(The making of a MySQL Canarytoken)
Consider this scenario: An industrious attacker lands on one of your servers and finds a 5MB MySQL dump file (say, called prod_primary.dump). What do they do next?
As soon as they do, you get an email/SMS/alert letting you know:
Eds note: You can create and deploy these by visiting canarytokens.org
There are obvious benefits to these sorts of booby-traps, but some rise above the rest:
- They can be deployed in seconds;
- They aren’t prone to high false-positives;
- An attacker who suspects you are using these is no better off for knowing this (if nothing else, they now have to second-guess everything they touch);
- It’s such a pure illustration of attack-minded defense.
- Can we get the system to surf to a URL we control;
- Can we get the system to lookup a DNS entry that we control;
Sizing up the problem
A deeper dive into the MySQL Handshake
- Create a unique DNS host-name on a domain we control; (this is done by simply visiting Canarytokens.org and creating a DNS-Canarytoken: we get back something like: 0iep6h5na3p4coxx4hax132b8.canarytokens.com)
- On the MySQL server, issue the commands MASTER_HOST=’0iep6h5na3p4coxx4hax132b8.canarytokens.com; START REPLICA
Even though the actual replication never takes place, the MySQL server resolves the DNS name of the foreign server (effectively tripping the DNS token) and letting us know that it’s happened.
If we can get the remote server to complete the MySQL handshake, we’d get a connecting IP address and we can possibly stuff more information from the MySQL server into the username/password fields that we submit.
Using the Canarytoken
- An email address to receive the alert;
- A reminder note to jog your memory when this alert fires;
SET @bb = CONCAT(“CHANGE MASTER TO MASTER_PASSWORD=’my-secret-pw’, MASTER_RETRY_COUNT=1, MASTER_PORT=3306, MASTER_HOST=’k5sk4zeo5csej6pps4vkgzmtp.canarytokens.com’, MASTER_USER=’k5sk4zeo5csej6pps4vkgzmtp”, @@lc_time_names, @@hostname, “‘;”);
PREPARE stmt FROM @bb;EXECUTE stmt;START REPLICA;
- Her server will lookup k5sk4zeo5csej6pps4vkgzmtp.canarytokens.com triggering the DNS token and letting us know that the MySQL dump file we left safely on NYC-DC1 was just loaded into MySQL somewhere;
- Her server will connect to our fake MySQL server (which now knows her MySQL Server’s IP address, which is a strong thread to pull on);
- Her server will attempt to login to our fake MySQL server with the username: ‘k5sk4zeo5csej6pps4vkgzmtp”, @@lc_time_names, @@hostname which now gives us more information on the attacker that we can report on when letting you know the token has tripped.
For users who don’t have a mysql dump file lying around (or don’t want to risk creating one with real data), we also offer option-2, where we take a sample MySQL file, run it through a quick mixer to generate some random linked tables with data, and insert the tokened snippet into it. No mess, no fuss. Simply drop the file on your server (or in your dropbox, or in your email) and if you ever get the notification to let you know that it’s been loaded, you know you have a problem.
In many ways, tokens like this are a joy. If you leave this Staff_Salaries-2021.mysql-dump.sql file in your email and forget about it for 10 years, it costs you nothing.
If you get a notification letting you know that the mysql dump you left in your mailbox just got loaded into a MySQL server in $FOREIGN_COUNTRY? That’s priceless.
There’s no chance of it being an accidental alert, and there’s almost no chance that an attacker would find a large enough mysql dump file without loading it into a DB to check it out.
1 comments On Good attacks make good detections make good attacks make..
Jacob, Less technical and more philosophical, it seems to me Cliff Stoll, used a less modern version of this technique in 1986 to track his hacker…36 years later we swing all the way back to the honeypot with alert… Walk me through why we wasted decades running down so many rabbit holes of ineffective defense from invader strategies when the elegant solution has been with us the entire time?