
Comments (17)

jayjb avatar jayjb commented on August 22, 2024

Hi @lgflyman7611,

Sorry that it is causing some pain; I'm sure we will be able to get it sorted soon. The way the PDF token works is that it uses a DNS token embedded in the PDF.

So the first test I suggest is to create a DNS token and try to trigger that. You can trigger it by:
`host xxxxxxx.your.private.hostname.com.`
If you receive an alert, then you know that you have the DNS token working. We can then try digging a little deeper.

Please try the above test and let me know how it goes.

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

OK, I happen to be testing DNS tokens now and it doesn't work. I registered those two domains on GoDaddy and did `host xxxxxxx.1111.abc`, which returned no such name.

But `host xxxx.canarytokens.com` returned an IP that is exactly the one binding to canarytokens.org.

So, is it GoDaddy that causes the failure?

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

OK ok, this is progress.

So let's make sure that your DNS is set up correctly. Have you made your DNS server the authoritative DNS server for your domain? This will mean adding SOA and NS records.

The NS records for your root domain, say 1111.abc, will point to the GoDaddy nameservers (they usually tell you just underneath where you configure your DNS file).

The SOA record will also point to the primary nameserver.

Please let me know how this goes.

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

[Image: Screenshot 2020-05-20 6.22.33 PM]

the image above seems right as you described...I can get the IP of canarytokens docker host with `host 111.adc`, but not with `host xxx.111.abc`

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

Ok that sounds good (and looks good). So it really doesn't matter whether host xxxx.111.abc returns the IP address or an NXDOMAIN. The reason is that we control that DNS server so we can serve whatever response.

If you are on your canarytokens server, you should be able to watch the queries come in. So if you run `docker exec -ti switchboard /bin/bash`, you will be inside one of the containers.

Now you can `tail -f switchboard.log` and try your queries again, and see if they are making it to your server.

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

[Image: Screenshot 2020-05-21 9.38.05 AM]

Tried `host xxxx.1111.adc` again, nothing appeared in switchboard.log. But there are several errors as you can see in the image above. I don't know if they are relevant?

So far, DNS, PDF and exe tokens are the only ones that can't work. The rest works fine. (SQL/SVN/AWS have not been tested yet) @jayjb

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

The `NoRouteError: No route to host` exception isn't something I've seen before. The tokens that you have listed that aren't working look to all be DNS-based Canarytokens.

Would you mind checking if `host 111.abc` shows up in your switchboard.log? I know it returns the correct IP already, but I'm wondering why subdomains of your main domain aren't reaching your server.

What kind of machine are you running the docker on? If you nmap your server, which ports are open?

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

Yes, the host 111.abc did show up in switchboard.log. I hid it under the yellow rectangle in the image above (right after http://). I am running docker on an Ubuntu 18.04 server, with ports 22, 53, 25 and 80 open.

I am wondering too. In my understanding, the DNS token would be triggered when the subdomain resolution requests are forwarded to canarytokens server. If I am right about that, the DNS token is triggered on canarytokens.org because the resolution requests of subdomain xxxx.canarytokens.com can be forwarded successfully to canarytokens.org (can't be sure because I don't have access to the backend system of canarytokens.org), while the requests of resolving xxx.111.abc can't be forwarded to my server for some reason. I guess something is not right with resolution request forwarder in the DNS chain, but I don't know where.

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

So that log line looks more to me like an HTTP GET request showing up. What I am asking is when you do a `host 111.abc`, does that DNS query show up?

Your understanding of how it works is spot on. I'm glad we are on the same track. So if you can confirm that DNS queries for your domain 111.abc show up in the logs, then we can figure out why subdomains aren't showing up.

For example, if I run `host w2yt5t62fjje8uxwx2d62qzsi.xxxxxxxx-srv.com` and I check my switchboard.log file, I see:

[Image: github_dns_check]

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

Yes, I tried to run `host 111.abc` and `host xxx.111.abc`, both got nothing in switchboard.log. I guess my DNS server did not forward the resolution request for xxx.111.adc to my canarytoken server. I don't know how to configure my DNS server to make sure it forwards those requests which it can't resolve to my canarytokens server...

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

I am thinking about a possible reason that those DNS-based tokens did not work, which might be the DNS service provider? I am using GoDaddy and did not find the way to make it forward irresolvable requests to my canarytokens server. Could you please tell me which provider you are working with? I could have a try of applying new domain names from your provider to rule out this possibility...

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

Hi @lgflyman7611,

Sorry for the delay. Yes, we need to figure out why those requests aren't being forwarded. My automatic response is that you need to make sure that your Canarytokens server is the authoritative DNS server for your domain.

With regards to your provider, I've set up one using GoDaddy before as well. I'm going to try to set up another one and see if I can get it working, and let you know the steps.

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

Hi @lgflyman7611,

I tried quickly setting one up on Google. And it worked (also using GoDaddy). What I did was use the following in my DNS setup:

```
A @ <IP>
NS @ ns72.domaincontrol.com
NS @ ns71.domaincontrol.com
NS tokens <IP-backwards>.bc.googleusercontent.com
NS nx <IP-backwards>.bc.googleusercontent.com
SOA @ Primary nameserver: ns71.domaincontrol.com.
```

And then in my canarytokens config files I have set the important values to:

frontend.env:

```
CANARY_DOMAINS=tokens.domain
CANARY_NXDOMAINS=nx.domain
```

switchboard.env:

```
CANARY_PUBLIC_DOMAIN=tokens.domain
```

Perhaps try using a subdomain as the main domain and set up the DNS like above?

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

Finally, I got all DNS-based tokens working! Thank you so much!

Here are my settings (say 111.abc is the domain name I got on GoDaddy):

```
A @ <IP>
NS @ ns72.domaincontrol.com
NS @ ns71.domaincontrol.com
NS tokens @
SOA @ Primary nameserver: ns71.domaincontrol.com.
```

And then in my canarytokens config files I have set the important values to:

frontend.env:

```
CANARY_DOMAINS=tokens.111.abc
CANARY_NXDOMAINS=tokens.111.abc
```

switchboard.env:

```
CANARY_PUBLIC_DOMAIN=tokens.111.abc
```

A little different from yours. But it works. The key part is the NS record "NS tokens @" which can forward resolving requests carrying hostname "tokens" to the IP in the corresponding A record.

Thanks again! Have a nice weekend!

from canarytokens.
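The delegation that the two comments above settle on, as an added example that is not part of the original thread or the Canarytokens code base: an offline check that every domain named in frontend.env and switchboard.env sits under an NS record pointing at the Canarytokens host. The zone `example.test`, the IP `203.0.113.10`, the four status names and the comma-separated reading of the env values are assumptions made for the example.

```python
# Added example (not from the thread). Zone, IP and env values are constructed.
ZONE, CANARY_IP = "example.test", "203.0.113.10"
WORKING = """A @ 203.0.113.10
NS @ ns71.domaincontrol.com
NS @ ns72.domaincontrol.com
NS tokens @"""
BROKEN = "\n".join(WORKING.splitlines()[:3])  # same zone, no NS cut for "tokens"
ENV = {"CANARY_DOMAINS": "tokens.example.test",
       "CANARY_NXDOMAINS": "tokens.example.test",
       "CANARY_PUBLIC_DOMAIN": "tokens.example.test"}

def parse_records(text, zone):
    """Parse 'TYPE OWNER VALUE' lines; '@' is shorthand for the zone apex."""
    ns, a = {}, {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("A", "NS"):
            continue  # SOA and anything else is irrelevant to this check
        rtype, owner, value = parts[:3]
        owner = zone if owner == "@" else f"{owner.lower()}.{zone}"
        value = zone if value == "@" else value.rstrip(".").lower()
        (ns if rtype == "NS" else a).setdefault(owner, set()).add(value)
    return ns, a

def check_domain(domain, zone, ns, a, canary_ip):
    """Find the closest NS cut below the apex and see where it points."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate == zone:
            break  # reached the apex: the registrar's nameservers answer
        if candidate in ns:
            ips = set().union(*(a.get(t, set()) for t in ns[candidate]))
            if canary_ip in ips:
                return "ok"
            # NS target has no A record in this zone: cannot verify offline
            return "wrong-target" if ips else "unverified"
    return "not-delegated"

def check_env(env, zone, records, canary_ip):
    """Classify every domain named in the Canarytokens env settings."""
    ns, a = parse_records(records, zone)
    keys = ("CANARY_DOMAINS", "CANARY_NXDOMAINS", "CANARY_PUBLIC_DOMAIN")
    return {(k, d.strip()): check_domain(d.strip(), zone, ns, a, canary_ip)
            for k in keys for d in env.get(k, "").split(",") if d.strip()}

if __name__ == "__main__":
    for name, records in (("working", WORKING), ("broken", BROKEN)):
        print(name, check_env(ENV, ZONE, records, CANARY_IP))
```

A `not-delegated` result corresponds to the symptom earlier in the thread: lookups for token hostnames are answered by the registrar's nameservers and never appear in switchboard.log.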

jayjb avatar jayjb commented on August 22, 2024

@lgflyman7611 that's great! I'm glad it is working for you. I hope it is useful.

from canarytokens.

lgflyman7611 avatar lgflyman7611 commented on August 22, 2024

Hi @jayjb ,
I was wondering if canarytokens supports a RESTful API so that I can fetch alert logs through the API, or supports syslog so that I can send alert logs to a remote server?

from canarytokens.

jayjb avatar jayjb commented on August 22, 2024

Hi @lgflyman7611,

Currently we don't have those for canarytokens. The closest thing there would be to use a webhook, which would send you alert information when a Canarytoken is triggered.

from canarytokens.
