We are pleased to announce the latest addition to the Maltego Transform Hub: WhoisXML API!
The WHOIS protocol has been the standard for researching important contact information associated with domain names and IP address registration information.
For over a decade, the team at WhoisXML API have been gathering, analyzing, and correlating domain, IP, and DNS (Domain Name Service) data to make the Internet more transparent and safer.
New WhoisXML API Integration in Maltego ๐๏ธ
This first release of the official Maltego WhoisXML API integration introduces new Transforms to look up current and historical WHOIS information for IP addresses and domains, as well as to perform reverse WHOIS lookup.
With the new Transforms, users can: ๐๏ธ
-
Look up the registration history of domain names and IP addresses.
-
In addition to looking up WHOIS records, users can now search for domain names and IP addresses using a search term which should be something typically found within a WHOIS record, e.g., the registrantโs name, email, phone number, etc.
This search can be performed using many of the Maltego Standard Entities as a starting point, for example, the standard Phrase Entity. Additional search terms to be included and/or excluded can also be specified as Transform input settings (these are limited to 4 terms each).
-
Retrieve Entities from a WHOIS record Entity such as registrant/registrar/tech/admin names, emails, and other contact information.
-
Retrieve network infrastructure details such as nameservers and their IP addresses.
When looking up WHOIS records, most services return the latest WHOIS records which may be anonymized and may not supply any history of the changes. Using WhoisXML API Historical Transforms in Maltego, you can now look up previously seen records.
How Maltego Investigators Can Leverage WhoisXML API Transforms ๐๏ธ
WhoisXML API is a useful resource for cyber investigations as illustrated in the following use cases.
Use Case 1: Investigating Typo Squatting ๐๏ธ
Typo squatting is the deliberate registration of domain names that are confusingly similar to the ones owned by a brand, company, person, or organization. Threat actors may use this technique to mislead unsuspecting users online.
Reverse WHOIS Search ๐๏ธ
To get started, we look at how we can use Reverse WHOIS Search to look up domains that contain a keyword in their WHOIS records.
Taking a Phrase Entity with the input โInstagram,โ we run the To Domains and IP Addresses (Reverse WHOIS Search) [WhoisXML] Transform.
The Transform has returned 12 results with the term โInstagramโ in the domain name as we have limited the maximum number of results returned to 12 using the Transform Slider.
Next, we run the To WHOIS Records [WhoisXML] Transform on the returned domains. Focusing only on the WHOIS records that were created recently and have the registrant country available, we notice one outlier domain Entity registered in Turkey.
Attempting to open the domain in a browser triggers a Google Safe Browsing alert.
NOTE: We recommend not to visit any of these websites since they may be malicious.
As confirmation of the classification, we annotate the graph using the VirusTotal Annotate Domain Transform, and the results show that antivirus engines on VirusTotal have classified the domain as malicious.
Identify Domain Registration Owner ๐๏ธ
Next, to find the person whose information was used for registering the domain, we extract the registration details from the WHOISRecord Entity by running the Extract Fields from WHOIS Records Transform set.
We can see that the registrant organization is listed as Kabil Yazici. The domain was registered on the 14th of December 2020, at the time of drafting this article, showing the prowess of the WhoisXML database.
Use Case 2: Historical WHOIS Lookup ๐๏ธ
Another important service offered by WhoisXML API is the historical WHOIS search, which is why we are also releasing the To Historical WHOIS Records [WhoisXML] Transform.
Tracking historical ownership and registration information can be done using the details contained in WHOIS records. For a historical search, a Domain or IP Address Entity can be used as a starting point as shown below.
The Transform may return multiple WHOIS Records depending on the availability of the data.
After extracting information from the WHOISRecord Entity, it is possible to visually observe and map ownership timelines, network infrastructure and other insights which may enhance threat intelligence.
Historical WHOIS information can be an invaluable tool in both cyber investigations and person of interest investigations, as it may help you track down information revealing true ownership of a websites or hidden connections between them using past records that are no longer accessible.
Utilize WhoisXML Transforms in Maltego for Cyber and Person of Interest Investigations! ๐๏ธ
This brief walkthrough illustrates how the WhoisXML Transforms can be used to augment cybercrime investigations. There are many valuable use cases for these new Transforms, including brand protection analysis, cyber attribution investigations, and domain asset monitoring, and more.
Donโt forget to follow us on Twitter and LinkedIn or subscribe to our email newsletter to stay tuned to more updates, tutorials, and use cases.
Happy hunting!