- Use honeyλ to create and monitor URL honeytokens automatically
- Use honeybits to generate honeyfiles and breadcrumbs
- Set up CanaryTokens
Source: https://github.com/0x4d31/honeyLambda
- AWS Account
Serverless is a Node.js CLI tool so the first thing you need to do is to install Node.js on your machine.
- Download: https://nodejs.org/en/download/
- Installing Node.js via package manager (https://nodejs.org/en/download/package-manager/)
- Serverless runs on Node v4 or higher
node --version
npm install -g serverlessserverless --version
Note: All AWS users get access to the Free Tier for AWS Lambda (More info: AWS Free Tier).
- Creating a new AWS account:
- Create your account (provide an email, password and contact info)
- Add a payment method
- Verify your phone number
To run serverless commands that interface with your AWS account, you will need to setup your AWS account credentials on your machine.
- Setting up AWS credentials
- Create an IAM user and generate an Access Key (Access Key ID, Secret Access Key)
- Add permissions to the IAM user (Attach Policy)
- Using AWS Access Keys:
As a quick setup to get started you can export them as environment variables so they would be accessible to Serverless:
export AWS_ACCESS_KEY_ID=<your-key-here>
export AWS_SECRET_ACCESS_KEY=<your-secret-key-here>
{OR} For a more permanent solution you can also set up credentials through AWS profiles:
- Setup with serverless config credentials command:
serverless config credentials --provider aws --key <your-key-here> --secret <your-secret-key-here>
- {OR} Setup with the aws-cli:
$ aws configure
AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Default region name [None]: us-west-2
Default output format [None]: ENTER
serverless install --url https://github.com/0x4d31/honeyLambda- {OR}
git clone https://github.com/0x4d31/honeyLambda - Edit
serverless.yml- Set HTTP endpoint path (default: /v1/get-pass)
- Change the other configurations as needed
- Edit
config.json- Fill in your Slack Webhook URL
- Change the trap/token configurations as you need
- You can customize the HTTP response for each token
- For example you can return a 1x1px beacon image in response and embed the token in your decoy documents or email (tracking pixel!)
- In order to deploy honeyλ, simply run:
serverless deploy
Source: https://github.com/0x4d31/honeybits
- Install Go Lang 1.7+
- Download honeybits
go get github.com/0x4d31/honeybits
- Install the dependencies:
- Enter
go get ./...inside the honeybits directory - {OR}:
- Enter
go get github.com/spf13/viper
go get github.com/xordataexchange/crypt/config
- Install the Audit package for monitoring the honeyfiles:
- go-audit or auditd
- Configure the honeybits (honeytokens/breadcrumbs) in
hbconf.yaml - Test:
$ go run honeybits.go
/\ /\___ _ __ ___ _ _| |__ (_) |_ ___
/ /_/ / _ \| '_ \ / _ \ | | | '_ \| | __/ __|
/ __ / (_) | | | | __/ |_| | |_) | | |_\__ \
\/ /_/ \___/|_| |_|\___|\__, |_.__/|_|\__|___/
========================|___/=================
Failed reading remote config. Reading the local config file...
Local config file loaded.
[failed] honeyfile already exists at this path: /tmp/secret.txt
[done] go-audit rule for /home/test/secret.txt is added
[done] honeyfile is created (/home/test/secret.txt)
[done] go-audit rule for /opt/secret.txt is added
[done] sshpass honeybit is inserted
[done] wget honeybit is inserted
[done] ftp honeybit is inserted
[done] rsync honeybit is inserted
[done] scp honeybit is inserted
[done] mysql honeybit is inserted
[failed] aws honeybit already exists
[done] hostsconf honeybit is inserted
[done] awsconf honeybit is inserted
[done] awscred honeybit is inserted
[done] custom honeybit is inserted
Source: https://github.com/thinkst/canarytokens-docker
- At least one domain name. If you want to enabled PDF-opening tracking, at least two domains.
- Internet-facing Docker host. You can install Docker on a Linux host quickly.
- Boot your Docker host, and take note of the public IP.
- Configure your domains so that their nameservers point to the public IP of the Docker host. This requires a change at your Registrar, simply changing NS records in the zonefile is insufficient.
- Clone the Docker setup:
$ git clone https://github.com/thinkst/canarytokens-docker
$ cd canarytokens-docker
- Install Docker compose (if not already present):
$ sudo apt-get install python-pip python-dev
$ sudo pip install -U docker-compose
#if this breaks with PyYAML errors, install the libyaml development package
# sudo apt-get install libyaml-dev
- Configuration is held in the two .env files. Edit these. Uncomment 'CANARY_PUBLIC_DOMAIN' in
switchboard.evand set it to one of the domains defined for 'CANARY_DOMAIN' infrontend.ev(if you do not uncomment and set it, the Public IP will be used). If you are using Mailgun to send emails, uncomment 'CANARY_MAILGUN_DOMAIN_NAME' and 'CANARY_MAILGUN_API_KEY' fromswitchboard.evand set the values. If you are using Mandrill instead, uncomment 'CANARY_MANDRILL_API_KEY' and set it. Here's example files for a setup that generates tokens on example1.com, example2.com and example3.com (PDFs), running on a host with public domain 'my.domain' and IP 1.1.1.1, using Mailgun Domain Name 'x.y' and API Key 'zzzzzzzzzz':- frontend.ev
#These domains are used for general purpose tokens
CANARY_DOMAINS=example1.com,example2.com
#These domains are only used for PDF tokens
CANARY_NXDOMAINS=example3.com
- switchboard.ev (using Mailgun for email)
CANARY_MAILGUN_DOMAIN_NAME=x.y
CANARY_MAILGUN_API_KEY=zzzzzzzzzz
#CANARY_MANDRILL_API_KEY=
CANARY_PUBLIC_IP=1.1.1.1
CANARY_PUBLIC_DOMAIN=my.domain
CANARY_ALERT_EMAIL_FROM_ADDRESS=noreply@example.com
CANARY_ALERT_EMAIL_FROM_DISPLAY="Example Canarytokens"
CANARY_ALERT_EMAIL_SUBJECT="Canarytoken"
- Finally, download and instatiate the images:
$ docker-compose up
- The frontend and switchboard will now be running in the foreground. The frontend is accessible at http://example1.com/generate