whiteclouddrive.com
Open in
urlscan Pro
188.114.97.3
Public Scan
Submitted URL: http://whiteclouddrive.com/
Effective URL: https://whiteclouddrive.com/generate
Submission: On April 02 via manual — Scanned from NL
Effective URL: https://whiteclouddrive.com/generate
Submission: On April 02 via manual — Scanned from NL
Form analysis 4 forms found in the DOM
<form id="genForm">
<div class="row col-lg-12">
<input class="form-control" type="text" name="email" placeholder="Enter your Email Address">
</div>
<div class="row col-lg-12">
<input class="form-control hidden" type="text" name="webhook" id="webhook" placeholder="Enter a webhook endpoint">
</div>
<div class="row col-lg-12">
<input class="form-control" type="text" name="memo" placeholder="Enter a brief Comment to remind you where you used this Token">
</div>
<div class="col-lg-12">
<div class="text-right">
<button type="button" class="btn btn-link btn-webhook" id="btn_webhook">Got Webhooks?</button>
</div>
</div>
<div class="row col-lg-12">
<p class="subtypes">
<label><input class="" data-jumbo-height="400" type="radio" name="subtype" value="none" checked="">DNS/HTTP</label>
<label><input class="" data-jumbo-height="400" type="radio" name="subtype" value="browserscanner">Browser Scanner</label>
<label><input class="" data-jumbo-height="430" type="radio" name="subtype" value="clonedsite">Cloned site</label>
<label><input class="" data-jumbo-height="430" type="radio" name="subtype" value="imgur">Imgur</label>
<label><input class="" data-jumbo-height="520" type="radio" name="subtype" value="linkedin">LinkedIn</label>
<label><input class="" data-jumbo-height="430" type="radio" name="subtype" value="bitcoin">Bitcoin</label>
</p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_clonedsite"><input class="form-control" type="text" name="clonedsite" placeholder="Enter your site's domain (e.g. thinkst.com or google.com)"></p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_imgur"><input class="form-control" type="text" name="imgur" placeholder="Enter your imgur token"></p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_linkedin">These are stored in the clear. Only use with fake accounts.</p>
<p class="subtype hidden input_linkedin"><input class="form-control" type="text" name="linkedin_user" placeholder="Enter your LinkedIn username"></p>
<p class="subtype hidden input_linkedin"><input class="form-control" type="text" name="linkedin_password" placeholder="Enter your LinkedIn password"></p>
</div>
<div class="row col-lg-12">
<p class="subtype hidden input_bitcoin"><input class="form-control" type="text" name="response_text" placeholder="Enter your Bitcoin address"></p>
</div>
<div class="row">
<div class="col-lg-3">
</div>
<div class="col-lg-6">
<input type="submit" class="btn btn-lg btn-primary btn-block" value="Generate Token">
</div>
<div class="col-lg-3">
</div>
</div>
<div class="row">
<div class="col-lg-12">
<label class="termsLabel"><input type="checkbox" name="tos" value="ok" checked=""> I accept the <a data-toggle="modal" href="#termsModal">Terms and Conditions</a></label>
</div>
</div>
</form>POST /manage
<form method="post" action="/manage" enctype="multipart/form-data"> Select Image to upload (maximum bytes): <input class="form-control" type="file" name="web_image" id="web_image">
<input class="canarytoken" type="hidden" name="token">
<input class="tokenauth" type="hidden" name="auth">
<input type="hidden" name="fmt" value="web_image">
<input class="btn" type="submit" value="Upload image" name="submit">
</form>POST /manage
<form method="post" action="/manage" enctype="multipart/form-data"> Select Image to upload (maximum bytes): <input class="form-control" type="file" name="web_image" id="web_image">
<input class="canarytoken" type="hidden" name="token">
<input class="tokenauth" type="hidden" name="auth">
<input type="hidden" name="fmt" value="web_image">
<input class="btn" type="submit" value="Upload image" name="submit">
</form>POST /download
<form method="post" action="/download" enctype="multipart/form-data"> Select EXE or DLL to upload: <input class="form-control" type="file" name="file_for_signing" id="file_for_signing">
<input type="hidden" name="token">
<input type="hidden" name="fmt" value="authenticode">
<input class="btn" type="submit" value="Upload and sign" name="submit">
</form>Text Content
You'll be familiar with web bugs which track when someone opens an email.
