Skip to content

XposedOrNot/XposedOrNot-Maltego

Repository files navigation

XposedOrNot Transforms for Maltego

Investigate the data-breach exposure of email addresses directly on a Maltego graph, powered by the free, keyless XposedOrNot API (760+ breaches).

No API key. No registration. An optional commercial key raises rate limits.

Transforms

Transform Input Output What it does
Email to Breaches maltego.EmailAddress xon.Breach One entity per breach, fully styled (see legend) with records, dates, exposed data classes, password-storage risk
Email to Exposure Summary maltego.EmailAddress xon.ExposureSummary Overall risk score, totals, first/latest exposure, password-strength breakdown and a year-by-year timeline in the notes
Breach to Exposed Data xon.Breach xon.DataClass Pivot a breach into the data classes it leaked — zero API calls (reads the entity's properties)

Reading the graph (visual legend)

  • Link color = password-storage risk: 🔴 plaintext · 🟠 easy-to-crack · 🟢 strong hash · ⚪ unknown
  • Link thickness = breach scale (≥1M records thicker, ≥100M thickest); link label = breach year
  • Entity weight = log-scaled records exposed, so mega-breaches rank first in list views
  • Bookmark color mirrors the risk; a "plaintext passwords" text overlay flags the worst offenders
  • Detail view (double-click) carries the full dossier table; notes carry the breach description
  • Breach entities use the breached site's logo as icon where available

Install — Option A: local transforms (5 minutes, keyless)

Runs on your machine; API calls originate from your IP, so the free keyless limits (2 req/s, 25/hour) are yours alone.

git clone https://github.com/XposedOrNot/XposedOrNot-Maltego.git
cd XposedOrNot-Maltego
python3 -m pip install -r requirements.txt

Then in Maltego: Import | Export → Import Config, and import — in this order:

  1. dist/xon-entities.mtz — the XposedOrNot entity types and icons
  2. dist/xon-local-transforms.mtz — the three transforms (they invoke python3 project.py in this folder; re-generate with python3 tools/build_mtz.py if you cloned to a non-default path and the transform working directory needs fixing)

Right-click any Email Address entity → Run Transform → Email to Breaches [XposedOrNot].

Optional API key in local mode: export XON_API_KEY=... in the environment Maltego is launched from.

Install — Option B: hosted TRX server (for teams / iTDS)

docker compose up -d    # serves the TRX API on :8080

Point your Maltego iTDS at https://<your-host>/run/<transform-name> for the three transform names (python3 project.py list prints them), or import via your TDS management console using the generated transforms.csv / settings.csv. The optional API key is exposed as a transform setting (api_key) for TDS deployments, or the XON_API_KEY environment variable server-side.

Note: on a shared server, all users egress from one IP — configure a server-side API key rather than relying on keyless per-IP limits.

Rate limits

Keyless community API: 2 requests/second, 25/hour, 100/day per IP — comfortable for casework, tight for bulk runs. On a 429 the transform retries once when the API's Retry-After fits Maltego's time budget, otherwise it returns a clear slow-down message. A commercial key from console.xposedornot.com raises the limits.

Privacy & data handling

The queried email address is sent over TLS to xposedornot.com — nothing else. Email addresses are never written to logs (masked forms only, e.g. t***@example.com). Breach exposure tied to an email address is personal information: use it only within lawful, authorised investigations. Privacy policy: https://xposedornot.com/privacy.

Development

python3 -m pytest tests/            # unit + XML-injection fuzz tests
python3 project.py local xonemailtobreaches test@example.com   # live run
python3 project.py runserver        # dev TRX server
python3 tools/build_mtz.py          # rebuild dist/*.mtz

Troubleshooting

  • "No exposed-data information on this entity" — run Email to Breaches first; it attaches the data classes each xon.Breach entity carries.
  • Rate-limit message — wait a minute (keyless: 25/hour/IP) or configure the key.
  • Transforms missing after import — import xon-entities.mtz before xon-local-transforms.mtz, and check the transform's working directory points at your clone.

Links

About

Official Maltego transforms for the XposedOrNot API - Investigate email breach exposure on the graph, no API key required

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors