Infosec: Setting up a Canary Ambush


At my sites I have an SBC (single-board computer) node deployed that provides the ability to diagnose problems. It is used to run speedtests, because running those on the edge device itself is not a good idea: it saturates the router's processor and skews the result. The node also acts as an rport endpoint for remote management and hosts a local speedtest server. The local speedtest is used to check the local wifi, because that is very often where the problem is.

But I also use it as a Canary Ambush. This is basically a guest-accessible SMB share sitting on the LAN, waiting for a lurking hacker who is enumerating shares to find it and open one of the Canarytoken documents inside. Nobody legitimate has any reason to touch this share, so a single hit is a high-confidence alert rather than noise, and you can then move in and give them a snotklap.

Here is how you set it up. The share is deliberately wide open (guest, writable) so that it looks like a badly secured file dump rather than a trap; keep it on a dedicated directory that holds nothing but decoys, since anyone on the network can write to it.

# install Samba and start the SMB daemon
sudo apt-get install samba
sudo systemctl enable --now smbd

# add a guest share to the Samba config
sudo nano /etc/samba/smb.conf

[public]
path = /home/user/public
public = yes               ; synonym for "guest ok = yes": no credentials needed
guest only = yes           ; every connection is mapped to the guest account
writable = yes
force create mode = 0666   ; files and directories created by guests are world-writable
force directory mode = 0777
browseable = yes           ; the share shows up in share enumeration

# create the share directory and make it world-writable to match the config
sudo mkdir /home/user/public
sudo chmod -R ugo+w /home/user/public

# reload the config
sudo systemctl restart smbd

We now create a few Canarytokens (PDF, Excel and Word documents from canarytokens.org) and upload them to the SBC node using rport, dropping them into the share. The bad guy snooping around the network finds the share, opens one of the documents, and the token phones home and triggers an email. Two caveats worth knowing: the document tokens fire when the file is actually opened in a reader such as Word, Excel or Acrobat, not when the share is merely listed or the file copied, so give the files names somebody would want to open; and a client that presents its own, unknown credentials will be refused unless Samba's "map to guest = Bad User" setting is also in the [global] section, while current Windows builds refuse guest SMB shares by default anyway. An attacker's Linux tooling (smbclient, enum4linux and friends) has no such scruples, which is the audience this ambush is aimed at. If you also want a record of the share access itself, independent of the token, Samba's full_audit VFS module can log connects and file opens to syslog.
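To make the procedure above reproducible rather than a hand-edited smb.conf, here is an added example script, not code from the original article or from rport or Thinkst. It renders the share config (adding the "map to guest = Bad User" global so credentialed clients fall back to guest), seeds a decoy directory tree with placeholder files where the real Canarytoken documents go, and checks the rendered config for the settings a guest share needs. The share root /srv/canary, the folder and file names, and the CANARY_INSTALL switch are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render, seed and check a
# Canary Ambush share. Assumed paths and names are illustrative only.
set -eu

# Print the smb.conf for the ambush share. `guest ok` is what the original
# post spells `public`; `map to guest = Bad User` lets a client that offers
# unknown credentials be mapped to guest instead of being refused.
canary_smb_conf() {
  local share_path="$1"
  cat <<EOF
[global]
   server role = standalone server
   map to guest = Bad User

[public]
   path = ${share_path}
   guest ok = yes
   guest only = yes
   writable = yes
   force create mode = 0666
   force directory mode = 0777
   browseable = yes
EOF
}

# Create the decoy tree. The empty placeholder files mark where the real
# Canarytoken PDF/Excel/Word documents are dropped (names are assumptions;
# the real token files should replace these, since empty files look fake).
seed_decoys() {
  local share_path="$1"
  mkdir -p "${share_path}/Finance" "${share_path}/IT"
  chmod 0777 "${share_path}" "${share_path}/Finance" "${share_path}/IT"
  : > "${share_path}/Finance/Q3-budget.xlsx"
  : > "${share_path}/IT/vpn-passwords.docx"
  : > "${share_path}/IT/network-diagram.pdf"
}

# Check a rendered config for every setting the guest share depends on;
# returns non-zero and names the missing keys if any are absent.
check_canary_conf() {
  local conf="$1" missing=0 key
  for key in "map to guest = Bad User" "guest ok = yes" \
             "guest only = yes" "writable = yes" "browseable = yes"; do
    grep -qF "$key" "$conf" || { echo "missing: $key" >&2; missing=1; }
  done
  return "$missing"
}

# Only touch the live system when explicitly asked (CANARY_INSTALL=1 is an
# assumed switch): write the config, seed the share, validate with testparm
# and restart smbd.
if [ "${CANARY_INSTALL:-0}" = "1" ]; then
  share=/srv/canary
  canary_smb_conf "$share" | sudo tee /etc/samba/smb.conf >/dev/null
  sudo mkdir -p "$share"
  seed_decoys "$share"
  check_canary_conf /etc/samba/smb.conf
  sudo testparm -s >/dev/null
  sudo systemctl restart smbd
fi
```

Run it with CANARY_INSTALL=1 on the SBC node to apply; without the switch it only defines the functions, so the config can be rendered to stdout with `canary_smb_conf /srv/canary` and inspected first.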

* Ronald works connecting Internet inhabiting things at Fusion Broadband.
