Telegram Maltego — a free set of Transforms for Maltego that enables OSINT investigations in the Telegram messenger.
Initially designed solely to simplify de-anonymization through stickers/emojis, it has since expanded far beyond its original functionality, allowing for more advanced investigations.
Features:
- Getting a Telegram profile by phone number
- Getting the group linked to a Telegram channel
- Getting the list of administrators of a Telegram group
- Getting the list of authors of a Telegram channel
- Collecting all forwarded-from and similar channels for a channel
- Searching for deleted posts and generating links to view them
- Indexing all stickers/emoji used in a Telegram channel
- Identifying the creator of a sticker/emoji set
Currently, there are over 10 available Transforms. A full list can be found in the directory of the same name, as well as in the Maltego program when you import them.
Here’s how some of these Transforms work.
Each Telegram user has their own UID.
Each sticker set that a user creates has that UID hidden inside its ID.
To reveal it, my Transform executes the following algorithm:
- Make an API request to get information about the sticker set
- Take the value of the "ID" key from the response
- Shift that value 32 bits to the right
The resulting UID can be exchanged for a familiar login using the @tgdb_bot bot, and thus reveal the user's profile.
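The extraction step above, as an added example that is not part of this repository's code. It parses a constructed sticker-set record (the real API response shape is not reproduced here; only the "id" key matters), normalises the ID to an unsigned 64-bit value, and reads the creator UID out of the high 32 bits. The masking is an assumption on my part: Telegram longs are signed 64-bit, and client libraries may surface them as negative ints or as decimal strings, so the value is normalised before shifting.

```python
import json

# Constructed sample record: a UID of 1431655765 placed in the high 32 bits,
# with an arbitrary low half. Not a real capture.
SAMPLE_UID = 1431655765
SAMPLE_RESPONSE = json.dumps({
    "id": (SAMPLE_UID << 32) | 7,
    "title": "example pack",
    "short_name": "example_pack",
})

MASK_64 = 0xFFFFFFFFFFFFFFFF


def to_unsigned_64(value):
    """Normalise an API 'id' to an unsigned 64-bit integer.

    Accepts ints (possibly negative, if the client exposes the signed long
    as-is) and decimal strings. Masking keeps the high 32 bits intact either
    way; assumption: the id really is a 64-bit long.
    """
    return int(value) & MASK_64


def creator_uid(sticker_set_id):
    """Return the creator UID stored in the high 32 bits of a sticker-set ID."""
    return to_unsigned_64(sticker_set_id) >> 32


def uid_from_response(raw_json):
    """Parse a JSON sticker-set record and extract the creator UID."""
    record = json.loads(raw_json)
    return creator_uid(record["id"])


if __name__ == "__main__":
    # Demonstrates the leak: creating a sticker set exposes the creator's UID.
    print("creator UID:", uid_from_response(SAMPLE_RESPONSE))
```

The practical takeaway for an account owner is that publishing a sticker or emoji set ties the set to the account's numeric UID, regardless of any username or privacy settings.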
The author of a channel who did not leave any contacts can be de-anonymized. To do this, you need to scan their channel and find the sticker packs they have ever created. My Transform for Maltego does this automatically.
Find out more: What's wrong with stickers in Telegram? Deanonymize anonymous channels in two clicks
Telegram has a built-in function to search for channels whose audience overlaps with the current one.
Maltego makes the search more convenient by visualizing the results.
Administrators can forward their own messages and those of other users to their channel.
If a user has changed their privacy settings and removed the link to their account (Forwarded Messages = Nobody), this will only apply to forwarding their new messages.
Old forwarded messages will still link to their real profile.
In Telegram, each post has a unique numeric ID, which increases with each new post. The first post in a channel has ID 1, the second post has ID 2, and so on. If there are gaps between post numbers, it means that some posts have been deleted.
There are services that index Telegram content. Even if a post has been deleted from Telegram, it may still be stored in these services.
This Transform helps you find deleted posts and creates links to view them in the archives.
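The gap-detection logic described above, as an added example rather than the repository's own Transform code. Given the post IDs observed in a channel (a constructed sample here), it lists every ID between 1 and the highest observed ID that was never seen, collapses them into ranges for readability, and builds view links. The archive URL template is a placeholder, since the indexing services the Transform queries are not named on this page; the `t.me/<channel>/<id>` form is Telegram's public post link. Note that a gap only tells you a post is no longer visible at that ID; whether an archive still holds it has to be checked by following the link.

```python
# Constructed sample: IDs seen when scanning a public channel. Unordered and
# with a duplicate on purpose, to show both are tolerated.
OBSERVED_IDS = [10, 1, 2, 3, 7, 8, 10]
CHANNEL = "example_channel"  # placeholder channel name

# Placeholder archive template; replace with the indexing service you use.
ARCHIVE_TEMPLATE = "https://archive.example/{channel}/{post_id}"


def find_deleted_post_ids(observed_ids, first_id=1):
    """Return post IDs missing from the observed sequence.

    Channel post IDs are assigned sequentially starting at 1, so any ID between
    first_id and the highest observed ID that was not seen marks a deleted post.
    An empty observation yields no gaps.
    """
    seen = set(observed_ids)
    if not seen:
        return []
    highest = max(seen)
    return [pid for pid in range(first_id, highest + 1) if pid not in seen]


def gap_ranges(missing_ids):
    """Collapse sorted missing IDs into (start, end) runs, e.g. [4,5,6,9] -> [(4,6),(9,9)]."""
    ranges = []
    for pid in missing_ids:
        if ranges and ranges[-1][1] == pid - 1:
            ranges[-1] = (ranges[-1][0], pid)
        else:
            ranges.append((pid, pid))
    return ranges


def view_links(channel, missing_ids, archive_template=ARCHIVE_TEMPLATE):
    """Build (original post URL, archive URL) pairs for each missing post."""
    return [
        (f"https://t.me/{channel}/{pid}",
         archive_template.format(channel=channel, post_id=pid))
        for pid in missing_ids
    ]


if __name__ == "__main__":
    missing = find_deleted_post_ids(OBSERVED_IDS)
    print("missing IDs:", missing)
    print("as ranges:", gap_ranges(missing))
    for original, archived in view_links(CHANNEL, missing):
        print(original, "->", archived)
```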
Installation:
- Clone the repository: `git clone https://github.com/vognik/maltego-telegram`
- Install dependencies: `pip install -r requirements.txt`
- Specify secrets in `config.ini`:
  - `api_id` and `api_hash`: guide https://core.telegram.org/api/obtaining_api_id
  - `bot_token`: guide https://core.telegram.org/bots/tutorial#obtain-your-bot-token
- Log in to Telegram: `python login.py`
- Generate the Transforms import file: `python project.py`
- Import the `entities.mtz` and `telegram.mtz` files using Import Config in Maltego
- Check that they work: new Entities and Transforms should appear in Maltego
Drag and drop an entity from the Entity Palette, right-click it and select the desired Transform.