Sploitego

Nadeem Douba

Thu, 21st February 2013


Speaker Bio 1:
Nadeem Douba (GWAPT, GPEN) is currently situated in the Ottawa (Ontario, Canada) valley, where he provides technical security consulting services primarily to clients in the health, education, and public sectors. Nadeem has been involved in the security community for over ten years and has frequently presented talks at his local ISSA chapter, and most recently at DEF CON 20 on the topics of Open Source Intelligence and mobile security. He is also an active member of the open source software community and has contributed to projects such as libnet, BackTrack, and Maltego.

Questions and answers

Max, Concise Courses:
Does Sploitego have a cell phone pentesting ability?

Nadeem Douba:
It doesn’t yet. There’s a whole suite of pentesting tools that haven’t been integrated yet, like SET (Social Engineering Toolkit). There’s a whole bunch of work being done right now on the framework to make it really easy for people to develop, so if you have the info for Cell Phone Hacking, I’d be extremely interested to integrate it, so give me a shout!


Max, Concise Courses:
Do governments and their respective cyber security departments use OSINT to help solve crime and identify hacking patterns?

Nadeem Douba:
I wouldn’t be able to answer that officially, but there is indication that they do use things like this [Open-source intelligence (OSINT): intelligence collected from publicly available sources]. Bloomberg just recently showcased Maltego on the news [see video below].

Video in reference to the above question and answer: Bloomberg reporting on Chinese Hackers and USA Forensics Experts using Maltego:

[answer continued]…
I believe it was someone in the States working for a government department who used it to unveil some sort of Chinese malware ring. I’m not entirely clear on the details, but it was showcased on the news. I know that the guys that I am in touch with are using Maltego to do OSINT research along with their own security research. It’s a pretty interesting field.


Max, Concise Courses:
Are there any particular verticals that you see use Maltego more than others? You mentioned hospitality in the presentation; are there any other industries that use Maltego and Sploitego more than others?

Nadeem Douba:
To be honest, I am not really sure on the metrics. We use it here on all of our assessments because it gives us great insight into what is wrong right away, especially with the visual analytics that comes as part of Maltego. There are a lot of cool things that you can do visually with graphs to make the data clearer. We do use it across all the pentests, Nmap, Nessus etc. through that. In terms of other organizations using it, I have had people drop me a line from mysterious places, but I don’t hear back from them anymore! I think it has been adopted [Maltego] in the underground and in a professional sense.


Max, Concise Courses:
Another question just came in! [from comments below during the show] – I see that you are running Maltego on a Mac, is there a tutorial for this? I.e. to use Maltego on a Mac?

Nadeem Douba:
No, but I will put it up. I have a YouTube Channel for your viewers to watch [that will have the tutorial when it is made].