Sawaba

curl -s -A "smuggled message" http://canarytokens.com/tokenurl

wget -U "smuggled message" http://canarytokens.com/tokenurl

exec 3<>/dev/tcp/canarytokens.com/80
echo -e "GET /articles/traffic/guln4qekd7zjfd4thw5sw48uh/post.jsp HTTP/1.1\r\nUser-Agent: If i trip my own token, i can pass it any useragent info i want to, effectively smuggling data in a token\r\nHost: canarytokens.com\r\nAccept: */*\r\n\r\n">&3

Sawaba

declare -a sshclient
sshclient=($SSH_CLIENT)
args="$@"
curl -s -A "Someone just ran nc $args as User:$USER on Hostname:$HOSTNAME from SourceIP: ${sshclient[0]}" http://7c589debfgpn.o3n.io/files/dkgs6rpqh7nyjrf1hr1pabc7u/logo.gif > /dev/null
/bin/nc "$@"

Sawaba

# Generate AWS Creds 0.1
# canarygen_awscreds.py
#
# This is the "auto" version of this script. Run it unattended and it will 
# automatically grab username and hostname variables from the system it is
# run on.
#
# PREREQS
# python 3
# pip3 install canarytools

Sawaba

import requests
import sys
import re

def main(args):
    if len(args) < 2:
        print("usage: python delete_tokens.py <console_url> <api_key>")
    auth = args[1]
    console = args[0]
    get_url = "{base}/api/v1/canarytokens/fetch?auth_token={auth}".format(

Sawaba

@echo off
REM Test script to generate AWS creds

REM Requires curl and jq. Customize name/path to EXEs below.
set curl=curl
set jq=jq-win64.exe

REM Grab the date and time for creating unique files
for /f "tokens=1,2,3,4 delims=/ " %%a in ('date /t') do set currdate=%%d%%c%%b
for /f "tokens=1,2,3,4 delims=.:" %%a in ("%time%") do set currtime=%%a%%b%%c

Sawaba

#!/bin/bash
# Create a CSV with the last week's worth of alerts from your Canary console
# Requires curl and jq to be in the path

# Set this variable to your API token
export token=deadbeef12345678

# Customize this variable to match your console URL
export console=ab123456.canary.tools

Sawaba

#!/bin/bash
# This script adapted from an older post on StackOverflow by user fieldju
# https://stackoverflow.com/questions/36478741/installing-oracle-jdk-on-windows-subsystem-for-linux
# The script was for JDK 8. 
# Due to major changes with JDK 11 (no JRE, no Derby, Unlimited Strength included), it was necessary to update the entire script.
set -ex

# UPDATE THESE URLs (this one updated as of 2019-03-06)
export JDK_URL=http://download.oracle.com/otn-pub/java/jdk/11.0.2+9/f51449fcd52f4d52b93a989c5c56ed3c/jdk-11.0.2_linux-x64_bin.tar.gz

Sawaba

@echo off
goto begin

+-----------------------------------------------------------------------------+
| Internal Network Discovery Scan                                             |
|                                                                             |
| DESCRIPTION: This script discovers NETWORKS, not hosts. It attempts to find |
| every class C in use throughout the enterprise. Note that, on larger ranges,|
| we're sampling IPs to save time. This is a calculated time/accuracy tradeoff|
|                                                                             |

Sawaba

@echo off
REM Local Windows check to ensure we're safe from CVE-2017-11937 
REM https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11937
cls
ECHO.
ECHO CVE-2017-11937 Vulnerability Check version 1.0
ECHO Checking to make sure your antivirus isn't going to sell you out to cyberbaddies.
ECHO The last vulnerable version was 1.1.14306.0 - anything newer should be safe.
ECHO.

Sawaba

Keybase proof

I hereby claim:

• I am sawaba on github.
• I am adriansanabria (https://keybase.io/adriansanabria) on keybase.
• I have a public key ASB_775JHuSPY2VjHpo6kYDsJCI74ICzkgipLHiMLNCSngo

To claim this, I am signing this object: