EPISODE · Dec 3, 2025 · 16 MIN
Course 12 - Maltego Advanced Course | Episode 2: Maltego Infrastructure Entities, Transforms, and Footprinting Techniques
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about:
- The core entities used in Maltego infrastructure investigations
- How transforms connect Domains, DNS names, IPs, Netblocks, and ASNs
- The methodology of Level 1, L2, L3, and XL infrastructure footprinting
- Key transforms for pivoting forwards and backwards in infrastructure graphs
- The difference between live DNS, passive DNS, and specialized DNS transforms

Summary of the Episode: This episode provides a structured introduction to infrastructure investigations in Maltego, covering the foundational entities, essential transforms, and the systematic methods used for infrastructure footprinting. It explains how domains, DNS names, IP addresses, Netblocks, and Autonomous Systems interrelate, and how transforms allow analysts to map and attribute online infrastructure.

1. Foundational Entities & Core Concepts

Infrastructure investigations rely on a small set of critical entities:

Key Entities
- Domain
  - Public-facing resource
  - Common starting point for discovering related DNS names
- DNS Name (and variants like Website, NS, MX)
  - Represents a system that can resolve to an IP address
  - Often a gateway to other infrastructure
- IPv4 Address
  - A central pivot point in investigations
  - Even on shared hosting, IPs remain strong identifiers
- Netblock
  - A range of IP addresses
  - Useful for clustering infrastructure and linking disparate nodes
- Autonomous System (AS / ASN)
  - Represents routing ownership over Netblocks
  - Useful for identifying ISPs or large organizations

Other Useful Entities
- Email Address — often the strongest pivot in broader investigations
- Port & Service — show server capabilities (SSH, RDP, HTTP, etc.)
- Tracking Code — connects different websites to the same operator

2. Core Infrastructure Transforms

The episode divides standard Maltego infrastructure transforms into functional groups.

1. Domain → DNS Name
Methods used:
- To Website (Quick Lookup) — checks common “www” A/AAAA records
- To Website Using Domain (Bing) — broader search engine discovery
- Passive DNS (Robtex/Robex) — historic DNS relationships
- SPF Transform — extracts DNS names and IPs from email policies

2. DNS Name → IP Address
- To IP Address
  - Resolves any DNS name to its current IP

3. IP Address → Netblock / ASN
Transforms use:
- Historic Passive DNS
- Global routing data
- WHOIS sources (ARIN, RIPE, APNIC, etc.)
Important transforms:
- Using Natural Boundaries — creates typical /24 IP ranges
- To AS Number — gets ASN from the Robex database
- To Company Owner — retrieves organization ownership & location

3. Footprinting Methodology

Infrastructure footprinting is a repeatable process across industries.

Level 1 Footprinting (L1)
Example shown using CIA.gov
Steps:
- Find all DNS names / Websites for the domain
- Resolve all DNS names → IP addresses
- Cluster IPs → Netblocks (often with natural boundaries)
- Run To AS Number on the Netblocks
- Extract ownership using To Company Owner
This reveals which Netblocks actually belong to the organization and allows deeper exploration (e.g., Wikipedia edits from those IPs).

Higher-Level Footprinting
- L2 & L3 Machines
  - Add more depth
  - Use Reverse DNS (PTR lookups)
  - Provide prompts to filter MX/NS results
  - Reveal additional infrastructure through recursive pivots
- XL Footprint
  - Uses a completely different strategy
  - Heavy focus on reverse DNS on name servers and SPF-derived IPs
  - Requires significant system resources
  - Most thorough automated footprint

4. Pivoting Techniques

Pivoting is how analysts move through an investigation graph.

Forward Pivot
Domain → DNS Name → IP Address → Netblock → ASN

Backward Pivot
IP Address → Historic DNS Names → Domains → Tracking Codes
Used to uncover:
- Hidden assets
- Legacy systems
- Connected infrastructures

5. DNS Transform Distinctions

Two commonly confused transforms:
- To Website Mentioning Domain
  - Broad search for any website that references the domain
  - Good for OSINT, not for footprinting
- To Website Using Domain
  - Returns websites that end with your domain
  - Ideal for discovering all related organizational websites

Live vs Passive DNS
- Reverse DNS (PTR) = current data
- Passive DNS (Robex/Robtex) = historic and may show old mappings
- Maltego displays these as dotted links

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
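The Level 1 forward pivot (DNS Name → IP Address → Netblock → ASN → owner) can be reproduced offline when reviewing your own organization's external footprint. The sketch below is an added example, not code from the episode or from Maltego: the function names are hypothetical, all names, addresses, ASNs and owners are constructed from documentation ranges, and the `ROUTES` table stands in for the routing and WHOIS lookups behind To AS Number and To Company Owner.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (documentation address and ASN ranges).
RESOLUTIONS = {  # DNS name -> currently resolved IPv4 address
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
    "vpn.example.com": "198.51.100.7",
    "shop.example.com": "203.0.113.80",
    "cdn.example.com": "203.0.113.200",
}
ROUTES = [  # (routed prefix, ASN, registered owner), all hypothetical
    ("192.0.2.0/24", 64496, "Example Corp"),
    ("198.51.100.0/22", 64500, "Constructed Transit ISP"),
    ("198.51.100.0/24", 64496, "Example Corp"),
    ("203.0.113.0/24", 64511, "Constructed Hosting Ltd"),
]

def natural_netblock(ip):
    """Natural-boundary clustering: the /24 that contains the address."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def cluster(resolutions):
    """Group DNS names by the /24 netblock their IP falls in."""
    blocks = defaultdict(list)
    for name, ip in sorted(resolutions.items()):
        blocks[natural_netblock(ip)].append(name)
    return dict(blocks)

def attribute(block, routes):
    """Most specific routed prefix covering the netblock, or None."""
    best = None
    for prefix, asn, owner in routes:
        net = ipaddress.ip_network(prefix)
        if block.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, owner)
    return best

def footprint(resolutions, routes, org):
    """One row per netblock, flagging blocks registered to the organization."""
    report = []
    for block, names in sorted(cluster(resolutions).items()):
        hit = attribute(block, routes)
        asn, owner = (hit[1], hit[2]) if hit else (None, "unknown")
        report.append({"netblock": str(block), "names": names, "asn": asn,
                       "owner": owner, "in_scope": owner == org})
    return report

if __name__ == "__main__":
    for row in footprint(RESOLUTIONS, ROUTES, "Example Corp"):
        print(row)
```

Netblocks with `in_scope` set to false are hosted on someone else's address space; a /24 natural boundary is only a clustering heuristic, so ownership should be confirmed per block before treating neighbouring addresses as the organization's.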