Instantly share code, notes, and snippets.

Embed
What would you like to do?

CryptoAUS Honeytoken Workshop

Honeytoken {Creation | Distribution | Monitoring}

How-To

  • Use honeyλ to create and monitor URL honeytokens automatically
  • Use honeybits to generate honeyfiles and breadcrumbs
  • Set up CanaryTokens

honeyλ

Source: https://github.com/0x4d31/honeyLambda

Prerequisites

  • AWS Account

Setup & Deploy

Serverless is a Node.js CLI tool so the first thing you need to do is to install Node.js on your machine.

1. Installing Node.js:

2. Installing the Serverless Framework:

  • npm install -g serverless
  • serverless --version

3. Setting up AWS:

Note: All AWS users get access to the Free Tier for AWS Lambda (More info: AWS Free Tier).

  • Creating a new AWS account:
    1. Create your account (provide an email, password and contact info)
    2. Add a payment method
    3. Verify your phone number

To run serverless commands that interface with your AWS account, you will need to setup your AWS account credentials on your machine.

As a quick setup to get started you can export them as environment variables so they would be accessible to Serverless:

export AWS_ACCESS_KEY_ID=<your-key-here>
export AWS_SECRET_ACCESS_KEY=<your-secret-key-here>

{OR} For a more permanent solution you can also set up credentials through AWS profiles:

  • Setup with serverless config credentials command:
serverless config credentials --provider aws --key <your-key-here> --secret <your-secret-key-here>
  • {OR} Setup with the aws-cli:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: ENTER

4. Install honeyλ:

  • serverless install --url https://github.com/0x4d31/honeyLambda
  • {OR} git clone https://github.com/0x4d31/honeyLambda
  • Edit serverless.yml
    • Set HTTP endpoint path (default: /v1/get-pass)
    • Change the other configurations as needed
  • Edit config.json
    • Fill in your Slack Webhook URL
    • Change the trap/token configurations as you need
    • You can customize the HTTP response for each token
      • For example you can return a 1x1px beacon image in response and embed the token in your decoy documents or email (tracking pixel!)

5. Deploy

  • In order to deploy honeyλ, simply run:
    • serverless deploy

Honeybits

Source: https://github.com/0x4d31/honeybits

Setup

  • Install Go Lang 1.7+
  • Download honeybits
    • go get github.com/0x4d31/honeybits
  • Install the dependencies:
    • Enter go get ./... inside the honeybits directory
    • {OR}:
go get github.com/spf13/viper
go get github.com/xordataexchange/crypt/config
  • Install the Audit package for monitoring the honeyfiles:
  • Configure the honeybits (honeytokens/breadcrumbs) in hbconf.yaml
  • Test:
$ go run honeybits.go

  /\  /\___  _ __   ___ _   _| |__ (_) |_ ___
 / /_/ / _ \| '_ \ / _ \ | | | '_ \| | __/ __|
/ __  / (_) | | | |  __/ |_| | |_) | | |_\__ \
\/ /_/ \___/|_| |_|\___|\__, |_.__/|_|\__|___/
========================|___/=================

Failed reading remote config. Reading the local config file...
Local config file loaded.

[failed] honeyfile already exists at this path: /tmp/secret.txt
[done] go-audit rule for /home/test/secret.txt is added
[done] honeyfile is created (/home/test/secret.txt)
[done] go-audit rule for /opt/secret.txt is added
[done] sshpass honeybit is inserted
[done] wget honeybit is inserted
[done] ftp honeybit is inserted
[done] rsync honeybit is inserted
[done] scp honeybit is inserted
[done] mysql honeybit is inserted
[failed] aws honeybit already exists
[done] hostsconf honeybit is inserted
[done] awsconf honeybit is inserted
[done] awscred honeybit is inserted
[done] custom honeybit is inserted

Dockerized Canarytokens:

Source: https://github.com/thinkst/canarytokens-docker

Prerequisites

  • At least one domain name. If you want to enabled PDF-opening tracking, at least two domains.
  • Internet-facing Docker host. You can install Docker on a Linux host quickly.

Setup (in Ubuntu)

  • Boot your Docker host, and take note of the public IP.
  • Configure your domains so that their nameservers point to the public IP of the Docker host. This requires a change at your Registrar, simply changing NS records in the zonefile is insufficient.
  • Clone the Docker setup:
$ git clone https://github.com/thinkst/canarytokens-docker
$ cd canarytokens-docker
  • Install Docker compose (if not already present):
$ sudo apt-get install python-pip python-dev
$ sudo pip install -U docker-compose
#if this breaks with PyYAML errors, install the libyaml development package
# sudo apt-get install libyaml-dev
  • Configuration is held in the two .env files. Edit these. Uncomment 'CANARY_PUBLIC_DOMAIN' in switchboard.ev and set it to one of the domains defined for 'CANARY_DOMAIN' in frontend.ev(if you do not uncomment and set it, the Public IP will be used). If you are using Mailgun to send emails, uncomment 'CANARY_MAILGUN_DOMAIN_NAME' and 'CANARY_MAILGUN_API_KEY' from switchboard.ev and set the values. If you are using Mandrill instead, uncomment 'CANARY_MANDRILL_API_KEY' and set it. Here's example files for a setup that generates tokens on example1.com, example2.com and example3.com (PDFs), running on a host with public domain 'my.domain' and IP 1.1.1.1, using Mailgun Domain Name 'x.y' and API Key 'zzzzzzzzzz':
    • frontend.ev
#These domains are used for general purpose tokens
CANARY_DOMAINS=example1.com,example2.com

#These domains are only used for PDF tokens
CANARY_NXDOMAINS=example3.com
  • switchboard.ev (using Mailgun for email)
CANARY_MAILGUN_DOMAIN_NAME=x.y
CANARY_MAILGUN_API_KEY=zzzzzzzzzz
#CANARY_MANDRILL_API_KEY=
CANARY_PUBLIC_IP=1.1.1.1
CANARY_PUBLIC_DOMAIN=my.domain
CANARY_ALERT_EMAIL_FROM_ADDRESS=noreply@example.com
CANARY_ALERT_EMAIL_FROM_DISPLAY="Example Canarytokens"
CANARY_ALERT_EMAIL_SUBJECT="Canarytoken"
  • Finally, download and instatiate the images:
$ docker-compose up
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment