Telegram OSINT VM Part 2

Telegram OSINT VM Part 2

Thank you for returning to read part two of my Telegram OSINT VM, in this second blog I am going to walk through the resources I use to research Telegram.

If you didn’t catch Part 1, you can find it here: –

https://www.cqcore.uk/telegram-osint-vm-part-1/

As with Part 1, you do not have to copy everything from this blog for your VM. I would always advise, assess what you need and what you are comfortable working with.

I will start by listing what I use as my base: –

Telegram Web

Telegram Desktop

Geogramint https://github.com/Alb-310/Geogramint

Telepathy https://github.com/jordanwildon/Telepathy

Telegram Tracker https://github.com/estebanpdl/telegram-tracker

I will talk through and illustrate the installation of the above. I will then move on to the other resources that I install and these in the whole will be bookmarks and useful links.

We will start with the installation of Telegram Web and desktop. Open your Telegram container, where we can save the Telegram Web bookmark. Once you have the below screen, Fig 2.1, right click and you will be presented with Fig 2.2, this is where you can save Telegram Web to your Telegram Container.

https://web.telegram.org/k/

Fig 2.1

Fig 2.2

You can now save Telegram Web as a bookmark in your bookmark menu. The first time you open the Telegram bookmark you will be asked to confirm that you want to use the Telegram container from now on to open Telegram Web.

Now it’s time to download Telegram Desktop, navigate your way to https://desktop.telegram.org/ where you can download the application. The default option will be for Linux x64. Once downloaded you can extract the files and run the program and you will then be presented with the below, Fig 2.3 .

Fig 2.3

You maybe asking yourself why do I need both Telegram Web and Desktop? Well, they both do things different, offer flexibility and resilience. You do not have to use both at the same time.

Now we are in a position to log into our Telegram sock account as we will need an API key for the other resources I mentioned earlier.

Once logged in, lets look at some settings that will be beneficial to our OPSEC and security,

In Data & Storage, disable Auto-Download Media, Fig 2.4: –

Fig 2.4

Then we can look at the Privacy settings, Fig 2.5. You will see that I have set the profile picture to everybody. This is due to Geogramint requiring you to have your profile pictures on view. You can disable this when you are not using Geogramint. Only premium users can disable voice or video messages.

Fig 2.5.

Annoyingly the settings from Telegram Web do not carry over to Telegram Desktop, in relation to the automatic media downloads.

In Advanced settings, I enable, ‘Ask download path for each file’

In each of the Private Chats, Groups, Channel, I disable. ‘Automatically download, videos & file,’ Fig 2.6.

Fig 2.6

If you are using a mobile, I would also disable the People Nearby option. You will find it by navigating to Contacts – Find People Nearby. I would like see to Find People Nearby come to the Web and Desktop app, so I could use a location spoofing extension, however this is why we have Geogramint.

The above settings will really depend on the nature of your deployment. Experience has shown me that files can be automatically downloaded in the background to your device, without you knowing,  just take the added precaution of choosing what I want to view. I like to have a look at the channel or group first.

I will walk you through how to obtain your API-id and API-hash. You need to log-in to your Telegram account on Telegram Web, you then need to navigate to the API development tools at the following URL:

https://my.telegram.org/auth?to=apps

Then you will need to enter the number that you used to sign up to Telegram, Fig 2.7. You will  then be sent a confirmation code to your Telegram account. You need this code to access the, ‘Your Telegram Core,’ where you will select the API development tools option.

Fig 2.7

You will be taken to the following screen, Fig 2.8.

Fig 2.8

 

In the default fields, typing, ‘Anything” should enable you to obtain your API. You will be taken to the next page where you will obtain your API-id & API-Hash.

This short video is a good tutorial on how to obtain your API-id & API-Hash.

https://www.youtube.com/watch?v=8naENmP3rg4

Once you have your API-id & API-Hash, keep it safe in your password manager.
You may have gathered that there is an OPSEC issue in how we have obfuscated our Ubuntu setup earlier. We have to use a mobile number that is not necessarily from the same country as we set our VM to, not only that the next step requires you to use an IP address for the country of the number too, otherwise Telegram will not provide you with your API key and Hash.

