All language subtitles for 2. Canary tokens

1 00:00:00,090 --> 00:00:04,920 Update the video we're going to be taking a look at Canary tokens now, if you're not familiar with
2 00:00:04,920 --> 00:00:12,510 Canary tokens, a Canary token is essentially a token that when a target triggers it, it's going to
3 00:00:12,510 --> 00:00:15,180 alert us and it's going to give us some basic information on them.
4 00:00:15,780 --> 00:00:21,690 It'll tell us things like their IP address, what type of browser they're using and what type of operating
5 00:00:21,690 --> 00:00:24,970 system they're using, what time they open it, things like that.
6 00:00:25,020 --> 00:00:31,650 For the most part, and there's a few caveats to that that we're going to be going over now.
7 00:00:31,650 --> 00:00:34,530 There's several places where you can generate Canary tokens.
8 00:00:35,100 --> 00:00:44,430 Personally, I use canarytokens.org, and this is also a little bit different than what I normally
9 00:00:44,430 --> 00:00:46,950 do usually when I do an investigation.
10 00:00:47,180 --> 00:00:54,450 It's pretty much I don't directly interact with the target, but there are exceptions to this.
11 00:00:55,200 --> 00:01:02,100 Things like if we're being, the place I'm working at, if we're being spear phished, I might generate
12 00:01:02,100 --> 00:01:11,670 a canary token to try to figure out who it is, especially if they're using a C email address where
13 00:01:12,060 --> 00:01:14,070 you can't really get the information from.
14 00:01:15,120 --> 00:01:17,580 So Google is a good example of that.
15 00:01:18,480 --> 00:01:24,060 I'm not a huge fan of Google for the most part, but I have to admit some of their security is pretty
16 00:01:24,060 --> 00:01:28,200 good for at least the end user point of view against other people.
17 00:01:29,670 --> 00:01:36,600 Now, the problem with Gmail for OSINT investigators is you can't just take the email header from a
18 00:01:36,600 --> 00:01:42,000 Gmail user and feed it in and take a look at where they are location wise.
19 00:01:42,010 --> 00:01:46,990 If you take a look at the header of an email from a Gmail user,
20 00:01:47,550 --> 00:01:53,130 the IP address is going to go back to Google, which again, for the end user, that's great.
21 00:01:53,130 --> 00:01:56,150 It's good security. For OSINT investigation,
22 00:01:56,160 --> 00:02:02,880 it makes it a little bit harder for us to figure out who that person is, and that's where Canary tokens
23 00:02:03,120 --> 00:02:04,650 could kind of come in handy.
24 00:02:05,460 --> 00:02:07,110 And so let's dive in.
25 00:02:07,110 --> 00:02:08,220 Let's take a look at this.
26 00:02:09,620 --> 00:02:14,750 So again, it's HTTPS colon forward slash forward slash canarytokens
27 00:02:15,590 --> 00:02:18,030 dot org forward slash generate, and get this.
28 00:02:18,050 --> 00:02:18,980 This one is free.
29 00:02:20,330 --> 00:02:24,320 So what you want to do is you click here, you can select your token.
30 00:02:24,320 --> 00:02:26,330 As you see, there's a bunch of different tokens here.
31 00:02:26,340 --> 00:02:33,950 There is a web bug URL token, so when the URL is visited, it is going to alert us. There's DNS tokens.
32 00:02:34,160 --> 00:02:36,280 They'll alert us when the hostname is requested.
33 00:02:37,010 --> 00:02:41,810 Unique email address alerts when an email is sent to a unique address.
34 00:02:42,950 --> 00:02:47,450 Custom images, so we could actually take an image.
35 00:02:48,050 --> 00:02:51,020 And when the person clicks on the image, it's going to alert us.
36 00:02:51,650 --> 00:02:57,590 Likewise, we can make Word documents, PDF documents, Windows folder, notifies when a Windows folder
37 00:02:57,740 --> 00:02:58,810 is browsed in
38 00:02:59,750 --> 00:03:09,410 Windows Explorer, custom EXEs or DLLs, cloned websites, alerts us when a website's cloned, which is great
39 00:03:09,410 --> 00:03:10,910 for if you have your own site.
40 00:03:10,910 --> 00:03:16,610 You can set up that and you can find if someone's cloned your site for whatever reason.
41 00:03:17,450 --> 00:03:26,690 SQL Server, a QR code voice in a whiskey's, are being used fast redirects, slow redirects, so there's
42 00:03:26,690 --> 00:03:28,790 a lot of options here that we could use.
43 00:03:30,970 --> 00:03:35,200 Now I'm going to show you a couple of different ways to do this.
44 00:03:35,710 --> 00:03:41,230 So the first one to do is let's choose a web bug image.
45 00:03:42,250 --> 00:03:43,630 So if we click here.
46 00:03:45,060 --> 00:03:50,910 It's going to ask us for which email address we're going to use to receive these alerts, so I'm going
47 00:03:50,910 --> 00:03:53,370 to choose DHS.
