Converting Maltego Domains and IPs To CSV

What I'm about to show you is pretty nice if you do a lot of work in Maltego. I created it to improve my own workflow when working with domains and IP addresses, so that I didn't have to do as much manual conversion to use the data in other tools.

You may have noticed that if you right-click a node, copy it and then paste it into a text editor, it is pasted as GraphML. Now remember our previous Python Gist in From Maltego To A Distributed Graph Environment. Instead of outputting the data to Titan, we can create a CSV file (or whatever format you prefer) by adding a new method:

def printCsv(vertices):
    # `options` holds the parsed command-line options (defined elsewhere in the script)
    print("entity_type, value")
    for vertice in vertices:
        entity_type = vertice['entity_type']
        # Honour the optional entity filter
        if options.entity_filter and options.entity_filter != entity_type:
            continue
        if entity_type == "maltego.IPv4Address":
            kind = "ipv4"
            val = vertice['value']['ipv4-address']
        elif entity_type == "maltego.Domain":
            kind = "fqdn"
            val = vertice['value']['fqdn']
        else:
            # Only IPv4 and domain entities are supported; skip everything else
            # instead of printing an undefined or stale value
            continue
        print(u"%s,%s" % (kind, val))

The above is a little limited, since it hard-codes support for outputting only Maltego's IPv4 and domain entities. I guess you get the concept, right?

Copy a couple of IP and domain entities into a file, then run the new mtgx2csv Gist with python mtgx2csv.py -f from_ctrl_c.graphml. The result is a list written to stdout:

entity_type, value
fqdn,vg.no
ipv4,195.88.55.16

You can grab a copy from this Gist to get started.

Edit 21/02: As Paterva points out, you may also right-click-copy-as-list to get the data in a key/value fashion.

That will give you a similar list:

maltego.Domain#vg.no
maltego.IPv4Address#195.88.55.16

If you are doing manual analysis, as in the case of this post, that will take you as far as the output of the script I showed you above (and beyond, since you only get domains and IPs from mtgx2csv). If you are automating extraction from your graphs, though, you could use mtgx2csv for that.
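The copy-as-list output can also be converted to the same two-column CSV before it goes into other tools. The following is an added example, not part of the original post or Gist: the names parse_list_line and list_to_csv and the extra sample lines are assumptions, and it goes slightly beyond the post by validating IPv4 values, normalising domain names and dropping duplicates.

```python
import csv
import io
import ipaddress

# Maltego entity type -> CSV label (same labels as printCsv in the post)
TYPE_LABELS = {"maltego.IPv4Address": "ipv4", "maltego.Domain": "fqdn"}

# Constructed sample: the two entities from the post plus lines added for illustration
SAMPLE = """maltego.Domain#VG.no
maltego.IPv4Address#195.88.55.16
maltego.IPv4Address#195.88.55.999
maltego.Person#Example Person
maltego.Domain#vg.no
"""


def parse_list_line(line):
    """Return (label, value) for one 'entity_type#value' line, or None if unusable."""
    entity_type, sep, value = line.strip().partition("#")
    label = TYPE_LABELS.get(entity_type)
    value = value.strip()
    if not sep or label is None or not value:
        return None  # malformed line or unsupported entity type
    if label == "ipv4":
        try:
            value = str(ipaddress.IPv4Address(value))
        except ValueError:
            return None  # not a valid IPv4 address
    else:
        value = value.rstrip(".").lower()  # DNS names are case-insensitive
    return label, value


def list_to_csv(text, entity_filter=None):
    """Convert copy-as-list text to CSV text; also return the lines that were skipped."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")  # quotes values containing commas
    writer.writerow(["entity_type", "value"])
    seen, skipped = set(), []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or (entity_filter and line.partition("#")[0] != entity_filter):
            continue  # blank line, or excluded by the Maltego entity-type filter
        row = parse_list_line(line)
        if row is None:
            skipped.append(line)
        elif row not in seen:  # drop duplicates after normalisation
            seen.add(row)
            writer.writerow(row)
    return out.getvalue(), skipped
```

Calling list_to_csv(SAMPLE) returns the CSV text together with the rejected lines, so invalid or unsupported entries can be reviewed rather than silently passed downstream.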