1
00:00:00,090 --> 00:00:04,920
Update the video we're going to be taking a look at Canary tokens now, if you're not familiar with
2
00:00:04,920 --> 00:00:12,510
Canary tokens, a Canary token is essentially a token that when a target triggers it, it's going to
3
00:00:12,510 --> 00:00:15,180
alert us and it's going to give us some basic information on them.
4
00:00:15,780 --> 00:00:21,690
It'll tell us things like their IP address, what type of browser they're using and what type of operating
5
00:00:21,690 --> 00:00:24,970
system they're using, what time they open it, things like that.
6
00:00:25,020 --> 00:00:31,650
For the most part, and there's a few caveats to that that we're going to be going over now.
7
00:00:31,650 --> 00:00:34,530
There's several places where you can generate Canary tokens.
8
00:00:35,100 --> 00:00:44,430
Personally, I use canarytokens.org, and this is also a little bit different than what I normally
9
00:00:44,430 --> 00:00:46,950
do usually when I do an investigation.
10
00:00:47,180 --> 00:00:54,450
It's pretty much I don't directly interact with the target, but there are exceptions to this.
11
00:00:55,200 --> 00:01:02,100
Things like, if we're being, the place I'm working at, if we're being spear phished, I might generate
12
00:01:02,100 --> 00:01:11,670
a canary token to try to figure out who it is, especially if they're using a C email address where
13
00:01:12,060 --> 00:01:14,070
you can't really get the information from.
14
00:01:15,120 --> 00:01:17,580
So Google is a good example of that.
15
00:01:18,480 --> 00:01:24,060
I'm not a huge fan of Google for the most part, but I have to admit some of their security is pretty
16
00:01:24,060 --> 00:01:28,200
good for at least the end user point of view against other people.
17
00:01:29,670 --> 00:01:36,600
Now, the problem with Gmail for OSINT investigators is you can't just take the email header from a
18
00:01:36,600 --> 00:01:42,000
Gmail user and feed it in and take a look at where they are location wise.
19
00:01:42,010 --> 00:01:46,990
If you take a look at the header of an email from a Gmail user,
20
00:01:47,550 --> 00:01:53,130
the IP address is going to go back to Google, which again, for the end user, that's great.
21
00:01:53,130 --> 00:01:56,150
It's good security. For OSINT investigation,
22
00:01:56,160 --> 00:02:02,880
It makes a little bit harder for us to figure out who that person is, and that's where Canary tokens
23
00:02:03,120 --> 00:02:04,650
could kind of come in handy.
24
00:02:05,460 --> 00:02:07,110
And so let's dive in.
25
00:02:07,110 --> 00:02:08,220
Let's take a look at this.
26
00:02:09,620 --> 00:02:14,750
So again, I'm at HTTPS colon forward slash forward slash canarytokens dot
27
00:02:15,590 --> 00:02:18,030
org forward slash generate, and get this.
28
00:02:18,050 --> 00:02:18,980
This one is free.
29
00:02:20,330 --> 00:02:24,320
So what you want to do is you click here, you can select your token.
30
00:02:24,320 --> 00:02:26,330
As you see, there's a bunch of different tokens here.
31
00:02:26,340 --> 00:02:33,950
There is a web bug URL token, so when the URL is visited, it is going to alert us. DNS tokens.
32
00:02:34,160 --> 00:02:36,280
They'll alert us when the host name is requested.
33
00:02:37,010 --> 00:02:41,810
Unique email address alerts when an email is sent to a unique address.
34
00:02:42,950 --> 00:02:47,450
Custom images so we could actually take an image.
35
00:02:48,050 --> 00:02:51,020
And when the person clicks on the image, it's going to alert us.
36
00:02:51,650 --> 00:02:57,590
Likewise, we can make Word documents, PDF documents. Windows folder notifies when a Windows folder
37
00:02:57,740 --> 00:02:58,810
is browsed in
38
00:02:59,750 --> 00:03:09,410
Windows Explorer. Custom EXEs or DLLs. Cloned website alerts us when a website's cloned, which is great
39
00:03:09,410 --> 00:03:10,910
for if you have your own site.
40
00:03:10,910 --> 00:03:16,610
You can set up that and you can find if someone's clone your site for whatever reason.
41
00:03:17,450 --> 00:03:26,690
SQL Server, a QR code, SVN, AWS keys are being used, fast redirects, slow redirects, so there's
42
00:03:26,690 --> 00:03:28,790
a lot of options here that we could use.
43
00:03:30,970 --> 00:03:35,200
Now I'm going to show you a couple of different ways to do this.
44
00:03:35,710 --> 00:03:41,230
So the first one to do is let's choose a web bug image.
45
00:03:42,250 --> 00:03:43,630
So if we click here.
46
00:03:45,060 --> 00:03:50,910
It's going to ask us for which email address we're going to use to receive these alerts, so I'm going
47
00:03:50,910 --> 00:03:53,370
to choose DHS.
