How to Integrate a Thinkst Canary Token with Telegram
WTF is a canary token I hear some of you ask? Well, they are pretty nifty little things. If that isn’t good enough, how about this. Canarytokens are a simple way to tripwire things. You’ll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page’s image tag and monitoring incoming GET requests. These are normally 1×1 invisible images.
Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.
Pretty cool, and even better you can do this for free!
Now, I have been using them here and there for a while, some get triggered often, some have never fired apart from a couple of times I was testing them but today lets get into how to use canary tokens with telegram. There are a number of ways you can do this, some ways use your own infastructure, some rely on other services. If you want to use your own, you’ll need to roll your own, this guide is for using Canary Tokens, Integromat and Telegram.
Things we are gunna need:
- Telegram
- Integromat
- Canary Token
- Curiosity, Time and maybe something to eat…
Telegram
We are going to need to make a bot. To do this we need to talk to the “BotFather”.
So open up Telegram, and send a message to @BotFather. Once that chat comes up, you will need to type some commands in.
/newbot
#Then a name for your bot like:
MyCoolCanaryThing
#Then you need to give the bot a username, I usually take the above and add _bot at the end like:
MyCoolCanaryThing_bot
Now we have the bot and and API token, we will need these later, also DO NOT SHARE THEM WITH ANYONE YOU DON’T TRUST!
To add your bot to your Telegram application, click the link in the message from BotFather or enter it manually to your browser. The link is t.me/yourBotName.
Now click on START
Your bot is now ready and waiting! This is all we need to do in Telegram for now.
Lets hope over to Integromat now. Login and go to “Scenarios” then “Create A New Scenario“
Search for Telegram, select it and click on “Continue“
Choose “Telegram Bot“
Scroll down and select “Watch Updates“
Add a new “Webhook” (A webhook [also called a web callback or HTTP push API] is a way for an app to provide other applications with real-time information.) Click on Add.
Give it a name then click on “Add“
Now you need that Telegram API bot token from earlier for the “connection“
Click on “Continue“
Now click on “Save“
On the next screen you need to click “Show Address“
This will give you a URL similar to :
https://hook.integromat.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxYou are going to need this, so make a note of it somewhere.
So moving on, we want to “Add another module“
The module we are going to attach this to is “Send a Text Message or a Reply“
On the next screen we need to put some information in that we don’t have just yet.
Just click on OK to go back to the scenario. Now you must SAVE the scenario in the bottom left-hand corner. If you don’t save, the next part will fail.
You may get an alert like you can see below but you can just click on “Save Anyway“
So to get this next bit of information, we need to jump over to Thinkst Canary. You can get to it here https://canarytokens.org/generate
We need to generate a new canary token and you have a number you can choose, but we are going for the “Custom Image Web bug“
Do you remember that webhook from Integromat that I told you to keep safe? Now you need it… you did keep it safe, right??
Now click on “Create my Canarytoken“
Hopefully, if you have been following along you will see a success screen like this one.
DON’T CLOSE THIS PAGE YET!!
We need to copy that URL for the token again, we are going to need it later. And at the top right, it says “Manage this token“, we need the URL to this too. Keep these safe for now.
We need some more information for our Integromat scenario from earlier, so head over to Telegram bot channel and do the following.
Send a message in the bot channel
Now Forward that “test” message to @getidsbot
You should see a screen similar to this one:
Copy that ID and paste it into the Integromat “send a message” box from earlier.
Now we want to craft the message that we will get in Telegram when the token is triggered. This is where the “Manage this token” URL from earlier comes in handy. Click on it and get the URL for the link shown below.
If you click on it now you should see something similar to this
Cool, so all is good, lets take this URL and use it in the scenario.
Click on “OK” then save the scenario.
Click on “Run Once” and then “Listen for New“
Now lets go and trigger our token from the page below to see if we get a message in Telegram
This is what I see in the browser
So much nothing, or so you thought, because instantly in Telegram I got this
Visiting the links gives us a information on the offending sneaky token triggerer such as:
You may be interested in...
- Geo-Location
- Country
- City
- Region
- IP Address
- Date and Time
- Useragent
- Checks to see if it is a Tor known exit node
- Checks to see if JavaScript version, installed and enabled
- Checks for Browser information such as mimetypes, vendor, language, platform, version, os and browser name.
You can even export the results as a .csv or .json file.
Now go and hide that canary token somewhere secret that you would worry about it someone bad got in.
BLUE TEAM:
Remember, it gets triggered whenever someone requests the URL.
If the URL is requested as an image (e.g. <img src=””>) then a 1×1 image is served. If the URL is surfed in a browser than a blank page is served with fingerprinting Javascript.
Ideas for use:
- In an email with a juicy subject line.
- Embedded in documents.
- Inserted into canary webpages that are only found through brute-force.
- This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL.
RED TEAM / PURPLE TEAM:
Ideas for use:
- In an email as part of a signature to track if your email was delivered to the target and get information.
- Embedded in documents to check if they were opened by the target.
- Inserted into canary webpages that are only triggered when your target opens the link you sent them.
- This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL to match your scenario.