Imagine doing that, but for file reads, database queries or process executions.
A more comprehensive explanation can be found here.
GENERATE YOUR CANARYTOKEN HERE
Got Webhooks?
DNS/HTTP Browser Scanner Cloned site Imgur LinkedIn Bitcoin
These are stored in the clear. Only use with fake accounts.
I accept the Terms and Conditions
YOUR CANARYTOKEN IS LIVE!
Thanks for submitting, the token has been generated. You'll get notified at
whenever the token is triggered.
TRIGGERING YOUR CANARYTOKEN
Your Canarytoken can be triggered in a variety of ways, including web bugs, DNS
requests, on cloned websites, email addresses, Imgur links, LinkedIn profiles,
file reads, process executions, database queries and changes.
CLONED SITE JAVASCRIPT
Use this Javascript to detect when someone has cloned a webpage. Simply copy
this Javascript into the page.
For extra sneakiness, Use an obfuscator to scramble the Javascript before
placing in your page.
<script> </script>
IMGUR LINKS
We'll poll this URL and tell you when its viewcount increases:
https://imgur.com/
Current view count is .
Ideas for use:
* Leave link in email between two admins, to identify when the mail is snooped.
LINKEDIN PROFILE
We'll poll this LinkedIn account and tell you when its profile views increase:
Current view count is .
Ideas for use:
* Create a fake profile for an sensitive position in your company, monitor for
profile views.
BITCOIN ADDRESS
We'll poll this Bitcoin Address and tell you when its balance changes:
Current balance is .
Ideas for use:
* Load a small amount of BTC on a passwordless wallet and leave on a sensitive
machine.
WEB BUGS
Here's a unique URL:
Use this where ever you like, it gets triggered whenever someone requests the
URL. Ideas for use:
* In an email with a juicy subject line.
* Embedded in documents.
* Inserted into canary webpages that are only found through brute-force.
This URL is just an example, you can make up your own URL on the site so long as
you include your unique token . For example, here's a URL with a different
extension:
/config.php
You can also serve up your own image (PNG, GIF, JPG) instead of the default 1x1
GIF:
Select Image to upload (maximum bytes):
DNS TOKENS
Here's a unique hostname:
Use this where ever you like, it gets triggered whenever someone performs a
lookup on this domain. Ideas for use:
* Include in a PTR entry for dark IP space of your internal network. Quick way
to determine if someone is walking your internal DNS without configuring DNS
logging and monitoring.
* Leave in a .bash_history, or .ssh/config, or ~/servers.txt
* Use as a extremely simple bridge between a detection and notification action.
Many possibilities, here's one that tails a logfile and triggers the token
when someone logs in:
tail -f /var/log/auth.log | awk '/Accepted publickey for/ { system("host ")
}'
* Use as the domain part of an email address.
* DNS is used in the specific canary modules below.
SMTP TOKEN
Here's a unique email address:
Use this where ever you like, it gets triggered whenever someone sends an email
to this address. Ideas for use:
* If you have a database of users with a field for email addresses, drop a fake
record in there with this email address. If it gets triggered you know
someone has accessed your data.
REMOTE IMAGE
You can serve up your own image (PNG, GIF, JPG) instead of the default 1x1 GIF
for a web bug:
Select Image to upload (maximum bytes):
QR CODE
Here's a unique QR code:
Use this as a physical token:
* On containers left in secure locations.
* Underneath your phone battery when crossing international borders.
* On your desk.
TITLE
Body
TITLE
Body
SQL SERVER ALERT ON SELECT, UPDATE, INSERT, DELETE
Pick the kind of alert you want:
Trigger on INSERT Trigger on UPDATE Trigger on DELETE Trigger on VIEW SELECT
Don't forget to change the table name and the trigger name.
