Maltego Teeth

Maltego Teeth is a comprehensive transform package that extends Maltego with reconnaissance and open-source intelligence (OSINT) capabilities. Teeth provides advanced transforms for investigating social media profiles, extracting domain intelligence, analyzing business relationships, and correlating threat indicators across multiple data sources. It is designed for security professionals, penetration testers, and threat researchers conducting comprehensive target reconnaissance and intelligence gathering.

  • Maltego Classic or Maltego XL 4.1 or higher
  • Active internet connection for API queries
  • Sufficient system RAM (8GB minimum recommended)

# Download Maltego from https://www.maltego.com/
# Launch Maltego application
# Navigate to Transform Hub
# Search for "Maltego Teeth"
# Click Install
# Accept permissions and license agreement
# Download Maltego
# Install via DMG package
# Launch Maltego.app
# Access Preferences → Transforms → Hub
# Search and install "Maltego Teeth"
# Install via apt on Debian/Ubuntu
sudo apt-get install maltego

# Or download from maltego.com
# Extract and run install script
cd ~/Downloads
unzip maltego-*.zip
./install.sh

# Access through Transform Hub after launch

| Transform | Purpose |
|---|---|
| Email to Facebook | Find Facebook profile from email address |
| Phone to Instagram | Locate Instagram account from phone number |
| Username to Social | Identify social profiles from username |
| Social to Business | Link social profiles to business entities |
| Profile to Relations | Extract connections and relationships |

| Transform | Purpose |
|---|---|
| Domain to IP | Resolve domain to IP addresses |
| IP to Domain | Reverse domain lookup |
| Domain to DNS Records | Extract complete DNS configuration |
| Domain to Subdomains | Discover subdomain structure |
| Whois Lookup | Detailed WHOIS registration data |

| Transform | Purpose |
|---|---|
| Hash to Malware | Correlate file hashes with threat databases |
| IP to Threats | Check IP reputation and threat history |
| Domain to Threats | Verify domain against threat intelligence |
| Email to Breaches | Check involvement in known data breaches |
| URL to Threats | Analyze URL for malicious content |

Email Address

[Email to Social Media]

    ├→ Facebook profiles
    ├→ LinkedIn accounts
    ├→ Twitter handles
    └→ Instagram accounts

    [Profile to Relations]

        Friends, connections, followers
Domain Name

[Domain to IP]

IP Address(es)

[IP to Domain]

    ├→ Related domains
    ├→ Hosting provider info
    └→ Threat reputation

    [Domain to Subdomains]

        Subdomain discovery and enumeration
Starting entity: email@example.com

Transform: Email to Facebook
Result: Identified linked Facebook profile
Result details: Profile URL, friend count, location

Transform: Email to LinkedIn
Result: Professional profile discovered
Additional data: Company, job title, connections

Transform: Email to Twitter
Result: Twitter handle found
Intelligence: Tweet history analysis available
Starting entity: +1-555-0123

Transform: Phone to Instagram
Result: Instagram account linked
Data: Profile picture, follower count, posts

Transform: Phone to WhatsApp
Result: WhatsApp status visibility
Intelligence: Last seen, profile information

Transform: Phone to Telegram
Result: Telegram username discovered
Connections: Group memberships identified
Starting entity: john.doe.456

Transform: Username to Social
Results (simultaneous across platforms):
    - Facebook: john.doe.456 (active)
    - Twitter: @johndoe456 (active)
    - Instagram: john.doe.456 (inactive)
    - LinkedIn: john-doe-456 (active)
    - GitHub: johndoe456 (active)
    - Reddit: johndoe456 (active)

Transform: Social to Connections
Results: Identify common associates across platforms
Company name input

Transform: Company to Employees

Employee list with roles

Transform: Person to Social

Employee social profiles

Transform: Social to Relations

Extended network mapping
File Hash (SHA-256)

Transform: Hash to Malware
Results:
    - Detection count across antivirus engines
    - First/last seen dates
    - Threat classification
    - Related samples

Transform: Malware to C2

Command & Control infrastructure mapping
Target Email Address
    ├→ Email to Social Profiles
    ├→ Email to Breach Databases
    ├→ Email to Whois
    └→ Email to Dark Web Mentions

    Aggregated intelligence profile

    Cross-reference with other entities
Organization name

[Company to Domain]

Primary domain discovered

[Domain to Subdomains]
    ├→ Mail server: mail.company.com
    ├→ VPN: vpn.company.com
    ├→ Development: dev.company.com
    └→ Support: support.company.com

    [Domain to Email Addresses]

        Employee email patterns discovered

        [Email to Social Profiles]

            Employee social presence mapped
Target Name

[Name to Username]

Unique usernames identified

[Username to Social]
    ├→ Find across 15+ platforms
    └→ Profile consolidation

    [Profile to Relations]

        Identify associates
        ├→ Family members
        ├→ Colleagues
        ├→ Friends
        └→ Online contacts

        [Relation to Background Data]

            Location history, timeline, patterns
Suspicious URL

[URL Analysis]
    ├→ Check against threat databases
    ├→ Extract domain
    └→ Analyze hosting infrastructure

    [Domain Intelligence]
        ├→ Whois information
        ├→ IP geolocation
        └→ Historical DNS records

        [Threat Correlation]
            ├→ Known malware associations
            ├→ Phishing campaign links
            └→ C2 infrastructure ties

            Intelligence summary generated
Graph Export:
    - Graphical representation of entities and relationships
    - Export as PNG, PDF, SVG
    
CSV Export:
    - Tabular data for spreadsheet analysis
    - Compatible with Excel, Google Sheets
    
JSON Export:
    - Machine-readable format
    - API integration capability
After completing transforms:

1. Select all entities in graph
2. Right-click → Export
3. Choose format (PNG for visual report, CSV for data)
4. Annotate findings with notes
5. Create timeline of discovered information
6. Document all sources and dates
From Maltego Teeth:
    ├→ Export entity list → CSV
    ├→ Import CSV → Shodan for infrastructure analysis
    ├→ Export domains → WHOIS lookup in BulkWhois
    ├→ Export IPs → VirusTotal for reputation check
    └→ Export emails → Have I Been Pwned check
Maltego Teeth output

├→ Email addresses → Investigate with Hunter.io
├→ Domains → Scan with Nessus or OpenVAS
├→ IPs → Map with MaxMind geolocation
├→ Usernames → Check with Sherlock
└→ Social profiles → Analyze with SocialBlade
Best practices for scale:

1. Start with narrow scope (single email or domain)
2. Apply transforms selectively, not all at once
3. Use filters to focus on relevant results
4. Periodically export and review data
5. Break large investigations into phases
6. Monitor system resources during processing
Minimum:
    - 8GB RAM
    - Dual-core processor
    - 2Mbps internet connection
    - 500MB free disk space

Recommended for large investigations:
    - 16GB+ RAM
    - Quad-core processor
    - 10Mbps+ internet connection
    - SSD with 5GB+ free space
Maltego → Settings → Servers and Services

Add API credentials for:
    - VirusTotal (threat intelligence)
    - Hunter.io (email discovery)
    - Shodan (internet scanning)
    - ReverseWhois (domain ownership)
    - Censys (certificate analysis)
Free tier limitations:
    - 500 API calls per day per service
    - Rate limiting: 5 requests per minute
    - Limited to public data sources

Premium tier:
    - Unlimited API calls
    - Priority processing queue
    - Access to premium data sources
    - Custom transform development
When conducting investigations:
    1. Use VPN or proxy for queries
    2. Don't query personal information from personal devices
    3. Use dedicated investigation accounts
    4. Consider rate limiting to avoid detection
    5. Document only necessary information
    6. Secure all investigation data
    7. Comply with local regulations
Investigation scope limits:
    ✓ Public social media analysis
    ✓ WHOIS and DNS lookups
    ✓ Threat intelligence correlation
    ✓ Authorized penetration testing

    ✗ Unauthorized access to private accounts
    ✗ Circumventing authentication systems
    ✗ Violating terms of service
    ✗ Unlawful interception of communications
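
The scope gate below is an added example, not part of the original cheat sheet and not Maltego's own code. It applies the scope limits above to the export handoff described earlier (domains and IPs passed to a scanner such as Nessus or OpenVAS): exported entities are deduplicated, and anything outside the authorized scope is held back. The CSV column layout, the authorized domain and network, and all function names are assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample export; the (type, value) column layout is an assumption.
SAMPLE_EXPORT = """type,value
Domain,mail.company.com
Domain,MAIL.company.com.
Domain,othercompany.com
Domain,cdn.thirdparty.example
IPv4Address,192.0.2.10
IPv4Address,198.51.100.7
IPv4Address,not-an-ip
"""

# Constructed rules of engagement: what the client authorized for scanning.
AUTHORIZED_DOMAINS = {"company.com"}
AUTHORIZED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

def normalize(kind, value):
    """Canonical form so duplicates collapse; None if unusable."""
    value = value.strip()
    if kind == "Domain":
        return value.lower().rstrip(".") or None
    if kind == "IPv4Address":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    return None  # other entity types never go to a scanner

def in_scope(kind, value):
    """Match whole DNS labels, so othercompany.com != company.com."""
    if kind == "Domain":
        return any(value == d or value.endswith("." + d) for d in AUTHORIZED_DOMAINS)
    return any(ipaddress.IPv4Address(value) in n for n in AUTHORIZED_NETWORKS)

def split_by_scope(export_text):
    """Return (scan_targets, held_back, rejected) for an exported list."""
    targets, held, rejected, seen = [], [], [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        kind, raw = row["type"], row["value"]
        value = normalize(kind, raw)
        if value is None:
            rejected.append(raw)
        elif (kind, value) not in seen:
            seen.add((kind, value))
            (targets if in_scope(kind, value) else held).append(value)
    return targets, held, rejected
```

Only the first list goes to the scanner; the held-back list is what needs written authorization from its owner (for example a third-party CDN or hosting provider) before any active testing.
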
Solution approaches:
    1. Search alternative username variations
    2. Check associated email addresses
    3. Look for usernames on different platforms
    4. Search phone numbers if available
    5. Check professional networks (LinkedIn)
    6. Look for business associations
Solution approaches:
    1. Use alternative data sources
    2. Cross-reference multiple sources
    3. Look for pattern indicators
    4. Check historical data (Wayback Machine)
    5. Investigate related entities
    6. Use threat intelligence feeds
Solution approaches:
    1. Filter results by relevance
    2. Use entity deduplication
    3. Focus on high-confidence results
    4. Create investigative timelines
    5. Group related entities
    6. Use relationship highlighting
Target company name

[Company to Employees] → Social profiles

[Social to Company]

Uncover business relationships

[Company to Domain]

Infrastructure mapping

[Domain to DNS]

Technical infrastructure analysis
Suspicious email address

[Email to All Platforms]

Identify fraudulent profiles

[Profile to Relations]

Discover fraud network

[Entity to Historical Data]

Timeline of fraudulent activity
Target organization

[Company to Suppliers]

Identify supply chain partners

[Partner to Domain]

Analyze infrastructure dependencies

[Domain to Threats]

Evaluate supply chain risk

| Issue | Solution |
|---|---|
| "API limit exceeded" | Wait for rate limit reset; upgrade to premium; use multiple API keys |
| "No results found" | Verify entity spelling; try alternative identifiers; check data source status |
| "Connection timeout" | Verify internet connectivity; check firewall rules; try again later |
| "Missing transforms" | Reinstall from Transform Hub; verify license; update Maltego |
| "Performance degradation" | Close other applications; reduce entity count; export and reload graph |

# Check Maltego version
# Via menu: Help → About Maltego
# Should be 4.1 or higher

# Verify Transform Hub access
# Via menu: Tools → Hub
# Should connect successfully

# Test transforms
# Create simple email entity
# Run Email to Social Transform
# Should return results
1. Define clear investigation objectives
2. Establish baseline data before transforms
3. Document all sources and timestamps
4. Verify findings through multiple methods
5. Maintain chronological investigation log
6. Preserve evidence and screenshots
7. Create comprehensive final report
# Regular backups
# Export investigation graphs periodically
# Maintain organized folder structure
# Document methodologies used
# Archive completed investigations
# Follow retention policies
  • Shodan: Internet search engine for connected devices
  • Hunter.io: Email discovery and verification
  • VirusTotal: Multi-engine malware scanning
  • Censys: Public internet certificate analysis
  • TheHarvester: Email and subdomain enumeration
  • SpiderFoot: Open-source OSINT automation
  • Recon-ng: Web reconnaissance framework