Overview:
Step 1: Log in to your Console
Step 3: Select Web Bug from token list
You can create a Canarytoken that has a unique URL.
Why does this matter? Once you can get an alert for a web-based token or a DNS-based token, you have the building blocks for squillions of possible tripwires.
Step 1: Log in to your Console
Log in to your Console.
Step 2: Open Canarytokens
On the Canarytokens tile, click Add a new Canarytoken.
Step 3: Select Web Bug from token list
Select the Web Bug token from the list.
Step 4: Add a token reminder
Over time, if you are using tokens correctly, you will deploy thousands of them all over the place.
- Make sure that your Reminder is as descriptive as possible, and we will remind future-you of where the token was dropped.
- Nothing sucks more than having a token fire an alert that reads “test" - and not knowing where you placed it.
Note: We chose Link Placed In Account Reset Wiki as the reminder.
Step 5: Copy token
Copy the token and place it in its intended location.
Web Bug Alerts
An alert is triggered when the link is browsed.
Changing the URL's formatting
The generated Token URL can be tweaked slightly to better fit in with your deception requirement.
Let's look at an example generated Token.
http://example.o3n.io/files/ickug6v4czhu7wv9mw6hux308/logo.gif
The anatomy of a web bug Token URL is as follows:
- http://: The protocol, this can be changed between http:// and https://
- example.o3n.io: Your unique Token domain. This can be changed using a custom Token domain.
- files: A random subpage; this portion can be changed to anything else.
- ickug6v4czhu7wv9mw6hux308: Your Tokens unique hash / Node ID. This CANNOT be changed.
- logo.gif: A random resource. This can be changed to anything else.
For better readability, we've highlighted the portions you CANNOT change in red below.
Knowing all this, we can tweak our Tokens URL to match the below, and it will still alert!
http://example.o3n.io/my/custom/path/ickug6v4czhu7wv9mw6hux308/admin/secret.php
You're done!