--create a stored proc that'll ping canarytokens CREATE proc ping_canarytoken AS
BEGIN declare @username varchar(max), @base64 varchar(max), @tokendomain
varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);
--setup the variables set @tokendomain = ''; set @size = 128; set @done = 0; set
@random = cast(round(rand()*100,0) as varchar(2)); set @random = concat(@random,
'.'); set @username = SUSER_SNAME(); --loop runs until the UNC path is 128 chars
or less while @done <= 0 begin --convert username into base64 select @base64 =
(SELECT CAST(N'' AS XML).value(
'xs:base64Binary(xs:hexBinary(sql:column("bin")))' , 'VARCHAR(MAX)' )
Base64Encoding FROM ( SELECT CAST(@username AS VARBINARY(MAX)) AS bin ) AS
bin_sql_server_temp); --replace base64 padding as dns will choke on = select
@base64 = replace(@base64,'=','-') --construct the UNC path select @unc =
concat('\\',@base64,'.',@random,@tokendomain,'\a') -- if too big, trim the
username and try again if len(@unc) <= @size set @done = 1 else --trim from the
front, to keep the username and lose domain details select @username =
substring(@username, 2, len(@username)-1) end exec master.dbo.xp_fileexist @unc;
END --add a trigger if data is altered CREATE TRIGGER trigger2 ON table1 AFTER
INSERT AS BEGIN exec ping_canarytoken end
Don't forget to change the table name and the trigger name.
--create a stored proc that'll ping canarytoken CREATE proc ping_canarytoken AS
BEGIN declare @username varchar(max), @base64 varchar(max), @tokendomain
varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);
--setup the variables set @tokendomain = ''; set @size = 128; set @done = 0; set
@random = cast(round(rand()*100,0) as varchar(2)); set @random = concat(@random,
'.'); set @username = SUSER_SNAME(); --loop runs until the UNC path is 128 chars
or less while @done <= 0 begin --convert username into base64 select @base64 =
(SELECT CAST(N'' AS XML).value(
'xs:base64Binary(xs:hexBinary(sql:column("bin")))' , 'VARCHAR(MAX)' )
Base64Encoding FROM ( SELECT CAST(@username AS VARBINARY(MAX)) AS bin ) AS
bin_sql_server_temp); --replace base64 padding as dns will choke on = select
@base64 = replace(@base64,'=','-') --construct the UNC path select @unc =
concat('\\',@base64,'.',@random,@tokendomain,'\a') -- if too big, trim the
username and try again if len(@unc) <= @size set @done = 1 else --trim from the
front, to keep the username and lose domain details select @username =
substring(@username, 2, len(@username)-1) end exec master.dbo.xp_fileexist @unc;
END --add a trigger if data is altered CREATE TRIGGER trigger2 ON table1 AFTER
DELETE AS BEGIN exec ping_canarytoken end
Don't forget to change the table name and the trigger name.
--create a stored proc that'll ping canarytoken CREATE proc ping_canarytoken AS
BEGIN declare @username varchar(max), @base64 varchar(max), @tokendomain
varchar(128), @unc varchar(128), @size int, @done int, @random varchar(3);
--setup the variables set @tokendomain = ''; set @size = 128; set @done = 0; set
@random = cast(round(rand()*100,0) as varchar(2)); set @random = concat(@random,
'.'); set @username = SUSER_SNAME(); --loop runs until the UNC path is 128 chars
or less while @done <= 0 begin --convert username into base64 select @base64 =
(SELECT CAST(N'' AS XML).value(
'xs:base64Binary(xs:hexBinary(sql:column("bin")))' , 'VARCHAR(MAX)' )
Base64Encoding FROM ( SELECT CAST(@username AS VARBINARY(MAX)) AS bin ) AS
bin_sql_server_temp); --replace base64 padding as dns will choke on = select
@base64 = replace(@base64,'=','-') --construct the UNC path select @unc =
concat('\\',@base64,'.',@random,@tokendomain,'\a') -- if too big, trim the
username and try again if len(@unc) <= @size set @done = 1 else --trim from the
front, to keep the username and lose domain details select @username =
substring(@username, 2, len(@username)-1) end exec master.dbo.xp_fileexist @unc;
END --add a trigger if data is altered CREATE TRIGGER trigger2 ON table1 AFTER
UPDATE AS BEGIN exec ping_canarytoken end
Don't forget to change the view name and the function name.
