Fun with Files, Folders, and Canaries.
What happens when you request / (slash) from a Webserver ?
you should get index.htm, html, php, aspx, etc … when actually / is a directory … so that’s it, let’s play with that!
On my Webserver I’ve created the following folder structure inside of the webroot :
What’s going to happen if someone requests /etc/passwd from my site ? – well, nothing if the site has no flaws, I should get a page not found, and if there are flaws it might return the passwd file, from the directory of /etc/ outside of webroot, oh dear. anyway as I don’t have that flaw, and I can see from my logs requests for that file, I thought it would be fun to pull this old trick out, they will now in fact get the motherflippin index.htm file, what can you put in html ? all kinds of shit, but I’ll be nice.
I also made a folder named backup.zip/index.htm so if someone tried to search for backup.zip they’ll get the same treatment
What happens when we attempt to get backup.zip (a common backup file name that lazy / rushed admins name and dump the whole site including configs and stored passwords).
Below is a little video of the experience, then we can look at what a naughty visitor will see requesting https://ctus.io/backup.zip :
Running with it
In each of the index.htm we have the following code but with a different canary token in each of the img src locations for easier identification of where:
Prior to this ^ I had gone to Thinkst’s Canary Tokens website to set the canaries up, by selecting my trigger type, provide some context and my email (https://canarytokens.org/generate) I implore you to head over there and think about how you could creatively introduce these triggers into your environment or work, I’ve used them defensively and offensively in the past, there are many to play with, in this instance we’re using the web bug, beautifully simple concept, and sneaky AF too. love it!. provide it some context and an email.
Click Create and you’re presented with your unique web bug address to include:
Copy our URL and include it in our index pages in the img src html, when it’s loaded, I’ll receive my alert from them:
- I want the canary to fire so I know treachery is a foot
- I want to send them to the computer misuse act
- most non-uk security internet researchers (or criminals) won’t care about that but whatever**
Let’s look at the raw requests and responses :
Request to backup.zip (that’s actually backup.zip/index.htm)
Anyway… so, that’s that.
Once you understand the mechanics of the folder / file manipulation there is a lot of fun to be had, I have some interesting ideas for CDN cached straw-man files possibly pissing on a lot of chips for bug hunters, attackers and pen-testers… but that idea is still bubbling. the CanaryTokens.org is so cool if you have active defenders you don’t need to use their domain, you can pull from git, and you can even get the canary tokens configured with your canary honeypot.
From an abuse case on this view the url looks like it’s going to an expected file, as does the alt tag if you put your mouse over this link here: http://ctus.io/ceonaked.jpg
you will see the alt tag suggests that in fact that link is to a jpg of a CEO naked (I use that as an example to plant the hook in the phish)
now check out googles advice on learning to trust or identify a phish technique:
Googles phishing quiz is actually pretty good for free, but … OUWWWW, careful now.
the quiz can be found here https://phishingquiz.withgoogle.com
OR CAN IT?!?! (yes, it can, it’s the right link)
like I said … Just a bit of fun, I hadn’t written anything for a while, and you lot might be bored enough to enjoy it.
While I am technically a reseller of the Canary Product, … speak to their sales team if you’re curious, if they maul you (and they won’t) I’ll buy you lunch (I won’t have to).
If you’re already using them, I’d love to hear how you’re thinking outside the box with these fine collection of simple tools too. HMU on LinkedIn
- **There is a great initiative lead by NCC Group on improving the CMA check it out here