Mapping Digital Footprint with MALTEGO
An OSINT Self-Investigation on Linux
Contents
- Why though?
- Setting Up Maltego CE
- What is Maltego?
- Prerequisites
- Step 1: Download and Install
- Step 2: First Launch and Registration
- Step 3: Install Transform Hub Items
- Step 4: Getting Comfortable with the Interface
- Exercise 1: Email & Domain Footprinting
- Step 1: Seed the Graph with Your Email
- Step 2: Expand the Person Entity
- Step 3: Check Breach Exposure
- Step 4: Domain Pivot
- Exercise 2: Social Media & Username Enumeration
- Step 1: Seed with Your Username
- Step 2: Cross-Reference Email Accounts
- Step 3: Expand Social Profiles
- Step 4: Search Engine Enumeration
- Exercise 3: DNS & Infrastructure Reconnaissance
- Step 1: Full DNS Enumeration
- Step 2: Certificate Transparency
- Step 3: Technology Fingerprinting
- Step 4: Using additional CLI Tools
- Analysing the Graph
- Hub Nodes
- Unexpected Connections
- Breach Clusters
- Infrastructure Leakage
- Ghost Footprint
- Taking Action
I've always been curious about what someone could find out about me using nothing but publicly available information. Understanding what's exposed is just good practice. So I decided to point Maltego at myself and see what came back.
This post walks through the entire process, from installing Maltego Community Edition on a Linux workstation, configuring transforms, and then running a series of OSINT exercises against my own digital presence. We'll cover email and domain footprinting, social media and username enumeration, and DNS/infrastructure reconnaissance.
Note: I'm only investigating myself and infrastructure I own. If you follow along, do the same. Maltego makes it trivially easy to pivot into other people's data, and just because information is public doesn't mean investigating someone without consent is appropriate.

Why though?
There's a gap between what you think is public about you and what actually is. Most people assume their digital footprint is limited to their social media profiles and maybe a LinkedIn page. The reality is usually more interesting and more uncomfortable.
The goal here is to build an accurate picture of your digital exposure so you can make informed decisions about what to tighten up, what to accept, and what you didn't even know was out there.
Setting Up Maltego CE
What is Maltego?
Maltego is a data mining and link analysis tool used for open source intelligence investigations. It collects and connects information about people, domains, emails, companies, and infrastructure from public sources. It presents the results as graphs to show relationships between entities.
Prerequisites
You'll need a Linux workstation and free Maltego Community Edition account. Maltego is a Java-based desktop application that bundles its own JRE.
Step 1: Download and Install
Head to maltego.com/downloads and grab the Linux installer for your distro.
For Debian/Ubuntu:
cd ~/Downloads
sudo apt install ./Maltego.v4.*.deb
In case of dependency issues:
sudo apt-get install -f
For RPM-based distros (Fedora, RHEL, etc):
sudo dnf install ./Maltego.v4.*.rpm
Alternatively, if you're on Kali Linux, Maltego comes pre-installed.
Step 2: First Launch and Registration
Fire up Maltego from your application menu or terminal:
maltego
On first launch, if you don't already have Java installed:
sudo apt update
sudo apt install openjdk-17-jre
After this, you'll be prompted to choose your edition. Select Maltego CE (Free) and either register a new account or log in with existing credentials. The registration process takes you to a browser to create your Maltego ID. Use a real email, you'll need it for API key distribution.
Once authenticated, Maltego will sync and install the default transforms. This takes a minute or two depending on your connection.
Step 3: Install Transform Hub Items
The Transform Hub is where you expand Maltego's capabilities. Think of transforms as individual lookup functions. each one takes an entity (like a domain or email) and queries a data source to return related entities.
Open the Transform Hub (the puzzle piece icon in the top menu) and install these items:
- Have I Been Pwned: Checks if email addresses appear in known data breaches. Essential for self-assessment and the first thing you should run against every email you own.