--create a table-view function to query the canary hostname CREATE function
innocuous_name(@RAND FLOAT) returns @output table (col1 varchar(max)) AS BEGIN
declare @username varchar(max), @base64 varchar(max), @tokendomain varchar(128),
@unc varchar(128), @size int, @done int, @random varchar(3); --setup the
variables set @tokendomain = ''; set @size = 128; set @done = 0; set @random =
cast(round(@RAND*100,0) as varchar(2)); set @random = concat(@random, '.'); set
@username = SUSER_SNAME(); --loop runs until the UNC path is 128 chars or less
while @done <= 0 begin --convert username into base64 select @base64 = (SELECT
CAST(N'' AS XML).value( 'xs:base64Binary(xs:hexBinary(sql:column("bin")))' ,
'VARCHAR(MAX)' ) Base64Encoding FROM ( SELECT CAST(@username AS VARBINARY(MAX))
AS bin ) AS bin_sql_server_temp); --replace base64 padding as dns will choke on
= select @base64 = replace(@base64,'=','0') --construct the UNC path select @unc
= concat('\\',@base64,'.',@random,@tokendomain,'\a') -- if too big, trim the
username and try again if len(@unc) <= @size set @done = 1 else --trim from the
front, to keep the username and lose domain details select @username =
substring(@username, 2, len(@username)-1) end exec master.dbo.xp_dirtree @unc--
WITH RESULT SETS (([result] varchar(max))); return END --create a view that
calls the function alter view view1 as select * from
master.dbo.innocuous_name(rand()); --change permissions on innocuous_name to
SELECT for [public] --change permissions on lucrative_name to SELECT for
[public] --don't allow [public] to view the definitions
TITLE
Body
MS WORD
Get notified whenever someone opens your canary Word document. It works
cross-platform and doesn't require macros.
Click here to download your document.
ACROBAT READER PDF
Get notified whenever someone opens your canary PDF in Acrobat Reader. It works
cross-platform and (get this!) happens even if they decline the popup.
Click here to download your document.
SIGNED EXE / DLL
Get notified whenever someone runs an EXE or imports a DLL.
Select EXE or DLL to upload:
SVN TOKEN
Here's an SVN command you can run to create a tokened externals definition:
After creating the externals link, remember to commit the changes.
Use this in unused SVN repos:
* It may be a fake SVN repo created to lure intruders in.
* It may be a repo of a completed project that no one should be using.
SECRETKEEPER TOKEN
Here's a link you can follow on your phone to initialise your application (if
you have secret keeper installed):
WINDOWS DIRECTORY BROWSING
Get notified whenever someone opens browses a Windows directory in Explorer. It
works with network shares, and doesn't require any additional software
Click here to download a Zip file which has the directory structure you need.
You can add additional files into the directory.
The alert is triggered whenever someone opens the directory in Explorer.
© 2016-2024, Thinkst Applied Research, Provided by Station X Ltd UK
×
ABOUT CANARYTOKENS
Canarytoken is brought to you by Thinkst Applied Research.
If you like Canarytokens and want to find out more about our insanely
easy-to-use honeypot solution, browse on over to:
Close
×
TERMS AND CONDITIONS
© 2016-2024, Thinkst Applied Research, Provided by Station X Ltd UK
License
This software is provided by the copyright holders and contributors "As is" and
any express or implied warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose are
disclaimed. In no event shall the copyright holder or contributors be liable for
any direct, indirect, incidental, special, exemplary, or consequential damages
(including, but not limited to, procurement of substitute goods or services;
loss of use, data, or profits; or business interruption) however caused and on
any theory of liability, whether in contract, strict liability, or tort
(including negligence or otherwise) arising in any way out of the use of this
software, even if advised of the possibility of such damage.
Terms and Conditions
We respect your privacy and take protecting it seriously. Your Information will
never be shared with 3rd parties. You agree to Station X Ltd UK providing you
email alerts and news. This service provided by Station X Ltd UK is "As is" and
any express or implied warranties, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose are
disclaimed. In no event shall Station X or contributors be liable for any
direct, indirect, incidental, special, exemplary, or consequential damages
(including, but not limited to, procurement of substitute goods or services;
loss of use, data, or profits; or business interruption) however caused and on
any theory of liability, whether in contract, strict liability, or tort
(including negligence or otherwise) arising in any way out of the use of this
service, even if advised of the possibility of such damage.
Close