Welcome to Thinkst Canary!
We are so glad to have you on board! We work really hard to make sure that setting up Canaries is quick and running them is painless. (If any of this isn't true, please let us know!)
Setting up your Canaries should be dead simple. Here's what you need to do.
Log into your Canary Console
You will notice a bird (or multiple birds) tagged as "in-flight"
Clicking on that tile will give you in-flight tracking details
Unbox your Canary and plug it in
That's it! Seriously... 😀
Your Canary LED will turn green, and the "in-flight" designation will change to let you know you have a new bird on your network.
(The bird is already useful and is acting like a Windows Server with RDP and a file share, but if you want to give it another personality, simply follow these steps)
Halp! My Canary's LED is RED!
A Red status light indicates that the Canary can't reach the Console. There are a few possible causes; let's eliminate them one by one.
Did the Red status show directly after saving your settings and rebooting your new Canary? If so, you might have forgotten to approve the registration in the Console. Log in to your Console and approve the outstanding registration.
If the registration was approved in the Console, and the status light is still Red, this suggests a network issue. Your Canary needs a valid IP address and a valid DNS server that can make external DNS queries. Check that the Canary is plugged into the correct network and that the status LEDs around the network jack have lit up.
If the status light showed Green previously but now only shows Red, this likely indicates a network issue.
If you need further assistance, please contact us at firstname.lastname@example.org, and we will jump on it.
I want to reconfigure a Canary
Your Canary can be reconfigured from your console, using the remote configuration editor or over Bluetooth. To configure your Canary over Bluetooth, the device needs to be in Bluetooth configuration mode. A brand new, pristine Canary boots automatically into config mode (which can be determined by the pretty blue LED). If the device has already been configured, it boots to live mode (where the LED will turn green or red).
To re-enter config mode, disconnect the power supply and then reconnect it. While the device is booting hold down the button (LED) on top of the device until the status LED lights up. After a short while, the LED will go blue, at which point the config interface on http://setup.canary.tools will be accessible again.
What configuration options are supported?
A name for the device which can contain only alphanumeric characters. Use this to provide a unique identifier for your Canary.
Remind yourself where the Canary is deployed (or use it as a more general descriptor field).
A device personality combines an OS personality with services you'd expect to find on that OS. This will select services on your behalf.
OS IP stack personality
Tell the Canary's IP stack to imitate a different OS.
Enable or disable portscan detection on this Canary.
Enable or disable DHCP networking on your Canary.
Canary IP Address
IP Address for deployed Canary.
Netmask for deployed Canary.
IP Address of the default gateway. Your Canary does not require direct Internet access, but without a default route it will only be accessible to attackers on the local network segment.
DNS Server 1
IP Address of a DNS server reachable from the deployed network address. The DNS server is required, and must be able to resolve external queries otherwise your Canary will not be able to communicate with the console.
DNS Server 2
Provide a second DNS server for redundancy. If only one is available, enter the same IP address in this field.
Windows File Share
File Share enabled
Check to enable the File Share module, uncheck to disable.
Select between "Workgroup" for a standalone file share server, or "Domain member" to join an Active Directory domain.
In "Workgroup" mode, provide a name for the Windows Workgroup (e.g. "OFFICE").
Fully Qualified Active Directory Domain Name
In "Domain Member" mode, provide the full Active Directory domain name (e.g. "corp.example.com").
Configure the NetBIOS Name advertised to the network.
Set the comment shown next to servers in the server listing.
Name the share exposed on the Canary.
Set the comment shown next to share in the share listing.
Files in the Share
Add new files to the share by clicking the + button. Give the files a name, and choose their type.
Check to enable the HTTP module, uncheck to disable.
The port number on which to listen for HTTP connections.
HTTP Page Skin
Select the Login page you want to serve to attackers.
Check to enable the SSH module, uncheck to disable.
Choose the port on which to run the SSH service.
Provide an SSH version string.
Check to enable the FTP module, uncheck to disable.
Choose the port on which to run the FTP service.
Provide an FTP banner.
What are the detection modules?
Your Canary ships with six types of detection modules:
Host port scan
Detects whether a Canary was subjected to a port scan from a single originator.
Network port scan
Detects when an attacker scans across your network for a particular port. This requires multiple Canaries on your network.
Exposes a web-based login page, and reports when login attempts are made.
Windows shared files
Provides a fully functional Windows file share complete with actual files named by you. Alerts whenever someone tries to open the files. Includes the ability to join Active Directories.
Provides an authentication-only SSH daemon. All login attempts are recorded.
Provides an authentication-only FTP daemon. All login attempts are recorded.
I want to join a Windows Active Directory
Good choice! Joining your Canary to AD means it is easier for snoopers to find since it'll show up in the AD tree, and you'll have authentication information.
Before we start, you will need valid Active Directory credentials for a user who is allowed to join machines to the AD. This user is often a domain administrator but doesn't have to be (see Resolution→Method 2 on this Microsoft page).
Secondly, if you want your Canary to be placed in a specific OU, then you'll need to pre-create the Computer account in the right OU, before joining the AD. (See Resolution→Method 1 on the same page). The Canary's NetBIOS name must match the AD's Computer account name.
Lastly, the Canary must be on a network segment that can reach domain controllers. When the Canary enters config mode, in addition to the 22.214.171.124 address it also tries to obtain a second address via DHCP. This address, if present, is used to join the domain. If no DHCP address was obtained, domain join will fail.
- Under your Canary's Windows File Share configuration section, enable File Share and fill in the computer and share details.
- Ensure "Mode" is set to "Domain member".
- Ensure that the fully qualified name of the AD is entered correctly.
- Click Save.
- You are shown a preparation screen that describes what is about to happen.
- Click Join Domain. The Canary will perform sanity checks, including looking up domain details. If any of these fail, you will be notified and the join process will halt. Resolve the failures before trying again.
- If the tests pass, then you will be prompted for the credentials of a user who is allowed to join machines to the domain. Enter the credentials then click Join domain.
- After successfully joining the domain, click Continue.
What are HTTP skins?
The HTTP module reports login attempts on a website hosted by the Canary. To make the login appear legitimate, we let you pick from a range of fake websites that might be found on internal networks. The skin only holds the login page.
In some cases, the Canary's automatic registration can fail. Typically this occurs when the user configuring the Canary is not also logged into their hosted console, perhaps because the user does not have external web access at that time.
Canaries support an offline or manual registration flow too. This process requires you to copy data from the Canary's config interface to the hosted console, and vice versa. Here are the steps:
- After trying the Canary's automatic registration, you see this error:
- Copy the blob of data from the text field.
- Log in to your Canary Console, and click + located in your Canaries section.
- Click Add hardware Canary located in the Add New Canary pop up.
- Paste the blob copied from the Canary into the text area and click Import. This will pair the Canary with your console.
- Copy the data blob shown in your Canary Console.
- Then switch back to your Canary's config screen and paste the Console blob into the text field and click Submit:
- On your Canary Console, you can find your new Canary by looking for the New! annotation.
- Your Canary is now paired; you can unplug it and move it to its production location.
I want to configure notifications
Your hosted console supports two types of notifications, SMS and email, and you can configure one, both or neither. Browse the Setup link to configure your hosted console.
To enable email notifications, click the On button, and in the text field that appears enter the email address that will receive alerts. You can include multiple addresses, simply separate them with a comma.
To enable SMS notifications, click the On button, and in the text field that appears enter the phone numbers that will receive alerts. Numbers must start with "+" and, apart from the "+", only consist of digits. You can include multiple numbers, simply separate them with a comma.
I want to enable 2FA on my console
Your hosted console supports Google Authenticator's time-based OTPs:
- To enable 2FA, click the On button.
- A configuration QR-code is shown. Open your Google Authenticator app, tap Settings then tap Scan a barcode.
- Alternatively, if you don't want to scan the barcode then manually enter the key. Tap Enter provided key and input the key string shown under the QR-code along with an account name. Ensure that Time based is selected, then tap Add.
- To use your 2FA, on the login select I use a second factor.
What do the LED colours mean?
The status LED provides feedback about the Canary's current state, using colour and flashing.
Canary software has not run, power is likely off.
Booting into config mode.
Config mode is running.
Booting into live mode.
Canary is running in live mode, in contact with the server.
Canary is running in live mode, but cannot contact the server.
Canary software has exited. Reboot your Canary.
What counts as an incident?
Your console doesn't simply report on every trigger, it bundles events together to form incidents if they are related. For example, if an attacker launches a brute-force attempt against your FTP server, you want to receive a single alert about the attack, not one per username tried.
An incident is a set of repeated events from the same source against the same target service within a time period.
Of course, we still record every event and when you open up an incident, you will be provided with the data about each event that makes up the incident.
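The bundling rule above, worked through on constructed sample events (an added illustration, not Thinkst Canary's own code; the 300-second merge window and the event fields are assumptions, since the page does not state the real time period):

```python
"""Bundle repeated events from the same source against the same service into
incidents. Illustrative only; the window length is an assumption."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=300)  # assumed merge window (real value not on the page)


@dataclass
class Event:
    ts: datetime
    src: str      # originating IP address
    service: str  # target service on the Canary, e.g. "ftp", "ssh", "http"
    detail: str   # e.g. the username that was tried


@dataclass
class Incident:
    src: str
    service: str
    events: list = field(default_factory=list)  # every event is kept

    @property
    def last_seen(self):
        return self.events[-1].ts


def bundle(events):
    """Return incidents in order of first event. An event joins the open incident
    for its (src, service) pair if it arrives within WINDOW of that incident's
    most recent event; otherwise it opens a new incident."""
    open_by_key, incidents = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.service)
        inc = open_by_key.get(key)
        if inc is None or ev.ts - inc.last_seen > WINDOW:
            inc = Incident(ev.src, ev.service)
            incidents.append(inc)
            open_by_key[key] = inc
        inc.events.append(ev)
    return incidents


# Constructed sample: a 20-username FTP brute force, one SSH probe from the same
# host during it, and a lone FTP attempt from that host 30 minutes later.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [Event(T0 + timedelta(seconds=2 * i), "10.0.0.5", "ftp", f"user{i}") for i in range(20)]
SAMPLE.append(Event(T0 + timedelta(seconds=10), "10.0.0.5", "ssh", "root"))
SAMPLE.append(Event(T0 + timedelta(minutes=30), "10.0.0.5", "ftp", "admin"))

if __name__ == "__main__":
    for inc in bundle(SAMPLE):  # 3 incidents: ftp x20, ssh x1, ftp x1
        print(f"{inc.src} -> {inc.service}: {len(inc.events)} events, "
              f"{inc.events[0].ts:%H:%M:%S} to {inc.last_seen:%H:%M:%S}")
```

The 20 FTP attempts collapse into a single alert while the later FTP attempt, outside the window, becomes its own incident.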