- AbuseIPDB: Looks up IP addresses against a community-driven blacklist of malicious activity. Returns abuse confidence scores, ISP details, usage type, hostname, and country — perfect for checking whether your own IPs have been flagged or reported by anyone.
- Censys: Maps IP addresses and domains, identifies server configurations and exposed services. Great for discovering what is listening on your infrastructure.
- Person of Interest: Part of Maltego's Data Pass system, this module aggregates personal identifiers, social media data, breach records, and company affiliations from multiple data vendors through a single credit-based interface. CE users get a limited credit allowance out of the box.
- Social Links CE: The free community edition of Social Links' OSINT/SOCMINT plugin. Provides transforms for searching across platforms like Skype, ZoomEye, Shodan, SecurityTrails, Censys, DocumentCloud, CompaniesHouse, and Social Links' own database. Limited compared to the Pro version but still pulls useful data for social media and company investigations.
Step 4: Getting Comfortable with the Interface
Maltego's UI is dense at first glance, but it makes a lot more sense if you look at them as different modules:
Graph Canvas (centre): Your investigation workspace. Entities appear as nodes, relationships as connecting lines. This is where the magic happens.
Entity Palette (left panel): A library of entity types you can drag onto the canvas: domains, emails, persons, IP addresses, phone numbers, social media handles, and more.
Detail View (bottom): Properties and metadata for whichever entity you've selected. Always check this — there's often more information here than what's visible on the node itself.
Transform Output (bottom tab): Shows the results of your last transform, including any errors or rate-limit warnings.
Overview (top right): A minimap of your full graph. Absolutely essential once your investigation grows beyond a single screen.
Exercise 1: Email & Domain Footprinting
This is the starting point for most self-investigations. Your email address is the key that connects your accounts, your registrations, your breach exposure, and often your real identity to your online handles.
Step 1: Seed the Graph with Your Email
From the entity palette, drag an Email Address entity onto your blank graph canvas. Double-click it and enter your primary email address (the one you use for most online accounts).
Right-click the email entity and select Run All Transforms (the double arrow on the right side). Maltego will fire off every applicable transform against your email address. You'll see queries going out to DNS lookups, breach databases, social media checkers, and search engines.
After a few seconds, your single email node will form into a constellation of connected entities. You will likely see:
- Person entities: Names associated with the email, pulled from the Person of Interest module, WHOIS records, or public directories.
- Domain entities: The email domain itself, and potentially other domains where this email appears in registration records.
- Breach entries: Have I Been Pwned will surface any data breaches your email has appeared in.
- Website entities: Pages where your email has been indexed or mentioned.
- Social media profiles: Social Links CE will check platforms like Skype, DocumentCloud, and its own database for accounts linked to that address.
Step 2: Expand the Person Entity
If Maltego identified a person entity from your email, right-click it and run transforms to discover:
- Other email addresses associated with that name
- Phone numbers from public directories or WHOIS data
- Social media profiles via Social Links CE and username enumeration
- Locations from geolocation data or profile information
- Work history and affiliations via the Person of Interest module
The Person of Interest module aggregates data from multiple vendors behind the scenes, so a single transform run can pull back social media handles, company affiliations, breach records, and personal identifiers all at once.
Step 3: Check Breach Exposure
Select any email entities on your graph and run the Have I Been Pwned transform. The results will show you which breaches your email appeared in, when they occurred, and what data was exposed (email, password hash, IP, etc.).
Step 4: Domain Pivot
Now drag a new Domain entity onto the canvas and enter a domain you own. Run transforms against it to discover:
- WHOIS registration details: Registrant name, email, organisation, registration dates
- MX records: Where the domain's email is handled
- NS records: Name servers, which reveal your hosting provider
- A/AAAA records: The IP addresses the domain resolves to
- Subdomains: Any publicly discoverable subdomains
Connect the domain entity to your email entity manually if Maltego hasn't already linked them, this helps build the relationship graph between your identity and your infrastructure.
