight DNSDB Transforms for Maltego, which include DNSDB 2.0 and Flexible Search. If you have any questions, please reach out to support@farsightsecurity.com.

Robert Duran is on our Customer Success Team at Farsight Security, Inc.