Iris Transforms for Maltego

Introduction

DomainTools Iris Transforms for Maltego can be run against the entities listed below for straight enrichment, lookup actions, or reversing / pivot actions. This works even when, and is especially useful when, those entities originate outside DomainTools, which lets users connect otherwise disparate datasets.

This document provides descriptions of the usable entities, enrichments, and pivots available to DomainTools Iris Maltego integration subscribers.

Usable Entities in Maltego with DomainTools Transforms

Maltego Entities

  • Domain (Apex or publicly-registered domain only)
  • Email
  • Domain Hosting IP Address
  • Name Server Hostname & IP
  • Mail Server Hostname & IP
  • Registrant Name
  • Registrant Organisation
  • Google Adsense Codes
  • Google Analytics Codes
  • SSL Certificate SHA hash
  • SSL Certificate Subject Field Contents
  • Iris Platform - Current Search Export (Iris Hash)

Enrichment (Beginning with Domain Entity)

  • Iris: Domain to ASN --> Discover the "Autonomous System Number" which uniquely identifies the ISP for each of the IP addresses used to host this domain.
  • Iris: Domain to Contact Email Addresses --> Find an aggregate set of email addresses used in the Registration (Whois record) of this domain.
  • Iris: Domain to Google Adsense --> Identify the Google Adsense code used in the page source for the "www." sub-domain of this apex domain.
  • Iris: Domain to Google Analytics --> Identify the Google Analytics code used in the page source for the "www." sub-domain of this apex domain.
  • Iris: Domain to IP Addresses --> For any domain or hostname entity, extract the relevant IPv4 addresses and display them as their own entities.
  • Iris: Domain to ISPs --> List the business names of all internet service providers providing hosting for this domain.
  • Iris: Domain to MX Records --> Populate new entities for all new mail server hostnames mentioned in the DNS MX record for this domain.
  • Iris: Domain to NS Records --> Populate new entities for all new name server hostnames mentioned in the DNS NS record for this domain.
  • Iris: Domain to Organisations --> Discover the Registrant Organisation mentioned in the Whois record for this domain.
  • Iris: Domain to Registrant --> Discover the Registrant mentioned in the Whois record for this domain.
  • Iris: Domain to Registrar --> List the company that registered the domain. This is often a useful contact for legal requests.
  • Iris: Domain to SOA Email Addresses --> Identify the DNS-based email record for a domain (if not affected by privacy laws).
  • Iris: Domain to SSL Email Addresses --> Extract any available email addresses from the SSL certificate associated with this domain.
  • Iris: Domain to SSL Hash --> Produce one or more SHA hash entities for the SSL certificates that resolve to this domain via SNI.
  • Iris: Domain to SSL Organisation --> Display any successfully parsed Issuer Organisation Values relevant to any SSL certificates associated with this domain.
  • Iris: Domain to SSL Subjects --> Each SSL certificate has a "subject" field that can contain various, potentially unique, string variations; this transform extracts those strings and presents them as entities in a Maltego graph.
  • Iris: Domain to Get Domain Contacts --> List all name, address, and phone number data points from a Whois record, aggregated into "Contact" fields and presented either as entities when this transform is run OR as an element of the properties view in Maltego.
  • Iris: Domain to Get Domain Profile --> Populate the dynamic properties view for a domain entity with the following: Created Date, Expiry Date, Risk Score, Alexa Ranking.
  • Iris: Domain to Get Email Domains --> Beginning with a domain entity, break out all related email domains from Whois, DNS / SOA & SSL sources into their own new domain entities.
  • Iris: Domain to Get Redirect Domain --> Identify any redirect (HTTP 301) configured for a domain entity at the time DomainTools discovered it initially.
  • Iris: Domain to Get Risk Components --> Domain Risk Score is composed of 4 component scores, as described in this technical brief. This will populate the Dynamic Properties view for that entity with these component scores, if available.
  • Iris: Domain to Redirect Domain to Domain --> Recursively follow a chain of redirects from domain to redirect to domain if further redirects exist.

Enrichment (Beginning with Hostname Entity)

  • Iris: Extract IP Address (MX or NS Host) --> Resolve the IP address as a graphed entity when it already exists as an enriched data point in the properties view.

Reversing (Pivot Action)

  • Iris: Email Address to Domain --> Create new domain entities for every domain linked to this Whois OR DNS/SOA-based email address in the DomainTools database.
  • Iris: Email Address to Domain (SSL Email) --> Create new domain entities for every domain linked to an email address derived from SSL certificates.
  • Iris: Registrant to Domains --> Show all domain entities with a Whois record displaying the specified registrant name.
  • Iris: Registrar to Domains --> Show all domain entities registered by this Registrar.
  • Iris: Organisation to Domains (Registrant Org) --> Display all known linked domain entities associated with a Registrant Organisation parsed from the Whois record.
  • Iris: Organisation to Domains (SSL Org) --> Display all known linked domain entities associated with an SSL Organisation.
  • Iris: IP Address to Domain --> Create new domain entities for all domains whose DNS A record resolves to this IP address.
  • Iris: IP Address to Email Domains --> Create new domain entities for all email domains associated with the Whois records of all domains hosted at this IP.
  • Iris: IP Address to NameServer Domains --> Create new domain entities for all DNS nameserver domains that resolve to this IP in DNS NS responses.
  • Iris: NS Domain to Domains --> Show all apex domains that use the specified name server apex domain for their DNS nameserver delegation.
  • Iris: Google Adsense to Domain --> Display all domain entities found by DomainTools to share this Adsense code at the time of this domain's discovery.
  • Iris: Google Analytics to Domain --> Display all domain entities found by DomainTools to share this Google Analytics code at the time of this domain's discovery.
  • Iris: Iris Search Hash to Domain --> Reverse from a phrase entity containing the Iris Search Export value to a list of domain entities. (Replays the Iris UI research in Maltego)
  • Iris: SSL Subject to Domains --> From a Phrase entity populated with the subject field from an SSL cert, show all related domain entities known in the DomainTools database.
  • Iris: SSL Hash to Domains --> From a hash entity populated with the SSL cert SHA hash, show all related domain entities known in the DomainTools database.
  • Iris: MX Record to Domains --> Show all domain entities that list this mail server hostname in their DNS MX record.
  • Iris: Redirect Domain to Domain --> Recursively follow a chain of redirects from domain to redirect to domain and over again if further redirects exist.