Exercise 2: Social Media & Username Enumeration
Username reuse is one of the most common OSINT goldmines. If you use the same handle across multiple platforms, Maltego can map that out and reveal the full extent of your social presence.
Step 1: Seed with Your Username
Drag an Alias entity onto the canvas and enter your most commonly used username or online handle. Run transforms to check for that alias across social media platforms, forums, and other services.
Social Links CE is also useful here as it can check for that handle across platforms including Skype (RIP), GitHub, and various social networks, and cross-reference it against its own database of indexed profiles. The Person of Interest module can also pivot from an alias to associated identities if there's enough data to correlate.
Step 2: Cross-Reference Email Accounts
For each of your email addresses on the graph, run the Social Links CE transforms and the Person of Interest transforms. This reveals which platforms each email is registered on. The results differ between your personal and professional addresses.
The overlap (or lack thereof) may tell a story.
Step 3: Expand Social Profiles
For any social media profiles Maltego discovers, right-click and run further transforms:
- Profile details: Bio, location, follower count, posting history
- Connected accounts: Other profiles linked from the discovered one
- Shared content: URLs, images, or documents shared publicly
- Mutual connections: Other people connected to the profile
Step 4: Search Engine Enumeration
Drag a Phrase entity onto the canvas with your full name (or the name associated with your accounts). Run the search engine transforms to discover:
- Public mentions of your name across the web
- Cached pages and documents mentioning you
- Forum posts, comments, or articles you've contributed to
- PDF/document metadata where your name appears as author
Exercise 3: DNS & Infrastructure Reconnaissance
This is where things get more technical, and where Maltego really shines as a visual tool. Infrastructure reconnaissance maps out the technical footprint of your domains, including the servers, IPs, hosting relationships, SSL certificates, and network topology that make up your online presence.
Step 1: Full DNS Enumeration
Start with a domain you own on the canvas (or use the one from Exercise 1). Right-click and run the DNS-specific transforms:
- DNS to MX: Reveals your mail servers
- DNS to NS: Shows your name servers
- DNS to IP: Resolves to hosting IP addresses
- DNS to SOA: Start of Authority records
- Subdomain discovery: Finds publicly known subdomains
Each result becomes a new entity on the graph. Run further transforms on the IP addresses to discover:
- Reverse DNS: Other domains hosted on the same IP
- Netblock: The network block the IP belongs to
- AS Number: The autonomous system (reveals the hosting provider)
- Geolocation: Physical location of the server
- Abuse reputation: AbuseIPDB will return a confidence score indicating whether the IP has been reported for malicious activity, along with ISP details, usage type, and country. If your own IP has been flagged (even falsely) that's worth knowing.
- Exposed services: Censys will identify what services and ports are publicly visible on your IPs, including TLS certificate details and server banners
Step 2: Certificate Transparency
SSL/TLS certificates are logged in public Certificate Transparency logs. This means every certificate ever issued for your domain is publicly discoverable, including certificates for subdomains you might have thought were private.
Run the certificate-related transforms on your domain entity. You may find that:
- Subdomains that weren't found through DNS enumeration
- Historical certificates showing previous hosting configurations
- Wildcard certificate patterns
- Alternative names (SANs) that link your domain to other services
Step 3: Technology Fingerprinting
Using the Censys transforms and the standard infrastructure transforms, you can identify:
- Web server software: Apache, Nginx, Caddy, etc.
- CMS/framework: WordPress, Ghost, Hugo, custom stack
- Analytics and tracking: Google Analytics IDs, tracking pixels
- CDN/proxy: Cloudflare, Fastly, etc.
- SSL providers: Let's Encrypt, Comodo, DigiCert
And just a quick note on Google Analytics: if you use the same Analytics tracking ID across multiple sites, that's a public link between all of those properties. Same goes for AdSense IDs, Facebook pixels, and other tracking codes.
