Detecting & Bypassing Defensive Measures (Canary Token)
In the last part, we talk about how to track the hacker’s activities on our network using a canary token.
If don’t know that part then check this LINK to first know about that.
Here. I’m going to cover techniques from the perspective of Red teamers on how they can easily bypass the canary token in different scenarios.
1. Canary Link Hidden
One of the most common & easy ways to hide a canary token link. As canary token links by default are very easy to identify
http://canarytokens.com[/]wm0kuzbggl5bir9q37bxw[/]submit.aspx
Any novice hacker can view the domain name & will identify that this is just a trap.
So what organizations (blue teamers) usually do is a mask/shorten the URL.
shorturl.at/aqsy
This link is now a little bit difficult as novice hackers will not identify the link with the canary token domain name.
But, Immediate Hackers will not click on any suspicious URL which is laying around in the target network. Instead, it’ll take his link to disclose the real URL hidden behind the short URL.
Check this tool to shorten or find the original URL behind shortened URL.
2. Word Document Detector
Word documents are a also common technique used by blue teamers as they know that documents (word) attract hackers.
But, It’s quite easy to make sure that the word document in the target system is free of any canary token trap. we can ensure this by using a tool.
This tool will extract the XML footer & headers of the word document (as canary tokens usually attach themselves here) & search for the string name “canary token”. if this string is found in any header & footer then it means the document is set as a trap.
3. PDF, Excel & all other formats
The tool I mentioned above will only work for word documents but it’s quite simple to find a canary token manually in any file/folder by using binwalk.
Note: This technique applies to all formats such as pdf, excel, window folder, custom exe & binary, svn, email address, VPN, kubeconfig token & credit card etc.
4. Use Proxy & VPN
if want to hide your real location & information then use a proxy server (available online on the internet) or VPN. By using these when you trigger the canary token trap your VPN or proxy location will be sent to the tracker.
That’s it here I covered almost all the scenarios where the canary tokens can be used to catch hackers & how hackers can bypass them using different tools & techniques.
If you want to support us then you can via the “buy me a Coffee” link given below.
