thinkst / canarytokens


Canarytokens helps track activity and actions on your network.

Home Page: http://canarytokens.org

License: Other

Python 61.16% HTML 29.63% CSS 4.37% JavaScript 0.30% HCL 1.82% Dockerfile 0.18% Shell 2.43% Makefile 0.10%

canarytokens's People

Contributors

azh-r, benjamin-thinkst, danielle-thinkst, dependabot[bot], emmanuel-thinkst, github-actions[bot], gjcthinkst, jayjb, jtagcat, keagan-thinkst, mamisano, mclmax, mickeythinkster, mosslilley, nickrohrbs, obsti8383, quinn-thinkst, ranok, shortstack, singe, stavares843, thinkst-az, thinkst-devdua, thinkst-francois, thinkst-marco, thinkst-nick, thinkst-pieter, thinkstpaul, wleightond, ycparak


canarytokens's Issues

No alert email received when opening pdf

Hi,
I am in China and now working on docker-based canarytokens. I can't receive any alert emails when I open the downloaded pdf file. But it worked when I ran a test on canarytokens.org.
I tried to make sure everything is set as instructed in the readme of this repo, such as two domain names 111.abc and 222.abc, both pointing to a public IP, which is the IP of the docker host. However, it turned out that pdf tokens don't work.

AWS tokens

Hi,

Attempting to use the AWS keys

I have canarytokens running in Docker on Ubuntu 16.04, sitting behind an ELB, 443/HTTPS pointing to 80/HTTP/nginx.

All of the other tokens I've tried are working fine.

[default]
aws_access_key_id = $GENERATEDACCESSKEYID
aws_secret_access_key = $GENERATEDACCESSKEY
region = us-east-2
output = json

I put the above in ~/.aws/credentials

Ran aws configure, picked it up no problem

Ran the following:

aws iam create-user --user-name TestMePlease
aws s3 ls
aws ec2 describe-instances

And probably a few others, have waited about an hour, no alert and nothing in the logs on my end.

I know this piece is hosted on your lambda. I tried the version on canarytokens.org and got an alert about 20 minutes later (which you mentioned on your blog).

Wondering where the disconnect is. Thank you.

imgur token followed by PDF generation

If you generate an imgur token, then click on the "Acrobat PDF" link, it throws an exception.

As it appears in browser:

web.Server Traceback (most recent call last):
exceptions.TypeError: string indices must be integers, not str
/usr/local/lib/python2.7/site-packages/twisted/web/server.py:189 in process
188                    self._encoder = encoder
189            self.render(resrc)
190        except:
/usr/local/lib/python2.7/site-packages/twisted/web/server.py:238 in render
237        try:
238            body = resrc.render(self)
239        except UnsupportedMethod as e:
/usr/local/lib/python2.7/site-packages/twisted/web/resource.py:250 in render
249            raise UnsupportedMethod(allowedMethods)
250        return m(request)
251
/srv/httpd_site.py:173 in render_GET
172
173        canarydrop = Canarydrop(**get_canarydrop(canarytoken=token))
174        if not canarydrop:
/srv/canarydrop.py:41 in __init__
40
41        if 'imgur_token' in self._drop and not self._drop['imgur_token']['id']:
42            raise Exception('Missing imgur_token from Canarydrop')
exceptions.TypeError: string indices must be integers, not str

As it appears in docker container:

frontend       | 2016-05-13 03:31:52+0000 [HTTPChannel,18,172.17.0.5] Unhandled Error
frontend       |        Traceback (most recent call last):
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/protocols/basic.py, line 571, in dataReceived
frontend       |            why = self.lineReceived(line)
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/web/http.py, line 1676, in lineReceived
frontend       |            self.allContentReceived()
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/web/http.py, line 1755, in allContentReceived
frontend       |            req.requestReceived(command, path, version)
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/web/http.py, line 823, in requestReceived
frontend       |            self.process()
frontend       |        --- <exception caught here> ---
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/web/server.py, line 189, in process
frontend       |            self.render(resrc)
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/web/server.py, line 238, in render
frontend       |            body = resrc.render(self)
frontend       |          File /usr/local/lib/python2.7/site-packages/twisted/web/resource.py, line 250, in render
frontend       |            return m(request)
frontend       |          File /srv/httpd_site.py, line 173, in render_GET
frontend       |            canarydrop = Canarydrop(**get_canarydrop(canarytoken=token))
frontend       |          File /srv/canarydrop.py, line 41, in __init__
frontend       |            if 'imgur_token' in self._drop and not self._drop['imgur_token']['id']:
frontend       |        exceptions.TypeError: string indices must be integers, not str
frontend       |

Presumably the not-generating of PDF from an imgur-watching token is expected behaviour. However, the link to then generate a PDF should not be present in a subsequent page (or, a clean error should be presented).

HOWTO for generating templates?

I wanted to do my own canary documents and tinkered around a bit with the template.docx provided in this repository. These are the steps I came up with:

  1. Somewhere in the document, insert an image, for example a one-pixel
    GIF file called 1x1.gif, set its size to 0x0, and save the file.
  2. In the ZIP structure, open word/document.xml, find
    name="1x1.gif" and note the reference ID, for example <a:blip r:embed="rId5"/>.
  3. Edit word/_rels/document.xml.rels and find the matching Relationship
    tag, for example:
    <Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.gif"/>
    
    Replace the Target value media/image1.gif with the
    string HONEYDROP_TOKEN_URL and add TargetMode="External".
  4. Remove media/image1.gif.

The result is different from your template.docx. Apart from the fact that there are no header*.xml or footer*.xml files since I added the image into the main document, the image construct looks entirely different. Instead of the <w:instrText> tag including the INCLUDEIMAGE instruction, I simply get a <w:drawing> tag in which the GIF is referenced. Cursory testing shows that (at least) Word 2010 will also try to load the file, so the needed functionality seems to be there. However, since I am by no means an Office expert, I wonder what I am missing.

Could you please document how you generated the templates and why specific steps were taken?
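A script that performs steps 2 to 4 above automatically, added here as an example and not code from the canarytokens project. It assumes a document with one embedded image, uses HONEYDROP_TOKEN_URL as the placeholder target, and builds a constructed minimal archive to run against offline:

```python
"""Turn an embedded image relationship into an external one.

Added example, not code from the canarytokens repository. It automates the
manual steps listed above: find the image Relationship in
word/_rels/document.xml.rels, point its Target at HONEYDROP_TOKEN_URL with
TargetMode="External", and drop the now-unused media file.
"""
import io
import re
import zipfile

IMAGE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
)
RELS_PATH = "word/_rels/document.xml.rels"
_REL_TAG_RE = re.compile(r"<Relationship\b[^>]*/>")


def externalise_image_rels(docx_bytes, token_url="HONEYDROP_TOKEN_URL"):
    """Return (rewritten archive bytes, list of media members removed)."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    rels = src.read(RELS_PATH).decode("utf-8")
    removed = []

    def rewrite(match):
        tag = match.group(0)
        # Leave non-image and already-external relationships untouched.
        if IMAGE_REL_TYPE not in tag or "TargetMode=" in tag:
            return tag
        target = re.search(r'Target="([^"]+)"', tag).group(1)
        removed.append("word/" + target)  # e.g. word/media/image1.gif
        tag = re.sub(r'Target="[^"]+"', lambda _: 'Target="%s"' % token_url, tag)
        return tag.replace("/>", ' TargetMode="External"/>')  # step 3

    new_rels = _REL_TAG_RE.sub(rewrite, rels)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename in removed:
                continue  # step 4: drop the media file
            data = src.read(item)
            if item.filename == RELS_PATH:
                data = new_rels.encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue(), removed


def inspect_archive(docx_bytes):
    """Helper for checking the result: (rels XML text, sorted member names)."""
    z = zipfile.ZipFile(io.BytesIO(docx_bytes))
    return z.read(RELS_PATH).decode("utf-8"), sorted(z.namelist())


def build_sample_docx():
    """Constructed minimal archive with one embedded image; not a real Word file."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '<Relationship Id="rId5" Type="%s" Target="media/image1.gif"/>'
        "</Relationships>"
    ) % IMAGE_REL_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml",
                   '<w:document><w:drawing><a:blip r:embed="rId5"/></w:drawing></w:document>')
        z.writestr(RELS_PATH, rels)
        z.writestr("word/media/image1.gif", b"GIF89a\x01\x00\x01\x00")
    return buf.getvalue()


if __name__ == "__main__":
    new_docx, gone = externalise_image_rels(build_sample_docx())
    xml, names = inspect_archive(new_docx)
    print(gone, names)
    print(xml)
```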

Token continues to trigger in unrelated PDFs

I believe I've narrowed down the trigger but am not understanding the cause. I downloaded an pdf token to test and it successfully triggers when opened. However, I moved the tokenized pdf to another computer and placed it to be found by a colleague and resumed work on the original computer. When I open a link within an unrelated pdf, it is triggering the canarytoken again. Any clue how can I resolve this?

MS Word + PDF not sending email

I am using Mac OS Mojave Version 10.14.6.

I downloaded and opened the following MS Word and PDF several times. I have not received any email on my Gmail (I have checked my spam folder). Perhaps I am missing something in the set-up.

Instruction

Can you update this repo with installation and usage instructions

No Email Received

Hello,
When I generate my Canary token, for example for a pdf or word, and open this pdf or word, I don't get any notification on my Email.
-> used canarytokens.org service
-> operating system windows10

Incident Map and Incident List do not show up

I am trying to run CanaryTokens from my own server.
The email function works fine, but in the History on the main website, the "Incident Map" and "Incident List" do not show up as they are shown on canarytokens.org. There is nothing under the line "Heads Up! Click the incident items for more info."
Do you have any idea about this issue?

SMTP Output Channel?

Hey @thinkst :

Would you accept a Pull Request that implements SMTP (over TLS) as an output channel?

I would like to have that for my installation so that I must not depend on third party mailproviders (but use my own SMTP server).

DNS Canarytoken not working

@thinkst
Hi, I have done setup of canarytoken and canarytoken-docker projects in my machine. I have created a DNS entry in my Hosts file and did changes in frontend.env and switchboard.env accordingly so that they point to my local DNS URL. I have added my own email configurations.

Then when I generate a canary token from the /generate page: for web bugs, it is working properly and I am receiving the email alert notification. But for the DNS canary token, when I open <token>.localdomain, I am redirected to the /generate page, but not getting an email notification.

Can you suggest something where is the gap in configurations?

How to setup lambda function for CANARY_AWSID_URL

Hello,

I would like to use my own AWS account to generate AWS tokens but I cannot find any documentation on how to setup required lambda functions AWS.

I noticed that documentation mentions following information:

.... we have added the ability to specify your own AWSID lambda so that you may host your own. The setting is placed in frontend.env under CANARY_AWSID_URL. If this value is not specified, it will use our default hosted lambda.

But I cannot see how I can generate CANARY_AWSID_URL and do required setup on my AWS account.

Please advise

GCP user tokens?

Hi

I've been tinkering a little with Canary Tokens and I like it a lot - loads of value for very little effort. I'm working on a project which will be deployed on AWS and Google Cloud (GCP) so I'd be really interested to know if you are planning on providing a GCP equivalent to the AWS user auth tokens facility which is already in CT? I haven't thought it through much but I assume/hope it's feasible.

Cheers

CanaryTokens - Fingerprinting Vulnerability (MS WORD)

MS Word documents are always the same size (15.590-15.670) and after unzipping the docx file, I noticed that the file [word/_rels/footer2.xml.rels] has only a select amount of "random words" in the token URL.

After testing with over 50 samples, I found that using this information could accurately fingerprint which files were infected.

Fix: if you randomize the file size by inserting random string characters into the docx file and add more words to "pages" and "path_elements" (like a dictionary dump), you could fix the problem.

Reported by Benjamin Zink Loft

URL switches back and forth after change.

Initially when I filled the config files, I made a mistake in the domain. After changing it to the correct domain it however still points to the old one most of the time, with the occasional token being generated with the correct one specified in the config file. Is there some sort of cache somewhere that can be cleared?

CanaryTokens - Detection Bypass (PDF)

Please confirm and fix this issue, also I'd really like a version number.

Reported by Gionathan Armando Reale

#####################################################################

Detection Bypass:

Opening a PDF document containing a CanaryToken using Foxit Reader 9.4.1.16xxx will allow you to view the file (and the CanaryToken hidden url) without triggering the CanaryToken. Other PDF document viewers may also bypass detection

Inventory notification

Your tool/software has been inventoried on Rawsec's CyberSecurity Inventory.

What is Rawsec's CyberSecurity Inventory?

An inventory of tools and resources about CyberSecurity. This inventory aims to help people to find everything related to CyberSecurity.

  • Open source: All information is available and up to date. If information is missing or deprecated, you are invited to (help us).
  • Practical: Content is categorized and table formatted, allowing you to search, browse, sort and filter.
  • Fast: Uses static and client-side technologies, resulting in fast browsing.
  • Rich tables: search, sort, browse, filter, clear
  • Fancy informational popups
  • Badges / Shields
  • Static API
  • Twitter bot

More details about features here.

Note: the inventory is a FLOSS (Free, Libre and Open-Source Software) project.

Why?

  • Specialized websites: Some websites reference tools, but additional information is not available or browsable. Making additional searches takes time.
  • Curated lists: Curated lists are not very exhaustive, up to date or browsable, and are very topic specific.
  • Search engines: Search engines sometimes find nothing; some tools or resources are too unknown or not referenced. This is where crowdsourcing is better than robots.

Why should you care about being inventoried?

Mainly because this is giving visibility to your tool, more and more people are using the Rawsec's CyberSecurity Inventory, this helps them find what they need.

Badges

The badge shows your community that you are inventoried. This also shows you care about your project and want it to grow, and that your tool is not abandonware.

Feel free to claim your badge here: http://inventory.rawsec.ml/features.html#badges, it looks like that Rawsec's CyberSecurity Inventory, but there are several styles available.

So what?

That's all, this message is just to notify you if you care.

You do not have a working installation of the service_identity module

After downloading CanaryTokens from Github and running docker-compose up, there are some warnings shown below. Especially the one for "the service_identity module": I already installed it, but these warnings still appear.

canarytokens-docker$ sudo docker-compose up
Starting redis ... 
Starting redis ... done
Starting frontend ... 
Starting frontend ... done
Recreating switchboard ... 
Recreating switchboard ... done
Recreating nginx ... 
Recreating nginx ... done
Attaching to redis, frontend, switchboard, nginx
redis          | 1:C 17 Jul 23:31:59.200 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
redis          | 1:C 17 Jul 23:31:59.200 # Redis version=4.0.0, bits=64, commit=00000000, modified=0, pid=1, just started
redis          | 1:C 17 Jul 23:31:59.200 # Configuration loaded
redis          | 1:M 17 Jul 23:31:59.203 * Running mode=standalone, port=6379.
redis          | 1:M 17 Jul 23:31:59.203 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
redis          | 1:M 17 Jul 23:31:59.203 # Server initialized
redis          | 1:M 17 Jul 23:31:59.203 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
redis          | 1:M 17 Jul 23:31:59.203 # WARNING you have Transparent Huge Pages (THP) support enabled in your kernel. This will create latency and memory usage issues with Redis. To fix this issue run the command 'echo never > /sys/kernel/mm/transparent_hugepage/enabled' as root, and add it to your /etc/rc.local in order to retain the setting after a reboot. Redis must be restarted after THP is disabled.
redis          | 1:M 17 Jul 23:31:59.204 * DB loaded from append only file: 0.001 seconds
redis          | 1:M 17 Jul 23:31:59.204 * Ready to accept connections
frontend       | :0: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.
frontend       | No handlers could be found for logger "generator_httpd"
switchboard    | rm: cannot remove 'switchboard.pid': No such file or directory
switchboard    | :0: UserWarning: You do not have a working installation of the service_identity module: 'No module named service_identity'.  Please install it from <https://pypi.python.org/pypi/service_identity> and make sure all of its dependencies are satisfied.  Without the service_identity module and a recent enough pyOpenSSL to support it, Twisted can perform only rudimentary TLS client hostname verification.  Many valid certificate/hostname mappings may be rejected.
redis          | 1:M 17 Jul 23:33:00.096 * 1 changes in 60 seconds. Saving...
redis          | 1:M 17 Jul 23:33:00.097 * Background saving started by pid 13
redis          | 13:C 17 Jul 23:33:00.101 * DB saved on disk
redis          | 13:C 17 Jul 23:33:00.102 * RDB: 6 MB of memory used by copy-on-write
redis          | 1:M 17 Jul 23:33:00.197 * Background saving terminated with success

CanaryTokens - Detection Bypass (MS WORD)

This was reported to [email protected] 5 days ago. Please confirm and fix these issues, also I'd really like a version number.

Reported by Gionathan Armando Reale
CVE-2019-9768

#####################################################################

Identification:

Due to size/metadata/timestamp being very limited in variation it is easily possible to detect which Word documents are likely to contain CanaryTokens.

Detection Bypass:

Opening a Word document containing a CanaryToken using Protected View will allow you to view the file without triggering the CanaryToken. Opening the Word document with Libreoffice Writer 6.x.x.x will allow you to view the file without triggering the CanaryToken. Other document viewers may also bypass detection.

Incident list not expanding

I have tried Chrome, Firefox and Safari and none of them can expand the Incident list nor the Export menu. Tried both the docker version and the public web site.

DNSDatagramProtocol (UDP)] Unhandled Error: AWS tokens / DNS tokens

When AWS tokens are triggered, getting the following in switchboard.log

TLD nameservers are pointing to our public IP, and that's it. Everything else so far is working, but this one is new.

2018-12-14 02:45:19+0000 [-] query=Query('gu2c4mrtgyxdcmbxfyytaoa8.mf3xglldnrus6mjoge3c4nztebihs5din5xc6mrog4xdcmrajruw45lyf42c4nb.ogawtcmbwgewwc53tebrg65dpmnxxezjpgexdcmrogyzq8888.a647.yg52b6n5nq17cssbfjfuo59rj.rdp.domain.com', 1, 1),src_ip='3.16.75.122'
2018-12-14 02:45:19+0000 [DNSDatagramProtocol (UDP)] Unhandled Error
	Traceback (most recent call last):
	Failure: exception.UnknownAttribute:

URL Token notifications from Google

Hi,
I set up an URL canary token and saved it somewhere on my machine. I got two notifications last night that seem to be coming from Google.
Is this possible that Google would crawl the canary token page? Or maybe something else?

Regards,
seranu

Feature Request: Provide full URI for HTTP notifications

For HTTP triggers, I can edit the URI so long as it includes the complete Canarytoken. When I get a trigger report email, it includes only the Canarytoken itself.

It would be lovely if the URL which triggered the report was included in the email. This could allow some additional information to be included, e.g. the name of the machine embedded in a custom URI.

Not clear if there is any need to sanitize the URI before including it in notification email, but likely not

Multiple domains mapped sometimes stop one of them

I have the canary tokens docker container running on a server mapped to 'domain1.com' and in switchboard.env I have added one more domain name as public domain 'domain2.com'. When I run all the containers initially, all works perfectly. Both domain URL hits work fine. But one of them stops working after some time.

Invalid webhook supplied

@thinkst
I am having an issue when trying to use a Slack webhook. I receive the error message "Invalid web hook supplied". BTW, nice upgrade with the error reporting... the web page used to just hang and not tell me what was going on, lol.

That being said, what is the required syntax for webhooks?

Windows Folder tokens, username and pc name details

Hi. I am wondering re Windows Folder token. desktop.ini is triggering FQDN which consists of %USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI."tokencode"."domainname".
Alerts are working, however I don't see in any reports the username, computer name and domain name which are being passed to CanaryTokens - why those details are passed to canarytokens (for example, why it cannot be used only as "tokencode"."domainname" format?) and can those details be visible in any alerts or history view in canary token?

Canarytokens Python Installation without docker

I am trying to deploy a canarytokens service on my computer but I need to do it without using
any dockers because I cannot use any dockers on the environment on which I'm planning to install it.
I am struggling deploying it using only python. I have installed redis server, finally ran the httpd_site.py after installing all modules and it ran nicely without any errors but the website is not on.

I'll be very happy if you could make a tutorial for those of us who do not use dockers :)

Provide a customisable hold-off timer for repeat alerts

The User class throttles alerts to 1 alert per 60 second window, which drops to 1 alert per 5 second window when running in "DEBUG".

This may not be the desired behaviour, particularly with webhook alerts configured. Can this be made configurable via ENV vars like other settings? I was thinking of a tuneable window length and alert cap per window, or a way to fully disable the feature.

Happy to submit a merge request if needed.
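An illustration of the configurable throttle this request asks for, added as an example rather than the project's User class. The environment variable names CANARY_ALERT_WINDOW_SECONDS, CANARY_ALERT_MAX_PER_WINDOW and CANARY_ALERT_THROTTLE are assumptions, not settings the project defines:

```python
"""Sliding-window alert throttle with a tunable window, cap and off switch.

Added example, not the project's User class. It keeps the behaviour described
above (one alert per 60 second window) as the default, but reads the window
length, the per-window cap and an on/off switch from environment variables;
those variable names are assumptions.
"""
import os
import time
from collections import defaultdict, deque


class AlertThrottle:
    def __init__(self, window_seconds=None, max_per_window=None, enabled=None,
                 clock=time.monotonic):
        env = os.environ
        if window_seconds is None:
            window_seconds = env.get("CANARY_ALERT_WINDOW_SECONDS", "60")
        if max_per_window is None:
            max_per_window = env.get("CANARY_ALERT_MAX_PER_WINDOW", "1")
        if enabled is None:
            enabled = env.get("CANARY_ALERT_THROTTLE", "1") != "0"
        self.window = float(window_seconds)
        self.cap = max(1, int(max_per_window))
        self.enabled = bool(enabled)
        self.clock = clock
        # token -> timestamps of alerts let through inside the current window
        self._sent = defaultdict(deque)

    def allow(self, token):
        """Return True if an alert for this token may be sent now."""
        if not self.enabled:
            return True
        now = self.clock()
        q = self._sent[token]
        # Drop entries that have aged out of the sliding window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.cap:
            return False
        q.append(now)
        return True

    def suppressed_until(self, token):
        """Earliest time the next alert for this token can go out (None if now)."""
        q = self._sent[token]
        if not self.enabled or len(q) < self.cap:
            return None
        return q[0] + self.window


def simulate(timestamps, window_seconds, max_per_window, enabled=True):
    """Replay alert attempts at the given times (seconds) for one token and
    return the allow/deny decision for each, using an injected fake clock."""
    state = {"now": 0.0}
    throttle = AlertThrottle(window_seconds, max_per_window, enabled,
                             clock=lambda: state["now"])
    decisions = []
    for t in timestamps:
        state["now"] = float(t)
        decisions.append(throttle.allow("token-1"))
    return decisions


if __name__ == "__main__":
    print(simulate([0, 1, 59, 60, 61], 60, 1))  # default: one alert per minute
    print(simulate([0, 1, 59, 60, 61], 60, 2))  # cap of two per window
    print(simulate([0, 1, 59, 60, 61], 60, 1, enabled=False))  # throttle off
```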

How do I use letsencrypt?

Hi! I want to use the docker-compose-letsencrypt.yml for https but I'm not sure how to do so - can anyone help and give some instructions on how to get that set up?

Simple explanation of files

Hi, I wanted to contribute to the project but don't understand how the code is structured...if you get a chance, can you document that? Thanks!

canarytokens.com does not resolve from DigitalOcean droplets

droplet:~# nslookup canarytokens.com
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find canarytokens.com: SERVFAIL

This appears to be due to Digital Ocean resolvers expecting the 'Authority' flag to be set on responses from a SOA for a domain.

CanaryToken Windows folder issue

I deployed the canarytoken docker by following the step in the README.md. But when I generate the Windows folder token, the desktop.ini is using the main domain instead of the NXDOMAIN.

My configuration is:

CANARY_DOMAINS=canarytoken.mydomain.com
CANARY_NXDOMAINS=nx.canarytoken.mydomain.com 

and the desktop.ini is:

IconResource=\\%USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.5slbf8njoj1gh68ucbih9jm5f.canarytoken.mydomain.com\resource.dll

The token is never triggered but if I replace canarytoken.mydomain.com by nx.canarytoken.mydomain.com it's working.
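Added example (not canarytokens code) that serves both the Windows folder token question above about username and computer name details and this NXDOMAIN issue: it pulls the query name out of a switchboard.log query line in the format quoted in the DNSDatagramProtocol issue, splits the %USERNAME%.%COMPUTERNAME%.%USERDOMAIN%.INI.<token>.<domain> layout into fields an alert could show, and checks whether the query landed on CANARY_NXDOMAINS or CANARY_DOMAINS. The log line, host names and source IP are constructed:

```python
"""Parse Windows-folder-token DNS queries from switchboard log lines.

Added example, not canarytokens code. The field layout follows the two issues
above; how the real switchboard parses such names is not shown on the page.
"""
import re

# Constructed sample in the switchboard.log query-line format quoted on the page.
SAMPLE_LOG_LINE = (
    "2019-01-10 12:00:00+0000 [-] query=Query('ALICE.WS-042.CORP.INI."
    "5slbf8njoj1gh68ucbih9jm5f.nx.canarytoken.mydomain.com', 1, 1),"
    "src_ip='192.0.2.10'"
)
_QUERY_RE = re.compile(r"query=Query\('([^']+)', *\d+, *\d+\),src_ip='([^']+)'")


def parse_switchboard_line(line):
    """Return (query_name, src_ip) from a switchboard query line, or None."""
    m = _QUERY_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def parse_folder_token_query(name):
    """Split an INI-style folder-token query into its fields.

    Assumes exactly three host labels, the literal INI, the token and then the
    configured domain. Returns None for names that do not fit that layout.
    """
    labels = name.rstrip(".").split(".")
    upper = [lab.upper() for lab in labels]
    if "INI" not in upper:
        return None
    ini = upper.index("INI")
    if ini != 3 or len(labels) < ini + 3:
        return None
    username, computername, userdomain = labels[:3]
    return {
        "username": username,
        "computername": computername,
        "userdomain": userdomain,
        "token": labels[ini + 1],
        "domain": ".".join(labels[ini + 2:]),
    }


def classify_domain(domain, canary_domains, nxdomains):
    """Report whether the query ended on an NXDOMAIN (where folder tokens
    have to land to fire) or on a main CANARY_DOMAIN; case-insensitive."""
    d = domain.lower()
    if d in {x.lower() for x in nxdomains}:
        return "nxdomain"
    if d in {x.lower() for x in canary_domains}:
        return "canary"
    return "unknown"


def enrich_alert(line, canary_domains, nxdomains):
    """Combine the pieces into the fields an alert or history view could show."""
    parsed = parse_switchboard_line(line)
    if not parsed:
        return None
    name, src_ip = parsed
    fields = parse_folder_token_query(name)
    if not fields:
        return None
    fields["src_ip"] = src_ip
    fields["domain_class"] = classify_domain(fields["domain"], canary_domains, nxdomains)
    return fields


if __name__ == "__main__":
    print(enrich_alert(SAMPLE_LOG_LINE,
                       ["canarytoken.mydomain.com"], ["nx.canarytoken.mydomain.com"]))
```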

how to start the application

Hi, I have already setup docker. But instead, I want to run this canarytokens application individually. Can you please tell how to start this application separately once the code is downloaded in the machine?

Need to use with multiple API tokens

I have a use case where multiple operating companies with individual Canary installs will be using a consolidated instance of Splunk. Each has an API Token so looking for support for or methodology that would allow registration of multiple APIs to the Add-On.
