Hello dear friends. Today the purpose of my article is to analyze the functionality of the Maltego + Social Links bundle for geolocation search. How does it work, and how can we apply it in OSINT? Let's figure it out.
Geolocation plays an important role in OSINT. No wonder one of the new OSINT challenges (Kryptic Ransomware) on Hack The Box is tied specifically to finding the exact coordinates of the target's home. The challenge is very interesting; it is worth taking the time to go through it.
Before reading, I recommend that you familiarize yourself with the previous articles from the series about Maltego:
Part 1 - What is Maltego and why is it needed at all
Part 2 - Interface and basic device
Part 3 - Maltego and OSINT on Facebook
Part 4 - Maltego and OSINT on VK, Instagram, LinkedIn and other social networks
Part 5 - Application of face recognition system for OSINT in Maltego
There is a lot of useful information.
So let's get to it. The first method I know of is using the native Maltego Entities: Circular Area and GPS Coordinate.
In the properties of the Entity we need to specify the coordinates, which can simply be taken from Google Maps, plus the search radius if we use the Circular Area.
For the GPS Coordinate Entity, the following Transforms are available:
[Censys] Search in IPv4 - query the Censys database and find all IP addresses geolocated to these coordinates.
[Facebook] Photos by Geo - find photos by specified geolocation.
[Facebook] Search for Places - find places by specified geolocation.
[Facebook] Videos by Geo - Find all videos by geolocation.
[Instagram] Media by Geo - find all media files by specified geolocation.
[Snapchat] Snap by Geo - Find all media files by specified geolocation.
[Twitter] Search Tweets by Geo - Find all tweets by geolocation.
[Vkontakte] Photos by Geo Popular - find popular photos by specified geolocation.
[Vkontakte] Photos by Geo Recent - find recent photos at the specified geolocation.
[Vkontakte] Stories by Geo - find all stories at the specified geolocation.
[YouTube] Videos by Geo - Find all videos by geolocation.
It is also possible to convert a GPS Coordinate Entity into a Circular Area.
For the Circular Area Entity, all of the same Transforms are available to us, except the one that works with the Censys API.
For the test, I chose the coordinates of the center of the Palace Square. Why? As usual - just like that.
The most interesting thing is to see how the [Facebook] Search for Places Transform works. With photos, videos and media, I think everything is clear anyway: if the post has a geotag on the social network, it shows up in the search results; if there is no tag, it does not.
Convert the GPS Coordinate to a Circular Area, set a radius of 1000 meters and run the Transform. We get 94 places from the Facebook search results.
Everything is quite relevant, with a few exceptions. Among the attractions, clubs, bars and restaurants, 2 odd entries turned up.
A guy who says that you can buy a yacht for 1000 euros, and an account called St. Petersburg with a photo of some random dude. For some reason, both decided that they were companies and registered on Facebook as a commercial account with a legal-entity address in the area of Palace Square.
Otherwise, everything is quite accurate. All accounts have a listed address within a radius of 1000 meters of Dvortsovaya (Palace Square).
So these two are more an oversight in Facebook's vetting of commercial accounts than Maltego's fault: the geodata in their accounts falls within 1000 meters of Palace Square.
Now let's try out the photo search. The coordinates are the center of Palace Square according to Google Maps (59.93901,30.315706). I deliberately limited the output to 50 photos, because otherwise we would simply be overwhelmed by the stream of everything it finds.
And here a certain pattern begins to emerge in how Facebook returns results. First, the social network finds the place of "interest" closest to the point and returns all photos that carry the corresponding geotag. Since we specified the center of Palace Square, the closest place, according to the social network, is Palace Square.
As a result, all the photos that have this tag end up in the output.
Well, to confirm the hypothesis, take the coordinates of the COCOCO restaurant (59.934991, 30.308709) and try the same photo search trick.
And we get a photo from ... HI SO TERRACE ... (in case it is not obvious, this is not what we were looking for).
No, STOP! Everything is correct. This establishment is located in the same building as the COCOCO restaurant. Apparently, my hand trembled by half a degree when I placed the marker on Google Maps to grab the coordinates.
How are things with VKontakte, you ask? With our beloved VK, things are not so good. The spread is just wild. For example, here is a query with the same coordinates as before, but the output contains photos both 200-300 meters from the point and even ones with the Peterhof geotag!
As for the [YouTube] Videos by Geo Transform, things are a little better, although not by much. The results included both videos geotagged to specific places in St. Petersburg, including the COCOCO restaurant, and many videos geotagged simply RUSSIA.
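To make two of the observations above concrete, the 1000-meter Circular Area check and the "nearest place of interest" behaviour that swapped COCOCO for HI SO TERRACE, here is a small Python script added to this article. It is not part of Maltego or Social Links and does not call their APIs; it only post-processes coordinates the way you would when sanity-checking Transform output. It assumes a haversine great-circle distance and uses the Palace Square and COCOCO coordinates quoted above; the HI SO TERRACE, Peterhof and RUSSIA points are constructed sample values, not data returned by any Transform.

```python
import math

# Mean Earth radius in meters; accurate enough for sub-kilometre radius checks.
EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in meters between two (lat, lon) points given in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Coordinates quoted in the article (Google Maps).
PALACE_SQUARE = (59.93901, 30.315706)
COCOCO = (59.934991, 30.308709)

# Constructed sample of what a "by Geo" Transform might return: (label, lat, lon).
# Peterhof is an approximate real-world value; the RUSSIA centroid is a placeholder.
SAMPLE_RESULTS = [
    ("Palace Square photo", *PALACE_SQUARE),
    ("COCOCO restaurant photo", *COCOCO),
    ("Peterhof-tagged photo", 59.8847, 29.9087),
    ("RUSSIA-tagged video (placeholder centroid)", 61.5, 105.0),
]

# Constructed "places of interest". HI SO TERRACE shares a building with COCOCO,
# so it is placed about 5 m away (constructed offset, not a real coordinate).
PLACES = [
    ("Palace Square", *PALACE_SQUARE),
    ("COCOCO", *COCOCO),
    ("HI SO TERRACE", COCOCO[0] + 0.00005, COCOCO[1]),
]


def within_radius(results, center, radius_m):
    """Circular Area check: keep only results whose geotag lies within radius_m of center.

    Returns (label, distance_in_meters) pairs, so out-of-area hits such as the
    Peterhof-tagged VK photos are visible and can be discarded before they reach the graph.
    """
    clat, clon = center
    kept = []
    for label, lat, lon in results:
        d = haversine_m(clat, clon, lat, lon)
        if d <= radius_m:
            kept.append((label, round(d)))
    return kept


def nearest_place(places, point):
    """Model of the observed Facebook behaviour: snap the query point to the closest place."""
    plat, plon = point
    return min(places, key=lambda p: haversine_m(plat, plon, p[1], p[2]))


if __name__ == "__main__":
    print("Within 1000 m of Palace Square:")
    for label, d in within_radius(SAMPLE_RESULTS, PALACE_SQUARE, 1000):
        print(f"  {label}: {d} m")
    # A marker placed ~11 m north of COCOCO (constructed) already snaps to the neighbour.
    shaky_marker = (COCOCO[0] + 0.0001, COCOCO[1])
    print("Nearest place to exact COCOCO point:", nearest_place(PLACES, COCOCO)[0])
    print("Nearest place to shaky marker:", nearest_place(PLACES, shaky_marker)[0])
```

The radius filter is the check worth keeping in your own workflow: the Transform returns whatever the social network tags, and only a distance calculation against your Circular Area tells you whether a hit actually belongs in the investigation. The nearest-place function shows why a marker a few meters off can return photos from a different establishment in the same building.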
Another option for searching by location is the Search Person Entity. This Entity is designed for people search on Facebook and has several fields in its properties. By filling in these fields, we set the search criteria.
Let's imagine that we know the name and city. We fill in those values and run the Transform we need. You can choose from:
[Facebook] Search Users - search for users;
[Facebook] Search Users (Exact) - an exact search with a match of all input data;
[Facebook] Search Users (Up to 60 mins) - deferred user search;
[Facebook] Search Users (Up to 60 mins) (Exact) - an exact deferred search with a match of all input data.
Well, everything is OK. My Facebook page is listed as expected. The method has been tried and tested on Facebook and works flawlessly. Well, unless you count the pile of namesakes you have to rake through in search of the desired account.
The deferred search is needed here to work around a Maltego limitation: a Transform has a response window of 2 minutes. It is used when you need to search through a large array of information, for example, to find all accounts with the specified city and load them onto the graph.
Now to practical conclusions.
This functionality cannot be used as a standalone search element. As an additional channel for verifying information or, for example, as an additional vector of investigation, it can be applied successfully.
Personally, I used this search technique 2 times, when it was necessary to confirm the actual arrival of a person somewhere on social networks.
Within the framework of one case, photos were uploaded by coordinates through the Circular Area entity, and then photos were uploaded from the social networks of the wife of the case object. Maltego, as expected, built connections between matched photos and, as a result, we got the desired result.
Don't miss the following articles in the series. There we will talk about finding information on forums and stores on the Dark Net.
And even more materials and news from the world of information security can be found in our Telegram channel.