Canary tokens are customizable tracking links that let you know who clicks a link and where it is shared. Because of the way many apps retrieve URL previews for links shared in private chats, Canary tokens can even phone home when someone checks a private chat without clicking the link. Canary tokens come in several useful types and can also be used through URL shorteners.
What is a Canary token?
A Canary token is a unique link designed to detect when someone clicks, shares, or interacts with it in some way. You can think of it as a tripwire left by defenders to let them know if someone pokes around somewhere they should not be on the network. The idea is to leave tokens on your network, disguised as information that attackers are interested in, so that intruders set off tons of notifications when they start doing things they should not.
Honeypots, honeytokens and other ways of trapping attackers are not a new idea. Honeytokens use fake credentials stored in an insecure file on the network, tempting attackers to use them. A blue team watching for these fake credentials can then detect each time someone tries to use them to log in to a service on the network, indicating that an attacker has gained access.
A honeypot is a more complicated method of catching attackers: defenders create fake systems for them to attack while learning as much as possible about the attacker. Honeypots attempt to persuade an attacker to use their malware or system-exploitation tactics in a fake environment that poses no risk. When attackers give their best against a fake network, defenders can learn more about who is behind an attack and what tools criminal hackers use.
Canary tokens are so easy to use that anyone can deploy them. Depending on how you deploy them, they can detect when someone clicks on a link, opens an email, shares a file, or otherwise interacts with the tracking link.
Skype and Slack User Tracking with Canary Tokens
A unique feature of Canary tokens is that your target does not need to click the link to trigger the token. In an incident reported by Bellingcat, a penetration tester learned that his phishing server had been discovered after noticing a Skype server connecting to it. He learned that every time a link appears in certain private messengers, a link preview is created to display a thumbnail image of the web page. This means that a Skype server is actually connecting to the Canary token URL, so we get a result like the following.
During testing, I found that Slack actually triggered one each time a member of the chat connected to the channel where the Canary token was posted. When you share a link in a group chat on many different types of messengers, you can monitor whether new people are being added to the chat, even if no one clicks on the link. While quite exciting, the link generated by Canary tokens still looks suspicious.
While Slack and Skype were among the worst offenders, this trick also works in several other types of instant messaging applications.
Because a Canary token URL very obviously points to a website with information about what it is, you should disguise the link as much as possible. Techniques popular with hackers include the use of URL shorteners such as Goo.gl (which will be shut down on March 30, 2019) or Bit.ly. These services redirect from a shortened URL to a much longer one, so users can more easily share long URLs.
We can abuse them by using a URL shortener to create a less suspicious link to include in a Slack or Skype chat. If you have your own web domain, you can also have your web domain redirect to the Canary token URL, but for those who just want to give it a try, Bit.ly works just fine. In testing, I've been able to show that Canary tokens concealed behind shortened URLs work almost as well as posting the unformatted links.
Canary tokens can be used from any platform with a web browser, including Windows, macOS and Linux. You need a web browser that is able to navigate to the Canary token website to generate a link, and then a device that you want to track.
If you want to test the ability to monitor when your Canary token is shared in a messenger that is prone to creating URL previews, you can use Slack, Skype, WhatsApp, Facebook Messenger, Wire, or Apple iMessage connected to another device.
Finally, you will need an e-mail address to receive alert messages from Canary tokens. If you do not want to provide one, you can still use the web interface, but you cannot lose the link, or you will not be able to access the results.
Step 1: Create a Canary Token
On the Canary token website, you can generate a Canary token by clicking Choose Your Token and selecting the type you want to create.
The simplest link type to generate is a "Web bug / URL token" that triggers a notification when someone clicks or shares the link. This token works as a website link, but there are several other options to choose from.
A "DNS token" raises an alert when a URL is requested, regardless of whether the web page is actually loaded or not. A "Custom Image Web Bug" behaves like an image that can be loaded as part of a web page or e-mail. By adding a web bug to a public website or email, you can see when someone opens the email or website by noticing when the image is requested.
The other available Canary tokens are files that report back when opened or browsed, in the form of Word documents, PDF files, or a Windows folder. Click on "Web bug / URL token" for our first demonstration.
Then enter the e-mail address at which you would like to receive notifications. You can also skip this and simply manage the token through the web interface, but if you lose the link, it's very difficult to interact with the Canary tokens that you create.
While this obscured the browser type I used, the Canary token can still see my IP address and roughly where I am. To take things to the next level, we can try to hide from the Canary token using a VPN. In this example, I've used a VPN and a Chrome extension to more effectively hide the system I'm using and my location. The Canary token says I'm a Yahoo spider from Hälsingborg, Sweden.
While other information can still be leaked, there are tools that help you avoid being identified by a Canary token.
Step 4: Use URL shortening
Another way to use a Canary token is to shorten it with a URL shortener. You can use services like Bit.ly or Goo.gl to hide the actual URL. In most cases, the behavior of the link does not change when you use it in a chat. To do this, you can use the Google URL Shortener or Bitly to shorten the link. As mentioned earlier, the Google URL shortener service will be shut down on March 30, 2019.
After adding your Canary token link to Bit.ly, you can use the shortened link in the same way you would use the original. This shortened link is often less suspicious than the super-long Canary token URL.
An interesting feature of Canary tokens is that they alert you when someone is checking a private chat. Every time someone logs in to a service like Slack, Slack helpfully generates a URL preview. That is, if you put a Canary token in a Slack channel, you can receive real-time updates when someone opens the chat even if they do not click the link.
This behavior also often works through URL shortening.
The Canary token administration portal should display hits from Slack or Skype attempting to preview the URL if you posted the raw link, or to expand the link if you posted a shortened version.
You may find that this behavior works on Slack, Skype, WhatsApp, Facebook Messenger, Wire, or iMessage. A click on the link gives you much more information about a target. However, if you put a link in a private chat, you can still see when someone has seen or discussed the link.
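One way to separate link-preview fetches from real clicks when reviewing token hits, as an added example that is not part of the original tutorial. The hit field names and the sample records are constructed for illustration, and the User-Agent is self-reported by the client (the tutorial's own test posed as a Yahoo spider), so treat the result as a hint.

```python
# Added example: triage canary-token hits into link-preview fetches vs. real clients.
# Field names ("time", "src_ip", "useragent") are assumptions for this sketch,
# not the alert format of any particular canary token service.
from collections import Counter

# Substrings that messenger link-preview fetchers put in their User-Agent.
PREVIEW_MARKERS = {
    "slackbot-linkexpanding": "Slack",
    "skypeuripreview": "Skype",
    "whatsapp/": "WhatsApp",
    "facebookexternalhit": "Facebook",
}

def classify_hit(useragent):
    """Return ("preview", service) or ("client", None) for one User-Agent."""
    ua = (useragent or "").lower()
    for marker, service in PREVIEW_MARKERS.items():
        if marker in ua:
            return "preview", service
    return "client", None

def triage(hits):
    """Split hits into preview counts per service and a list of client hits."""
    previews = Counter()
    clients = []
    for hit in hits:
        kind, service = classify_hit(hit.get("useragent"))
        if kind == "preview":
            previews[service] += 1
        else:
            clients.append(hit)
    return previews, clients

# Constructed sample hits (documentation IP ranges, made-up timestamps).
SAMPLE_HITS = [
    {"time": "2019-01-10T09:00:01Z", "src_ip": "192.0.2.10",
     "useragent": "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"},
    {"time": "2019-01-10T09:05:42Z", "src_ip": "192.0.2.10",
     "useragent": "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"},
    {"time": "2019-01-10T09:07:13Z", "src_ip": "198.51.100.7",
     "useragent": "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"},
    {"time": "2019-01-10T09:30:00Z", "src_ip": "203.0.113.55",
     "useragent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36"},
]

if __name__ == "__main__":
    previews, clients = triage(SAMPLE_HITS)
    print(dict(previews), [h["src_ip"] for h in clients])
```

Repeated preview hits from the same service mark chat activity, while a hit classified as a client is the one worth investigating as an actual click.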
While we have explored the web bug Canary token, there are a number of other useful tokens that we can try. To see how they work, let's try the token for PDF files.
Navigate to the Canary token website and create an "Adobe Reader PDF document". Enter your e-mail address and a note to remind you what the token is and download the PDF.
There are some good recommendations for using this token on the website, but in this case we will take a look at how the Canary token can bypass a user's choice to block it from phoning home.
On a macOS system, opening the PDF file in Adobe causes the following warning. To play the part of the affected target, I clicked "Block" to prevent the Canary token from recognizing that I opened the PDF file.
Unfortunately, it does not matter that I asked Adobe to "block" the site, because it had already connected! Adobe pinged the Canary token server before showing the alert, which means that it really does not matter that we clicked "Block". The attacker can still recognize that I have opened the document despite my efforts to prevent it.
There are a number of creative ways to use these tokens to recognize user actions; this is just the beginning!
If you want to get creative with Canary tokens, there is no limit to the ways in which you can embed them. A common suggestion is to have a startup script request the URL when a user logs in, notifying you each time a computer is accessed, along with the IP address of the network to which it is connected.
While it is possible to hide from these tracking techniques, this can be difficult. This makes Canary tokens a flexible and easy-to-deploy link-tracking solution. If this type of tracking concerns you, you should know that advertisers and other online businesses routinely use these and more sophisticated tactics to track customers. If you have questions about this Canary token tutorial or have a comment, feel free to ask below or reach me on Twitter @KodyKinzie.