Converting Maltego Domains and IPs To CSV

What I'm about to show you is pretty nice if you do a lot of work in Maltego. I created it for improving my own workflow when working with domains and IP addresses, so that I didn't have to do as much manual conversion to use the data in other tools.

You may have noticed that if you right-click a node, copy it, and paste it into a text editor, it is pasted as GraphML. Remember our previous Python Gist in From Maltego To A Distributed Graph Environment: instead of outputting the data to Titan, we can create a CSV file (or whatever format you prefer) by adding a new method:

def printCsv(vertices):
    # Map each supported Maltego entity type to (CSV label, property key).
    supported = {
        "maltego.IPv4Address": ("ipv4", "ipv4-address"),
        "maltego.Domain": ("fqdn", "fqdn"),
    }
    print("entity_type, value")
    for vertice in vertices:
        entity_type = vertice['entity_type']
        # Honour the optional filter; `options` is the Gist's parsed command-line options.
        if options.entity_filter and options.entity_filter != entity_type:
            continue
        # Skip unsupported entity types instead of failing or reprinting
        # the previous row's values.
        if entity_type not in supported:
            continue
        label, key = supported[entity_type]
        print(u"%s,%s" % (label, vertice['value'][key]))

The above is a little limited, since it ugly-implements support for outputting only Maltego's IPv4 and domain entities. I guess you get the concept, right?

Take a couple of IP and domain entities, copy them to the given file, and run the new mtgx2csv Gist with python mtgx2csv.py -f from_ctrl_c.graphml. The result is a list written to stdout:

entity_type, value
fqdn,vg.no
ipv4,195.88.55.16

You can grab a copy from this Gist to get started.

Edit 21/02: As Paterva points out, you may also right-click-copy-as-list to get the data in a key/value fashion.

That will bring you a similar list:

maltego.Domain#vg.no
maltego.IPv4Address#195.88.55.16

If you are doing manual analysis, as in the case of this post, that will take you as far as the output of the script I showed you above (and beyond, since you only get domains and IPs from mtgx2csv). If you are automating extraction from your graphs, you could still use mtgx2csv for that.
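An added example (not from the original post or the mtgx2csv Gist): converting the copy-as-list output into the same two-column CSV, so both routes feed other tools the same way. It assumes every line has the type#value shape of the two samples above; the function names are hypothetical and the sample input is constructed.

```python
import csv
import io
import ipaddress

# CSV labels follow the printCsv output above; the parsing is an assumption
# based on the two "type#value" sample lines shown in the post.
LABELS = {"maltego.Domain": "fqdn", "maltego.IPv4Address": "ipv4"}


def list_to_rows(text, entity_filter=None):
    """Turn copy-as-list text into (label, value) rows, skipping what cannot be mapped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Split on the first '#' only, so a value containing '#' stays whole.
        entity_type, sep, value = line.partition("#")
        if not sep or entity_type not in LABELS:
            continue  # malformed line or unsupported entity type
        if entity_filter and entity_filter != entity_type:
            continue
        if entity_type == "maltego.IPv4Address":
            try:
                value = str(ipaddress.IPv4Address(value))
            except ValueError:
                continue  # not a valid IPv4 address
        rows.append((LABELS[entity_type], value))
    return rows


def rows_to_csv(rows):
    """Render rows as CSV; the csv module quotes values that contain commas."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["entity_type", "value"])
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample: the two lines from the post plus lines that must be skipped.
SAMPLE = """maltego.Domain#vg.no
maltego.IPv4Address#195.88.55.16
maltego.Person#John Doe
maltego.IPv4Address#999.1.1.1
not a list line
"""

if __name__ == "__main__":
    print(rows_to_csv(list_to_rows(SAMPLE)), end="")
```

Unlike the print-based method, this writes the header without a space after the comma and quotes any value that itself contains a comma, so the output loads cleanly into tools that parse CSV strictly.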

Tommy

Tommy is an analyst and incident handler with more than seven years of experience from the government and private industry. He holds an M.Sc. in Digital Forensics and a B.Tech. in information security