Christian Heinrich edited this page Mar 6, 2022 · 91 revisions

Maltego Integration

"Have I Been Pwned?"

Supported API Endpoints

"Have I Been Pwned?"

API v3

All haveibeenpwned API v3 endpoints that integrate with [Maltego] entities are supported, including the following:

  1. All breaches for an account i.e. e-mail address and alias, with and without the truncateResponse parameter.

  2. Getting all breached sites in the system, with and without the domain parameter.

  3. Getting a single breached site

  4. Getting all pastes for an e-mail address.

  5. Getting all data classes

Rate Limit

The rate limits of the following haveibeenpwned API v3 endpoints are supported:

  1. All breaches for an account i.e. e-mail address and alias.

  2. All pastes for an e-mail address

Pwned Passwords

API v2

The Searching by Range API endpoint is supported.

Further information is published by @troyhunt in his Blog [Post] and in a prior Tweet.

Rate Limit

There is no rate limit for the API v3 endpoint.

Pwned Passwords List

The latest Version 8 of Pwned Passwords List is supported.

HTTP Status Codes

The following HTTP Status Codes of API v3 are supported:

Acceptable Use

It is possible to violate the "Querying the data for purposes that are intended to cause harm to the victims of data breaches" clause of the Acceptable Use policy.

@troyhunt can be reached for clarification at https://www.troyhunt.com/contact/

License

The Creative Commons Attribution 4.0 International License of haveibeenpwned is supported.

Maltego

Installation

The Maltego Transform Hub is the preferred installation method for end users with Maltego clients from v3.6 "Chlorine" release and onwards, including the "CE" (Community Edition), "Classic" and "XL" of "m4".

The Maltego Transform Hub does not install Maltego-Configuration-HIBP.mtz and consequently this has to be manually imported into Maltego.

End users with Maltego clients prior to the v3.6 "Chlorine" release, i.e. v3.3 "Radium", v3.4 "Tungsten" and v3.5 "Carbon", are no longer supported due to the rotation of the X.509 Certificate in these versions [of the Maltego clients].

Maltego Transform Hub

The haveibeenpwned Maltego integration can be installed with the Maltego Transform Hub by dragging the mouse over and then clicking the "Install" button as per the following screenshot of the Maltego Client User Interface (UI):

m4 Transform Hub

Maltego Configuration Files

The Maltego Configuration Files are available on GitHub as Maltego-Configuration-haveibeenpwned.mtz and Maltego-Configuration-HIBP.mtz

Maltego Configuration

Entities

Custom Entities

The "Link Analysis" cmlh.linkAnalysis hidden entity is added to support the Not Found, Verified Breach, DataClasses et al. flags.

The "Error" cmlh.error hidden entity is added to support error messages from the @haveibeenpwned API.

The "Breach" haveibeenpwned.breach entity is added to support "Getting a single breached site".

Transform Seed

The Maltego Transform Seed is hosted at https://cetas.paterva.com/TDS/runner/showseed/haveibeenpwned and https://cetas.paterva.com/TDS/runner/showseed/HIBP

Transforms

All haveibeenpwned API v3 endpoints that are applicable to Maltego Entities are supported, including the following:

  1. From "Breach" haveibeenpwned.breach To "Domain" maltego.Domain
  2. From "Alias" maltego.Alias To Breaches for Account v3
  3. From "E-mail Address" maltego.EmailAddress To Breaches for Account v3
  4. From "E-mail Address" maltego.EmailAddress To Pastes v3
  5. From "Breach" breach.Name To Getting a single breached site v3
  6. From "Domain" maltego.Domain To Getting all breached sites in the system v3

Transform Set

The Maltego Transforms for haveibeenpwned belong to the Breached Transform Set, which features concurrent execution of the Maltego Transforms for the Pastes and Breached [E-mail] Account @haveibeenpwned API v3 endpoints.

Machines

There are two Maltego Machines labelled haveibeenpwned v3 and the difference is their Maltego Input Entity i.e. "Alias" maltego.Alias and "E-mail Address" maltego.EmailAddress.

Start a Maltego Machine

Maltego Machines Menu

User Interface (UI) Messages

All Maltego Transforms

"@haveibeenpwned is licensed under Creative Commons Attribution 4.0 International"

"All breaches for an account" Maltego Transform

"[Int] breached accounts added to haveibeenpwned for [String]"

"All pastes for an e-mail address" Maltego Transform

"[Int] e-mail addresses extracted by @haveibeenpwned for [String]"

Display Information

haveibeenpwned Deep Links are inserted into each "E-mail Address" and "Alias" entity.

haveibeenpwned Pwned Websites are inserted into each "Domain" entity.

The haveibeenpwned Creative Commons Attribution 4.0 International License is inserted into each returned Maltego Entity.

Bookmarks

Errors

  • Orange Purple - E-mail address not RFC 822 conformant
  • Orange Purple - Exceeded Rate Limit of API
  • Orange Purple - No User-Agent Request Header specified
  • Orange Purple - Unicode Encoding Error

"Have I been pwned?"

  • Red - Retired breach
  • Red - Sensitive breach
  • Red - Verified breach
  • Orange Purple - No Domain for Breach [Name]
  • Yellow - Fabricated breach
  • Yellow - Spam list
  • Yellow - Unverified breach
  • Green - E-mail address not found in pastes
  • Green - No breach recorded

Links

"Have I been pwned?"

  • Red - Retired breach
  • Red - Sensitive breach
  • Red - Verified breach
  • Yellow - Fabricated breach
  • Yellow - Spam list
  • Yellow - Unverified breach
  • Green - E-mail address not found in pastes
  • Green - No breach recorded

Recommended Workflow

"Have I Been Pwned?"

The haveibeenpwned Maltego Machines follow these approaches.

API v3

  1. Select all "Alias" maltego.Alias Maltego Entities and execute the Breached Alias v3 Maltego Transform.
  2. Select all "E-mail Address" maltego.EmailAddress Maltego Entities and execute the Breached E-mail v3 Maltego Transform.
  3. Select all "E-mail Address" maltego.EmailAddress Maltego Entities and execute the Pastes v3 Maltego Transform.
  4. Select all "Domain" maltego.Domain Maltego Entities and execute the Getting all breached sites in the system v3 Maltego Transform.
  5. Select all "Breach" haveibeenpwned.breach Maltego Entities and execute the Getting a single breached site v3 Maltego Transform.
  6. Select the Red, Green and Yellow Bookmarks.

The Convert Breach to Domain v3 Maltego Transform is not executed above as the Domain is already returned by the Getting all breached sites in the system v3 Maltego Transform.

"Pwned Passwords"

API v2

  1. Select all "Hash" maltego.Hash Maltego Entities and execute the v3 What is the k-anonymity of SHA-1 Hash? Maltego Transform.
  2. Click "Ball size by Weight".
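The Searching by Range lookup behind the k-anonymity Transform can be sketched as follows. This is an added example, not code from this project: only the first five characters of the SHA-1 hash are sent, and the remaining 35 are matched locally against the returned `SUFFIX:COUNT` lines. The helper names, the `fetch_range` callable and the sample response are assumptions constructed for illustration.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # Searching by Range


def sha1_hex(password):
    """Upper-case SHA-1 hex digest of a password (UTF-8)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_sha1(digest):
    """Validate a SHA-1 hex digest; return (5-char prefix, 35-char suffix)."""
    digest = digest.strip().upper()
    if len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
        raise ValueError("not a 40-character SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdecimal():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(digest, fetch_range):
    """Look up a hash while disclosing only its 5-character prefix.

    fetch_range(prefix) is a hypothetical callable returning the response
    body for RANGE_URL; the suffix comparison happens locally.
    """
    prefix, suffix = split_sha1(digest)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def constructed_response(digest, count):
    """Constructed sample body (not real data) containing digest's suffix."""
    _, suffix = split_sha1(digest)
    lines = ["0" * 35 + ":3", suffix + ":" + str(count), "not a valid line"]
    return "\r\n".join(lines)


if __name__ == "__main__":
    target = sha1_hex("P@ssw0rd")  # constructed sample input
    sent = []  # records what would have left the machine
    fake = lambda p: sent.append(p) or constructed_response(target, 42)
    print(pwned_count(target, fake), sent)
```

A hash whose suffix is absent from the response yields 0, so "not found" needs no separate HTTP status handling for this endpoint.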

Example Graphs

The Maltego-Graphs directory contains the following:

Both the newer m4 mtgx and older 3 mtgl file formats are supported.

Uptime Status

The uptime status web page has been published at https://stats.uptimerobot.com/GMwJ3hYMY