Using Route53 with CanaryTokens.org to Better Disguise Your Honeypot

Objectives

Background

CanaryTokens.org is a third-party website. The idea behind the site is to tell you when an attacker has gained access to your systems, by sending you an email alert. The alert is triggered when the attacker visits a link that you've planted for exactly this purpose.

Over at CanaryTokens.org they provide a number of really smart ways to trigger the alert; this article focuses on the HTTP link (the "Web Bug" token). They also sell commercial products, so if you're looking for more, see Canary.Tools.

An Example Scenario

Imagine that you're an attacker and you've hacked into my web mail. You're now looking for passwords or other high value information. If you see an email titled "Customer Passwords" containing a link, you'll most likely think:

  1. What a dumb-ass for not securely storing passwords and
  2. Jackpot!

What you (as the attacker) don't realise is that I used CanaryTokens.org to create that link, and that by visiting it you'll trigger an alert to one of my other email addresses. I'll then know there's a problem and can take swift action.

Using CanaryTokens.org to Create the Link

Step 1 - Go to the website and generate a token

  • Browse to CanaryTokens.org
  • Enter an email address for notifications of when the link is clicked
  • Provide a reminder note to include in any notification emails (so you know which link was clicked)
  • Click the Generate Token button

Step 2 - Copy your CanaryToken

  • Open the Web Bugs section (by clicking the words Web Bugs)
  • Copy the unique URL

Step 3 - Place the link somewhere designed to be irresistible to an attacker

  • Place the link anywhere an attacker might look
  • Generate a new link for each place you put one, so the reminder note tells you which location was hit
  • For this example, I'm using an email to myself

Recap

You've created a link, and if anyone visits it you'll be emailed. So if you ever receive an email saying the link has been visited, you know you've been compromised!

Ok... Life Is Good... Why Do I Need Route53?

So, life is good, but we can make it even better. The problem is, the link doesn't look that convincing: it plainly points at canarytokens.com.

Over at CanaryTokens.org they explain that you can customise the link. As long as the URL still contains the token (the string of gibberish), it'll still work. This means we can make it look more realistic by changing the rest of the path to something like govt-customers/server-passwords.html.

Ok, we've done better, but we're still hoping our attacker is pretty dumb and will click a link whose hostname still says canarytokens.

Enter Route53

This is where Route53 comes into it. Instead of the link pointing to CanaryTokens.com, using Route53 you can point it to one of your own domains. This is done by creating a CNAME record in a hosted zone you control and pointing it at CanaryTokens.com, so you can construct a link that uses your domain instead. A CNAME can't sit at the zone apex, so the link needs a hostname under your domain rather than the bare domain itself. This example creates private.awsGunForHire.com and points it to CanaryTokens.com.

Step 1 - In the Route53 Management Console, go to the record sets for your domain

  • Select Hosted Zones
  • Select the domain to use in the link

Step 2 - Create a new record set

  • Click the Create Record Set button at the top
  • In the Name field on the right, enter the name you'd like to use. I've gone with private.
  • Change the Type drop down to CNAME
  • In the Value field enter canarytokens.com. (the trailing dot marks the end of a fully qualified DNS name; it isn't a full stop)
  • Click the Create button

Step 3 - Alter your CanaryTokens link

Change your CanaryTokens link to use your domain, keeping the token in the path. The example above created private.awsGunForHire.com; I can now use it for any Canary Token link. So my email to myself now looks like:

Mission accomplished! We now have a link that looks pretty genuine and should fool all but the most canny of attackers. (A canny one can still look up private.awsGunForHire.com and see the CNAME pointing at canarytokens.com, so the disguise is for the eye, not for DNS.)

When the link is visited, the DNS lookup for private.awsGunForHire.com follows the CNAME to CanaryTokens.com, and the browser connects to that server. Because the server for CanaryTokens.com answers any web request that reaches its IP address, it responds just as if the link had named CanaryTokens.com. Keep the link as plain http://: an https:// link to your hostname would fail certificate validation, because the CanaryTokens.com certificate doesn't cover private.awsGunForHire.com.
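The console steps above, done from a shell, as an added example that is not part of the original article or of Thinkst's own tooling. It builds the ChangeBatch JSON that the AWS CLI takes for the CNAME in Step 2, rewrites a token URL to use the decoy host as in Step 3 while checking the token survived, and (behind a flag, since it needs credentials and network) applies the record and checks the resolution described above. The hosted zone ID, the token string and the token URL's path layout are constructed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example: not from the article or from Thinkst. Assumptions:
#   - ZONE_ID is the Route53 hosted zone for awsGunForHire.com (placeholder value)
#   - TOKEN / ORIG_URL are constructed stand-ins for what CanaryTokens.org generated
set -u

ZONE_ID="${ZONE_ID:-Z0123456789EXAMPLE}"        # hypothetical hosted zone ID
RECORD_NAME="private.awsGunForHire.com."       # decoy host; trailing dot = fully qualified name
CNAME_TARGET="canarytokens.com."               # where the decoy host points; trailing dot = FQDN
TOKEN="0123456789abcdef0123456789"             # constructed; yours is the gibberish in the generated URL
ORIG_URL="http://canarytokens.com/tags/about/${TOKEN}/index.html"   # constructed; real path layout may differ

# ChangeBatch JSON for `aws route53 change-resource-record-sets` (the CLI form of Step 2).
# UPSERT creates the CNAME, or overwrites an existing record of the same name and type.
route53_cname_batch() {
  name="$1"; target="$2"; ttl="${3:-300}"
  printf '{"Comment":"canary decoy host","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":%s,"ResourceRecords":[{"Value":"%s"}]}}]}\n' \
    "$name" "$ttl" "$target"
}

# Step 3 in code: replace scheme+host with http://<decoy host>/ and leave the path alone,
# because the path is what carries the token. Plain http is forced on purpose: an https
# link would fail TLS validation, since the canarytokens.com certificate does not cover
# private.awsGunForHire.com.
disguise_url() {
  url="$1"; host="$2"
  printf '%s\n' "$url" | sed -E "s#^https?://[^/]+/#http://${host}/#"
}

# Guard against a rewrite (or a later hand edit) that dropped the token string.
token_in_url() {
  case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Live steps: need AWS credentials, network, dig and curl, so they only run with --apply.
apply_record() {
  route53_cname_batch "$RECORD_NAME" "$CNAME_TARGET" \
    | aws route53 change-resource-record-sets --hosted-zone-id "$ZONE_ID" --change-batch file:///dev/stdin
}
check_link() {
  dig +short CNAME "${RECORD_NAME%.}"          # expect: canarytokens.com.
  # Fetching the link fires the alert, which is the one end-to-end test worth doing.
  curl -sS -o /dev/null -w '%{http_code}\n' "$1"
}

DECOY_URL="$(disguise_url "$ORIG_URL" "${RECORD_NAME%.}")"
token_in_url "$DECOY_URL" "$TOKEN" || { echo "token lost in rewrite" >&2; exit 1; }
echo "decoy link: $DECOY_URL"
route53_cname_batch "$RECORD_NAME" "$CNAME_TARGET"
if [ "${1:-}" = "--apply" ]; then apply_record && check_link "$DECOY_URL"; fi
```

Run it without arguments to see the decoy link and the JSON you would feed to the CLI; run it with --apply (and AWS credentials in the environment) to create the record and confirm the CNAME resolves. Remember that the curl in check_link visits the token, so expect an alert email from that run.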

Be sure to visit the wonderful folks at Thinkst Applied Research (thinkst.com), CanaryTokens.org is their project.