I'm running a VPN but I don't see any image 🤔

Discussion

Interesting, it's a .html link created with canarytokens.org. Amethyst renders it as an image, probably kind of a webpage preview.

It looks like it either returns an image or an HTML page based on the request's "Accept" header.

I just tested it with curl -v -H "Accept: text/html" and it returned html

Snort uses an image proxy. But it definitively returns an image.

# curl -x socks5h://192.168.2.1:9050 -Lv "http://canarytokens.com/about/tags/traffic/4sf64fusw6x3p94hztcplg6kc/index.html"
* Trying 192.168.2.1:9050...
* Connected to 192.168.2.1 (192.168.2.1) port 9050
* SOCKS5 connect to canarytokens.com:80 (remotely resolved)
* SOCKS5 request granted.
* Connected to 192.168.2.1 (192.168.2.1) port 9050
> GET /about/tags/traffic/4sf64fusw6x3p94hztcplg6kc/index.html HTTP/1.1
> Host: canarytokens.com
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Wed, 03 Jan 2024 22:40:19 GMT
< Content-Type: image/png <----------------- Here
< Content-Length: 192391
< Connection: keep-alive
< Access-Control-Allow-Origin: *
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* Closing connection
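
As an added example (not part of the thread and not Canarytokens' code), this local Python server reproduces the behaviour observed above: one URL answering with image/png or text/html depending on the request's Accept header, while recording every fetch. The selection rule, the response bodies and the names TokenHandler, probe and run_demo are assumptions made for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins for the two response bodies (not real Canarytokens content).
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BODY = b"<html><body>token page</body></html>"
# Ignore any proxy set in the environment so the demo stays on loopback.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class TokenHandler(BaseHTTPRequestHandler):
    hits = []  # one entry per fetch: (client IP, User-Agent, Accept)

    def do_GET(self):
        accept = self.headers.get("Accept", "")
        TokenHandler.hits.append((self.client_address[0], self.headers.get("User-Agent", ""), accept))
        # Assumed rule: an explicit text/html preference gets the page, anything else the image.
        if "text/html" in accept.lower():
            ctype, body = "text/html", HTML_BODY
        else:
            ctype, body = "image/png", PNG_BODY
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args): pass  # keep the demo quiet

def probe(url, accept):
    """Fetch url with the given Accept header and return the response Content-Type."""
    req = urllib.request.Request(url, headers={"Accept": accept, "User-Agent": "probe/0"})
    with OPENER.open(req, timeout=5) as resp:
        resp.read()
        return resp.headers.get_content_type()

def run_demo():
    """Start the local server, probe it with three Accept values, return the findings."""
    TokenHandler.hits.clear()
    server = ThreadingHTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/index.html"
    try:
        results = {a: probe(url, a) for a in ("*/*", "text/html", "image/*")}
    finally:
        server.shutdown()
        server.server_close()
    return results, list(TokenHandler.hits)

if __name__ == "__main__":
    print(run_demo())
```

Every probe is recorded regardless of which body is returned, which is why a client-side preview or an image proxy fetching the link is enough to register a hit.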