DIY Web Bugs

by Vince

If you're not familiar with Canarytokens, they are web bugs that you can embed into various forms.  From their website:  "You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests.  Imagine doing that, but for file reads, database queries, process executions or patterns in log files. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots."

Perhaps we want to do something similar without involving a third party.  We can do this on our own, borrowing from a Canarytoken to do so.  Let's say we want to lace a Word document.  Let's step back for a second and ask: what is a Word document?  To keep it simple, a Word document is a collection of documents zipped up with a .docx extension.  If we create a Canarytoken-laced Word document, change the extension to .zip, and extract that zip, we have the template for our own web bug.

We need a few parts for our self-hosted version.  First, we need a file to capture the request.  

If we hit this page, we see the following:

For our final version, we can remove that "echo" line; you can also leave it, because it doesn't really matter.

On the back end, when we view the output, we see basically the same thing as what we saw above.

Now to the actual document.  We've extracted our .docx file:

If you search through the files for "", you find two files we need to modify.  The first:

Which contains this and we see the line I've modified:

The second file:

Again, we see the line I've modified:

And that's it.  Zip up the contents of the Resume folder (from within the Resume folder), rename the archive to .docx, and open the document.  You will not receive a security alert, nor will you have to enable a macro; it just works.  You will see an entry in that output file each time you open the document.