If you have no intention of using the cmd line tools then you do not need to concern yourself with obtaining the API key and Hash. Alternatively like I have done in the past, obtain a SIM from your obfuscation country. It all depends on what our deployment entails and the risks involved.

With OSINT, there is always a balance to be had between, OPSEC, Privacy and usability versus reward. We can lock ourselves down but this will affect our ability to carry out OSINT.

Before moving on to installing the cmd line tools I am going to create two more bookmarks.

I am going to create a custom bookmarklet that has been created by @Webbreacher based on a blog by @hatless1der. I have included a link to the blog below so that you can read up on how this bookmarklet works.

Copy the text below, go into your browser bookmarks, create a new bookmark, and paste the text where you would normally put the URL for a bookmark and save. Give it a name you will remember, i’ll call mine Bookmarklet: –

javascript:(function()%7Bvar a %3D document.getElementsByClassName(‘tgme_page_description’)%5B0%5D%3B alert(a.innerText)%7D)()

The link to @hatless1der blog is here: –

https://hatless1der.com/telegram-osint-basics-5-tips-anyone-can-do-right-now/

I am now going to add my own GitHub repo bookmark where I have collected my Telegram OSINT toolkit. You now have access to my GitHub repo where you can access the numerous, blogs, bots, CSE, extensions, resources and videos, to help you with your research of Telegram. Feel free to add your resources toolkit of choice, @Cyb_Detective has a good GitHub repo too. I will allocate my GitHub repo to a container.

https://github.com/cqcore/Telegram-OSINT

It is a good idea to add a Yandex bookmark too. I add the following in a bookmark folder, called Yandex: –

https://yandex.com/

https://translate.yandex.com/ocr

https://translate.yandex.com/

At the same time I am going to allocate them a container named Yandex, Fig 2.9

 

Fig 2.9

*I said earlier, I add extensions as I go, you have the option here to add a ‘Translate’ extension. In Firefox’s Add-Ons there are couple of recommended ‘Google Translate’ extensions. Firefox has its own Translate extension, however it is limited in the languages available to translate.

*Next I am going to a create a bookmark folder for the following website resources: –

https://tgdev.io/tme/

https://lyzem.com/

https://telegramchannels.me/

https://telegcrack.com/

https://telemetr.io/en/channels

https://tgstat.com/

https://tlgrm.eu/channels

*As with everything related to the internet ensure that you are happy with the resources you use. Ensure that you are using the appropriate OPSEC for your deployment.

Now is the time to download from GitHub our cmd line tools. We have created the cqcore GitHub container and we can use the same container to install the cmd line tools we are going use. You will find tutorials on my GitHub Telegram Repository on how to use the below tools. As I go, I create text documents on my VM for each tool, which contains the installation instructions and also the commands for its deployment.

Geogramint https://github.com/Alb-310/Geogramint

Telepathy https://github.com/jordanwildon/Telepathy

Telegram Tracker https://github.com/estebanpdl/telegram-tracker

First we will start with Geogrmint: –

git clone https://github.com/Alb-310/Geogramint.git

(If you don’t have git – sudo apt install git)

cd Geogramint

pip3 install -r requirements.txt

(If you don’t have pip3 – sudo apt install python3-pip)

python3 geogramint.py

This will then launch the GUI. In the bottom left corner is the settings cog, click this and the below image will be launched, where you can input your Telegram API-id, API-Hash and telephone number, Fig 3.0.

Ensure you have the + and your country code, minus the first 0, +44(number here) format.

Fig 3.0

Next is Telepathy: –

pip3 install telepathy

cd telepathy

When you first run Telepathy you will be asked to enter your, API-id, API-Hash & phone number.

We will use a default cmd, the target is one of the inventors of Telegram, Fig 3.1.

