How to Integrate a Thinkst Canary Token with Telegram

Thinkst Canary Token

WTF is a canary token I hear some of you ask? Well, they are pretty nifty little things. If that isn’t good enough, how about this. Canarytokens are a simple way to tripwire things. You’ll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page’s image tag and monitoring incoming GET requests. These are normally 1×1 invisible images.

Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.

Pretty cool, and even better you can do this for free!

Now, I have been using them here and there for a while. Some get triggered often, and some have never fired apart from a couple of times when I was testing them. Today, let’s get into how to use canary tokens with Telegram. There are a number of ways you can do this: some use your own infrastructure, some rely on other services. If you want to use your own infrastructure, you’ll need to roll your own; this guide is for using Canary Tokens, Integromat and Telegram.

Things we are gunna need:

  • Telegram
  • Integromat
  • Canary Token
  • Curiosity, Time and maybe something to eat…

Telegram

We are going to need to make a bot. To do this we need to talk to the “BotFather”.

image 16

So open up Telegram, and send a message to @BotFather. Once that chat comes up, you will need to type some commands in.

/newbot

#Then a name for your bot like:
MyCoolCanaryThing

#Then you need to give the bot a username, I usually take the above and add _bot at the end like:
MyCoolCanaryThing_bot
image 17

Now we have the bot and an API token. We will need these later. Also, DO NOT SHARE THEM WITH ANYONE YOU DON’T TRUST!

To add your bot to your Telegram application, click the link in the message from BotFather or enter it manually into your browser. The link is t.me/yourBotName.

Now click on START

image 18
Starting the new bot

Your bot is now ready and waiting! This is all we need to do in Telegram for now.

Let’s hop over to Integromat now. Log in and go to “Scenarios”, then “Create A New Scenario”.

image 20
Integromat Scenarios

Search for Telegram, select it and click on “Continue”.

image 21
Telegram

Choose “Telegram Bot”.

image 23
Telegram Bot

Scroll down and select “Watch Updates”.

image 24
Watch Updates Option

Add a new “Webhook” (A webhook [also called a web callback or HTTP push API] is a way for an app to provide other applications with real-time information.) Click on Add.

image 25
Add a webhook

Give it a name, then click on “Add”.

image 27
Webhook name

Now you need that Telegram API bot token from earlier for the “connection”.

image 28
Add your Telegram API Token

Click on “Continue”.

image 29
New Webhook created

Now click on “Save”.

On the next screen you need to click “Show Address”.

image 30
Webhook address.


This will give you a URL similar to:

https://hook.integromat.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You are going to need this, so make a note of it somewhere.

So moving on, we want to “Add another module”.

image 31
Add a module

The module we are going to attach this to is “Send a Text Message or a Reply”.

image 32

On the next screen we need to put some information in that we don’t have just yet.

image 34
Missing information

Just click on OK to go back to the scenario. Now you must SAVE the scenario in the bottom left-hand corner. If you don’t save, the next part will fail.

You may get an alert like the one you can see below, but you can just click on “Save Anyway”.

image 38
Save Anyway

So to get this next bit of information, we need to jump over to Thinkst Canary. You can get to it here https://canarytokens.org/generate

We need to generate a new canary token. There are a number of token types you can choose from, but we are going for the “Custom Image Web bug”.

image 36
Choose your token type

Do you remember that webhook from Integromat that I told you to keep safe? Now you need it… you did keep it safe, right??

image 37
Setup the Canary Token with the webhook.

Now click on “Create my Canarytoken”.

Hopefully, if you have been following along you will see a success screen like this one.

image 40
Success

DON’T CLOSE THIS PAGE YET!!

We need to copy that URL for the token again, as we are going to need it later. At the top right, it says “Manage this token”; we need the URL for this too. Keep these safe for now.

We need some more information for our Integromat scenario from earlier, so head over to the Telegram bot channel and do the following.

Send a message in the bot channel

image 41
test message

Now Forward that “test” message to @getidsbot

image 42

You should see a screen similar to this one:

image 43
Bot ID

Copy that ID and paste it into the Integromat “send a message” box from earlier.

image 45
Add the Telegram Chat ID

Now we want to craft the message that we will get in Telegram when the token is triggered. This is where the “Manage this token” URL from earlier comes in handy. Click on it and get the URL for the link shown below.

image 58
History of the token

If you click on it now you should see something similar to this

image 47
History of the token.

Cool, so all is good. Let’s take this URL and use it in the scenario.

image 49
Message we will get when the Canary Token is triggered.

Click on “OK” then save the scenario.

Click on “Run Once” and then “Listen for New”.

image 51

Now let’s go and trigger our token from the page below to see if we get a message in Telegram.

image 52
Trigger the token by visiting the URL listed here.

This is what I see in the browser

image 54
So much nothing

So much nothing, or so you thought, because instantly in Telegram I got this

image 55
The token was triggered and a message received Instantly.
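
For the roll-your-own route mentioned at the start, here is the step Integromat performs in this scenario, turning a token alert into a Telegram Bot API sendMessage call. This is an added example, not part of the original post; the alert field names are an assumption about the webhook JSON, and the sample alert, bot token and chat ID are constructed.

```python
import json
import urllib.request

TELEGRAM_API = "https://api.telegram.org"
MAX_LEN = 4096  # Telegram's text message length limit

# Constructed sample alert. The field names are an assumption about the JSON
# the token service POSTs to a webhook; adjust them to what your hook receives.
SAMPLE_ALERT = {
    "memo": "Web bug in finance share README",
    "channel": "HTTP",
    "time": "2021-01-01 12:00:00",
    "manage_url": "https://canarytokens.org/manage?token=EXAMPLE&auth=EXAMPLE",
    "additional_data": {"src_ip": "203.0.113.7", "useragent": "curl/7.68.0"},
}


def format_alert(alert):
    """Turn an alert dict into message text, tolerating missing fields."""
    extra = alert.get("additional_data") or {}
    lines = [
        "Canarytoken triggered: " + str(alert.get("memo", "(no memo)")),
        "Channel: " + str(alert.get("channel", "unknown")),
        "Time: " + str(alert.get("time", "unknown")),
        "Source IP: " + str(extra.get("src_ip", "unknown")),
        # The user agent is supplied by whoever tripped the token: cap it.
        "User agent: " + str(extra.get("useragent", "unknown"))[:200],
        "History: " + str(alert.get("manage_url", "n/a")),
    ]
    return "\n".join(lines)[:MAX_LEN]


def build_request(bot_token, chat_id, alert):
    """Build (but do not send) the Bot API sendMessage request."""
    body = json.dumps({
        "chat_id": chat_id,
        "text": format_alert(alert),  # no parse_mode: text is sent literally
    }).encode("utf-8")
    return urllib.request.Request(
        f"{TELEGRAM_API}/bot{bot_token}/sendMessage",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def redact(url, bot_token):
    """Hide the bot token before a request URL is written to logs."""
    return url.replace(bot_token, "<bot-token>")
```

Pass the returned request to `urllib.request.urlopen` to deliver the alert; the bot token is part of the URL, so log only the output of `redact`.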

Visiting the links gives us information on the offending sneaky token triggerer, such as:

  • Geo-Location
  • Country
  • City
  • Region
  • IP Address
  • Date and Time
  • Useragent
  • Checks to see if it is a known Tor exit node
  • Checks whether JavaScript is installed and enabled, and its version
  • Checks for Browser information such as mimetypes, vendor, language, platform, version, os and browser name.

image 57
Information on the triggered token.

You can even export the results as a .csv or .json file.

Now go and hide that canary token somewhere secret that you would worry about if someone bad got in.

BLUE TEAM:

Remember, it gets triggered whenever someone requests the URL.

If the URL is requested as an image (e.g. <img src="">) then a 1×1 image is served. If the URL is surfed in a browser then a blank page is served with fingerprinting JavaScript.

Ideas for use:

  • In an email with a juicy subject line.
  • Embedded in documents.
  • Inserted into canary webpages that are only found through brute-force.
  • This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL.

RED TEAM / PURPLE TEAM:

Ideas for use:

  • In an email as part of a signature to track if your email was delivered to the target and get information.
  • Embedded in documents to check if they were opened by the target.
  • Inserted into canary webpages that are only triggered when your target opens the link you sent them.
  • This URL is just an example. Apart from the hostname and the actual token (the random string), you can change all other parts of the URL to match your scenario.