Track a Target Using Canary Token Tracking Links [Tutorial]

Video Statistics and Information

Captions
Canary tokens are identifying links that can be used to track anybody who clicks on them or where they're shared. Today we'll take a look at how to use them on this episode of Cyber Weapons Lab.

When sharing a link in an online conversation like Slack or Skype, it's common for these services to reach out and attempt to generate a thumbnail to let the people in the conversation know what's on the other end of the URL. Now, while this is convenient and helpful, it's also a common way that hackers and penetration testers are able to determine that someone's found the phishing page or other URL that they've created. Now, the reason for this is that because Slack and Skype are trying to generate a preview, they're actually requesting data from the server, and you can monitor this to determine whether someone is clicking on a link or discussing a link in a private conversation.

Now, we can simulate this with a canary token, which is basically a trackable link that lets us know anytime anybody requests it, and we can demonstrate this by sharing it in a private Slack or Signal conversation and comparing the two to see what happens when we generate a preview versus when we don't. One of them is definitely trackable and will allow you to track not only the participants in the conversation if they click on the link, but also where it's shared and which services it's being shared on.

Now, in order to do this you'll just need to have a browser, because we'll be able to generate and then click on these links all from the same browser window. We can demonstrate how this looks on mobile and also look into a couple other creative applications of using canary tokens that allow you to do things like track when a user has logged into their computer. As soon as you have a browser ready to log in, then we can begin.

Now, to get started with canary tokens you can go to canarytokens.com/generate. Here you can see there's a bunch of different types of tokens that we can use. So in order to select the one we want, we're going to go to the web bug URL token, but I want to take a second and look at some of the other ones that are available so you can see exactly what choices you have. There are also DNS tokens, which means anytime a website lookup is performed you'll be notified; the unique email address, so that you can track when somebody emails it; a custom web image bug, which means something you can input into a website or maybe an email that you want to monitor; and then you can see there's also Microsoft Word documents, Adobe PDF documents, and a Windows folder. So these are all really interesting ways of being able to track people over the Internet.

We'll start out with the web bug, which is using the Netscape Navigator icon. I don't know why, but that's fine. Then I'm going to provide an email address and then a notification, and I'm gonna create the notification now. So here we go, the web token is active, and we can also see some suggestions here: we can do an email with a juicy subject line, or embed it in documents. To start, I'm gonna go ahead and just go to it and see exactly what we see when we put this in. So I'll start out, I'll do this window, and that is not it. I'm sorry, let's grab this. This is a great tool that we'll maybe cover some other time. There we go.

So we get a blank page. We don't see anything. What happened? If we go back, we can see the canary token can be managed at this link, so here we'll click on history in order to see what's going on, and boom, it located us. It knows exactly where we are. So if I click on this I can see, oh no, it knows the city I'm in, and then it also knows that we're not using a Tor exit node. It can get the user agent, so it knows that I'm using Chrome, which is accurate, and it can also see the local IP address. No. OK, so that all sucks. We can see that, oh, we're even getting some information about the browser. OK, that's cool, I actually didn't see this last time. So we can see some information about the application here; we can see this is from Google, and then I'm running this on a Mac.

So that is all fascinating, because it allows us to identify uniquely different people clicking on this link. If you want to go through and know exactly how many people are clicking on it, or exactly what the kind of traffic is, we can sort it by device and kind of get a more accurate picture of this by exporting it to JSON format or CSV. So if we get a link with a whole bunch of traffic, this can let us know that people are clicking on it, and we can start to see what kind of people they are by looking at the devices and looking for small differences, like maybe the version of the operating system they're using or something else identifiable. So we can actually just use this to look it up. I was gonna do a GeoIP lookup, but I actually forgot that it provides this handy little map, because if you just get the email alert then it doesn't actually go ahead and give you this interactive zoomable map.

So anyway, what we're gonna look at next is what we can do to actually use this token to identify when people are talking about it but not clicking on it. There was a security researcher who noticed that when they were setting up their infrastructure there was a bunch of pings on it from Slack and from Skype, and that was pretty confusing, because he had no idea why these companies would be visiting his link, which was designed for phishing and client. So what he realized was that in actual fact it was two people having a conversation about his particular infrastructure, and because they were sharing the link on Slack, or actually, I think it was Skype. Since they were sharing a link on Skype, Skype was actually going out and fetching a preview, and in doing so was leaving kind of a notification that somebody had reached out. So two people having a conversation in a Skype chat, which was private and you couldn't see, he was alerted of by actual requests from Skype to generate previews each time the people would post or look at the link.

So I did some experimenting, and it turns out that this really does work. Let's go into a couple different messengers and see if we can get this behavior, and also look at different alternatives if we don't want that to happen. First, let's go ahead and go to Skype. I'm going to go ahead and paste this link in here, but I'm not going to click on it. After a second we see that it's generated a preview here, and if we go back to our canary token then we should be able to refresh it and see, hey, we've got more contacts, this one in the United States. When we look at it, we can expand it and see that it is a Skype URI preview. So we've identified that this is a Skype user agent that's going in and grabbing the preview, which lets us know, hey, somebody has shared this link that we've created inside of a Skype conversation.

So does this work against other types? Well, let's check it out. We'll go ahead and put this into a Slack window, and we can see here that it actually hasn't expanded this into a preview, but we might be able to get a hit anyway. So let's take a look. When we refresh, hey, we have even more hits, this one from Frankfurt, and we can see this is an Amazon server, but it's working as a Slack proxy. So even though we didn't even get a preview for this in Slack, we still actually were able to detect that somebody had shared it.

Now, after some testing, I shared this in our Null Byte Slack, and I was able to determine that every single time someone opened Slack that contained this link, Slack would go out and ping this canary token in order to get a preview, even though the preview actually never came up. So I got a ping every single time an individual user accessed the Slack chat, and it was an interesting way of being able to monitor how frequently people were accessing the chat. So if you want to use this as a way of seeing how often people are logging into a chat you're having, that was kind of an interesting side effect when using this tool with Slack.

So finally, I'm going to go to a more privacy-focused messenger and drop this into a Signal window, and here you can see that I don't get any sort of preview, and if I were to refresh this then I should not see any additional contacts.

So this is really cool, but are there ways that we can get around this? Well, you could probably guess that I might not actually be in Sweden because of my accent, so what I'm going to do is change my VPN and select a different location and see if we can actually trick the tracking script into thinking that I'm somewhere else. Let's say that we're going to be in Hong Kong. We can take this a step further by actually trying to change our user agent. The user agent is basically what the browser reports itself as, and in this case I'm going to switch our user agent with this Google Chrome add-on to something a little ridiculous, let's say an iPod. It's been a minute. So now we're reporting ourselves as an iPod and our location is in Hong Kong, so let's see if we can go ahead and visit this canary link and get it to think that we are someone other than who we really are. This is hopefully some proof that while it is pretty easy to track people, we can still make it difficult to know exactly who we are and what our system is by doing a couple of things to protect our privacy.

Now it looks like it might have resolved, so let's see if we can get another detection, and whoa, all right, here we go. This looks like, where is this? That looks like maybe that's not, let's see. OK, this looks like Malaysia, which is sort of close, and we can see that this is still reading as a Macintosh. So let's see if we can do another refresh and maybe get this to think we're someone else. Of course, if it's able to actually still track us then that's great, but I just feel like we might be able to get it to think we're at the very least in Hong Kong. All right, we've loaded it again, let's give this a try, and we appear to still be in Malaysia. Well, that's OK, at least we've still tricked the service into thinking that we're somewhere where we're not, but it looks like our attempt to deceive the system with a browser add-on didn't work. Even though we're able to use as other things, it wasn't able to convincingly change this. But let's go ahead and try, let's say, Firefox on an Android tablet, and see if this is able to deceive the tracker. There we go. Now with one last refresh we can see that we are now on an Android tablet, so we were actually able to defeat the user-agent recognition and hide the fact that we're on a macOS computer. While we still appear to be in Malaysia, that's probably just an issue with the VPN, and I wouldn't think that we couldn't just use some other sort of VPN to change our location if we want to. So here we prove that while this is a powerful tool, we can still hide ourselves via these different privacy-focused tools.

Now, of course, the best-known privacy-focused tool is Tor, so I'm going to go ahead and throw this into the Tor Browser, which is not updated all the way, so please don't do what I'm doing and run an old version of Tor Browser. I tried to update it, but it just failed. Pasting this into the Tor Browser, we should be able to access this from a completely different IP address; however, Canary Tokens will be able, hopefully, to detect that this is a known Tor exit node. Here we go, another detection, and we can see that this is from Germany, but in this case we can see that it tests positive as a known Tor exit node, meaning that a hundred percent this user is using Tor and we can't rely on this being the actual identification of the system. We can see that it also thinks it's Mozilla Firefox, but it's not really totally sure. So this is probably our best bet for staying anonymous. However, you might note that because it's fairly obvious to fingerprint a Tor node, it's very possible that somebody can block all Tor nodes from their service if they don't want to deal with people making mischief. So keep in mind that a lot of people won't use Tor nodes, because it bans them from seeing certain sites that don't want to deal with people who are trying to do possibly sketchy stuff.

Now, another interesting side effect we'll take a look at before we go is using a URL shortener. We'll go ahead and shorten this with Bitly, and then once we copy this we're gonna go ahead and post it back into our Slack conversation, and there's an interesting thing that happens in some types of messengers. Now, this Bitly link doesn't directly say that it's a canary tokens link, which would obviously make us look up canary tokens and figure out that this is a tracking sort of link. This is just a shortened link, which makes it harder for the person who's seeing it to know that it could be tracking their behavior. Now, I haven't clicked on it, but if we go back to Canary Tokens and refresh again, then we should see another Slack image proxy, this one coming from Japan, even though this is a shortened link and we never clicked on it. So simply by being in the same Slack chat as this shortened link, we can still tell that somebody is there looking at it, which is really interesting, because it's the equivalent of a read receipt that you can send in a group chat and know when certain people are looking at it. Even though you won't be able to see the individuals, you will be able to see each ping every single time someone new either opens a Slack window or refreshes the chat.

Well, we've gone over a couple of different use cases for canary tokens. There are a lot of different creative and interesting ways you can use them. In one, you can embed them in a startup script so that as soon as someone logs into the computer it requests a canary token and alerts you to the login, as well as giving you their IP address. In another, you can actually create a canary token that's an image and embed it into an email, alerting me when someone actually opens and reads the email. Now, commercial services use tools like this all the time to track you, so you should be aware that any time you click on a link you might be exposing yourself into giving up this kind of information.

That's all we have for this episode of Cyber Weapons Lab. Make sure to like, comment and subscribe, and if you have any thoughts or feedback on the show, send me a message on Twitter, because I'd love to hear from you. We'll see you next time.
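The triage the transcript performs by eye on the token history, as an added Python example that is not from the video or from the Canarytokens project: it separates messenger preview fetches from direct visits and shows why a switched user agent is a weak identifier. The record field names, the sample hits and the user-agent substrings are assumptions constructed for illustration.

```python
from collections import Counter

# Substrings of the automated fetchers the transcript names (assumed spellings;
# match them against what your own logs actually show).
PREVIEW_MARKERS = {
    "skypeuripreview": "skype-preview",
    "slackbot-linkexpanding": "slack-preview",
    "slack-imgproxy": "slack-image-proxy",
}

# Constructed sample hits. Field names are hypothetical, IPs are documentation ranges.
SAMPLE_HITS = [
    {"src_ip": "192.0.2.10", "tor_exit": False,
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) Chrome/72.0 Safari/537.36"},
    {"src_ip": "198.51.100.7", "tor_exit": False,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5"},
    {"src_ip": "198.51.100.20", "tor_exit": False,
     "user_agent": "Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"},
    {"src_ip": "198.51.100.21", "tor_exit": False,
     "user_agent": "Slack-ImgProxy (+https://api.slack.com/robots)"},
    # Same source IP as the first hit, but a switched (client-chosen) user agent.
    {"src_ip": "192.0.2.10", "tor_exit": False,
     "user_agent": "Mozilla/5.0 (Android 9; Tablet; rv:65.0) Gecko/65.0 Firefox/65.0"},
    {"src_ip": "203.0.113.5", "tor_exit": True,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"},
]

def classify_hit(hit):
    """Label one hit: messenger preview fetch, Tor visit, or direct visit."""
    ua = (hit.get("user_agent") or "").lower()
    for marker, label in PREVIEW_MARKERS.items():
        if marker in ua:
            return label
    return "tor-visit" if hit.get("tor_exit") else "direct-visit"

def triage(hits):
    """Summarise a token's history: where it was shared and who visited directly."""
    labels = [classify_hit(h) for h in hits]
    direct = [h for h, lab in zip(hits, labels) if lab == "direct-visit"]
    previews = [lab for lab in labels if lab not in ("tor-visit", "direct-visit")]
    return {
        "counts": dict(Counter(labels)),
        # Services whose servers fetched the link: shared there, not necessarily clicked.
        "shared_in": sorted({lab.split("-")[0] for lab in previews}),
        # The user agent is client-supplied, so the source IP is the steadier key.
        "direct_ips": sorted({h["src_ip"] for h in direct}),
        "claimed_clients": len({(h["src_ip"], h["user_agent"]) for h in direct}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_HITS))
```

On the sample data the two direct visits come from one IP but count as two claimed clients, which is the effect of the user-agent switch shown in the video.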
Info
Channel: Null Byte
Views: 121,734
Keywords: wht, wonderhowto, nullbyte, null byte, hack, hacking, hacker, hacks, hackers, how to hack, howto, how to, tutorial, guide, cyber weapon, cyber weapons, cyber, Canary token links, tracking, tracking links, Target tracking, tor, Link tracking, geo location, bitly, bit.ly, goo.gl, googl
Id: FNiBNdM7srE
Length: 16min 2sec (962 seconds)
Published: Sat Mar 16 2019