Fig 3.1

You will enter your API-Id then,

Next is your API-Hash,

Then you will enter your telephone number. Ensure you have the + and your country code, minus the first 0, +44(number here) format.

You will receive a code to your Telegram account, once that is input into the terminal you will then enter your password, and you are away.

A basic cmd as a test would be – telepathy -t CHANNEL NAME

Next we can install Telegram Tracker: –

*To use this tool, you need to be aware that Telegram Tracker will not work if you have 2FA enabled. the first time you run it.*

git clone https://github.com/estebanpdl/telegram-api.git

Then download the ZIP file from GitHub, Fig 3.2, and unpack the file telegram-tracker.zip to your preferred location.

 

Fig 3.2

cd telegram-tracker-main

*pip3 install -r requirements.txt

Go to the telegram-tracker-main and complete the config file with the below

[Telegram API credentials]

api_id = (Your api_id here)

api_hash = (Your api_hash here)

phone = (Your phone number here)

Note: Your phone must be included to authenticate for the first time. Ensure you have the + and your country code, minus the first 0, +44(number here) format, for example. Telegram API will send you a code via Telegram app that you will need to include.

A basic cmd: –

*python3 main.py –telegram-channel channelname

*If you used pip and not pip3 the cmd would be python main.py –telegram-channel CHANNELNAME

When I have finished the above I add the GitHub tools to a bookmark folder for easy access. I also create txt notes with how to use each tool, Fig 3.3.

Fig 3.3

A quick point on Telegram Bots, you can use Bots not just for searching Telegram but also for your other OSINT deployments too. Telegram has lots of available data to search, such as usernames, email addresses, phone numbers etc, so it is quite a useful tool as an OSINT resource.

I use the Bot URL’s from my GitHub page to create a Bots, bookmark folder.

My bookmark bar now looks like this, Fig 3.4.

Fig 3.4

That brings me to the end of Part 2. There will be a part 3, this was not intended however I felt I need to expalin in more detail how I manage my VMs and also the risks involved in using a Windows host. Anyway, any self-respecting Hollywood blockbuster comes as a trilogy, so why not.

 

Investigative Mindset

(First Published June 2020)

Now, for those of you who follow me on Twitter, you may have gathered that I am not the most technical skilled OSINTer. Maybe the result of a misspent youth (and some more years after too). The truth is though, do I have to be? probably not. There is an abundance of non-technical ways we can conduct our OSINT research. It is something however that I find interesting and a challenge though.

Certainly, just as important and maybe more so is having an investigative mindset when conducting our research. We sometimes, I think underestimate the importance of what a Researcher is able to achieve.

The Cambridge dictionary definition of a Researcher: – “Someone who studies a subject, especially in order to discover new information or reach a new understanding:”

The definition of an Investigator: – “A person whose job is to examine a crime, problem, statement, etc. in order to discover the truth:”

Now let’s put the crime aspect of the second definition to one side and incorporate the rest of the wording into the definition of a Researcher and we are now getting close to what an OSINT researcher is.

If you have had the pleasure of reading the excellent blogs by @nixintel, @Sector035 & @MwOsint you will see the above in action.

I regularly hear Researchers being asked, “Can you just do some quick research on….” So, the opening gambit here is setting the tone of how this research will maybe conducted. Is there any such thing as quick research, yes there is, in certain circumstance. What strikes me though is that we are already hardcoding into the Researcher’s mindset the word, “Quick.” At this stage I would be asking more questions of the person tasking me then they would probably be comfortable with. Once you start asking, “What are your aims and objectives?” You can see people become visibly confused at the question. Their aims and objectives are going to influence your methodology on how you conduct your research. Then there are time parameters too to consider, certainly, “Quick”, is not necessarily going to achieve complicated or exhaustive aims and objectives.

At this stage I would like to take the opportunity to share with you my experience as an investigator prior to taking up OSINT about 18 months ago. If I am being honest, I would say that there is far more to learn about OSINT than there is as an investigator. As an investigator you have a large support network of specialists. As a researcher you are that support specialist. In the investigation world we talk of strategies, in OSINT it’s methodology.