48
00:03:54,320 --> 00:04:01,430
It to ProtonMail dot com in it here, this is where you put your notes, so when it gets triggered,
49
00:04:01,430 --> 00:04:05,570
these are the notes that are going to pop up on the information sheet.
50
00:04:06,410 --> 00:04:11,420
Now, I do recommend you put a good amount of notes in there.
51
00:04:11,690 --> 00:04:16,370
That way, you really, you know, if the person triggers it, you know, a couple of weeks from now
52
00:04:16,370 --> 00:04:21,440
or a month from now, you'll know you'll remember what it is.
53
00:04:22,430 --> 00:04:26,070
So what I like to do is I like to put down whoever my target is.
54
00:04:26,070 --> 00:04:31,280
So in this case, I'm just going to put Udemy.
55
00:04:33,370 --> 00:04:39,670
Demo and then I like to put down what the trigger was, I'm going to do web.
56
00:04:41,950 --> 00:04:42,670
Image.
57
00:04:47,930 --> 00:04:49,130
Embedded in the email.
58
00:04:50,320 --> 00:04:53,830
And that's exactly what we're going to do, we're going to embed this image in an email.
59
00:04:55,390 --> 00:04:56,470
You don't have to do this.
60
00:04:56,470 --> 00:05:02,710
You could actually put it on if you have a website you put on your web site or you could put it in a
61
00:05:02,710 --> 00:05:03,850
forum somewhere.
62
00:05:04,390 --> 00:05:06,850
And when people start clicking, it'll alert you.
63
00:05:07,330 --> 00:05:11,890
But for this example, I just want to show you how you can actually embed this into an email.
64
00:05:13,090 --> 00:05:15,670
OK, so I think that's enough information for that.
65
00:05:16,030 --> 00:05:18,420
And in here, you're going to select whatever the image is.
66
00:05:18,430 --> 00:05:21,970
So PNG, GIF, JPEG.
67
00:05:22,720 --> 00:05:26,500
OK, so we're going to click this and I'm going to just choose an image here.
68
00:05:27,340 --> 00:05:28,750
We're going to choose this one here.
69
00:05:30,400 --> 00:05:30,790
OK.
70
00:05:31,900 --> 00:05:32,430
And I'm.
71
00:05:33,450 --> 00:05:38,160
When you're all ready, you're going to click this green button here and create my canary token.
72
00:05:39,030 --> 00:05:40,290
OK, so pretty quick.
73
00:05:41,400 --> 00:05:43,470
Here's where our image is going to sit.
74
00:05:44,170 --> 00:05:47,310
HTTPS canarytokens dot com forward slash static.
75
00:05:48,210 --> 00:05:49,410
Blah blah blah submit.
76
00:05:49,650 --> 00:05:53,670
OK, so you want to mess that?
77
00:05:53,680 --> 00:06:00,240
So again, this is a web image. If you send someone this link, if they're a little bit savvy, they're
78
00:06:00,240 --> 00:06:05,340
going to see canarytokens.com and either they're going to know what it is or they're probably
79
00:06:05,340 --> 00:06:06,060
going to look it up.
80
00:06:06,270 --> 00:06:08,970
What a canary token is, and you're going to spook them off.
81
00:06:09,690 --> 00:06:12,030
So this is kind of how you can get around that.
82
00:06:13,430 --> 00:06:18,260
So I have my email up here, and I'm going to go in here.
83
00:06:19,250 --> 00:06:23,360
And I'm going to click this insert photo and this is for Gmail.
84
00:06:24,110 --> 00:06:29,210
Other email services, you could probably use the same system, so click here.
85
00:06:30,080 --> 00:06:37,430
And instead of choosing the photo, I am going to go to web address URL here, OK, and we're going
86
00:06:37,430 --> 00:06:39,650
to paste our URL in here.
87
00:06:40,560 --> 00:06:40,950
OK.
88
00:06:41,970 --> 00:06:46,730
And there's our image I don't always have, but what I do is ethical somewhere.
89
00:06:46,770 --> 00:06:47,550
Click Insert.
90
00:06:48,300 --> 00:06:48,500
OK.
91
00:06:48,600 --> 00:06:53,940
And there's our image, so I'm going to just send it back to DG as.
92
00:06:55,790 --> 00:07:04,210
Actually, Jacinta herself, dispo games and gmail.com put on test, and I'm going to send this off
93
00:07:04,600 --> 00:07:05,230
now.
94
00:07:05,260 --> 00:07:10,810
The important thing is when you do this, when you upload that image into your message, you're
95
00:07:10,810 --> 00:07:17,230
going to get one alert because Google is going to trigger that when you first click on it.
96
00:07:17,230 --> 00:07:18,190
So you click this.
97
00:07:19,590 --> 00:07:19,980
OK.
98
00:07:20,220 --> 00:07:21,870
And we'll click here.
99
00:07:22,350 --> 00:07:23,100
And here we go.
100
00:07:23,910 --> 00:07:29,010
So if I go on my email here, I could see my Canary token was triggered.
101
00:07:30,420 --> 00:07:30,810
OK.
