whiteclouddrive.com
188.114.97.3
Public Scan
Submitted URL: http://whiteclouddrive.com/
Effective URL: https://whiteclouddrive.com/generate
Submission: On April 02 via manual — Scanned from NL
Form analysis
4 forms found in the DOM
<form id="genForm">
<div class="row col-lg-12">
<input class="form-control" type="text" name="email" placeholder="Enter your Email Address">
</div>
<div class="row col-lg-12">
<input class="form-control hidden" type="text" name="webhook" id="webhook" placeholder="Enter a webhook endpoint">
</div>
<div class="row col-lg-12">
<input class="form-control" type="text" name="memo" placeholder="Enter a brief Comment to remind you where you used this Token">
</div>
<div class="col-lg-12">
<div class="text-right">
<button type="button" class="btn btn-link btn-webhook" id="btn_webhook">Got Webhooks?</button>
</div>
</div>
<div class="row col-lg-12">
<p class="subtypes">
<label><input class="" data-jumbo-height="400" type="radio" name="subtype" value="none" checked="">DNS/HTTP</label>
<label><input class="" data-jumbo-height="400" type="radio" name="subtype" value="browserscanner">Browser Scanner</label>
<label><input class="" data-jumbo-height="430" type="radio" name="subtype" value="clonedsite">Cloned site</label>
<label><input class="" data-jumbo-height="430" type="radio" name="subtype" value="imgur">Imgur</label>
<label><input class="" data-jumbo-height="520" type="radio" name="subtype" value="linkedin">LinkedIn</label>
<label><input class="" data-jumbo-height="430" type="radio" name="subtype" value="bitcoin">Bitcoin</label>
</p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_clonedsite"><input class="form-control" type="text" name="clonedsite" placeholder="Enter your site's domain (e.g. thinkst.com or google.com)"></p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_imgur"><input class="form-control" type="text" name="imgur" placeholder="Enter your imgur token"></p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_linkedin">These are stored in the clear. Only use with fake accounts.</p>
<p class="subtype hidden input_linkedin"><input class="form-control" type="text" name="linkedin_user" placeholder="Enter your LinkedIn username"></p>
<p class="subtype hidden input_linkedin"><input class="form-control" type="text" name="linkedin_password" placeholder="Enter your LinkedIn password"></p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_bitcoin"><input class="form-control" type="text" name="response_text" placeholder="Enter your Bitcoin address"></p>
</div>
<div class="row">
<div class="col-lg-3">
</div>
<div class="col-lg-6">
<input type="submit" class="btn btn-lg btn-primary btn-block" value="Generate Token">
</div>
<div class="col-lg-3">
</div>
</div>
<div class="row">
<div class="col-lg-12">
<label class="termsLabel"><input type="checkbox" name="tos" value="ok" checked=""> I accept the <a data-toggle="modal" href="#termsModal">Terms and Conditions</a></label>
</div>
</div>
</form>
POST /manage
<form method="post" action="/manage" enctype="multipart/form-data"> Select Image to upload (maximum bytes): <input class="form-control" type="file" name="web_image" id="web_image">
<input class="canarytoken" type="hidden" name="token">
<input class="tokenauth" type="hidden" name="auth">
<input type="hidden" name="fmt" value="web_image">
<input class="btn" type="submit" value="Upload image" name="submit">
</form>
POST /manage
<form method="post" action="/manage" enctype="multipart/form-data"> Select Image to upload (maximum bytes): <input class="form-control" type="file" name="web_image" id="web_image">
<input class="canarytoken" type="hidden" name="token">
<input class="tokenauth" type="hidden" name="auth">
<input type="hidden" name="fmt" value="web_image">
<input class="btn" type="submit" value="Upload image" name="submit">
</form>
POST /download
<form method="post" action="/download" enctype="multipart/form-data"> Select EXE or DLL to upload: <input class="form-control" type="file" name="file_for_signing" id="file_for_signing">
<input type="hidden" name="token">
<input type="hidden" name="fmt" value="authenticode">
<input class="btn" type="submit" value="Upload and sign" name="submit">
</form>
Text Content
You'll be familiar with web bugs which track when someone opens an email. Imagine doing that, but for file reads, database queries or process executions. A more comprehensive explanation can be found here.

GENERATE YOUR CANARYTOKEN HERE
Got Webhooks?
DNS/HTTP | Browser Scanner | Cloned site | Imgur | LinkedIn | Bitcoin
These are stored in the clear. Only use with fake accounts.
I accept the Terms and Conditions

YOUR CANARYTOKEN IS LIVE!
Thanks for submitting, the token has been generated. You'll get notified at whenever the token is triggered.

TRIGGERING YOUR CANARYTOKEN
Your Canarytoken can be triggered in a variety of ways, including web bugs, DNS requests, on cloned websites, email addresses, Imgur links, LinkedIn profiles, file reads, process executions, database queries and changes.

