Overview
Maltego Teeth is a transform package that extends Maltego with reconnaissance and open-source intelligence (OSINT) capabilities. Teeth provides transforms for investigating social media profiles, extracting domain intelligence, analyzing business relationships, and correlating threat indicators across multiple data sources. It is designed for security professionals, penetration testers, and threat researchers conducting target reconnaissance and intelligence gathering.
Installation
Prerequisites
- Maltego Classic or Maltego XL 4.1 or higher
- Active internet connection for API queries
- Sufficient system RAM (8GB minimum recommended)
Installation Steps
Windows
# Download Maltego from https://www.maltego.com/
# Launch Maltego application
# Navigate to Transform Hub
# Search for "Maltego Teeth"
# Click Install
# Accept permissions and license agreement
macOS
# Download Maltego
# Install via DMG package
# Launch Maltego.app
# Access Preferences → Transforms → Hub
# Search and install "Maltego Teeth"
Linux
# Install via apt on Debian/Ubuntu
sudo apt-get install maltego
# Or download from maltego.com
# Extract and run install script
cd ~/Downloads
unzip maltego-*.zip
./install.sh
# Access through Transform Hub after launch
| Transform | Purpose |
|---|---|
| Email to Facebook | Find Facebook profile from email address |
| Phone to Instagram | Locate Instagram account from phone number |
| Username to Social | Identify social profiles from username |
| Social to Business | Link social profiles to business entities |
| Profile to Relations | Extract connections and relationships |
Domain Intelligence Transforms
| Transform | Purpose |
|---|---|
| Domain to IP | Resolve domain to IP addresses |
| IP to Domain | Reverse domain lookup |
| Domain to DNS Records | Extract complete DNS configuration |
| Domain to Subdomains | Discover subdomain structure |
| Whois Lookup | Detailed WHOIS registration data |
| Transform | Purpose |
|---|---|
| Hash to Malware | Correlate file hashes with threat databases |
| IP to Threats | Check IP reputation and threat history |
| Domain to Threats | Verify domain against threat intelligence |
| Email to Breaches | Check involvement in known data breaches |
| URL to Threats | Analyze URL for malicious content |
Basic OSINT Investigation Workflow
Email-Based Investigation
Email Address
↓
[Email to Social Media]
↓
├→ Facebook profiles
├→ LinkedIn accounts
├→ Twitter handles
└→ Instagram accounts
↓
[Profile to Relations]
↓
Friends, connections, followers
Domain Analysis Workflow
Domain Name
↓
[Domain to IP]
↓
IP Address(es)
↓
[IP to Domain]
↓
├→ Related domains
├→ Hosting provider info
└→ Threat reputation
↓
[Domain to Subdomains]
↓
Subdomain discovery and enumeration
Email Investigation
Starting entity: email@example.com
Transform: Email to Facebook
Result: Identified linked Facebook profile
Result details: Profile URL, friend count, location
Transform: Email to LinkedIn
Result: Professional profile discovered
Additional data: Company, job title, connections
Transform: Email to Twitter
Result: Twitter handle found
Intelligence: Tweet history analysis available
Phone Number Investigation
Starting entity: +1-555-0123
Transform: Phone to Instagram
Result: Instagram account linked
Data: Profile picture, follower count, posts
Transform: Phone to WhatsApp
Result: WhatsApp status visibility
Intelligence: Last seen, profile information
Transform: Phone to Telegram
Result: Telegram username discovered
Connections: Group memberships identified
Username Enumeration
Starting entity: john.doe.456
Transform: Username to Social
Results (simultaneous across platforms):
- Facebook: john.doe.456 (active)
- Twitter: @johndoe456 (active)
- Instagram: john.doe.456 (inactive)
- LinkedIn: john-doe-456 (active)
- GitHub: johndoe456 (active)
- Reddit: johndoe456 (active)
Transform: Social to Connections
Results: Identify common associates across platforms
Advanced Investigation Techniques
Business Entity Investigation
Company name input
↓
Transform: Company to Employees
↓
Employee list with roles
↓
Transform: Person to Social
↓
Employee social profiles
↓
Transform: Social to Relations
↓
Extended network mapping
Threat Correlation
File Hash (SHA-256)
↓
Transform: Hash to Malware
Results:
- Detection count across antivirus engines
- First/last seen dates
- Threat classification
- Related samples
↓
Transform: Malware to C2
↓
Command & Control infrastructure mapping
Multi-Source Verification
Target Email Address
├→ Email to Social Profiles
├→ Email to Breach Databases
├→ Email to Whois
└→ Email to Dark Web Mentions
↓
Aggregated intelligence profile
↓
Cross-reference with other entities
Reconnaissance Scenarios
Pre-Engagement Assessment
Organization name
↓
[Company to Domain]
↓
Primary domain discovered
↓
[Domain to Subdomains]
├→ Mail server: mail.company.com
├→ VPN: vpn.company.com
├→ Development: dev.company.com
└→ Support: support.company.com
↓
[Domain to Email Addresses]
↓
Employee email patterns discovered
↓
[Email to Social Profiles]
↓
Employee social presence mapped
Targeted Individual Investigation
Target Name
↓
[Name to Username]
↓
Unique usernames identified
↓
[Username to Social]
├→ Find across 15+ platforms
└→ Profile consolidation
↓
[Profile to Relations]
↓
Identify associates
├→ Family members
├→ Colleagues
├→ Friends
└→ Online contacts
↓
[Relation to Background Data]
↓
Location history, timeline, patterns
Threat Intelligence Gathering
Suspicious URL
↓
[URL Analysis]
├→ Check against threat databases
├→ Extract domain
└→ Analyze hosting infrastructure
↓
[Domain Intelligence]
├→ Whois information
├→ IP geolocation
└→ Historical DNS records
↓
[Threat Correlation]
├→ Known malware associations
├→ Phishing campaign links
└→ C2 infrastructure ties
↓
Intelligence summary generated
Data Export and Analysis
Graph Export:
- Graphical representation of entities and relationships
- Export as PNG, PDF, SVG
CSV Export:
- Tabular data for spreadsheet analysis
- Compatible with Excel, Google Sheets
JSON Export:
- Machine-readable format
- API integration capability
Creating Investigation Reports
After completing transforms:
1. Select all entities in graph
2. Right-click → Export
3. Choose format (PNG for visual report, CSV for data)
4. Annotate findings with notes
5. Create timeline of discovered information
6. Document all sources and dates
From Maltego Teeth:
├→ Export entity list → CSV
├→ Import to Shodan for infrastructure analysis
├→ Export domains → WHOIS lookup in BulkWhois
├→ Export IPs → VirusTotal for reputation check
└→ Export emails → Have I Been Pwned check
Maltego Teeth output
↓
├→ Email addresses → Investigate with Hunter.io
├→ Domains → Scan with Nessus or OpenVAS
├→ IPs → Map with MaxMind geolocation
├→ Usernames → Check with Sherlock
└→ Social profiles → Analyze with SocialBlade
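Cleaning an exported entity list before handing it to the external services above, as an added Python example rather than Maltego's own code: it deduplicates entities and withholds internal addresses from third-party reputation lookups. The `type`/`value` column names, the function names and the sample rows are constructed assumptions, not Maltego's documented export schema.

```python
import csv
import io
import ipaddress

# Constructed sample export; the "type"/"value" columns are an assumption,
# not Maltego's documented CSV schema.
SAMPLE_EXPORT = """type,value
Domain,Example.COM.
Domain,example.com
IPv4Address,198.51.100.7
IPv4Address, 198.51.100.7
IPv4Address,10.0.0.5
IPv4Address,not-an-ip
EmailAddress,Alice@Example.com
EmailAddress,alice@example.com
"""

# Internal ranges that should not be sent to a third-party reputation service.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def normalise(kind, value):
    """Canonical form of an entity value, or None if it is malformed."""
    value = value.strip().lower()   # lower-casing is for deduplication only
    if kind == "IPv4Address":
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            return None
    if kind == "Domain":
        value = value.rstrip(".")   # drop the trailing root dot
    return value or None


def triage(export_text):
    """Deduplicate an export; return (unique by type, withheld IPs, rejected rows)."""
    unique, withheld, rejected = {}, set(), 0
    for row in csv.DictReader(io.StringIO(export_text)):
        canon = normalise(row["type"], row["value"])
        if canon is None:
            rejected += 1
        elif row["type"] == "IPv4Address" and any(
                ipaddress.IPv4Address(canon) in net for net in INTERNAL_NETS):
            withheld.add(canon)     # keep internal addressing out of external queries
        else:
            unique.setdefault(row["type"], set()).add(canon)
    return unique, sorted(withheld), rejected
```

Extend `INTERNAL_NETS` with any other ranges your organisation treats as internal before using the shareable set for external lookups.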
Managing Large Investigations
Best practices for scale:
1. Start with narrow scope (single email or domain)
2. Apply transforms selectively, not all at once
3. Use filters to focus on relevant results
4. Periodically export and review data
5. Break large investigations into phases
6. Monitor system resources during processing
System Requirements
Minimum:
- 8GB RAM
- Dual-core processor
- 2Mbps internet connection
- 500MB free disk space
Recommended for large investigations:
- 16GB+ RAM
- Quad-core processor
- 10Mbps+ internet connection
- SSD with 5GB+ free space
Configuration and API Keys
Adding Data Sources
Maltego → Settings → Servers and Services
↓
Add API credentials for:
- VirusTotal (threat intelligence)
- Hunter.io (email discovery)
- Shodan (internet scanning)
- ReverseWhois (domain ownership)
- Censys (certificate analysis)
Privacy and API Limits
Free tier limitations:
- 500 API calls per day per service
- Rate limiting: 5 requests per minute
- Limited to public data sources
Premium tier:
- Unlimited API calls
- Priority processing queue
- Access to premium data sources
- Custom transform development
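A client-side guard for the free-tier limits listed above (5 requests per minute, 500 calls per day per service), as an added Python example that is not part of Maltego or Teeth. `QuotaThrottle` and `simulate` are hypothetical names, and the fixed 24-hour window starting at first use is an assumption, since the page does not say when the daily quota resets.

```python
import time
from collections import deque


class QuotaThrottle:
    """Client-side guard for one service's free-tier quota (limits from the page)."""

    def __init__(self, per_minute=5, per_day=500, clock=time.monotonic):
        self.per_minute = per_minute
        self.per_day = per_day
        self.clock = clock          # injectable so the logic can be tested
        self.recent = deque()       # timestamps of calls in the last 60 s
        self.day_start = clock()    # assumption: daily window starts at first use
        self.day_count = 0

    def wait_time(self):
        """Seconds to wait before the next call is allowed (0.0 means go now)."""
        now = self.clock()
        if now - self.day_start >= 86400:           # a new 24 h window begins
            self.day_start, self.day_count = now, 0
        while self.recent and now - self.recent[0] >= 60:
            self.recent.popleft()                   # expire old timestamps
        if self.day_count >= self.per_day:
            return self.day_start + 86400 - now
        if len(self.recent) >= self.per_minute:
            return self.recent[0] + 60 - now
        return 0.0

    def record(self):
        """Register one call; raises if it would exceed the quota."""
        if self.wait_time() > 0:
            raise RuntimeError("quota exhausted; check wait_time() first")
        self.recent.append(self.clock())
        self.day_count += 1


def simulate(calls, spacing, **limits):
    """Replay `calls` requests `spacing` seconds apart; return (allowed, deferred)."""
    t = [0.0]                                       # fake clock, in seconds
    throttle = QuotaThrottle(clock=lambda: t[0], **limits)
    allowed = deferred = 0
    for _ in range(calls):
        if throttle.wait_time() == 0:
            throttle.record()
            allowed += 1
        else:
            deferred += 1
        t[0] += spacing
    return allowed, deferred
```

Keep one `QuotaThrottle` per service, since the limits apply per service, and sleep for `wait_time()` before each lookup instead of retrying after an "API limit exceeded" error.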
Security Considerations
Operational Security (OPSEC)
When conducting investigations:
1. Use VPN or proxy for queries
2. Don't query personal information from personal devices
3. Use dedicated investigation accounts
4. Consider rate limiting to avoid detection
5. Document only necessary information
6. Secure all investigation data
7. Comply with local regulations
Legal and Ethical Guidelines
Investigation scope limits:
✓ Public social media analysis
✓ WHOIS and DNS lookups
✓ Threat intelligence correlation
✓ Authorized penetration testing
✗ Unauthorized access to private accounts
✗ Circumventing authentication systems
✗ Violating terms of service
✗ Unlawful interception of communications
Common Investigation Challenges
Solution approaches:
1. Search alternative username variations
2. Check associated email addresses
3. Look for usernames on different platforms
4. Search phone numbers if available
5. Check professional networks (LinkedIn)
6. Look for business associations
Solution approaches:
1. Use alternative data sources
2. Cross-reference multiple sources
3. Look for pattern indicators
4. Check historical data (Wayback Machine)
5. Investigate related entities
6. Use threat intelligence feeds
Solution approaches:
1. Filter results by relevance
2. Use entity deduplication
3. Focus on high-confidence results
4. Create investigative timelines
5. Group related entities
6. Use relationship highlighting
Advanced Workflows
Competitor Intelligence
Target company name
↓
[Company to Employees] → Social profiles
↓
[Social to Company]
↓
Uncover business relationships
↓
[Company to Domain]
↓
Infrastructure mapping
↓
[Domain to DNS]
↓
Technical infrastructure analysis
Fraud Investigation
Suspicious email address
↓
[Email to All Platforms]
↓
Identify fraudulent profiles
↓
[Profile to Relations]
↓
Discover fraud network
↓
[Entity to Historical Data]
↓
Timeline of fraudulent activity
Supply Chain Analysis
Target organization
↓
[Company to Suppliers]
↓
Identify supply chain partners
↓
[Partner to Domain]
↓
Analyze infrastructure dependencies
↓
[Domain to Threats]
↓
Evaluate supply chain risk
Troubleshooting
Common Issues and Solutions
| Issue | Solution |
|---|---|
| "API limit exceeded" | Wait for rate limit reset; upgrade to premium; use multiple API keys |
| "No results found" | Verify entity spelling; try alternative identifiers; check data source status |
| "Connection timeout" | Verify internet connectivity; check firewall rules; try again later |
| "Missing transforms" | Reinstall from Transform Hub; verify license; update Maltego |
| "Performance degradation" | Close other applications; reduce entity count; export and reload graph |
Verifying Installation
# Check Maltego version
# Via menu: Help → About Maltego
# Should be 4.1 or higher
# Verify Transform Hub access
# Via menu: Tools → Hub
# Should connect successfully
# Test transforms
# Create simple email entity
# Run Email to Social Transform
# Should return results
Best Practices
Investigation Standards
1. Define clear investigation objectives
2. Establish baseline data before transforms
3. Document all sources and timestamps
4. Verify findings through multiple methods
5. Maintain chronological investigation log
6. Preserve evidence and screenshots
7. Create comprehensive final report
Data Management
# Regular backups
# Export investigation graphs periodically
# Maintain organized folder structure
# Document methodologies used
# Archive completed investigations
# Follow retention policies
See Also
- Shodan: Internet search engine for connected devices
- Hunter.io: Email discovery and verification
- VirusTotal: Multi-engine malware scanning
- Censys: Public internet certificate analysis
- TheHarvester: Email and subdomain enumeration
- SpiderFoot: Open-source OSINT automation
- Recon-ng: Web reconnaissance framework