Researcher, Investigator, Strategy and Investigative Mindset are easily interchangeable.

The first thing I do when I am tasked to do OSINT, is once I know what the aims and objectives are is to have a brain storm and write down everything that I initially think will assist me in carrying out my research, my strategy, my methodology. Now you may not need to utilise all these ideas but I have found that when I am mentally engaged with my work I don’t always have that freshness of thought to think of new ideas. Plus, the reason I write it down is because experience has taught me I will forget some of them. Also consider including it on any report that you produce too. In my opinion it looks more professional to have had a plan than just to have churned out the results of your research. Think of the long game, will you ever have to present your work, will you remember what your methodology was, when asked.

Once I have my initial thoughts wrote down, I then start to prioritise them. The way you prioritise will differ from project to project. It’s difficult to give an exhaustive list in a short blog but I tend to look at what I am likely to lose if I do not act on something. Or I may decide, what are easy wins that are likely to harvest me the most material to pivot off.

I am definitely someone who performs better with experience, other people are far more dynamic and free flowing (Damn them). So its important to also work how your mind works and set out your methodology accordingly. Don’t be scared to be different. The most important thing is getting the result, how we get there is sometimes personal preference.

If the only information you have to start your investigation is say an email address, this is when you need to plan how you are going to investigate it.

The way my mind works is I have to have order and structure. As I have been learning OSINT I have set out different investigative methodologies, a plan, investigating emails is one. If you haven’t seen @sinwndie flow charts check them out. Also take a look at @jnordine osintframework.com to see how his OSINT resources flow. It maybe that neither of these work for you but they can both be adapted, so you have your own methodology flowcharts. Shooting from the hip in my experience is not the way forward especially when you have time to plan and prepare your research.

I see Researcher’s flying off to create sock accounts for Facebook and Twitter once they are tasked. Do you even need a sock account in the early stages of the research process to interrogate Facebook or Twitter? Can you even find or know how to find an email address on either platform? No thought has gone into an investigative strategy or methodology. I personal do not create any sock accounts until I have exhausted other avenues of leveraging a site. Yes, there are times when will you be presented with information that the subject of your research is on a particular platform or there is no other way to leverage the site but that is all part of your methodology. Creating sock accounts is no easy feat and can be time consuming, time you may not have.

One important factor of research is knowing when you have exhausted a line of inquiry. To much time can be spent down the rabbit hole before you realise that actually you are not achieving the results you want. Time constraints may dictate this to you but you should always stop and assess. This is where the list of priorities you wrote down at the beginning also comes in to play. You may decide that actually it is time to move onto a new line of research.

You need to constantly evaluate, understand what it is you have found, test the reliability of the material, parallel source it. Don’t just accept that what you have found is correct and accurate.

Confirmation bias is another area of the investigative mindset that may have adverse affects on your research. Only seeing what you want to see and ignoring everything else that points away from what you believe. So the above example of knowing when a line of enquiry has ended. Your confirmation bias may blind you to the fact that what you are doing is fruitless, you are ignoring information / material that tells you this is the case. Have an open mind.

I hear the word, “Tenacity,” a lot in OSINT, it is something I have heard far more in the world of OSINT than before.

One definition of Tenacity: – “Extremely persistent in adhering to or doing something; stubborn or relentless”

What more can I say! When you have that gut feeling something is there or that you are missing something then tenacity is what you need. Successful Investigators and researchers have tenacity in abundance. Strongly associated with tenacity, is personal pride and enthusiasm in your work which will also be a major contributor to your success.

Sometimes you have to stop and take stock especially on complex research. Evaluate your research, do you need to look back and alter your methodology accordingly. Have you achieved your aims and objectives? Recharge your batteries, step back, take a break and refresh.

In fairness I could write a book on this subject, this is only a brief insight into my experience of the investigative mindset. The important message is finding out how your mind works, how you work and then build your methodology accordingly. Have a plan, understand what it is you are doing!