48 00:03:54,320 --> 00:04:01,430 It to ProtonMail dot com in it here, this is where you put your notes, so when it gets triggered,
49 00:04:01,430 --> 00:04:05,570 these are the notes that are going to pop up on the information sheet.
50 00:04:06,410 --> 00:04:11,420 Now, I do recommend you put a good amount of notes in there.
51 00:04:11,690 --> 00:04:16,370 That way, you really, you know, if the person triggers it, you know, a couple of weeks from now
52 00:04:16,370 --> 00:04:21,440 or a month from now, you'll know, you'll remember what it is.
53 00:04:22,430 --> 00:04:26,070 So what I like to do is I like to put down whoever my target is.
54 00:04:26,070 --> 00:04:31,280 So in this case, I'm just going to put Udemy.
55 00:04:33,370 --> 00:04:39,670 Demo and then I like to put down what the trigger was, I'm going to do web.
56 00:04:41,950 --> 00:04:42,670 Image.
57 00:04:47,930 --> 00:04:49,130 Embedded in the email.
58 00:04:50,320 --> 00:04:53,830 And that's exactly what we're going to do, we're going to embed this image in an email.
59 00:04:55,390 --> 00:04:56,470 You don't have to do this.
60 00:04:56,470 --> 00:05:02,710 You could actually put it on, if you have a website, you could put it on your website or you could put it in a
61 00:05:02,710 --> 00:05:03,850 forum somewhere.
62 00:05:04,390 --> 00:05:06,850 And when people start clicking, it'll alert you.
63 00:05:07,330 --> 00:05:11,890 But for this example, I just want to show you how you can actually embed this into an email.
64 00:05:13,090 --> 00:05:15,670 OK, so I think that's enough information for that.
65 00:05:16,030 --> 00:05:18,420 And in here, you're going to select whatever the image is.
66 00:05:18,430 --> 00:05:21,970 So PNG, GIF, JPEG.
67 00:05:22,720 --> 00:05:26,500 OK, so we're going to click this and I'm going to just choose an image here.
68 00:05:27,340 --> 00:05:28,750 We're going to choose this one here.
69 00:05:30,400 --> 00:05:30,790 OK.
70 00:05:31,900 --> 00:05:32,430 And I'm.
71 00:05:33,450 --> 00:05:38,160 When you're all ready, you're going to click this green button here and create my canary token.
72 00:05:39,030 --> 00:05:40,290 OK, so pretty quick.
73 00:05:41,400 --> 00:05:43,470 Here's where our image is going to sit.
74 00:05:44,170 --> 00:05:47,310 HTTPS canarytokens dot com forward slash static.
75 00:05:48,210 --> 00:05:49,410 Blah blah blah submit.
76 00:05:49,650 --> 00:05:53,670 OK, so you want to mess that?
77 00:05:53,680 --> 00:06:00,240 So again, this is a web image. If you send someone this link, if they're a little bit savvy, they're
78 00:06:00,240 --> 00:06:05,340 going to see canarytokens dot com and either they're going to know what it is or they're probably
79 00:06:05,340 --> 00:06:06,060 going to look it up.
80 00:06:06,270 --> 00:06:08,970 What a canary token is, and you're going to spook them off.
81 00:06:09,690 --> 00:06:12,030 So this is kind of how you can get around that.
82 00:06:13,430 --> 00:06:18,260 So I have my email up here, and I'm going to go in here.
83 00:06:19,250 --> 00:06:23,360 And I'm going to click this insert photo and this is for Gmail.
84 00:06:24,110 --> 00:06:29,210 Other email services, you could probably use the same system, so click here.
85 00:06:30,080 --> 00:06:37,430 And instead of choosing the photo, I am going to go to web address URL here, OK, and we're going
86 00:06:37,430 --> 00:06:39,650 to paste our URL in here.
87 00:06:40,560 --> 00:06:40,950 OK.
88 00:06:41,970 --> 00:06:46,730 And there's our image I don't always have, but what I do is ethical somewhere.
89 00:06:46,770 --> 00:06:47,550 Click Insert.
90 00:06:48,300 --> 00:06:48,500 OK.
91 00:06:48,600 --> 00:06:53,940 And there's our image, so I'm going to just send it back to DG as.
92 00:06:55,790 --> 00:07:04,210 Actually, Jacinta herself, dispo games and gmail.com put on test, and I'm going to send this off
93 00:07:04,600 --> 00:07:05,230 now.
94 00:07:05,260 --> 00:07:10,810 The important thing is when you do this, when you upload that image into your message, you're
95 00:07:10,810 --> 00:07:17,230 going to get one alert because Google is going to trigger that when you first click on it.
96 00:07:17,230 --> 00:07:18,190 So you click this.
97 00:07:19,590 --> 00:07:19,980 OK.
98 00:07:20,220 --> 00:07:21,870 And we'll click here.
99 00:07:22,350 --> 00:07:23,100 And here we go.
100 00:07:23,910 --> 00:07:29,010 So if I go on my email here, I could see my Canary token was triggered.
101 00:07:30,420 --> 00:07:30,810 OK.
