Hacker traps. Detect hacking early with Canarytokens

Honeytokens (from "honey" as in honeypot, plus "token", a marker or identifier) are one variety of the honeypot idea: bait laid out for intruders in order to detect that a break-in has occurred or to identify its source. Once an attacker is inside a system, they are likely to perform actions that an ordinary user never would, and this can be used to detect the intrusion. In this article we will look at how easy it is to make your own triggers that detect a break-in at an early stage. Such traps are useful for system administrators and even for ordinary users who worry about the privacy of their data.


Before gas analyzers were invented, miners took a canary with them into the mine. Because of their small bodies and rapid metabolism, the birds reacted to dangerous gases in the air much earlier than people did, and so warned the miners.

Why is this needed?



A hacker who has got into a new system starts looking around, just as a thief who has broken into an apartment opens every drawer in search of valuables. The attacker does not know in advance which data is valuable, but will very probably check every possible option. It is therefore important that the traps look like real data and are as attractive to the attacker as possible. The sooner the owner notices that a trap has been triggered, the sooner they will realize they have been hacked and be able to respond.

Canarytokens Service


canarytokens.org is an online service for conveniently creating your own intrusion markers (honeytokens). It supports several kinds of trigger and generates a ready-made trigger tied to an email address, to which a notification is sent when the trigger fires.

The service is completely free, and a trigger can be generated instantly without registration. There is also a self-hosted version for those who prefer to keep their secrets on their own infrastructure. Next we will look at how each trigger works, and at the end we will deploy our own canarytokens server in a Docker container.

Trigger on opening a .doc or .pdf file



It fires when the document is opened in a viewer. I use this trick very often: on every computer and flash drive I keep documents with attractive names like Passwords.pdf or Bitcoins.doc. I love to watch how curiously accountants examine all the files on a flash drive handed to them.

I consider this the most effective and useful trigger for every category of user, from information security professionals to beginners. Almost nobody knows that a PDF viewer can report the fact that a file was opened to the document's owner. Everyone falls for it.

There are several ways to catch the opening of a document. Canarytokens embeds a document-specific URL in the document for checking revoked SSL certificates (a Certificate Revocation List); as a result, the viewer requests this address and the trigger fires.

Trigger via DNS resolve



This is a very interesting trigger whose benefits are not immediately obvious. It fires when someone asks for the IP address of the generated subdomain, which is specially generated so that it cannot be guessed by chance or brute-forced; accidental firing is thus ruled out. This trigger is used by many of the techniques described below, including detecting that a folder was opened and the trigger in an MS SQL database. In fact, there are many ways to use it.

URL trigger



Here it is enough that a GET, POST or HEAD request is made to the link; that fires the trigger. Besides its ordinary use, it can also be used in scripts to check for parsers that follow links to render content previews. Instant messengers do this, for example: just paste the link into the input field and you will see it fetched from the messenger's servers.

Picture


The classic 1x1-pixel image is familiar to everyone who tracks online advertising. The trigger fires when the image file is loaded. Such a pixel can be inserted into any HTML page or into an email. It is convenient to request it from JavaScript on the page once the condition of interest is met. You can also replace the standard pixel with your own image.

Email Trigger



If any message arrives at the generated mailbox, the trigger fires. This is convenient for monitoring leaks of databases, contact lists and the like.

For example, you can add this address to your contact list and find out when the address book on your phone is siphoned off by some application that requested access to your contacts. It is also possible for every employee to add different trigger addresses to their address books on computer, phone and email client, and then track where the contacts leaked from.

The email address is generated specially so that it is not predictable; the chance of it being guessed and the trigger firing accidentally is therefore ruled out.

Windows folder open trigger



Surely many have seen the hidden desktop.ini file that sits in every Windows folder. It turns out it is not so simple. In it you can specify the address of the folder icon on a remote server using a UNC path (the kind used for network drives, starting with \\); Windows then performs a DNS resolve of the domain named in the icon link and activates the trigger. The desktop.ini file can be packed together with other files into an archive, and it fires when the archive is unpacked.

Site Cloning Trigger


A simple script for web pages that fires if the page is not being served from your domain. It can be useful for detecting phishing (cloned copies of your site).

// Fires only when the page is served from a domain other than ours,
// i.e. someone has copied the page and is hosting it elsewhere
if (document.domain != "mydomain.com") {
    var l = location.href;        // where the copy is hosted
    var r = document.referrer;    // where the visitor came from
    var m = new Image();          // loading the image hits the canarytoken URL
    m.src = "http://canarytokens.com/"+
            "blablabla.jpg?l="+
            encodeURI(l) + "&r=" + encodeURI(r);
}

Trigger to run an EXE file or DLL



It lets you bind a trigger to an existing executable .exe file or library. It is not detected by antivirus software. Bear in mind that such binding can break some programs, so it is better to use something simple. This is in fact a long-known method used to spread trojans and viruses, only in our case the hidden functionality is completely harmless. Bear in mind, however, that an executable file can make the attacker more wary, and it may also not run on their operating system.

Trigger for MS SQL


MS SQL allows you to add a trigger that fires on INSERT, SELECT, DELETE, etc. The trigger uses the same method as the desktop.ini file: resolving a DNS name through a UNC path.
Trigger example for MS SQL

--create a stored proc that'll ping canarytokens
CREATE proc ping_canarytoken
AS
BEGIN
    declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);

    --setup the variables
    set @tokendomain = 'qo2dd6tftntl1pej9j68v31k6.canarytokens.com';
    set @size = 128;
    set @done = 0;
    set @random = cast(round(rand()*100,0) as varchar(2));
    set @random = concat(@random, '.');
    set @username = SUSER_SNAME();

    --loop runs until the UNC path is 128 chars or less
    while @done <= 0
    begin
        --convert username into base64
        select @base64 = (SELECT
            CAST(N'' AS XML).value(
                'xs:base64Binary(xs:hexBinary(sql:column("bin")))'
                , 'VARCHAR(MAX)'
            ) Base64Encoding
        FROM (
            SELECT CAST(@username AS VARBINARY(MAX)) AS bin
        ) AS bin_sql_server_temp);

        --replace base64 padding as dns will choke on =
        select @base64 = replace(@base64,'=','-');

        --construct the UNC path
        select @unc = concat('\\',@base64,'.',@random,@tokendomain,'\a');

        --if too big, trim the username and try again
        if len(@unc) <= @size
            set @done = 1;
        else
            --trim from the front, to keep the username and lose domain details
            select @username = substring(@username, 2, len(@username)-1);
    end
    --xp_fileexist makes Windows resolve the host part of the UNC path; that DNS query is what the token catches
    exec master.dbo.xp_fileexist @unc;
END
GO

--add a trigger if data is altered
CREATE TRIGGER TRIGGER1
ON TABLE1
AFTER INSERT
AS
BEGIN
    exec ping_canarytoken;
end
GO
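Below is an added example in Python, not code from the article or the canarytokens project: it models the encoding the stored procedure performs on the login name and the decoding a defender does on the DNS name that reaches the server. The token domain is the one from the listing above; the random label value and the helper names are assumptions.

```python
import base64

# Added example: a Python model of the stored procedure above, not code from
# the article or the canarytokens project. Token domain copied from the listing;
# the random label value and the helper names are assumptions.
TOKEN_DOMAIN = "qo2dd6tftntl1pej9j68v31k6.canarytokens.com"
MAX_UNC_LEN = 128  # the @size limit used by the stored procedure


def build_unc(username, token_domain=TOKEN_DOMAIN, random_label="42"):
    """Mirror the T-SQL loop: base64-encode the login, replace '=' with '-'
    (DNS does not accept '='), then drop characters from the FRONT of the
    login until the UNC path is at most MAX_UNC_LEN characters long.
    random_label stands in for the rand()-derived label that defeats DNS caching."""
    name = username
    while True:
        # the procedure casts the login to VARBINARY; for ASCII logins the bytes match
        b64 = base64.b64encode(name.encode("utf-8")).decode("ascii").replace("=", "-")
        unc = "\\\\%s.%s.%s\\a" % (b64, random_label, token_domain)
        if len(unc) <= MAX_UNC_LEN or len(name) <= 1:
            return unc
        name = name[1:]  # trimming from the front loses DOMAIN\ before the user part


def unc_to_hostname(unc):
    """Host component of \\\\host\\share: the name Windows hands to DNS."""
    return unc.lstrip("\\").split("\\", 1)[0]


def decode_alert(queried_name, token_domain=TOKEN_DOMAIN):
    """Defender side: recover the (possibly trimmed) login from the DNS name
    the canarytokens server received, as shown in the alert or its DNS log.
    Caveats the procedure ignores: base64 is case-sensitive but some resolvers
    fold case, '+' and '/' are not hostname characters, and a label longer
    than 63 octets is not valid DNS, so very long logins may never arrive."""
    suffix = "." + token_domain
    if not queried_name.endswith(suffix):
        raise ValueError("query is not for this token domain")
    b64_label, random_label = queried_name[:-len(suffix)].split(".")[:2]
    login = base64.b64decode(b64_label.replace("-", "=")).decode("utf-8")
    return {"username": login, "random": random_label}


if __name__ == "__main__":
    path = build_unc("CORP\\alice")
    print(path)                                  # what xp_fileexist would be handed
    print(decode_alert(unc_to_hostname(path)))   # what the defender reads back
```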

Amazon Web Services Login Trigger


An AWS API key should tempt an attacker to check what is behind it. As soon as the key is used to authenticate, the trigger fires. Naturally, there is no data behind it.

Other triggers


The canarytokens.org service also supports other triggers, such as an SVN hook, a web redirect, reading a QR code, a Slack API key and others. They all work on a similar principle, and if you wish you can create your own trigger, having in your arsenal a DNS name, a link to an image, an email address and API keys for popular services. In addition to email notifications, Canarytokens can call a webhook when a trigger fires. The mechanisms are described in the documentation.

Your own Canarytokens server


An experienced attacker who sees the address canarytokens.org in source code will immediately understand everything. For use in a company it is therefore better to deploy your own canarytokens instance, so that all trigger addresses point at the company's internal domains and are indistinguishable from real internal services.

The developers provide a ready-to-use Docker image. The installation process is typical for any image, so we will not cover it; let us dwell only on the non-obvious points. Before installing, you will have to edit the files frontend.env and switchboard.env.

# (required)
# Domains that point to the IP address of the Docker host. SSL certificates are issued for them.
CANARY_DOMAINS=example1.com,example2.com

# Domain used for the DNS and PDF tokens.
# Its NS records must point at this server.
# example3.com must be different from example1.com and example2.com
CANARY_NXDOMAINS=example3.com

To send mail, I recommend using the Mailgun service, because Sendgrid is unstable.

Conclusion


Such traps are really effective. In my case, triggers with PDF files help especially. The service will be useful both for ordinary users and for experienced pentesters. Even a sophisticated attacker who knows that honeypots and honeytokens exist will not be able to resist the temptation to at least resolve the subdomain found in the documentation. If you use traps carefully and wisely, you can detect an attacker at an early stage.

These techniques can be used on servers, desktop computers, file storages, and even on phones.

If you want to deploy canarytokens in your own Docker instance, on our virtual machines Docker is installed in one click from the marketplace. In addition, we give a 15% discount on all servers with the DONTPANIC promo code.
