@arnydo
Created June 23, 2021 18:10
Quickly generate CanaryTokens with PowerShell
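function New-CanaryPDF {
    <#
    .SYNOPSIS
    Requests an Adobe PDF canary token from canarytokens.org.

    .DESCRIPTION
    POSTs a multipart/form-data body to https://canarytokens.org/generate with
    type=adobe_pdf, the notification e-mail address, and the threat actor name as
    the token memo. The multipart body is assembled from an ordered field list
    rather than one hand-escaped string. As shown on this page, the original
    literal was split across two lines inside the sql_server_trigger_name part
    header; building the body per field keeps a stray newline out of that header.

    Caller-supplied values are rejected if they contain CR or LF, because they are
    written verbatim into the multipart body and a line break would let a value
    terminate its own part and add or override other form fields.

    .PARAMETER ThreatActor
    Free-text label stored as the token's memo.

    .PARAMETER NotifyEmail
    Address sent in the "email" form field.

    .OUTPUTS
    The object returned by Invoke-RestMethod. Invoke-CanaryToken reads its token
    and auth properties; the auth value also appears in the token's manage URL,
    so treat the response as sensitive.
    #>
    param (
        [string]$ThreatActor,
        [string]$NotifyEmail
    )

    foreach ($value in @($ThreatActor, $NotifyEmail)) {
        if ($value -match '[\r\n]') {
            throw (New-Object System.ArgumentException 'ThreatActor and NotifyEmail must not contain CR or LF characters.')
        }
    }

    $boundary = '----WebKitFormBoundaryKLrj8QtQRBMCWR38'
    $crlf = "`r`n"

    # Same fields, values and order as the original request body.
    $fields = [ordered]@{
        type                     = 'adobe_pdf'
        email                    = $NotifyEmail
        webhook                  = ''
        fmt                      = ''
        memo                     = $ThreatActor
        clonedsite               = ''
        sql_server_table_name    = 'TABLE1'
        sql_server_view_name     = 'VIEW1'
        sql_server_function_name = 'FUNCTION1'
        sql_server_trigger_name  = 'TRIGGER1'
        redirect_url             = ''
    }

    $parts = foreach ($entry in $fields.GetEnumerator()) {
        "--${boundary}${crlf}Content-Disposition: form-data; name=`"$($entry.Key)`"${crlf}${crlf}$($entry.Value)${crlf}"
    }
    $body = (-join $parts) + "--${boundary}--${crlf}"

    Invoke-RestMethod -Uri "https://canarytokens.org/generate" `
        -Method "POST" `
        -ContentType "multipart/form-data; boundary=${boundary}" `
        -Body ([System.Text.Encoding]::UTF8.GetBytes($body))
}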
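function New-CanaryURL {
    <#
    .SYNOPSIS
    Requests a slow-redirect canary token from canarytokens.org.

    .DESCRIPTION
    POSTs a multipart/form-data body to https://canarytokens.org/generate with
    type=slow_redirect, the notification e-mail address, a memo of
    "Slow redirect for <ThreatActor>", and the redirect target URL. The multipart
    body is assembled from an ordered field list rather than one hand-escaped
    string. As shown on this page, the original literal was split across two lines
    inside the sql_server_trigger_name part header; building the body per field
    keeps a stray newline out of that header.

    Caller-supplied values are rejected if they contain CR or LF, because they are
    written verbatim into the multipart body and a line break would let a value
    terminate its own part and add or override other form fields.

    .PARAMETER ThreatActor
    Free-text label included in the token's memo.

    .PARAMETER NotifyEmail
    Address sent in the "email" form field.

    .PARAMETER URL
    Value sent in the "redirect_url" form field.

    .OUTPUTS
    The Invoke-RestMethod response with an added Manage note property. The Manage
    URL embeds the token's auth value, so handle it as a secret (logs, tickets and
    chat included).
    #>
    [cmdletbinding()]
    param (
        [string]$ThreatActor,
        [string]$NotifyEmail,
        [string]$URL
    )

    Write-Verbose $ThreatActor
    Write-Verbose $NotifyEmail
    Write-Verbose $URL

    foreach ($value in @($ThreatActor, $NotifyEmail, $URL)) {
        if ($value -match '[\r\n]') {
            throw (New-Object System.ArgumentException 'ThreatActor, NotifyEmail and URL must not contain CR or LF characters.')
        }
    }

    $boundary = '----WebKitFormBoundaryluBYgZbD68nwBPw4'
    $crlf = "`r`n"

    # Same fields, values and order as the original request body.
    $fields = [ordered]@{
        type                     = 'slow_redirect'
        email                    = $NotifyEmail
        webhook                  = ''
        fmt                      = ''
        memo                     = "Slow redirect for $($ThreatActor)"
        clonedsite               = ''
        sql_server_table_name    = 'TABLE1'
        sql_server_view_name     = 'VIEW1'
        sql_server_function_name = 'FUNCTION1'
        sql_server_trigger_name  = 'TRIGGER1'
        redirect_url             = $URL
    }

    $parts = foreach ($entry in $fields.GetEnumerator()) {
        "--${boundary}${crlf}Content-Disposition: form-data; name=`"$($entry.Key)`"${crlf}${crlf}$($entry.Value)${crlf}"
    }
    $body = (-join $parts) + "--${boundary}--${crlf}"

    $Response = Invoke-RestMethod -Uri "https://canarytokens.org/generate" `
        -Method "POST" `
        -ContentType "multipart/form-data; boundary=${boundary}" `
        -Body ([System.Text.Encoding]::UTF8.GetBytes($body))

    # Attach the management link so callers do not have to rebuild it.
    $ManageUrl = "https://canarytokens.org/manage?token={0}&auth={1}" -f $Response.Token, $Response.Auth
    $Response | Add-Member -MemberType NoteProperty -Name Manage -Value $ManageUrl
    return $Response
}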
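function New-TinyUrl {
    <#
    .SYNOPSIS
    Shortens a URL through the tinyurl.com api-create.php endpoint.

    .DESCRIPTION
    Sends the URL as the "url" query parameter and returns the response body.
    Three changes from the original:
      * The request uses HTTPS, so the URL being shortened (a canary link in this
        script) is not sent in clear text.
      * The URL is percent-encoded before it is placed in the query string;
        otherwise any "&" or "#" inside it would be parsed as part of the API
        request and the shortened target would be truncated.
      * The work runs in a process block, so every URL received from the pipeline
        is shortened (the parameter is declared ValueFromPipeline, but without a
        process block only the last piped value was handled).

    The URL is disclosed to a third-party service; do not pass links that embed
    secrets such as a token's auth value.

    .PARAMETER Url
    The URL to shorten. Accepts pipeline input.

    .OUTPUTS
    The content of the HTTP response, one per input URL.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [ValidateNotNullOrEmpty()]
        [string] $Url
    )

    process {
        $tinyUrlApi = 'https://tinyurl.com/api-create.php'
        $encodedUrl = [System.Uri]::EscapeDataString($Url)
        $response = Invoke-WebRequest ("{0}?url={1}" -f $tinyUrlApi, $encodedUrl)
        $response.Content
    }
}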
function Invoke-CanaryToken {
    <#
    .SYNOPSIS
    Creates a PDF canary token, a slow-redirect token pointing at that PDF's
    download link, and a shortened form of the redirect URL.

    .PARAMETER ThreatActor
    Label passed to both token requests.

    .PARAMETER NotifyEmail
    Notification address passed to both token requests.

    .OUTPUTS
    PSCustomObject with PDFManageUrl, URLManageURL, CanaryURL and TinyURL.
    Both manage URLs embed the respective token's auth value, so treat the
    returned object as sensitive.
    #>
    param (
        $ThreatActor,
        $NotifyEmail
    )

    # Arguments shared by both token requests.
    $tokenArgs = @{
        ThreatActor = $ThreatActor
        NotifyEmail = $NotifyEmail
    }

    $pdfToken = New-CanaryPDF @tokenArgs

    # NOTE(review): this download link carries the same token/auth pair that
    # PDFManageUrl below is built from, and it becomes the redirect target of the
    # slow-redirect token. Anyone who follows the canary link therefore sees the
    # PDF token's auth value in the redirect. Confirm this exposure is acceptable.
    $pdfDownloadUrl = "https://canarytokens.org/download?fmt=pdf&token={0}&auth={1}" -f $pdfToken.token, $pdfToken.auth

    $redirectToken = New-CanaryURL @tokenArgs -Url $pdfDownloadUrl

    # The canary URL is handed to a third-party shortener here.
    $shortUrl = New-TinyURL $redirectToken.Url

    $manageFormat = "https://canarytokens.org/manage?token={0}&auth={1}"

    [PSCustomObject]@{
        PDFManageUrl = $manageFormat -f $pdfToken.token, $pdfToken.auth
        URLManageURL = $manageFormat -f $redirectToken.token, $redirectToken.auth
        CanaryURL    = $redirectToken.url
        TinyURL      = $shortUrl
    }
}