Created
June 23, 2021 18:10
Quickly generate CanaryTokens with PowerShell
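function New-CanaryPDF {
    <#
    .SYNOPSIS
    Requests an Adobe PDF Canarytoken from canarytokens.org.

    .DESCRIPTION
    POSTs a multipart/form-data form to https://canarytokens.org/generate with
    type "adobe_pdf". The form is assembled field by field instead of from one
    hand-written string, and caller-supplied values are checked before they are
    placed in the body.

    .PARAMETER ThreatActor
    Free text sent as the token's "memo" field.

    .PARAMETER NotifyEmail
    Address sent as the "email" field. The webhook field is always sent empty,
    so this is the only alert channel the request configures.

    .OUTPUTS
    The object Invoke-RestMethod returns for the generate endpoint. Callers in
    this file read its token and auth members; treat auth as a secret.
    #>
    param (
        [string]$ThreatActor,
        [string]$NotifyEmail
    )

    # A token with neither e-mail nor webhook has nowhere to send its alert,
    # so refuse to create one silently.
    if ([string]::IsNullOrWhiteSpace($NotifyEmail)) {
        throw 'NotifyEmail is required: the request sends no webhook, so e-mail is the only alert channel.'
    }

    # Values are written verbatim into the multipart body. A CR or LF inside a
    # value could start a new header or part, so reject them up front.
    foreach ($value in @($ThreatActor, $NotifyEmail)) {
        if ($value -match '[\r\n]') {
            throw 'ThreatActor and NotifyEmail must not contain carriage returns or line feeds.'
        }
    }

    $boundary = '----WebKitFormBoundaryKLrj8QtQRBMCWR38'
    $crlf = "`r`n"

    # Field order and fixed values mirror the form the original request sent.
    $fields = [ordered]@{
        type                     = 'adobe_pdf'
        email                    = $NotifyEmail
        webhook                  = ''
        fmt                      = ''
        memo                     = $ThreatActor
        clonedsite               = ''
        sql_server_table_name    = 'TABLE1'
        sql_server_view_name     = 'VIEW1'
        sql_server_function_name = 'FUNCTION1'
        sql_server_trigger_name  = 'TRIGGER1'
        redirect_url             = ''
    }

    $builder = New-Object System.Text.StringBuilder
    foreach ($field in $fields.GetEnumerator()) {
        $part = '--{0}{1}Content-Disposition: form-data; name="{2}"{1}{1}{3}{1}' -f $boundary, $crlf, $field.Key, $field.Value
        [void]$builder.Append($part)
    }
    # Closing delimiter: the boundary followed by "--".
    [void]$builder.Append(('--{0}--{1}' -f $boundary, $crlf))

    $request = @{
        Uri         = 'https://canarytokens.org/generate'
        Method      = 'POST'
        ContentType = "multipart/form-data; boundary=$boundary"
        Body        = [System.Text.Encoding]::UTF8.GetBytes($builder.ToString())
    }
    Invoke-RestMethod @request
}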
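function New-CanaryURL {
    <#
    .SYNOPSIS
    Requests a slow-redirect Canarytoken from canarytokens.org.

    .DESCRIPTION
    POSTs a multipart/form-data form to https://canarytokens.org/generate with
    type "slow_redirect" and the given redirect target, then adds a Manage
    property holding the token's management URL to the response.

    .PARAMETER ThreatActor
    Free text; sent in the "memo" field as "Slow redirect for <ThreatActor>".

    .PARAMETER NotifyEmail
    Address sent as the "email" field. The webhook field is always sent empty,
    so this is the only alert channel the request configures.

    .PARAMETER URL
    Destination sent as the "redirect_url" field.

    .OUTPUTS
    The generate endpoint's response object with an added Manage note property.
    The Manage URL embeds the token's auth value, so handle it like a credential.
    #>
    [cmdletbinding()]
    param (
        [string]$ThreatActor,
        [string]$NotifyEmail,
        [string]$URL
    )

    Write-Verbose $ThreatActor
    Write-Verbose $NotifyEmail
    Write-Verbose $URL

    # A token with neither e-mail nor webhook has nowhere to send its alert,
    # so refuse to create one silently.
    if ([string]::IsNullOrWhiteSpace($NotifyEmail)) {
        throw 'NotifyEmail is required: the request sends no webhook, so e-mail is the only alert channel.'
    }

    # Values are written verbatim into the multipart body. A CR or LF inside a
    # value could start a new header or part, so reject them up front.
    foreach ($value in @($ThreatActor, $NotifyEmail, $URL)) {
        if ($value -match '[\r\n]') {
            throw 'ThreatActor, NotifyEmail and URL must not contain carriage returns or line feeds.'
        }
    }

    $boundary = '----WebKitFormBoundaryluBYgZbD68nwBPw4'
    $crlf = "`r`n"

    # Field order and fixed values mirror the form the original request sent.
    $fields = [ordered]@{
        type                     = 'slow_redirect'
        email                    = $NotifyEmail
        webhook                  = ''
        fmt                      = ''
        memo                     = "Slow redirect for $ThreatActor"
        clonedsite               = ''
        sql_server_table_name    = 'TABLE1'
        sql_server_view_name     = 'VIEW1'
        sql_server_function_name = 'FUNCTION1'
        sql_server_trigger_name  = 'TRIGGER1'
        redirect_url             = $URL
    }

    $builder = New-Object System.Text.StringBuilder
    foreach ($field in $fields.GetEnumerator()) {
        $part = '--{0}{1}Content-Disposition: form-data; name="{2}"{1}{1}{3}{1}' -f $boundary, $crlf, $field.Key, $field.Value
        [void]$builder.Append($part)
    }
    # Closing delimiter: the boundary followed by "--".
    [void]$builder.Append(('--{0}--{1}' -f $boundary, $crlf))

    $request = @{
        Uri         = 'https://canarytokens.org/generate'
        Method      = 'POST'
        ContentType = "multipart/form-data; boundary=$boundary"
        Body        = [System.Text.Encoding]::UTF8.GetBytes($builder.ToString())
    }
    $Response = Invoke-RestMethod @request

    $ManageUrl = "https://canarytokens.org/manage?token={0}&auth={1}" -f $Response.Token, $Response.Auth
    $Response | Add-Member -MemberType NoteProperty -Name Manage -Value $ManageUrl
    return $Response
}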
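function New-TinyUrl {
    <#
    .SYNOPSIS
    Shortens a URL through the TinyURL api-create endpoint.

    .DESCRIPTION
    Sends the URL to tinyurl.com and writes the response body (the short URL)
    to the pipeline. The request goes over HTTPS and the target is
    percent-encoded, so a target containing "?" or "&" is passed whole instead
    of being split into extra query parameters.

    The shortener is a third party and sees every URL it is given. Do not pass
    token management URLs here: they carry the token's auth value.

    .PARAMETER Url
    The URL to shorten. Accepts pipeline input; each item is processed.

    .OUTPUTS
    System.String. The content returned by the TinyURL endpoint.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [ValidateNotNullOrEmpty()]
        [string] $Url
    )

    # A process block is needed for ValueFromPipeline to handle every piped
    # item; without it only the last one would be bound.
    process {
        $tinyUrlApi = 'https://tinyurl.com/api-create.php'
        $encodedUrl = [uri]::EscapeDataString($Url)
        $requestUri = "{0}?url={1}" -f $tinyUrlApi, $encodedUrl

        # -UseBasicParsing avoids the Internet Explorer dependency of
        # Windows PowerShell 5.1; newer versions accept and ignore it.
        $response = Invoke-WebRequest -Uri $requestUri -UseBasicParsing
        $response.Content
    }
}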
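function Invoke-CanaryToken {
    <#
    .SYNOPSIS
    Creates a PDF Canarytoken, a slow-redirect token pointing at its download,
    and a TinyURL for the redirect.

    .DESCRIPTION
    1. New-CanaryPDF creates the PDF token.
    2. The PDF download URL is built from that token's token and auth values.
    3. New-CanaryURL creates a slow-redirect token that redirects to the download URL.
    4. New-TinyUrl shortens the redirect token's URL.

    Each step is checked before the next one runs, so a failed request does not
    lead to a redirect token or short link built from empty values.

    .PARAMETER ThreatActor
    Label passed to both token requests as the memo text.

    .PARAMETER NotifyEmail
    Address passed to both token requests for alerts.

    .OUTPUTS
    PSCustomObject with PDFManageUrl, URLManageURL, CanaryURL and TinyURL.
    Both manage URLs embed the token's auth value; store and share them as
    credentials, not as ordinary links.
    #>
    param (
        $ThreatActor,
        $NotifyEmail
    )

    $manageFormat = "https://canarytokens.org/manage?token={0}&auth={1}"

    $pdfToken = New-CanaryPDF -ThreatActor $ThreatActor -NotifyEmail $NotifyEmail
    if (-not $pdfToken -or -not $pdfToken.token -or -not $pdfToken.auth) {
        throw 'PDF token request did not return a token and auth value.'
    }

    $downloadUrl = "https://canarytokens.org/download?fmt=pdf&token={0}&auth={1}" -f $pdfToken.token, $pdfToken.auth

    $redirectToken = New-CanaryURL -ThreatActor $ThreatActor -NotifyEmail $NotifyEmail -Url $downloadUrl
    if (-not $redirectToken -or -not $redirectToken.Url) {
        throw 'Redirect token request did not return a URL.'
    }

    # Only the public redirect URL goes to the shortener, never a manage URL.
    $shortUrl = New-TinyURL $redirectToken.Url

    $Out = [PSCustomObject]@{
        PDFManageUrl = $manageFormat -f $pdfToken.token, $pdfToken.auth
        URLManageURL = $manageFormat -f $redirectToken.token, $redirectToken.auth
        CanaryURL    = $redirectToken.url
        TinyURL      = $shortUrl
    }
    return $Out
}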