Skip to content

Instantly share code, notes, and snippets.

@HackingLZ
Last active Jan 15, 2023
Embed
What would you like to do?
#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore
from colorama import Style
from colorama import init
init()
ignore_list = list({
'purl.org',
'microsoft.com',
'openxmlformats.org',
'w3.org',
}) # use of set within list ensures that all items are unique
alert_list = list({
'internalcanarytokendomain.org',
'canarytokens.com',
})
url = re.compile("(https?:\/\/[\w.-]+[\/\w .-]*)")
ap = argparse.ArgumentParser()
ap.add_argument("--input", "-i", required=True, help="Input file")
args = ap.parse_args()
with zipfile.ZipFile(args.input) as doc:
match = []
for i in doc.filelist:
with doc.open(i.filename) as file:
for line in file:
match.extend(url.findall(line.decode('utf-8')))
match = list(filter(
lambda x: not any((urlparse(x).hostname.endswith(y) for y in ignore_list)),
match
))
for item in match:
if any((urlparse(item).hostname.endswith(y) for y in alert_list)):
foreground_color = Fore.RED
else:
foreground_color = Fore.YELLOW
print(foreground_color + item + Style.RESET_ALL)
@mr-r3b00t
Copy link

this is cool! we need a powershell one ;)

@n3tsurge
Copy link

n3tsurge commented Oct 31, 2022

Awesome stuff, really useful if you know the destination URL, but if someone is running their own Canary Token instance under a customer domain you may not find it. I started something similar here https://github.com/n3tsurge/detect-canary/blob/main/detect-canary.py that detects the actual embedding technique Canary Tokens uses (at least for DOCX for now) but I never finished it

@C0axx
Copy link

C0axx commented Nov 3, 2022

Powershell version, it's janky but works :)

https://gist.github.com/C0axx/ebf65d863ee708464287c7040b15162a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment