How to Integrate a Thinkst Canary Token with Telegram

January 6, 2021January 6, 2021 admin canary token, Defensive, Integromat, offensive, Purple Team, red team, telegram, Thinkst, tutorial

Click the icon to Follow me:-

WTF is a canary token I hear some of you ask? Well, they are pretty nifty little things. If that isn’t good enough, how about this. Canarytokens are a simple way to tripwire things. You’ll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page’s image tag and monitoring incoming GET requests. These are normally 1×1 invisible images.

Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots.

Pretty cool, and even better you can do this for free!

AMD Ryzen 5 3600 6-Core, 12-Thread Unlocked Desktop Processor with Wraith Stealth Cooler $199.99

The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 6 cores and 12 processing threads bundled with the quiet AMD wraith stealth cooler max temps 95°C 4 2 G... read more

(as of January 24, 2021 - )

AMD Ryzen 7 3700X 8-Core, 16-Thread Unlocked Desktop Processor with Wraith Prism LED Cooler $329.99

The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 8 cores and 16 processing threads, bundled with the AMD Wraith Prism cooler with color controlled LED s... read more

(as of January 24, 2021 - )

AMD Ryzen 9 3900X 12-core, 24-thread unlocked desktop processor with Wraith Prism LED Cooler $489.99

The world's most advanced processor in the desktop PC gaming segment Can deliver ultra-fast 100+ FPS performance in the world's most popular games 12 cores and 24 processing threads, bundled with the AMD Wraith Prism cooler with color controlled LED ... read more

(as of January 24, 2021 - )

Now, I have been using them here and there for a while, some get triggered often, some have never fired apart from a couple of times I was testing them but today lets get into how to use canary tokens with telegram. There are a number of ways you can do this, some ways use your own infastructure, some rely on other services. If you want to use your own, you’ll need to roll your own, this guide is for using Canary Tokens, Integromat and Telegram.

Things we are gunna need:

Telegram
Integromat
Canary Token
Curiosity, Time and maybe something to eat…

We are going to need to make a bot. To do this we need to talk to the “BotFather”.

So open up Telegram, and send a message to @BotFather. Once that chat comes up, you will need to type some commands in.

/newbot

#Then a name for your bot like:
MyCoolCanaryThing

#Then you need to give the bot a username, I usually take the above and add _bot at the end like:
MyCoolCanaryThing_bot

Now we have the bot and and API token, we will need these later, also DO NOT SHARE THEM WITH ANYONE YOU DON’T TRUST!

To add your bot to your Telegram application, click the link in the message from BotFather or enter it manually to your browser. The link is t.me/yourBotName.

Now click on START

Your bot is now ready and waiting! This is all we need to do in Telegram for now.

Lets hope over to Integromat now. Login and go to “Scenarios” then “Create A New Scenario“

Search for Telegram, select it and click on “Continue“

Choose “Telegram Bot“

Scroll down and select “Watch Updates“

Add a new “Webhook” (A webhook [also called a web callback or HTTP push API] is a way for an app to provide other applications with real-time information.) Click on Add.

Give it a name then click on “Add“

Now you need that Telegram API bot token from earlier for the “connection“

Click on “Continue“

Now click on “Save“

On the next screen you need to click “Show Address“

This will give you a URL similar to :

https://hook.integromat.com/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

You are going to need this, so make a note of it somewhere.

So moving on, we want to “Add another module“

The module we are going to attach this to is “Send a Text Message or a Reply“

On the next screen we need to put some information in that we don’t have just yet.

Just click on OK to go back to the scenario. Now you must SAVE the scenario in the bottom left-hand corner. If you don’t save, the next part will fail.

You may get an alert like you can see below but you can just click on “Save Anyway“

So to get this next bit of information, we need to jump over to Thinkst Canary. You can get to it here https://canarytokens.org/generate

We need to generate a new canary token and you have a number you can choose, but we are going for the “Custom Image Web bug“

Do you remember that webhook from Integromat that I told you to keep safe? Now you need it… you did keep it safe, right??

Setup the Canary Token with the webhook.

Now click on “Create my Canarytoken“

Hopefully, if you have been following along you will see a success screen like this one.

DON’T CLOSE THIS PAGE YET!!

We need to copy that URL for the token again, we are going to need it later. And at the top right, it says “Manage this token“, we need the URL to this too. Keep these safe for now.

We need some more information for our Integromat scenario from earlier, so head over to Telegram bot channel and do the following.

Send a message in the bot channel

Now Forward that “test” message to @getidsbot

You should see a screen similar to this one:

Copy that ID and paste it into the Integromat “send a message” box from earlier.

Now we want to craft the message that we will get in Telegram when the token is triggered. This is where the “Manage this token” URL from earlier comes in handy. Click on it and get the URL for the link shown below.