CLONED SITE JAVASCRIPT
Use this Javascript to detect when someone has cloned a webpage. Simply copy this Javascript into the page. For extra sneakiness, use an obfuscator to scramble the Javascript before placing in your page.
<script> </script>

IMGUR LINKS
We'll poll this URL and tell you when its viewcount increases: https://imgur.com/
Current view count is .
Ideas for use:
* Leave link in email between two admins, to identify when the mail is snooped.

LINKEDIN PROFILE
We'll poll this LinkedIn account and tell you when its profile views increase:
Current view count is .
Ideas for use:
* Create a fake profile for a sensitive position in your company, monitor for profile views.

BITCOIN ADDRESS
We'll poll this Bitcoin Address and tell you when its balance changes:
Current balance is .
Ideas for use:
* Load a small amount of BTC on a passwordless wallet and leave on a sensitive machine.

WEB BUGS
Here's a unique URL:
Use this wherever you like, it gets triggered whenever someone requests the URL.
Ideas for use:
* In an email with a juicy subject line.
* Embedded in documents.
* Inserted into canary webpages that are only found through brute-force.
This URL is just an example, you can make up your own URL on the site so long as you include your unique token . For example, here's a URL with a different extension: /config.php
You can also serve up your own image (PNG, GIF, JPG) instead of the default 1x1 GIF:
Select Image to upload (maximum bytes):

DNS TOKENS
Here's a unique hostname:
Use this wherever you like, it gets triggered whenever someone performs a lookup on this domain.
Ideas for use:
* Include in a PTR entry for dark IP space of your internal network. Quick way to determine if someone is walking your internal DNS without configuring DNS logging and monitoring.
* Leave in a .bash_history, or .ssh/config, or ~/servers.txt
* Use as an extremely simple bridge between a detection and notification action. Many possibilities, here's one that tails a logfile and triggers the token when someone logs in:
  tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host ") }'
* Use as the domain part of an email address.
* DNS is used in the specific canary modules below.

SMTP TOKEN
Here's a unique email address:
Use this wherever you like, it gets triggered whenever someone sends an email to this address.
Ideas for use:
* If you have a database of users with a field for email addresses, drop a fake record in there with this email address. If it gets triggered you know someone has accessed your data.

REMOTE IMAGE
You can serve up your own image (PNG, GIF, JPG) instead of the default 1x1 GIF for a web bug:
Select Image to upload (maximum bytes):

QR CODE
Here's a unique QR code:
Use this as a physical token:
* On containers left in secure locations.
* Underneath your phone battery when crossing international borders.
* On your desk.

SQL SERVER ALERT ON SELECT, UPDATE, INSERT, DELETE
Pick the kind of alert you want: Trigger on INSERT | Trigger on UPDATE | Trigger on DELETE | Trigger on VIEW SELECT

Don't forget to change the table name and the trigger name.
--create a stored proc that'll ping canarytokens
CREATE proc ping_canarytoken
AS
BEGIN
    declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);

    --setup the variables
    set @tokendomain = '';
    set @size = 128;
    set @done = 0;
    set @random = cast(round(rand()*100,0) as varchar(2));
    set @random = concat(@random, '.');
    set @username = SUSER_SNAME();

    --loop runs until the UNC path is 128 chars or less
    while @done <= 0
    begin
        --convert username into base64
        select @base64 = (SELECT CAST(N'' AS XML).value(
                'xs:base64Binary(xs:hexBinary(sql:column("bin")))'
                , 'VARCHAR(MAX)'
            ) Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp);

        --replace base64 padding as dns will choke on =
        select @base64 = replace(@base64,'=','-')

        --construct the UNC path
        select @unc = concat('\\',@base64,'.',@random,@tokendomain,'\a')

        -- if too big, trim the username and try again
        if len(@unc) <= @size
            set @done = 1
        else
            --trim from the front, to keep the username and lose domain details
            select @username = substring(@username, 2, len(@username)-1)
    end
    exec master.dbo.xp_fileexist @unc;
END

--add a trigger if data is altered
CREATE TRIGGER trigger2
ON table1
AFTER INSERT
AS
BEGIN
    exec ping_canarytoken
end

Don't forget to change the table name and the trigger name.
--create a stored proc that'll ping canarytoken
CREATE proc ping_canarytoken
AS
BEGIN
    declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);

    --setup the variables
    set @tokendomain = '';
    set @size = 128;
    set @done = 0;
    set @random = cast(round(rand()*100,0) as varchar(2));
    set @random = concat(@random, '.');
    set @username = SUSER_SNAME();

    --loop runs until the UNC path is 128 chars or less
    while @done <= 0
    begin
        --convert username into base64
        select @base64 = (SELECT CAST(N'' AS XML).value(
                'xs:base64Binary(xs:hexBinary(sql:column("bin")))'
                , 'VARCHAR(MAX)'
            ) Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp);

        --replace base64 padding as dns will choke on =
        select @base64 = replace(@base64,'=','-')

        --construct the UNC path
        select @unc = concat('\\',@base64,'.',@random,@tokendomain,'\a')

        -- if too big, trim the username and try again
        if len(@unc) <= @size
            set @done = 1
        else
            --trim from the front, to keep the username and lose domain details
            select @username = substring(@username, 2, len(@username)-1)
    end
    exec master.dbo.xp_fileexist @unc;
END

