Skip to content

vognik/maltego-telegram

Repository files navigation

Maltego Telegram

preview.png

Telegram Maltego — a free set of Transforms for Maltego that enables OSINT investigations in the Telegram messenger.

Initially designed solely to simplify de-anonymization through stickers/emojis, it has since expanded far beyond its original functionality, allowing for more advanced investigations.

Features:

  • Getting Telegram profile by phone number
  • Getting a linked Telegram channel group
  • Getting a list of Telegram group administrators
  • Getting a list of authors of a Telegram channel
  • Collect all forwarded & similar channels by Channel
  • Search for deleted posts and generate links to view them
  • Indexing of all stickers/emoji in Telegram channel
  • Identification of the creator of a set of stickers/emoji

How it works

Currently, there are over 10 available Transforms. A full list can be found in the directory of the same name, as well as in the Maltego program when you import them.

Here’s how some of these Transforms work.

Stickers and their creators

stickers.png

Each Telegram user has their own UID.

Each sticker set that a user creates has its ID hidden in it.

To reveal it, my Transform executes the following algorithm:

  1. Make an API request to get information about the sticker set
  2. Take the value of the "ID" key from the response
  3. Perform a binary shift by 32 to the right.

The resulting UID can be exchanged for a familiar login using the @tgdb_bot bot, and thus reveal the user's profile.

The author of a channel who did not leave contacts can be de-anonymized. To do this, you need to scan his channel and find the sticker packs that he has ever created. My Transform for Maltego does this automatically.

Find out more: What's wrong with stickers in Telegram? Deanonymize anonymous channels in two clicks

Similar channels

similar.png

Telegram has a built-in function to search for channels whose audience overlaps with the current one.

Maltego makes the search more convenient by visualizing the results.

Profiles that may be associated with the channel

forwarded.png

Administrators can forward their own messages and other users to their channel.

If a user has changed their privacy settings and removed the link to their account (Forwarded Messages = Nobody), this will only apply to forwarding their new messages.

Old forwarded messages will still link to their real profile.

Deleted posts and their content

deleted.png

In Telegram, each post has a unique numeric ID, which increases with each new post. The first post in a channel has ID 1, the second post has ID 2, and so on. If there are gaps between post numbers, it means that some posts have been deleted.

There are services that index Telegram content. Even if a post has been deleted from Telegram, it may still be stored in these services.

This Transform helps you find deleted posts and creates links to view them in the archives.

Installation

  1. Clone the repository
git clone https://github.com/vognik/maltego-telegram
  1. Install dependencies
pip install -r requirements.txt
  1. Specify secrets in config.ini:
  1. Log in to Telegram
python login.py
  1. Generate Transforms Import File
python project.py
  1. Import entities.mtz and telegram.mtz files using Import Config in Maltego
  2. Check if they work: new Entities and Transforms should appear in Maltego

imports.png

Usage

Drag and drop an entity from the Entity Pallete, right-click and select the desired Transform.

1118.1.1.mp4