Description: You have the ability to create a Canarytoken that has a unique URL.
Why does this matter? Once you are able to get an alert for a web-based token or a DNS-based token, you have the building blocks for squillions of possible tripwires.
Tip: You can change the format of a Token URL by following the section here.
Follow the steps below to create a Web Bug Canarytoken:
Step 1:
Log in to your Console.
Step 2:
Select the Canarytokens tile.
Step 3:
Select the Web Bug token from the list.
Step 4:
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place. Make sure that your Reminder is as descriptive as possible, and we will remind the future you of where the token was dropped. Nothing sucks more than having a token fire an alert that reads "test" and not knowing where you placed it.
Note: we chose "Link Placed In Account Reset Wiki" as the reminder.
Step 5:
Copy the token and place it in its intended location.
Alert:
An alert is triggered when the link is browsed.
That's it, you're done ;-)
Tip: Changing the URL's formatting.
The generated Token URL can be tweaked slightly to better fit your deception requirements.
Let's look at an example generated Token:
http://example.o3n.io/files/ickug6v4czhu7wv9mw6hux308/logo.gif
The anatomy of a web bug Token URL is as follows:
http:// - The protocol. This can be changed between http:// and https://
example.o3n.io - Your unique Token domain. This can be changed using a custom Token domain.
files - A random subpage. This portion can be changed to anything else.
ickug6v4czhu7wv9mw6hux308 - Your Token's unique hash / Node ID. This cannot be changed.
logo.gif - A random resource. This can be changed to anything else.
For better readability, we've highlighted the portions you CANNOT change in red below.
Knowing all this, we can tweak our Token's URL to match the below, and it will still alert!
http://example.o3n.io/my/custom/path/ickug6v4czhu7wv9mw6hux308/admin/secret.php
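The rewrite described above can be scripted so that the parts that must survive are copied rather than retyped. This is an added example, not code from the Console or its vendor: the function names are hypothetical, and it assumes the generated URL has the three-part path shown on this page and that no custom Token domain is in use.

```python
from urllib.parse import urlsplit, urlunsplit

def parse_generated(url):
    """Split a generated Web Bug URL into (scheme, domain, node_id).

    Assumes the layout shown on this page:
    scheme://domain/<subpage>/<node_id>/<resource>
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme not in ("http", "https") or len(segments) != 3:
        raise ValueError("not in the generated Web Bug layout: " + url)
    return parts.scheme, parts.netloc, segments[1]

def _segments(path):
    # Assumption: require at least one plain segment on each side of the
    # Node ID, as in the page's example; no query strings or fragments.
    segs = [s for s in path.split("/") if s]
    if not segs or any(c in path for c in "?# "):
        raise ValueError("custom path must be plain, non-empty segments")
    return segs

def customize(generated, before, after, scheme=None):
    """Rebuild the URL with a new path before and after the Node ID.

    The domain and Node ID are copied unchanged from the generated URL.
    """
    orig_scheme, domain, node_id = parse_generated(generated)
    scheme = scheme or orig_scheme
    if scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    path = "/" + "/".join(_segments(before) + [node_id] + _segments(after))
    return urlunsplit((scheme, domain, path, "", ""))

def keeps_token(generated, candidate):
    """True if candidate has the same domain and still carries the Node ID
    as a whole path segment. Checks only the invariants stated on this page."""
    _, domain, node_id = parse_generated(generated)
    cand = urlsplit(candidate)
    return cand.netloc == domain and node_id in cand.path.split("/")

# Sample input: the example Token URL from this page.
GENERATED = "http://example.o3n.io/files/ickug6v4czhu7wv9mw6hux308/logo.gif"

if __name__ == "__main__":
    url = customize(GENERATED, "my/custom/path", "admin/secret.php")
    print(url, keeps_token(GENERATED, url))
```

Running `keeps_token` over hand-edited links before they are placed catches a truncated or mistyped Node ID, which would otherwise leave a tripwire that never fires.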