Kali Linux Day13: Maltego Tutorial Kali Linux 2026 — OSINT Link Analysis & Entity Mapping Guide


Part of the 180-Day Kali Linux Mastery Course

Day 13 of 180 · 7.2% complete

Maltego is the tool that transforms a single domain name into a complete map of an organisation’s internet footprint in under 30 minutes. While every other OSINT tool gives you flat lists of data, Maltego gives you a graph — a visual web of relationships between domains, IP addresses, email addresses, people, and organisations that makes non-obvious connections immediately visible. Intelligence analysts, corporate investigators, and professional penetration testers use it daily. Today you are going to learn exactly how it works, run your first transforms, and build your first entity relationship map from scratch.

🎯 What You’ll Master in Day 13

Install and configure Maltego Community Edition on Kali Linux
Understand entities, transforms, and the graph-based intelligence model
Run DNS, WHOIS, and email transforms to map target infrastructure
Build a complete domain-to-infrastructure entity graph from a single input
Use Maltego findings to inform penetration test scope and attack vectors

⏱️ 52 min read · 3 hands-on exercises

✅ This guide builds from installation through a complete OSINT investigation workflow. If you already know the basics, the transform chaining and graph analysis sections in the second half will be the most valuable for you.

In Day 12 we used Burp Suite to intercept and analyse web application traffic — operating at the HTTP layer of a single target. Today we zoom out entirely and look at the organisation from the outside. Maltego operates before you ever send a packet to a target — it assembles intelligence from public sources to map the full landscape of what you are dealing with. This reconnaissance phase is what the Kali Linux 180-Day Mastery Course builds systematically — every tool in sequence for a reason.


What Is Maltego and Why It Changes OSINT Investigations

Maltego is a visual link-analysis and OSINT platform developed by Paterva. It represents intelligence as a graph — nodes are entities (domains, IPs, emails, people, organisations) and edges are the relationships between them. Every transform you run either adds new nodes to the graph or connects existing ones, building an ever-more-complete picture of your target’s digital footprint.

The power of graph-based intelligence is in non-obvious connections. When you run a text-based OSINT tool like theHarvester, you get a list. You can see individual data points but you cannot immediately see that three different email addresses from three different sources all resolve to the same server, or that a domain you had not considered is hosted on the same IP range as your primary target. Maltego makes these structural relationships visually immediate.

Professional threat intelligence analysts use Maltego to map criminal infrastructure, track phishing campaign origins, and connect disparate indicators of compromise. Corporate security teams use it to monitor their own attack surface. Penetration testers use it in the reconnaissance phase to identify every publicly accessible asset before testing begins. The tool works in all three contexts because the underlying intelligence model is universal.

Figure: Maltego Entity Graph — OSINT Investigation Architecture. The Domain entity target.com expands through transforms to an IP address (192.168.1.1), an email address (admin@target.com), a DNS name (ns1.target.com) and an organisation (Target Inc.).

📸 Maltego entity graph architecture — a single domain entity expanded through DNS, email, and WHOIS transforms creates a complete organisation infrastructure map with visual relationship edges.


Maltego Kali Linux 2026 — Install, Register and First Launch

Maltego Community Edition is pre-installed on Kali Linux but requires a free registration to activate transforms. The registration takes two minutes and unlocks the full Community Edition transform set — approximately 30 transform categories covering DNS, WHOIS, email, social media, and certificate transparency.

MALTEGO — INSTALL, UPDATE AND LAUNCH
# Verify installation
which maltego
/usr/bin/maltego
# Update to latest version
sudo apt update && sudo apt install maltego -y
# Launch from terminal
maltego &
# Or from Applications > Information Gathering > maltego
# First launch: select “Maltego CE (Free)” at product selection screen
# Register free account at: https://www.maltego.com/ce-registration/
# Enter credentials in the login dialog to activate transforms

After logging in, Maltego runs a transform seed download that installs the Community Edition transform set. This takes 2–3 minutes on a fast connection. Once complete, the Transform Hub appears showing available transform providers. The free built-in transforms are already active. Optionally install additional free hubs including Shodan, VirusTotal Community, and Have I Been Pwned from the Hub.

💡 API Keys for Premium Transforms: Several free transform hubs require their own API keys — Shodan, VirusTotal, and Have I Been Pwned all offer free API tiers. Register for each, add their API keys in Maltego’s Transform Hub settings, and you immediately unlock significantly more powerful transforms without paying for Maltego Pro.

Entities and Transforms — The Core Maltego Intelligence Model

Understanding entities and transforms is the conceptual foundation for everything you do in Maltego. Every piece of intelligence in Maltego is represented as an entity — a typed object with a value and optional additional properties. Every transform is a function that takes one entity type as input and produces one or more entity types as output.

Entity types include: Domain, DNS Name, IP Address, Email Address, Person, Phone Number, Company/Organisation, Website URL, Netblock (CIDR range), AS Number, Social Media Profile, Document, Location, and more. Custom entities can be added through transform hubs. Each entity type has a distinct icon in the graph making entity types visually distinguishable at a glance.

Transform categories you will use most in reconnaissance: DNS transforms (domain → IPs, NS records, MX records, subdomains), WHOIS transforms (domain → registrant, registrar, creation date, nameservers), Email transforms (domain → associated email addresses), Person transforms (name → social profiles, email addresses), and IP transforms (IP → geolocation, ASN, reverse DNS, hosting provider).

Key Transform Categories — Maltego CE

  • DNS transforms: Domain → IPs, MX, NS records, subdomains, reverse DNS
  • WHOIS transforms: Domain → registrant email, org name, registration dates, nameservers
  • Email transforms: Domain → associated emails · Email → person · Email → breach data
  • Network transforms: IP → ASN, netblock, hosting org, geolocation, shared hosting
  • Certificate transforms: Domain → SSL certs → related domains on same cert · subdomain discovery

📸 Maltego CE transform categories — five primary transform groups used in reconnaissance, each expanding a different dimension of the target’s digital footprint.

🧠 EXERCISE 1 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Map a Target’s Attack Surface Before Opening Maltego

⏱️ Time: 10 minutes · Paper and pen or text editor

You are starting a reconnaissance engagement on a mid-sized
e-commerce company. You only know their primary domain: shopexample.com

Before opening any tool, think through these questions:

1. What TYPES of infrastructure would a typical e-commerce company have
that would appear in DNS records?
(Think: where do their emails go? How do they accept payments?
Where is their admin panel likely hosted? CDN? Subdomains?)

2. What employee roles would you expect to find email addresses for?
Which role’s email would be highest value if you found it?

3. The company uses Cloudflare. How does this affect your ability
to map their real origin IP addresses via DNS transforms?

4. You find five domains registered to the same registrant email
address via WHOIS. What does this tell you about their
infrastructure and what additional transforms would you run?

5. You find an SSL certificate covering *.shopexample.com and also
staging.shopexample.com, admin.shopexample.com, and
api.shopexample.com in the Subject Alternative Names.
Rank these three subdomains by attack surface priority and
explain your reasoning.

✅ What you just learned: Professional OSINT starts with a mental model of what you expect to find before you run a single query. E-commerce companies typically have payment processors (look for Stripe/PayPal references), admin subdomains, API endpoints, and staging environments all connected through shared infrastructure. Cloudflare masks origin IPs but certificate transparency logs expose subdomains. A single registrant email in WHOIS can link dozens of related domains. Staging and API endpoints are highest priority because they are less hardened than the public-facing site. This thinking is what makes Maltego investigations structured rather than random.

📸 Write your attack surface map and share in #day-13-maltego on Discord.


Mapping Domain Infrastructure With DNS and WHOIS Transforms

DNS transforms are the highest-yield starting point for any Maltego investigation. A single domain entity expanded through all DNS transforms typically yields IP addresses, nameservers, mail servers, and in many cases CDN providers and hosting information — all from a single right-click menu in under 60 seconds.

MALTEGO DNS TRANSFORMS — WORKFLOW REFERENCE
# In Maltego GUI — these are right-click transform selections
# Step 1: Drag Domain entity onto canvas, set value to target domain
# Step 2: Right-click domain → Run Transforms → DNS from Domain
DNS from Domain → To DNS Name # All DNS records
DNS from Domain → To IP Address [DNS] # A record IPs
DNS from Domain → To MX Record # Mail server records
DNS from Domain → To NS Record # Nameserver records
# Step 3: Right-click domain → Run Transforms → WHOIS
WHOIS → To Email Address [WHOIS] # Registrant email
WHOIS → To Company/Organisation # Registrant org
WHOIS → To DNS Name [Registrant] # Related domains
# Step 4: Run transforms on IP Address nodes discovered
IP → To AS Number # Hosting provider ASN
IP → To Location [city, country] # Geolocation
IP → To Domains on IP # Other domains sharing this IP

The “To Domains on IP” transform is particularly valuable for targets using shared hosting or poorly separated infrastructure. When multiple domains share a single IP address, it indicates they are likely owned by the same organisation — or that compromising one could expose the others. On dedicated hosting, an IP address that maps only to the target’s own domain confirms that the server is isolated.


Email Enumeration and Person Entity Mapping

Email address discovery through Maltego goes significantly further than theHarvester’s search engine scraping. The combination of WHOIS registrant emails, certificate transparency DNS names, and social profile transforms creates a multi-dimensional picture of the people behind an organisation’s infrastructure — information that feeds directly into social engineering scenario planning for authorised penetration tests.

MALTEGO EMAIL AND PERSON TRANSFORMS
# Email transforms from domain entity
Domain → To Email Addresses [From Harvesting]
Domain → To Email Address [Pattern] # Infer format from found emails
# Person transforms from email entity
Email → To Person
Email → To Social Profile [Twitter]
Email → To Social Profile [LinkedIn]
# If Have I Been Pwned hub installed:
Email → To Breach [HIBP] # Was this email in a data breach?
# Person transforms
Person → To Email Addresses [from social]
Person → To Organisation [employer]
Person → To Aliases [username variations]

⚡ EXERCISE 2 — KALI TERMINAL (25 MIN)
Build a Complete Domain Infrastructure Graph on Kali Using Maltego CE

⏱️ Time: 25 minutes · Maltego CE registered and running · Use scanme.nmap.org or your own domain only

MALTEGO CE — DOMAIN INVESTIGATION WORKFLOW
# Step 1: Open Maltego, click New (blank graph)
# Step 2: From Entity Palette (left), drag Domain onto canvas
# Step 3: Double-click entity, enter: scanme.nmap.org
# Step 4: Right-click domain → Run Transforms → All Transforms
# Or run individually:
Run: DNS from Domain → To IP Address [DNS]
Run: DNS from Domain → To DNS Name
Run: DNS from Domain → To MX Record
# Step 5: On each IP found, run:
Run: IP → To AS Number
Run: IP → To Location
Run: IP → To Domains on IP
# Step 6: Use View > Layouts > Organic to organise the graph
# Step 7: Count total entities discovered from one starting domain
# Step 8: Export graph: Graph > Export > As Image

✅ What you just learned: From a single domain entity, Maltego’s transform chain discovers IPs, nameservers, mail servers, geolocation, ASN, and related domains — all visualised as a connected graph. scanme.nmap.org is an authorised Nmap test target safe to investigate. The workflow you just completed — add entity, run DNS transforms, expand IPs, organise layout, export — is identical for any authorised target in a real engagement. The graph export becomes part of your penetration test report’s reconnaissance appendix.

📸 Screenshot your completed entity graph and share in #day-13-maltego on Discord. Tag #maltego2026


Building a Complete OSINT Graph — From Domain to Full Infrastructure Map

A complete Maltego investigation follows a structured expansion pattern. You start narrow — one entity — and systematically expand outward through transforms at each layer. The key discipline is knowing when to stop expanding. Every new entity can generate dozens more through transforms. Without boundaries, a graph becomes incomprehensibly large and loses analytical value.

Layer 1 — Seed: Your single starting entity. For a domain-based investigation, this is the primary domain. For a person-based investigation, it might be a known email address or full name.

Layer 2 — Direct expansion: Run all applicable transforms on the seed. This gives you first-order relationships — IPs, nameservers, registrant info, certificate SANs, associated email addresses.

Layer 3 — Targeted deepening: Select the highest-value entities from Layer 2 and run specific transforms on those. Do not run all transforms on all entities — select based on investigation objectives. For infrastructure mapping, deepen IP entities. For personnel mapping, deepen email and person entities.

Layer 4 — Cross-referencing: Look for nodes with multiple incoming edges — these are entities connected to multiple other entities in your graph. They indicate shared infrastructure, key personnel, or pivot points that deserve deeper investigation.
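The layered expansion above, as an added example that is not part of the original tutorial and is not Maltego's own code: a small Python model of typed entities and transforms that chains outward from one seed with a depth bound and a per-transform result cap, then lists the Layer 4 pivot nodes. The transform results are constructed sample data (documentation IP range and ASN), and `expand` and `pivot_nodes` are hypothetical names.

```python
from collections import defaultdict, deque

# Each transform: the entity type it accepts, plus constructed results
# (stand-ins for DNS/WHOIS/CT lookups; nothing here touches the network).
TRANSFORMS = {
    "To DNS Name [SSL Cert SANs]": ("Domain", {
        "shopexample.com": [("DNSName", "staging.shopexample.com"),
                            ("DNSName", "api.shopexample.com")],
    }),
    "To MX Record": ("Domain", {
        "shopexample.com": [("DNSName", "mail.shopexample.com")],
    }),
    "To Email Address [WHOIS]": ("Domain", {
        "shopexample.com": [("Email", "hostmaster@shopexample.com")],
    }),
    "To IP Address [DNS]": ("DNSName", {
        "staging.shopexample.com": [("IPAddress", "203.0.113.10")],
        "api.shopexample.com": [("IPAddress", "203.0.113.10")],
        "mail.shopexample.com": [("IPAddress", "203.0.113.25")],
    }),
    "To AS Number": ("IPAddress", {
        "203.0.113.10": [("AS", "AS64500")],
        "203.0.113.25": [("AS", "AS64500")],
    }),
}


def expand(seed, max_depth=3, max_results=12):
    """Breadth-first transform chaining from one seed entity (Layers 1-3).

    max_depth bounds how many layers are expanded; max_results caps each
    transform's output (12 mirrors the Community Edition limit in the FAQ).
    Returns a set of (source, transform_name, destination) edges.
    """
    edges, seen, queue = set(), {seed}, deque([(seed, 0)])
    while queue:
        entity, depth = queue.popleft()
        if depth >= max_depth:
            continue  # boundary reached: keep the node, do not expand it
        etype, value = entity
        for name, (accepts, results) in TRANSFORMS.items():
            if accepts != etype:
                continue  # a transform only runs on its own input type
            for dst in results.get(value, [])[:max_results]:
                edges.add((entity, name, dst))  # record even if dst is known
                if dst not in seen:
                    seen.add(dst)
                    queue.append((dst, depth + 1))
    return edges


def pivot_nodes(edges, min_sources=2):
    """Layer 4: entities reached from at least min_sources distinct entities."""
    sources = defaultdict(set)
    for src, _name, dst in edges:
        sources[dst].add(src)
    return {d: sorted(s) for d, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    graph = expand(("Domain", "shopexample.com"))
    for node, srcs in pivot_nodes(graph).items():
        print(node, "<-", srcs)
```

Lowering `max_depth` to 2 stops before the AS layer, which is the "know when to stop expanding" boundary expressed as a parameter.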

⚡ EXERCISE 3 — KALI TERMINAL (20 MIN)
Run Certificate Transparency Transforms to Discover Hidden Subdomains

⏱️ Time: 20 minutes · Maltego CE · Use your own domain or authorised target

MALTEGO CERTIFICATE TRANSPARENCY WORKFLOW
# Certificate transparency logs record every SSL cert ever issued
# Maltego can query crt.sh via transform to reveal subdomains
# Step 1: Start with Domain entity for your target
# Step 2: Right-click → Run Transforms → look for SSL/TLS or cert transforms
Domain → To SSL Certificate [Subject]
Domain → To DNS Name [SSL Cert SANs]
# Step 3: Each SSL cert entity reveals Subject Alternative Names
# SANs contain every subdomain covered by that certificate
# Step 4: Run DNS transforms on each discovered subdomain
DNS Name → To IP Address [DNS]
# Step 5: Compare SSL-discovered subdomains vs DNS-discovered ones
# SSL certs often reveal staging, admin, dev subdomains that DNS doesn't
# Step 6: Manual verification of all cert-found subdomains
curl -I https://discovered-subdomain.target.com
# 200 OK = live and running
# 404 = not live at that subdomain
# redirect to main domain = vhost configured

✅ What you just learned: Certificate transparency is one of the most powerful passive recon techniques available in 2026 because every TLS certificate issued by a public CA is publicly logged forever. When a developer creates an SSL certificate covering staging.company.com, api.company.com, or admin.company.com, that information is recorded in the CT log and retrievable by anyone — including you and Maltego. This technique consistently reveals infrastructure that DNS enumeration and search engines miss entirely, making it a mandatory step in every professional recon workflow.

📸 Screenshot your Maltego graph showing SSL certificate entity connecting to subdomain DNS name nodes and share in #day-13-maltego on Discord.
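Step 5 of the exercise, as an added example that is not part of the original tutorial: reconciling names found in certificate SANs against names found through DNS for a domain you own or are authorised to assess. The input is a constructed sample shaped like crt.sh's JSON output (SANs newline-separated in `name_value`); the domain names, `DNS_NAMES` and the function names are assumptions.

```python
import json

# Constructed sample in the shape of crt.sh JSON output: one object per
# logged certificate, with its SANs newline-separated in "name_value".
CRT_SH_SAMPLE = json.dumps([
    {"common_name": "*.shopexample.com",
     "name_value": "*.shopexample.com\nshopexample.com"},
    {"common_name": "staging.shopexample.com",
     "name_value": "staging.shopexample.com\nadmin.shopexample.com\n"
                   "api.shopexample.com"},
    {"common_name": "shopexample.com",
     "name_value": "WWW.shopexample.com\nshopexample.com.\n"
                   "cdn.shopexample-assets.net"},
])

# Constructed: names already found through DNS transforms on the same target.
DNS_NAMES = {"shopexample.com", "www.shopexample.com",
             "api.shopexample.com", "mail.shopexample.com"}


def normalise(name):
    """Lowercase, drop the trailing dot, and split off a leading wildcard."""
    name = name.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    return (name[2:] if wildcard else name), wildcard


def in_scope(name, apex):
    """True for the apex or a real subdomain; 'notshopexample.com' must fail."""
    return name == apex or name.endswith("." + apex)


def ct_names(raw_json, apex):
    """Return (in-scope hostnames, wildcard bases, out-of-scope SANs)."""
    hosts, wildcards, other = set(), set(), set()
    for cert in json.loads(raw_json):
        for entry in cert.get("name_value", "").split("\n"):
            if not entry.strip():
                continue
            name, is_wild = normalise(entry)
            if not in_scope(name, apex):
                other.add(name)      # shared cert with another domain: review
            elif is_wild:
                wildcards.add(name)  # covers unnamed hosts; not a hostname
            else:
                hosts.add(name)
    return hosts, wildcards, other


def compare(ct_hosts, dns_hosts):
    """Which names does each source see that the other misses?"""
    dns_hosts = {normalise(n)[0] for n in dns_hosts}
    return {
        "ct_only": sorted(ct_hosts - dns_hosts),
        "dns_only": sorted(dns_hosts - ct_hosts),
        "both": sorted(ct_hosts & dns_hosts),
    }


if __name__ == "__main__":
    hosts, wildcards, other = ct_names(CRT_SH_SAMPLE, "shopexample.com")
    print(compare(hosts, DNS_NAMES), wildcards, other)
```

The `ct_only` list is the set to verify manually in Step 6; out-of-scope SANs are reported separately so they are not tested by mistake.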

🧠 QUICK CHECK — Day 13

You run a WHOIS transform on a target domain and find the registrant email is admin@hostingprovider.com rather than an address at the target company. What does this tell you, and what transform do you run next?



📋 Commands Used Today — Day 13 Reference Card

Command / Transform | What it does
maltego & | Launch Maltego from terminal in background
sudo apt install maltego -y | Install or update Maltego on Kali Linux
DNS from Domain → To IP Address | Maltego transform — resolve domain to A record IPs
DNS from Domain → To MX Record | Maltego transform — find mail servers for domain
WHOIS → To Email Address | Maltego transform — find registrant email from WHOIS data
IP → To Domains on IP | Maltego transform — find all domains sharing this IP
Domain → To DNS Name [SSL Cert SANs] | Maltego transform — find subdomains from certificate SANs
View > Layouts > Organic | Maltego GUI — organise graph layout for readability

🏆 Mark Day 13 as Complete

You have built your first entity relationship graph and understand how Maltego transforms passive OSINT from a list of facts into a map of relationships. Every professional recon phase from here forward starts with this tool.


❓ Frequently Asked Questions

Is Maltego free on Kali Linux?
Maltego Community Edition is completely free and pre-installed on Kali Linux. It gives you access to the core transform set covering DNS, WHOIS, email discovery, and basic infrastructure mapping. Limitations are 12 results per transform and no commercial data providers. The Community Edition covers everything you need to learn OSINT link analysis.
What are Maltego transforms?
Transforms are Maltego’s actions — each takes one entity as input, queries a data source, and returns related entities as output. For example, Domain to IP Address queries DNS and returns A records as IP Address nodes on the graph. Transforms can query public APIs, WHOIS databases, social media platforms, certificate transparency logs, Shodan, VirusTotal, and dozens of other sources.
What types of entities does Maltego support?
Built-in entity types include: Domain, DNS Name, IP Address, Email Address, Person, Company, Phone Number, Website, AS Number, Netblock, Social Media Profile, Document, File, and Location. Each has specific transforms designed for it. Additional hubs add custom entity types for Shodan, VirusTotal, and Have I Been Pwned.
How is Maltego different from theHarvester?
theHarvester collects a flat list of emails, domains, and IPs from a single query. Maltego is a visual link-analysis platform showing relationships between entities as a graph — making structural connections immediately visible. theHarvester is faster for bulk collection. Maltego is more powerful for understanding infrastructure structure and discovering non-obvious connections.
Can Maltego be used for penetration testing?
Maltego is primarily a reconnaissance and OSINT tool querying publicly available data. It is used during the information gathering phase of penetration tests to map target infrastructure, identify email patterns for phishing simulations, discover related IP ranges, and find employee names. All data comes from public sources, making it legal to use for passive reconnaissance.
What comes after Maltego in the Kali Linux course?
Day 14 covers Netdiscover — the ARP-based network host discovery tool for internal network reconnaissance. After Maltego’s external OSINT focus, Netdiscover shifts perspective inside the network — finding live hosts on LAN segments without Nmap, ideal for post-compromise internal discovery.

📚 Further Reading

  • theHarvester Tutorial 2026 — Day 9 covers theHarvester for bulk email, domain, and IP collection from search engines — the command-line complement to Maltego’s visual graph analysis.
  • 180-Day Kali Linux Mastery Course — The complete course hub with every day indexed from Nmap through advanced exploitation tools in a structured day-by-day sequence.
  • OSINT Tools Guide — The complete OSINT tools category covering Maltego, Recon-ng, SpiderFoot, Sherlock, and every major open-source intelligence gathering tool.
  • Maltego Transform Hub — The official Maltego Transform Hub listing every available free and commercial transform provider, API integration guide, and Community Edition activation instructions.
  • crt.sh Certificate Transparency Search — The free certificate transparency log search engine used by Maltego’s SSL transforms — queryable directly for subdomain discovery without any tool installation.
Mr Elite
Owner, SecurityElites.com
The engagement that made me truly understand Maltego’s power was a red team assessment where I had been given the company’s primary domain and nothing else. I opened Maltego, added the domain, and ran every available transform over the next 20 minutes. The graph that emerged showed not just their main website infrastructure but a development subdomain on a completely different IP range that was not behind Cloudflare, a mail server still running an outdated version of Postfix, and three related domains registered to the same WHOIS email that the client had never mentioned to me. Two of those related domains had live admin panels accessible without authentication. The entire attack path came from a graph that started with one entity. I have never opened a recon engagement without Maltego since.
