Creating a collaborative attack platform with Maltego Tungsten


7/22/2019 Creating a collaborative attack platform with Maltego Tungsten

PATERVA (PTY) LTD
Maltego Tungsten with Teeth / KingPhisher
Creating a collaborative attack platform with Maltego Tungsten
RT
20130712


Background

One of the key features of Maltego Tungsten (to be released at BlackHat 2013) is collaboration. It allows analysts to share graphs in real time over XMPP. This allows a group of analysts (or attackers) to work together on the same goal. Combined with the already state-of-the-art footprinting and personal profiling capabilities we have in Maltego (think machines in Radium), this provides a very capable attack platform. It combines human intelligence, pattern recognition and powerful automated attack tools with graphical information-sharing software. When we designed and built this system our motivation was to create the ultimate attack platform that can be used by multiple analysts.

Design criteria

The following limitations were considered:

- External attack: the attack team will be conducting their attacks over the Internet. In other words, not internal to the network, not over wifi or from hosts compromised prior to the attack.
- No 0day: we assume that the attackers do not have access to 0day. The success of the attack should not hinge on the availability of 0day.
- Zero knowledge (black box): we assume that at the start of the attack the attackers have no prior knowledge of the target systems in use or the people involved.
- Attacking a large organization: we will assume that the network or organization under attack is national or multinational. In other words, the type of attack is most useful for a wide selection of targets, not a single specific host or person.

Other design criteria were that all transforms would run as local transforms (for the Teeth segment), that the code be open and written in Python/PHP, and that it would be very easy to modify and extend. The platform chosen to develop and deploy this is Kali Linux.

Maltego Teeth

Since the first release of Maltego we've made sure that none of the bundled transforms were offensive. While the results of the transforms were very valuable for security analysts, the transforms themselves did not do a lot to raise eyebrows. With our BlackHat 2013 talk we're going back to our roots: security. We've created a set of transforms that do not pretend to be friendly, that do not beg for forgiveness or ask for excuses. When using these transforms you'll be clearly attacking a target.

There are three sections of interest.

- Infrastructure. These are conventional attacks against machines connected to the Internet, as opposed to people or personal devices.
- People. These are essentially attacks where people are involved in the success of the attack. Think social engineering & spear phishing.


These will be discussed in detail below.

Infrastructure: Teeth

Keeping the limitations in mind there are basically three steps we follow here:

1. What do they have out there?
2. What can we get from what's already out there?
3. Can we get more by breaking controls?

Step 1: What's out there?

The first step is discovery of everything that the target exposes to the Internet. This is basic footprinting, something that's always been a key feature of Maltego. Using the prepackaged footprinting machines introduced with Maltego Radium you can literally do a one-click footprint of a large organization. The methodology of this footprint has been discussed in depth in the past and is not repeated here.

Below is a graph generated by the L3 footprinting machine of Maltego on the Johannesburg Stock Exchange (JSE):

It's not a massive graph as the JSE does not have a large external footprint.

The footprint of Iran's AEOI:


Or the CIA:

In comparison, a really large network map of Yahoo (just DNS names and domains):


The result of a footprint provides us with:

- Domains and DNS names (websites, MX records, NS records, reverse DNS names amongst others)
- IP addresses, netblocks and AS numbers

Step 2: What can we get to?

File and directory mining

In terms of exposed services you are most likely to see HTTP and HTTPS. The most basic form of info gathering would be to look for unlinked files and directories on these web servers, in other words file and directory mining.

There are many scripts and scanners out there that perform this function, however we've found that very few of them do this properly (e.g. not looking at HTTP status codes but rather comparing server responses). The right way to do this is as follows:

- Request a directory that you know does not exist and store the response in X.
- Request another directory that you know does not exist and store the response in Y.
- If X and Y are similar (we're using Levenshtein distance) then we know we can test properly. If they are not similar it's not possible to test other directories.
- Now request the directory you're interested in and compare the response to Y (or X). If it's significantly different then the directory is likely to be there.

In the same way we can test for filenames, with two exceptions:


- Baseline testing (X/Y) needs to be performed per file extension type. The response for an unknown ASPX file might be different to that of a PHP file.
- Baseline testing (X/Y) needs to be performed per directory. The response from the system for /scripts/login.php might be different to the response for /backup/login.php.
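The X/Y baseline comparison above, as an added example that is not the paper's code: it keeps one baseline per (directory, extension) pair as the two exceptions require, and runs offline against a constructed in-memory server (the similarity threshold, the `zz-nonexistent-*` probe names and the sample pages are assumptions, not values from the paper).

```python
# Added example, not the paper's code: the X/Y response-baseline check from the
# directory-mining section, run offline against a constructed in-memory "server".
# A separate baseline is kept per (directory, extension) pair, as the two exceptions
# above require, and a directory whose error pages are not self-similar is reported
# as untestable rather than producing false positives.
import hashlib
import os

SIMILAR = 0.85  # similarity threshold; an assumption, the paper gives no value

def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (two-row dynamic programming)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(a: str, b: str) -> float:
    """1.0 for identical responses, 0.0 for completely different ones."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest

class BaselineProber:
    """fetch(path) must return the final response body, i.e. after redirects."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.baselines = {}  # (directory, extension) -> reference body, or None

    def _baseline(self, directory, ext):
        key = (directory, ext)
        if key not in self.baselines:
            x = self.fetch(f"{directory}zz-nonexistent-1{ext}")
            y = self.fetch(f"{directory}zz-nonexistent-2{ext}")
            # Only a self-similar "not found" response can serve as a reference.
            self.baselines[key] = y if similarity(x, y) >= SIMILAR else None
        return self.baselines[key]

    def probe(self, path):
        """Return 'present', 'absent', or None when the location cannot be tested."""
        directory, name = path.rsplit("/", 1)
        ref = self._baseline(directory + "/", os.path.splitext(name)[1])
        if ref is None:
            return None
        return "present" if similarity(self.fetch(path), ref) < SIMILAR else "absent"

# Constructed sample server (not a real site): a generic 404 page, one real file, and
# a /nonce/ directory whose error page embeds a fresh token on every request.
NOT_FOUND = ("<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
             "<p>The requested URL {path} was not found on this server.</p><hr>"
             "<address>Example/1.0 Server at www.example.test Port 80</address></body></html>")
_requests = {"n": 0}

def fake_server(path: str) -> str:
    _requests["n"] += 1
    if path == "/corp/backup.zip":
        return "PK\x03\x04" + "constructed-archive-bytes" * 8
    if path.startswith("/nonce/"):
        token = hashlib.sha256(str(_requests["n"]).encode()).hexdigest() * 8
        return NOT_FOUND.format(path=path) + token
    return NOT_FOUND.format(path=path)

def run_demo() -> dict:
    prober = BaselineProber(fake_server)
    return {p: prober.probe(p) for p in ("/corp/backup.zip", "/corp/nothing.zip", "/nonce/x.php")}
```

The /nonce/ case shows why the X/Y step matters: an error page that changes on every request (a session token, a timestamp) makes X and Y dissimilar, and a scanner that skipped the baseline would report every probe in that directory as present.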

There are a few other things to keep in mind. To get the real response it's best to test the actual output of the file/directory request, meaning after following HTTP redirects. For this reason we're using the Mechanize library. Other than Selenium (which is too heavyweight for this and not as portable as we would like) this is the closest you are going to get to a real browser. The disadvantage of using Mechanize is that it does not interpret JavaScript.

Testing for a list of directories or files in the root of a web server is only so exciting. In order to do this job properly we also need to check for files and directories in other paths of the server. Imagine that the entire web structure is located under /corp/; then testing for /backup.zip (while mandatory) is a lot less interesting than testing for /corp/backup.zip or looking for /corp/mediafile/archive/.

We use two methods for getting valid web directories:

- performing a crawl/mirror of the site
- requesting and parsing /sitemap.xml

Not all sites contain sitemap.xml, but for those that do it's an instant win: we'll get the entire site's structure. If that fails we can always revert back to crawling the site.

With the site's structure known (or partially known) we can now happily scan for files and directories in these known paths, and we'll do this for all the websites we found in the footprint.

Checking for indexability

At this stage we should have a nice list of directories that we've found either by crawling, brute forcing or inspecting sitemap.xml, and it would make sense to see if any of them are indexable. Enough said.

Finding CMS backends

CMS (content management systems) have become very popular. Two popular CMSes are WordPress and Joomla. Both of these provide the user with an administrative backend where they can log in to upload new content or modules. With Joomla and WordPress it is possible to upload a malicious module/addon that will provide a web-based command shell (like C99 shell). In most cases these interfaces are exposed to the Internet; this means access to the web content, or uploading a malicious payload, is merely protected by a single password. They are mostly located in a set location and it's trivial to test if they exist. In Maltego Teeth we're looking at 3 different CMSes:

- Joomla at /administrator/index.php
- WordPress at /wp-admin/
- cPanel at :2082/login/ (although not a real CMS, still very popular)

In the next section we'll see how we brute force these CMSes.


Finding OWA (and other interesting) interfaces

OWA (Outlook Web Access) has almost become the de facto standard way to provide remote email for large corporate organizations. When looking at the Fortune 1000 companies we've found that about 60% of them have exposed OWA interfaces. In most cases you can simply browse to this interface and enter a valid username and password in order to gain access to the mail interface. The interface not only supplies the actual email but the organization's calendar and address book (names, phone numbers, departments) as well; this is a gold mine for other attacks (think social engineering, see next section).

There are a few OWA types used:

- OWA 2003
- OWA 2007
- OWA 2010
- OWA Office
- OWA Live (cloud)

These are protected either with a forms-based login or with NTLM.

The way Teeth finds these is as follows:

1. Using async DNS, search for the following DNS names: mail, webmail, owa, outlook, exchange, secure, gateway, vpn, activesync, connect.
2. Check that it does not resolve to a wildcard entry.
3. See if it's open on port 443 (we assume nobody will run their webmail over HTTP).
4. If you find HTTP code 401, assume it's NTLM and mark it as such.
5. If you get HTTP code 200, follow redirects and store the response.
6. Compare the response with a list of signatures and see which one matches.
7. If it does not match any stored response, mark it as generic.

It becomes clear from steps 5 and 6 that this method also works for other types of interfaces such as VPNs, gateways, webmail providers etc. In Teeth we've stored 22 different responses, from CITRIX gateways and SecureID interfaces to Cisco WebVPN responses, and adding additional types is trivial.

In the next section we'll show how we brute force OWA. Building a brute force attack script for other types is left as an exercise to the reader.

Finding Possible Injection Points (PIPs)

Using automated SQL injection tools such as SQLMap one can test for SQL injection with minimal effort. To be able to do so you need to point it to a URL, specify if it's a POST or a GET and which parameters to test for.


A side effect of a crawl/mirror is that we also have a good idea of what forms (or GETs with parameters) are surface-visible on a website. Note that we say surface-visible, i.e. not forms or GETs that are located behind web forms that require authentication or elaborate JavaScript.

Armed with this info we can make a calculated guess which forms would be interesting to test for SQL injection. A form with a single submit button might not be interesting. A form with one parameter called print might not be interesting. We might end up testing just a single parameter.

As an example consider the following form:

POST /search.php
Parameters:
  o s=
  o print=true
  o redirect_url=http://www.site.com/search_done.php
  o sessionID=12345

In this case the only parameter that is likely to yield interesting results when tested would be s. This does not mean that we can discard the other parameters when sending the request, as it might cause the script to break. We thus get to a situation where we can filter which parameters to test for based on the names, actions or values of the parameter.

In the next section we'll look at how we can attack these PIPs.

Step 3: Breaking controls

While the methods used in the previous section could perhaps still be seen as information gathering techniques, the methods discussed here are all-out attack.

Brute forcing CMS

A Metasploit plugin for brute forcing WordPress exists and we'll use that to brute force WordPress. The password list is extended with three derivates of the domain name. Let's assume that the website is called www.cookiesrus.co.za. The password list will be extended to include cookiesrus123, cookiesrusadmin and cookiesruspassword. This can easily be extended to include other mutations.

Joomla brute forcing is performed using a custom Python script; this is because Joomla inserts a CSRF token in every login page which is checked when a POST is sent, and most generic brute forcing scripts do not support this. The same password extension happens for Joomla brute forcing.

Successful logins are graphically indicated.

Brute forcing OWA

In order to brute force OWA the attacker needs to select which email addresses she wants to use first. These are written via the Maltego GUI to a local file. When the user runs the brute force OWA transform an external dialog window is popped up to ask the user from which domain she wants to select email addresses.


The attacker can send email addresses with or without the domain (the one used in the email address, not to be confused with a Microsoft-world domain). The thinking here is that OWA really uses a username and a (Microsoft-world) domain. If the (MS) domain is not specified it will use the default domain, which in most cases is the best bet. The username *might* be the part of the email address in front of the @ sign, and many large corporate organizations are now adopting this naming convention. The other option could be that the MS domain and the email address domain are really the same thing, in which case it would make sense to send both.

The OWA type is stored within the entity and based on the type either NTLM or web forms is used. NTLM brute forcing uses Hydra while form-based login is done with Mechanize.

Another interesting side effect of OWA brute forcing is denial of service. Most OWA implementations lock the account after 3 incorrect password attempts. As such the password file for OWA only contains two passwords. If the file contains more than 2 passwords (and they are indeed incorrect) the account will be locked out. Since many OWA servers are directly connected to the main domain controller of the organization this might mean a system-wide lockout, at least temporarily. Such a denial of service against multiple accounts would seem to be very costly for the target organization.
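The two-passwords-per-account profile described above is what a defender should look for in authentication logs: many accounts failing from one source, each staying below the lockout threshold. The following is an added detection example, not code from the paper or from Maltego Teeth; the log format, the addresses and the SPRAY_MIN_ACCOUNTS value are constructed assumptions.

```python
# Added example, not the paper's code: a defender-side check for the pattern described
# above, where an attacker stays under the lockout threshold by trying only two
# passwords per account but spreads the attempts across many accounts. The log
# format and all values are constructed; adapt LOG_RE to your OWA/IIS or proxy logs.
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3   # failures at which most OWA deployments lock the account (per the paper)
SPRAY_MIN_ACCOUNTS = 5  # assumption: distinct accounts one source must fail against to be flagged

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one source tries exactly two passwords against six accounts,
# another hammers a single account past the lockout threshold, one login is legitimate.
SAMPLE_LOG = "\n".join(
    [f"2013-07-12T10:0{i}:00Z src=203.0.113.5 user=user{i} result=FAIL" for i in range(6)]
    + [f"2013-07-12T10:1{i}:00Z src=203.0.113.5 user=user{i} result=FAIL" for i in range(6)]
    + [f"2013-07-12T11:00:0{i}Z src=198.51.100.7 user=alice result=FAIL" for i in range(3)]
    + ["2013-07-12T11:05:00Z src=192.0.2.44 user=bob result=OK"]
)

def parse(lines):
    """Yield one dict per line that matches LOG_RE; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def analyse(text: str) -> list:
    """Group failures by source; flag lockout risks and low-and-slow sprays."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for ev in parse(text.splitlines()):
        if ev["result"] == "FAIL":
            failures[ev["src"]][ev["user"]] += 1
    findings = []
    for src, per_user in failures.items():
        locked = sorted(u for u, n in per_user.items() if n >= LOCKOUT_THRESHOLD)
        if locked:
            findings.append({"src": src, "kind": "lockout-risk", "accounts": locked})
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS:
            # Every account below the threshold, yet many accounts: the profile above.
            findings.append({"src": src, "kind": "spray", "accounts": sorted(per_user),
                             "max_failures": max(per_user.values())})
    return findings
```

A lockout-risk finding is also the early warning for the denial-of-service side effect the paragraph mentions, since accounts that hit the threshold are exactly the ones the domain controller will lock.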

SQL injection: attacking PIPs

In the previous section we saw how we can identify possible injection points (PIPs). Using SQLMap we now test if these forms or GETs are indeed injectable. The transform simply runs SQLMap on the URL with the correct parameters. When an injection string is found to be successful it is shown graphically on the Maltego interface; the default behavior of SQLMap is to show the database and current table structures.

There are some limitations and considerations when using this attack:

1. The PIP scanner will only identify surface-visible forms; this was discussed in more detail in the previous section.
2. Since we're not sure what database type is in use we can either scan using all types (SLOW) or specify the database type. In a subsequent version of the framework this should be addressed, e.g. by finding the most likely database type automatically.
3. SQLMap takes a long time to run. As such you need to carefully select which forms to attack. It would be possible to extend this so that the list of databases is shown as entities from the PIP, with transforms to enumerate tables from these databases. This functionality is left as an exercise to the reader.

Port scans / service scans / Nmap with NSE scripts

After careful consideration (we looked at Nessus, Metasploit etc.) it was decided to go with Nmap with NSE scripts as a "makeshift vulnerability scanner". We use this in quotes because it's not a full-blown vuln scanner but rather a compilation of scripts and a good port scanner. We've found that in many cases the NSE scripts bundled with Kali Linux served our purpose very well. Other considerations were stability, speed of execution, extensibility and ease of integration with Maltego.


There are 8 different families of NSE scripts. These are auth, default, discovery, external, intrusive, malware, safe and vuln. Two additional ones are all and none, family names we've added when used with Maltego Teeth. The attacker can select which of these families should be used, which ports should be scanned and which additional Nmap parameters should be used.

The attacker can initiate scans against DNS names (includes websites, MX/NS records) or IP addresses. Netblocks can be expanded to several IP addresses in order to scan these.

Attacks against people: KingPhisher

Introduction

While infrastructure attacks are pretty well known to everyone they are not always very effective. Ask any pentester what's the most certain way that they'll compromise a system and they are likely to tell you that it would involve people working at the target organization.

People are not machines. People make mistakes and are driven to act in certain ways either through fear, curiosity or greed. Additionally, people intentionally open non-conventional attack vectors to themselves. This includes email, IM, social networks or even real-life devices such as phones or other mobile computing platforms.

In this section we'll look to see if it would be possible to deliver a well-crafted email to a target, and to do so with little or no interaction from the attacker. In other words, is it possible to spear phish someone and let Maltego do the heavy lifting? In subsequent updates to the platform we'll also look at other vectors such as IM and social networks.

The goal

The goal of this phishing attack (in order of impact) is as follows:

1. Identify user characteristics from clicked links such as user agent and IP address.
2. Get the target to simply click on a link. We might choose to deliver some form of payload in the resulting page.
3. Redirect the user to a fake social network / public webmail (Gmail etc.) login page. Hope the target will enter credentials.
4. Redirect the user to a fake corporate webmail / VPN portal and hope to get credentials.

In 3 and 4 we're hoping that the user will re-use credentials and the attacker can use these on more sensitive infrastructure (think corporate VPN etc.). The keyword in scenario 2 is of course browser 0day, but getting the external IP address of the user is also valuable.


Already in Maltego

The more information we know about a person the more enticing the email we can send to our target. Maltego already offers many transforms to profile a person. This includes getting the target's email address, social networks and friends from these social networks.

The starting point would likely be the domain of the organization we're attacking. From there we can enumerate email addresses and from that we can resolve social network memberships. In some instances we might be able to make educated guesses as to what the person's name and surname is, or add more information about our target manually.

Templates

Maltego creates a graph of these relationships. By sending the graph to an external process we are able to extract these relationships and, based on what information we find, we can create a list of email templates. In a practical example, from a target domain of target.com we find an email address john.doe@target.com. The person's name is likely John Doe. We resolve social network membership and find a Flickr profile and a Facebook profile. From the Flickr and Facebook profiles we get interests and friends and connections. Our templates that we can choose from could now be:

1. Spoofed email from Facebook with a new friend request
2. Spoofed email from Facebook with a photo tagged by a person who is a FB friend of the target
3. Spoofed email from Flickr with new photos from a friend
4. Spoofed email from a company specializing in interest X
5. Spoofed email from target.com with instructions

The attacker will be able to choose which template she wants to use, tweak a few configuration options, and the framework will figure out the rest.

Types of redirects/bounces

There are three types:

- Just bounce. Upon clicking on the link the user will just be redirected to another site.
- Get info, then bounce. The framework will collect the user's IP address and user agent and then redirect.
- Get info, phish, then bounce. The framework will collect the IP address and user agent, then present the user with a copy of a popular social network's login page, collect the credentials and then redirect the user to the real site.

This gives the attacker the flexibility to choose exactly what the target will see once he clicks on a link.

Challenges

The following mechanisms are used to automatically protect users against this type of email:


Sender Policy Framework (SPF)

This is implemented on the receiving SMTP server. The server will check if the remote host matches SPF records for the sender's domain. What this means is that you cannot send email as pete@companyX.com if your connection is not originating from the IP range(s) of company
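The check the receiving server performs, as an added example that is not the paper's code: a minimal SPF evaluator that answers whether the connecting host falls inside the ranges the sender's domain publishes. It implements only the ip4/ip6 mechanisms and the all terminator (include, a, mx and friends need DNS), and the record and addresses are constructed for an imaginary companyX.com.

```python
# Added example, not the paper's code: a minimal evaluation of the SPF check described
# above, i.e. "does the connecting host fall inside the sender domain's published IP
# ranges?". Only ip4/ip6 mechanisms and the "all" terminator are implemented;
# include/a/mx/exists/ptr need DNS resolution. The record and addresses are constructed.
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral/none for sender_ip against an SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record: the receiver cannot judge the host
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term  # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name in ("include", "a", "mx", "exists", "ptr"):
            raise NotImplementedError(f"{name} needs DNS resolution; not shown here")
        # redirect=/exp= modifiers and unknown terms are ignored in this example
    return "neutral"  # nothing matched and no "all": RFC 7208 default

# Constructed policy for an imaginary companyX.com: mail may only come from these ranges.
COMPANYX_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ip6:2001:db8::/32 -all"
```

With "-all" a connection from 203.0.113.9 claiming pete@companyX.com gets "fail", which is the outcome the paragraph describes; a domain that publishes "~all" or no record at all leaves the receiver with only softfail or none to act on.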

DomainKeys Identified Mail (DKIM)

Senders of email can decide to implement DKIM, thereby cryptographically signing parts of the message, typically the sender's and receiver's email addresses. This means you cannot send email as [email protected].

Filtering, trigger words

Email providers (like Gmail) or email clients (like Microsoft Outlook) have built-in spam and phishing detection and will mark email from our platform as such. They might choose to trigger on emails that are close to the templates of known providers.

These techniques are usually used in combination. The first two protection mechanisms mean that you cannot effectively spoof email from major email sources (like Facebook, Twitter, LinkedIn etc). This is not a major problem as you can easily send the email from accounts that *look* like these providers. In other words, [email protected]@twitte.r.com.

However, when the techniques are used in tandem it becomes a little tougher. If you are sending email that looks a lot like that of a major email source but you are not that source it might be marked as spam. The good news is that there are many ways to create HTML that looks the same. The HTML source might not look the same but the rendered output will. This makes it possible for us to send email that looks exactly like the real deal, but on the wire looks a lot different. It's more work but it's worth it in the end.

Managing the campaign

When sending email to many different targets the attacker would want to have a way of managing the campaign, as it is easy to lose track of which emails were sent to which targets. With three simple transforms and perpetual machines this can be done graphically within Maltego. The transforms are as follows:

- From control center, get the email addresses of targets
- From each target, get the IP address and user agent (if it exists)
- From each target, get the credentials mined (if any)

The entire system's flow diagram thus looks as follows:


Flow diagram (components: Maltego client, KP controller, SMTP sender, Target, Collector; the attacker configures mail at the KP controller). Labelled steps:

1. POST graph
2. Collector setup
2. After setup, ready send
3. Email sent
4. User visits site
5. Monitor campaign

Conclusion

There are several aspects of IT security that have not been touched on in this paper. The goal of this paper is not to show new attack vectors or methods. It is to show that almost all methods of attack can be incorporated into a single platform: a platform where attackers can share information, visualize it and launch new attacks collaboratively.

We are painfully aware that for the man with a hammer, everything looks like a nail. In our case every security tool or attack technique looks like a nail and our hammer is Maltego Tungsten.