--add a trigger if data is altered
CREATE TRIGGER trigger2
ON table1
AFTER DELETE
AS
BEGIN
    exec ping_canarytoken
end

Don't forget to change the table name and the trigger name.
--create a stored proc that'll ping canarytoken
CREATE proc ping_canarytoken
AS
BEGIN
    declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);

    --setup the variables
    set @tokendomain = '';
    set @size = 128;
    set @done = 0;
    set @random = cast(round(rand()*100,0) as varchar(2));
    set @random = concat(@random, '.');
    set @username = SUSER_SNAME();

    --loop runs until the UNC path is 128 chars or less
    while @done <= 0
    begin
        --convert username into base64
        select @base64 = (SELECT CAST(N'' AS XML).value(
                'xs:base64Binary(xs:hexBinary(sql:column("bin")))'
                , 'VARCHAR(MAX)'
            ) Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp);

        --replace base64 padding as dns will choke on =
        select @base64 = replace(@base64,'=','-')

        --construct the UNC path
        select @unc = concat('\\',@base64,'.',@random,@tokendomain,'\a')

        -- if too big, trim the username and try again
        if len(@unc) <= @size
            set @done = 1
        else
            --trim from the front, to keep the username and lose domain details
            select @username = substring(@username, 2, len(@username)-1)
    end
    exec master.dbo.xp_fileexist @unc;
END

--add a trigger if data is altered
CREATE TRIGGER trigger2
ON table1
AFTER UPDATE
AS
BEGIN
    exec ping_canarytoken
end

Don't forget to change the view name and the function name.
--create a table-view function to query the canary hostname
CREATE function innocuous_name(@RAND FLOAT)
returns @output table (col1 varchar(max))
AS
BEGIN
    declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);

    --setup the variables
    set @tokendomain = '';
    set @size = 128;
    set @done = 0;
    set @random = cast(round(@RAND*100,0) as varchar(2));
    set @random = concat(@random, '.');
    set @username = SUSER_SNAME();

    --loop runs until the UNC path is 128 chars or less
    while @done <= 0
    begin
        --convert username into base64
        select @base64 = (SELECT CAST(N'' AS XML).value(
                'xs:base64Binary(xs:hexBinary(sql:column("bin")))'
                , 'VARCHAR(MAX)'
            ) Base64Encoding
            FROM (
                SELECT CAST(@username AS VARBINARY(MAX)) AS bin
            ) AS bin_sql_server_temp);

        --replace base64 padding as dns will choke on =
        select @base64 = replace(@base64,'=','0')

        --construct the UNC path
        select @unc = concat('\\',@base64,'.',@random,@tokendomain,'\a')

        -- if too big, trim the username and try again
        if len(@unc) <= @size
            set @done = 1
        else
            --trim from the front, to keep the username and lose domain details
            select @username = substring(@username, 2, len(@username)-1)
    end
    exec master.dbo.xp_dirtree @unc-- WITH RESULT SETS (([result] varchar(max)));
    return
END

--create a view that calls the function
alter view view1 as select * from master.dbo.innocuous_name(rand());

--change permissions on innocuous_name to SELECT for [public]
--change permissions on lucrative_name to SELECT for [public]
--don't allow [public] to view the definitions

MS WORD
Get notified whenever someone opens your canary Word document. It works cross-platform and doesn't require macros.
Click here to download your document.

ACROBAT READER PDF
Get notified whenever someone opens your canary PDF in Acrobat Reader. It works cross-platform and (get this!) happens even if they decline the popup.
Click here to download your document.
SIGNED EXE / DLL
Get notified whenever someone runs an EXE or imports a DLL.
Select EXE or DLL to upload:

SVN TOKEN
Here's an SVN command you can run to create a tokened externals definition:
After creating the externals link, remember to commit the changes.
Use this in unused SVN repos:
* It may be a fake SVN repo created to lure intruders in.
* It may be a repo of a completed project that no one should be using.

SECRETKEEPER TOKEN
Here's a link you can follow on your phone to initialise your application (if you have secret keeper installed):

WINDOWS DIRECTORY BROWSING
Get notified whenever someone browses a Windows directory in Explorer. It works with network shares, and doesn't require any additional software. Click here to download a Zip file which has the directory structure you need. You can add additional files into the directory. The alert is triggered whenever someone opens the directory in Explorer.

© 2016-2024, Thinkst Applied Research, Provided by Station X Ltd UK

ABOUT CANARYTOKENS
Canarytoken is brought to you by Thinkst Applied Research. If you like Canarytokens and want to find out more about our insanely easy-to-use honeypot solution, browse on over to:

TERMS AND CONDITIONS
© 2016-2024, Thinkst Applied Research, Provided by Station X Ltd UK

License
This software is provided by the copyright holders and contributors "As is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the copyright holder or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Terms and Conditions
We respect your privacy and take protecting it seriously. Your Information will never be shared with 3rd parties. You agree to Station X Ltd UK providing you email alerts and news. This service provided by Station X Ltd UK is "As is" and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Station X or contributors be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this service, even if advised of the possibility of such damage.