102 00:07:31,080 --> 00:07:38,280 And I'm going to go down here, and here's our information: IP address.
103 00:07:38,550 --> 00:07:47,460 The channel, HTTP, the time, the Canary token ID. Here's our token reminder: Udemy demo web image
104 00:07:47,460 --> 00:07:48,630 embedded in email.
105 00:07:49,680 --> 00:07:52,020 Token type web image. Here's our source IP.
106 00:07:52,020 --> 00:07:53,770 Again, this is in this.
107 00:07:53,820 --> 00:07:55,530 I could be accurate because.
108 00:07:57,400 --> 00:08:01,690 This is coming through a Gmail address, and that's going to be the main problem with Gmail and also
109 00:08:01,690 --> 00:08:07,000 Yahoo may be a problem for some other email, depending how they do it.
110 00:08:07,780 --> 00:08:13,060 But it is when you do trigger it through those, it is going to give you the information from that provider.
111 00:08:13,060 --> 00:08:20,890 So either Yahoo or Google Microsoft will actually tell you who that person is.
112 00:08:20,890 --> 00:08:27,460 It will actually give you that person's IP address and their computer type, their browser, proper
113 00:08:27,460 --> 00:08:28,300 browser type.
114 00:08:28,930 --> 00:08:36,760 So again, it depends on who the email provider is, but you can see here there's some great information
115 00:08:36,760 --> 00:08:37,120 here.
116 00:08:38,110 --> 00:08:41,800 Again, if you're not Google or Yahoo email.
117 00:08:43,780 --> 00:08:48,310 But, you know, again, this could show how this could be incredibly useful.
118 00:08:48,820 --> 00:08:56,470 Now, the other thing is this trigger, I like this trigger because when the person opens the email, it's
119 00:08:56,470 --> 00:08:57,910 going to trigger automatically.
120 00:08:58,150 --> 00:09:02,950 It's not going to be situations where you have to, you know, hold the person who was the email and
121 00:09:02,950 --> 00:09:06,580 then hope they run the document again.
122 00:09:06,940 --> 00:09:09,760 They open the email, it's going to automatically trigger the payload.
123 00:09:11,600 --> 00:09:16,790 But on the other side, again, if it's Google or Yahoo and potentially some other email accounts,
124 00:09:17,720 --> 00:09:19,190 that's not going to work right?
125 00:09:20,440 --> 00:09:27,340 So what do you do in that situation or if you want to deliver a different payload, say you want to
126 00:09:27,880 --> 00:09:31,840 put this on a USB drive, you want to drop it somewhere and you're pretty sure someone's going to pick
127 00:09:31,840 --> 00:09:37,780 it up and run it, or you just want an email attachment or you want to put a honeypot out in your site.
128 00:09:38,440 --> 00:09:46,240 Say a Word document says payroll, and you're hoping they're going to click on it and execute it and
129 00:09:46,270 --> 00:09:47,320 get that information.
130 00:09:47,800 --> 00:09:52,600 So again, we're going to go back here to canarytokens dot org forward slash generate.
131 00:09:52,720 --> 00:09:55,850 Let me go back here and we'll select our token.
132 00:09:55,870 --> 00:09:59,380 We could do a Word document, a PDF or whatnot.
133 00:10:00,340 --> 00:10:01,090 These are great.
134 00:10:01,410 --> 00:10:04,390 This actually could generate a real PDF or a Word document.
135 00:10:05,920 --> 00:10:09,040 Certainly, the Word document I'm going to do is.
136 00:10:10,390 --> 00:10:22,480 Those sent to and I'm going to put down Udemy Word doc demo, and I'm going to create my token.
137 00:10:24,480 --> 00:10:24,800 OK.
138 00:10:25,200 --> 00:10:28,530 So again, pretty quick, we could download our Word file.
139 00:10:31,000 --> 00:10:31,420 OK.
140 00:10:31,720 --> 00:10:37,160 We'll download it. Now this, we could actually change the name to whatever you want.
141 00:10:37,180 --> 00:10:40,810 It's not going to break the Canary token, so I'm just going to put down payroll.
142 00:10:42,560 --> 00:10:42,790 OK.
143 00:10:42,830 --> 00:10:46,820 Matter of fact, we could actually open this. Again, when we open it, it is going to trigger the Canary
144 00:10:46,820 --> 00:10:47,300 token.
145 00:10:47,840 --> 00:10:51,640 And we could actually edit the Word document however we want.
146 00:10:51,650 --> 00:10:52,520 We could put
147 00:10:55,310 --> 00:10:56,900 photos, we could put text in there.
148 00:10:56,940 --> 00:10:59,750 You could actually make it look like an actual payroll file.
149 00:11:00,230 --> 00:11:04,550 So when they click on it, it will trigger, it will give the information out to you.
150 00:11:05,180 --> 00:11:11,210 So again, this is canary tokens and different ways you could use it for your OSINT investigation.
151 00:11:11,990 --> 00:11:14,570 Thank you for watching, and I'll see you in the next video.
