You'll be familiar with web bugs which track when someone opens an email. Imagine doing that, but for file reads, database queries or process executions. A more comprehensive explanation can be found here.
Generate your Canarytoken here
Your Canarytoken is live!
Thanks for submitting, the token has been generated. You'll get notified at whenever the token is triggered.
Triggering your Canarytoken
Your Canarytoken can be triggered in a variety of ways, including web bugs, DNS requests, on cloned websites, email addresses, Imgur links, LinkedIn profiles, file reads, process executions, database queries and changes.
Use this Javascript to detect when someone has cloned a webpage. Simply copy this Javascript into the page.
For extra sneakiness, Use an obfuscator to scramble the Javascript before placing in your page.
We'll poll this URL and tell you when its viewcount increases:
https://imgur.com/Current view count is .
Ideas for use:
- Leave link in email between two admins, to identify when the mail is snooped.
We'll poll this LinkedIn account and tell you when its profile views increase:
Current view count is .
Ideas for use:
- Create a fake profile for an sensitive position in your company, monitor for profile views.
We'll poll this Bitcoin Address and tell you when its balance changes:
Current balance is .
Ideas for use:
- Load a small amount of BTC on a passwordless wallet and leave on a sensitive machine.
Here's a unique URL:
Use this where ever you like, it gets triggered whenever someone requests the URL. Ideas for use:
- In an email with a juicy subject line.
- Embedded in documents.
- Inserted into canary webpages that are only found through brute-force.
This URL is just an example, you can make up your own URL on the site so long as you include your unique token . For example, here's a URL with a different extension:
/config.php
You can also serve up your own image (PNG, GIF, JPG) instead of the default 1x1 GIF:
Here's a unique hostname:
Use this where ever you like, it gets triggered whenever someone performs a lookup on this domain. Ideas for use:
- Include in a PTR entry for dark IP space of your internal network. Quick way to determine if someone is walking your internal DNS without configuring DNS logging and monitoring.
- Leave in a .bash_history, or .ssh/config, or ~/servers.txt
- Use as a extremely simple bridge between a detection and notification action. Many possibilities, here's one that tails a logfile and triggers the token when someone logs in:
tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host ") }'
- Use as the domain part of an email address.
- DNS is used in the specific canary modules below.
Here's a unique email address:
Use this where ever you like, it gets triggered whenever someone sends an email to this address. Ideas for use:
- If you have a database of users with a field for email addresses, drop a fake record in there with this email address. If it gets triggered you know someone has accessed your data.
You can serve up your own image (PNG, GIF, JPG) instead of the default 1x1 GIF for a web bug:
Here's a unique QR code:
Use this as a physical token:
- On containers left in secure locations.
- Underneath your phone battery when crossing international borders.
- On your desk.
Pick the kind of alert you want:
Don't forget to change the table name and the trigger name.
Don't forget to change the table name and the trigger name.
Don't forget to change the table name and the trigger name.
Don't forget to change the view name and the function name.
Get notified whenever someone opens your canary Word document. It works cross-platform and doesn't require macros.
Click here to download your document.
Get notified whenever someone opens your canary PDF in Acrobat Reader. It works cross-platform and (get this!) happens even if they decline the popup.
Click here to download your document.
Get notified whenever someone runs an EXE or imports a DLL.
Here's an SVN command you can run to create a tokened externals definition:
After creating the externals link, remember to commit the changes.
Use this in unused SVN repos:
- It may be a fake SVN repo created to lure intruders in.
- It may be a repo of a completed project that no one should be using.
Get notified whenever someone opens browses a Windows directory in Explorer. It works with network shares, and doesn't require any additional software
Click here to download a Zip file which has the directory structure you need.
You can add additional files into the directory.
The alert is triggered whenever someone opens the directory in Explorer.
About Canarytokens
Canarytoken is brought to you by Thinkst Applied Research.
If you like Canarytokens and want to find out more about our insanely easy-to-use honeypot solution, browse on over to:
Terms and Conditions
License
This software is provided by the copyright holders and contributors "As is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright holder or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Terms and Conditions
We respect your privacy and take protecting it seriously. Your Information will never be shared with 3rd parties. You agree to Station X Ltd UK providing you email alerts and news. This service provided by Station X Ltd UK is "As is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Station X or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this service, even if advised of the possibility of such damage.