102
00:07:31,080 --> 00:07:38,280
And I'm going to go down here, and here's our information IP address.
103
00:07:38,550 --> 00:07:47,460
The channel, HTTP, the time, the Canarytoken ID. Here's our token reminder: Udemy demo, web image
104
00:07:47,460 --> 00:07:48,630
embedded in email.
105
00:07:49,680 --> 00:07:52,020
Token type: web image. Here's our source IP.
106
00:07:52,020 --> 00:07:53,770
Again, this is in this.
107
00:07:53,820 --> 00:07:55,530
I could be accurate because.
108
00:07:57,400 --> 00:08:01,690
This is coming through a Gmail address, and that's going to be the main problem with Gmail and also
109
00:08:01,690 --> 00:08:07,000
Yahoo may be a problem for some other email, depending how they do it.
110
00:08:07,780 --> 00:08:13,060
But it is when you do trigger it through those, it is going to give you the information from that provider.
111
00:08:13,060 --> 00:08:20,890
So either Yahoo or Google. Microsoft will actually tell you who that person is.
112
00:08:20,890 --> 00:08:27,460
It will actually give you that person's IP address and their computer type, their browser, proper
113
00:08:27,460 --> 00:08:28,300
browser type.
114
00:08:28,930 --> 00:08:36,760
So again, it depends on what who the email provider is, but you can see here there's some great information
115
00:08:36,760 --> 00:08:37,120
here.
116
00:08:38,110 --> 00:08:41,800
Again, if you're not Google or Yahoo email.
117
00:08:43,780 --> 00:08:48,310
But, you know, again, this could show how this could be incredibly useful.
118
00:08:48,820 --> 00:08:56,470
Now, the other thing is this trigger, I like this trigger because when the person opens the email, it's
119
00:08:56,470 --> 00:08:57,910
going to trigger automatically.
120
00:08:58,150 --> 00:09:02,950
It's not going to be situations where you have to, you know, hope the person opens the email and
121
00:09:02,950 --> 00:09:06,580
then hope they run the document again.
122
00:09:06,940 --> 00:09:09,760
They open the email, it's going to automatically trigger the payload.
123
00:09:11,600 --> 00:09:16,790
But on the other side, again, if it's Google or Yahoo and potentially some other email accounts,
124
00:09:17,720 --> 00:09:19,190
that's not going to work right?
125
00:09:20,440 --> 00:09:27,340
So what do you do in that situation or if you want to deliver a different payload, say you want to
126
00:09:27,880 --> 00:09:31,840
put this on a USB drive, you want to drop it somewhere and you're pretty sure someone's going to pick
127
00:09:31,840 --> 00:09:37,780
it up and run it, or you just want an email attachment or you want to put a honeypot out in your site.
128
00:09:38,440 --> 00:09:46,240
Say a word document says payroll, and you're hoping they're going to click on it and execute it and
129
00:09:46,270 --> 00:09:47,320
get that information.
130
00:09:47,800 --> 00:09:52,600
So again, we're going to go back here to canarytokens.org forward slash generate.
131
00:09:52,720 --> 00:09:55,850
Let me go back here and we'll select our token.
132
00:09:55,870 --> 00:09:59,380
We could do a word document, a PDF or whatnot.
133
00:10:00,340 --> 00:10:01,090
These are great.
134
00:10:01,410 --> 00:10:04,390
This actually could generate a real PDF or a word document.
135
00:10:05,920 --> 00:10:09,040
Certainly, the word document I'm going to do is.
136
00:10:10,390 --> 00:10:22,480
Those sent to, and I'm going to put down Udemy Word doc demo, and I'm going to create my token.
137
00:10:24,480 --> 00:10:24,800
OK.
138
00:10:25,200 --> 00:10:28,530
So again, pretty quick, we could download our word file.
139
00:10:31,000 --> 00:10:31,420
OK.
140
00:10:31,720 --> 00:10:37,160
Paul, download it now this we could actually change the name to whatever you want.
141
00:10:37,180 --> 00:10:40,810
It's not going to break the Canary token, so I'm just going to put down payroll.
142
00:10:42,560 --> 00:10:42,790
OK.
143
00:10:42,830 --> 00:10:46,820
Matter of fact, we could actually open this. Again, when we open it, it is going to trigger the Canary
144
00:10:46,820 --> 00:10:47,300
token.
145
00:10:47,840 --> 00:10:51,640
And we could actually edit the word document however we want.
146
00:10:51,650 --> 00:10:52,520
We could put
147
00:10:55,310 --> 00:10:56,900
photos, we could put text in there.
148
00:10:56,940 --> 00:10:59,750
You could actually make it look like an actual payroll file.
149
00:11:00,230 --> 00:11:04,550
So when they click on it, it will trigger, it will give the information out to you.
150
00:11:05,180 --> 00:11:11,210
So again, this is canary tokens and different ways they could use it for your OSINT investigation.
151
00:11:11,990 --> 00:11:14,570
Thank you for watching, and I'll see you in the next video.