Step 4: Using additional CLI Tools
Maltego is brilliant for visualisation and pivoting, but for deeper infrastructure reconnaissance, complement it with dedicated CLI tools. Here are the ones I use alongside Maltego:
theHarvester: Enumerates emails, subdomains, and IPs from multiple public sources:
uv run theHarvester -d yourdomain.com -b all -l 200
This pulls from search engines, DNS servers, Shodan, and other sources. Great for catching subdomains and email addresses that Maltego's CE limits might have truncated. You will need API keys for most services to work though.
dig: Quick DNS lookups to verify Maltego's findings:
# MX records
dig yourdomain.com MX +short
# All DNS records
dig yourdomain.com ANY +noall +answer
# Check specific nameservers
dig @8.8.8.8 yourdomain.com A +short
# Reverse DNS
dig -x <IP_ADDRESS> +short
whois: Full WHOIS data for your domains:
whois yourdomain.com
nmap: Port scanning your own infrastructure to check what's exposed:
# Quick scan of common ports
nmap -sV yourdomain.com
# Full TCP scan (takes longer)
nmap -sS -p- yourdomain.com
Again: Only scan infrastructure you own. Port scanning someone else's server without permission is potentially illegal in many jurisdictions.
subfinder: Passive subdomain enumeration:
subfinder -d yourdomain.com -silent
amass: Comprehensive subdomain discovery and DNS enumeration:
amass enum -passive -d yourdomain.com
You can then feed the results from these tools back into your Maltego graph manually by draging new entities onto the canvas and connecting them to the relevant parent nodes.
Analysing the Graph

Once you've run through all example exercises, you should have a fairly dense graph on your canvas. Switch between layouts (Block, Organic, Circular) and look for these patterns:
Hub Nodes
Entities with many connections are hubs, they're the central points of your digital identity. Your primary email address will almost certainly be one. If a username or a domain is a hub, that's a concentration of exposure worth paying attention to.
Unexpected Connections
Look for links between entities that you didn't expect, like an old username linked to a current social profile or a forgotten subdomain still resolving to an active IP.
Breach Clusters
If multiple email addresses appear in the same breaches, that's a password-reuse red flag. If an email appears in breaches you didn't know about, that's also immediate action item.
Infrastructure Leakage
Check whether your personal infrastructure (homelab, personal projects) is linked to your professional identity. Shared IPs, overlapping DNS records, or cross-referenced WHOIS data can connect things you'd prefer to keep separate.
Ghost Footprint
Old accounts, legacy domains, abandoned projects, cached pages, etc. are the entities at the edges of your graph. They're usually the hardest to clean up, but they're also the most likely to be overlooked in a manual review.
Taking Action
At this point you should have a pretty comprehensive view of your digital footprint and can start putting together a checklist based on common findings:
- WHOIS privacy: If your domain registrations show your personal name, address, or phone number, enable WHOIS privacy through your registrar.
- Breach response: For every breach that HIBP surfaces, change the password for that service. If you've reused that password anywhere else, change it there too. Use a password manager!
- Old accounts: Deactivate or delete accounts you no longer use.
- Username separation: Consider using different handles for personal and professional contexts. If your work username is easily linked to your gaming handle, an attacker can build a social engineering profile that crosses both contexts.
- DNS hygiene: Review your DNS records for stale entries.
- IP reputation: If AbuseIPDB flagged any of your IPs with abuse reports, investigate why. It could be a false positive, like a rotated public IP from your ISP that was already flagged or it may be an actually compromised service.
- Certificate review: Check CT logs for certificates you didn't issue. Unexpected certificates for your domain could indicate compromise or misconfiguration.
- Metadata cleanup: If you publish documents, images, or files online, strip the metadata before uploading. EXIF data in photos can contain GPS coordinates. Document metadata often includes author names, software versions, and internal file paths.