29.05.2020

Maltego Part 6:

Honey, where have you been? I went for a run!
Hello, friends. The goal of my article today is to give you an overview of the combination of Maltego + Social Links when it comes to search by geolocation – how does it work and how can we use it in OSINT.
Geolocation plays a significant role in OSINT. There is a new challenge (Kryptic Ransomware) on Hack The Box, and it is built around the search for specific coordinates of the target building. This challenge is very interesting – take the time to go through it.
So, let's begin. The first method that I know is to use the original Entities of Maltego: Circular Area and GPS Coordinate.
Take the coordinates from Google Maps without any feeling of remorse, put them into the Entity's parameters, and set the radius of coverage if you use Circular Area.
For the GPS Coordinate Entity, the following Transforms are available to us:
[Censys] Search in IPv4 – request for all IP addresses from Censys database by these coordinates.
[Facebook] Photos by Geo – find a picture by specific geolocation
[Facebook] Search for Places – find a place by specific geolocation
[Facebook] Videos by Geo – find all videos by specific geolocation
[Instagram] Media by Geo – find all media files by specific geolocation
[Snapchat] Snap by Geo – find all snaps by specific geolocation
[Twitter] Search Tweets by Geo – find all tweets by specific geolocation
[Vkontakte] Photos by Geo Popular – find popular photos by specific geolocation
[Vkontakte] Photos by Geo Recent – find recently taken pictures by specific geolocation
[Vkontakte] Stories by Geo – find all stories by specific geolocation
[YouTube] Videos by Geo – find all videos by specific geolocation
Also, there is an option to convert a GPS Coordinate Entity into a Circular Area.
For the Circular Area Entity, we have access to all of the above except for the Censys API.
As a test case, I chose the very center of Palace Square. Why? As always, without any particular reason.
The most interesting part is to know how 'Transform - [Facebook] Search for Places' really works. With pictures, videos and media, I think it is pretty clear. If there is a geotag in social networks, then one of the above is given in the search results. If there is no tag, nothing will be found.
Let's convert GPS Coordinate into Circular Area, set the radius limit to 1,000 meters and run the transform. You will get 94 locations from Facebook search results.
Everything is quite relevant, with few exceptions. Two unknown elements were picked up among the sights, clubs, bars and restaurants.
There is this guy offering to buy a yacht for a thousand Euro and another account under the name of 'St Petersburg' with an image of a random bloke. Both decided for some reason that they are companies and registered on Facebook as commercial accounts with a legal address in Palace Square.
The rest is pretty accurate. All accounts have been tagged within 1,000 meters of Palace Square.
So these two ended up here through Facebook's oversight regarding the accuracy of business accounts, not through a mistake by Maltego. These accounts were tagged within 1,000 meters of Palace Square.
Now let's try out image search. The coordinates are in the center of Palace Square according to Google Maps (59.93901,30.315706). I intentionally narrowed my search results to 50 images only; otherwise I would be swept away by the massive flood of all hits.
Now a certain model of how Facebook generates search results emerges. First, the algorithm finds the target spot nearest to the coordinates and shows all images that have been tagged there. Because our location was the very center of Palace Square, the nearest geotag returned by Facebook is Palace Square itself. As a result, we get all pictures that were tagged there.
And now, to prove that our hypothesis is working, let's take the coordinates of COCOCO restaurant (59.934991, 30.308709) and try to do the same trick with image search.
But no, WAIT! It's correct. This place is located in the same building as COCOCO restaurant. This must have been a slip of my hand that my tag in Google Maps got shifted by half a degree)
You may ask, 'How about VKontakte then?' Things are not that good with our favorite VK. The spread is just crazy there. For example, below are the results returned for the same coordinates as in the previous case. But the images in the results show both spots that are 200-300 meters away from the target and even those with a geotag in Peterhof!
As to the '[YouTube] Videos by Geo' transform, things are a little better here, although not significantly. Search results returned videos with geotags of certain places in St Petersburg, including COCOCO restaurant by the way, as well as plenty of videos with the tag RUSSIA.
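The spread described for the VKontakte and YouTube results can be measured rather than eyeballed. The following is an added example, not part of the original article or of Maltego / Social Links: it computes the great-circle distance from the query point to each returned geotag and separates hits inside the circular area from outliers. The two named coordinates come from the article; the sample hits, the Peterhof coordinates and the 100 m radius are constructed assumptions.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def triage(center, radius_m, hits):
    """Split (label, (lat, lon)) hits into (inside, outside) the circular area.

    Each returned item is (label, distance_in_metres), sorted by distance.
    """
    inside, outside = [], []
    for label, coords in hits:
        lat, lon = coords
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError(f"bad coordinates for {label!r}: {coords}")
        d = round(haversine_m(center, coords))
        (inside if d <= radius_m else outside).append((label, d))
    by_distance = lambda item: item[1]
    return sorted(inside, key=by_distance), sorted(outside, key=by_distance)


PALACE_SQUARE = (59.93901, 30.315706)  # coordinates quoted in the article
COCOCO = (59.934991, 30.308709)        # coordinates quoted in the article

# Constructed sample hits (not real search results).
SAMPLE_HITS = [
    ("geotag at the query point", COCOCO),
    ("geotag about 250 m north", (59.937241, 30.308709)),
    ("geotag in Peterhof (approximate coordinates)", (59.8845, 29.9086)),
]

if __name__ == "__main__":
    # Assumed radius of 100 m around the COCOCO query point.
    inside, outside = triage(COCOCO, 100, SAMPLE_HITS)
    print("inside :", inside)
    print("outside:", outside)
    print("Palace Square -> COCOCO:",
          round(haversine_m(PALACE_SQUARE, COCOCO)), "m")
```

With these inputs the Peterhof tag lands roughly 23 km from the query point, which is the kind of outlier worth discarding before treating a geotag hit as confirmation of a location.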
The 'Search Person' Entity can also be considered one of the options for searching by geolocation. This Entity is made to search for an individual on Facebook. It has several fields in the 'Properties' section. We can set our search criteria by filling in these fields.
Suppose we know the full name and the city of an individual. Fill them in and run the required Transform. Options you will get are given below:

[Facebook] Search Users – user search
[Facebook] Search Users (Exact) – exact search with full matches of input data
[Facebook] Search Users (Up to 60 mins) – deferred user search
[Facebook] Search Users (Up to 60 mins) (Exact) – deferred exact search with all matching input data
So, it is all good. My Facebook page is among the results, as expected. It is a proven method, and on Facebook it works without fail. Except that there is a whole bunch of hits with my namesakes to be dealt with in search of the required account.
We need a deferred search in this case to get around Maltego's two-minute response window. It is used for searches through a large volume of information, for example, when you need to find all accounts from one given city and put them in a graph.
Now let's get down to practical conclusions.
This method cannot be used as a stand-alone search element. But as an additional channel for data checks or, for example, as an extra line of investigation, this tool can be used very well.
Personally, I used this search method twice, when I needed a confirmation from social networks of the exact current location of an individual.
Within the framework of one case, I retrieved pictures through Circular Area by certain coordinates, and then later I got pictures of the target's wife. Maltego, as it was meant to, identified links between the matching pictures so that in the end, we got the result we needed.
Do not miss the upcoming articles from this series, where we will talk about data search in forums and stores of the Dark Net.