Before you can craft a convincing client-side attack, you need to know who you are dealing with. What browser are they running? What OS? Where are they located? Are they behind a VPN? This is what fingerprinting is for, and it is one of the most underrated steps in a red team engagement.
Disclaimer
Everything in this tutorial exists to help you become a better security professional. Reconnaissance, fingerprinting, and social engineering are real threats. Understanding them is how you defend against them and test your clients' defenses. Deploying these techniques without written authorization is illegal in most jurisdictions. Always operate under a signed scope of work.
What Is Target Fingerprinting?
Fingerprinting is the process of passively or semi-passively collecting information about a target's system and environment without them knowing they are being profiled. Unlike active scanning (Nmap, Nikto), fingerprinting happens silently. The target clicks something, and you already know more than they realize.
In client-side attacks, you are not going after the server. You are going after the human and their machine. That means your attack has to be tailored. A macro-laced Word document will not help you if your target is on a Mac. A Chrome extension exploit is useless against Firefox. Fingerprinting tells you which weapon to pick.
What you can collect:
- Browser type and version
- Operating system and architecture
- Screen resolution and timezone
- IP address (and approximate geolocation)
- Whether a VPN or Tor is being used
- Installed fonts (canvas fingerprinting)
- Whether the target is on mobile or desktop
- Referrer URL (how they got to your link)
Canary Tokens
Canarytokens.org is a free tool built for exactly this. It generates tracking tokens that can be embedded in URLs, documents, images, emails, and more. When triggered, it fires an alert to your email with juicy details about whoever triggered it.
Setting Up a Canary Token
Go to canarytokens.org. You will see different token types including:
- Web bug / URL token - A plain link. When visited, it fires.
- DNS token - Triggered when the hostname is resolved. Useful for detecting reconnaissance tools, not just browsers.
- MS Word document token - A Word doc that calls home when opened.
- Web Image - For tracking via images.
And lots more.
To create a token:
- Select your token type
- Enter your email to receive alerts
- Add a reminder note (something that will help you identify which target triggered it)
- Click "Create Canarytoken"
You will receive a unique URL. That is your tracking link. When anyone loads it, you get an email notifying you. You can test it yourself by loading the link in a browser.
From the user agent you know their OS and browser. User-agent data is not always reliable, but Canarytokens takes it a step further by also reporting data extracted by JavaScript, which is more reliable.
The alert shows that the target is in Abuja, Nigeria, and is using Firefox on Windows. This is all correct.
Embedding a Tracking Link in an Image
Now that we know how to generate the tokens, we need to be discreet to avoid raising suspicion during delivery. A link that leads to an unexpected site may put the target on guard. To achieve this, we will track via images. Images are one of the most versatile delivery methods: they load automatically in email clients, browsers, chat apps, Word documents, and mobile viewers, with no application dependency and no user action beyond opening the message.
The mechanism is simple: your canary token URL serves as the image source. The moment any client fetches that URL to render the image, the token fires.
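The flip side of that mechanism is what a mail gateway or an analyst looks for when deciding whether a message carries a beacon. The following is an added example written for this page, not code from canarytokens.org: it walks the `<img>` tags of an HTML email body and reports every remote image, scoring higher when the host is one of the tracking services named on this page, when the image is 1x1, or when it is hidden with CSS. The sample email body and the `mail-assets.example` host are constructed.

```python
"""Flag remote-image beacons (tracking pixels) in an HTML email body.

Added example for this page, not code from canarytokens.org. Standard
library only. The sample email below is constructed; the beacon hostnames
(canarytokens.com/.org, grabify.link, iplogger.org) are the services this
page names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this page names as tracking-link/image services; extend with your own list.
KNOWN_BEACON_HOSTS = {"canarytokens.com", "canarytokens.org", "grabify.link", "iplogger.org"}


class ImageCollector(HTMLParser):
    """Collect <img> tags and their attributes."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    """A 1x1 (or 0x0) image is the classic tracking pixel."""
    try:
        w = int(attrs.get("width", "").strip().rstrip("px") or 100)
        h = int(attrs.get("height", "").strip().rstrip("px") or 100)
    except ValueError:
        return False
    return w <= 1 and h <= 1


def find_beacons(html):
    """Return findings for remote images that look like beacons.

    Every external src is reported (remote images fire on render);
    extra reasons ('known-beacon-host', 'tiny', 'hidden') raise the concern.
    Inline (data:) and embedded (cid:) images make no outbound request.
    """
    parser = ImageCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "").strip()
        if not src or src.startswith(("data:", "cid:")):
            continue
        host = (urlparse(src).hostname or "").lower()
        reasons = ["remote"]
        if host in KNOWN_BEACON_HOSTS:
            reasons.append("known-beacon-host")
        if _is_tiny(attrs):
            reasons.append("tiny")
        if "display:none" in attrs.get("style", "").replace(" ", "").lower():
            reasons.append("hidden")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample body: an embedded logo, the canarytokens image from this
# page, and a hidden 1x1 pixel on a made-up host.
SAMPLE_EMAIL = """
<html><body>
<img src="cid:logo@example" width="120" height="40">
<p>Take a look at the new logo and let me know what you think.</p>
<img src="http://canarytokens.com/stuff/r5xcs8z36lt3rx29kyvcd48b4/photo1.jpg" alt="logo draft">
<img src="https://mail-assets.example/open.gif" width="1" height="1" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_EMAIL):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

The useful defensive control is the first reason alone: a client that does not fetch remote images until the user asks for them never fires the token, whatever the host or size.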
Step 1: Create a Custom Image Token
Go to canarytokens.org and select "Web Image" from the listed options.
Upload any small professional-looking image. A company logo placeholder, a document header graphic, or even a small "secure document" badge all work. The image just needs to look like it belongs in whatever you are sending.
Fill in your email and a reminder note, then click "Create Canarytoken".
On the results page you will see your token URL. It looks like this:
http://canarytokens.com/stuff/r5xcs8z36lt3rx29kyvcd48b4/photo1.jpg
That URL serves your uploaded image but logs every request made to it.
Opening the URL in a browser:
We can see that the link serves the image. So we can use a pretext telling a friend or colleague to take a look at your new logo design and give you feedback.
Obfuscating Our Link
To be even more discreet, we may choose to present our tracking URL in a way that does not immediately reveal where it leads. Currently, our generated URL (http://canarytokens.com/stuff/r5xcs8z36lt3rx29kyvcd48b4/photo1.jpg) tells the target that they are going to the canarytokens.org domain. If a user knows what Canarytokens does, they may not click, and may even block you.
To obfuscate our URL, we can shorten it using a URL shortening service.
So we can simply send them the shortened URL, and they’d still get taken to our intended tracking token.
Understanding Pretexts
A pretext is your cover story. It is the reason your target has for engaging with whatever you send them. This is where most client-side attacks succeed or fail.
Technical execution is the easy part. Getting someone to open a PDF from a stranger is the hard part. Pretexts solve that.
A good pretext has at least three qualities:
- Relevance - It matches something the target actually cares about or deals with regularly.
- Authority - It comes from (or appears to come from) someone with a reason to send it.
- Urgency or curiosity - It creates a reason to act now rather than later.
Pretext Examples
Scenario 1: Professional setting, someone you do not know
You are targeting an employee at a company after finding their LinkedIn. They work in finance.
Subject: Q3 Audit Compliance Update - Action Required
Hi Sarah,
I am reaching out from the external audit team coordinating the Q3 compliance review. We have uploaded the preliminary findings document to the shared portal. Please review section 3 before our sync on Thursday.
[View Compliance Report - PDF link (your canary URL)]
Let me know if you have questions.
James Okafor
Compliance Advisory | Deloitte
The PDF they download has your tracking pixel. They open it, you get their IP, OS, browser. Now you know they are running Windows 11, Chrome, in Lagos, and not behind a VPN. Your next move is informed.
Scenario 2: Professional setting, someone you know (insider threat simulation)
You are on an authorized red team engagement. Your client wants to test whether employees click on spear-phishing emails from someone impersonating a colleague.
Subject: Quick review needed - budget proposal
Hey Mike,
I updated the budget proposal from last week. Can you take a look before I send it to finance? Just a few changes from our Wednesday call.
[Updated Budget Proposal.pdf]
Cheers, Lara
Because "Lara" and "Mike" interact regularly, this lands. No red flags. The familiarity lowers every guard.
Scenario 3: Tracking a bad actor (threat intelligence / legal investigation context)
Say you are working with a client whose internal documents were leaked. You suspect an insider. You want to know who opens a specific file you seed into the environment.
You create a sensitive-looking document (fake "executive compensation plan," fake "acquisition targets list") and drop it on a shared drive. Every version has a different canary token.
When one fires, you know which file was opened, from which IP, at what time. That is your lead.
This is called a honeyfile or honeydocument. It is a legitimate and widely used technique in digital forensics and insider threat programs.
Scenario 4: Casual / social engineering someone you know personally
"Hey, I made a shared photo album from the trip. Here is the link to view it."
The link goes to a page with a tracking token. Before the album even loads, you have their browser fingerprint, IP, and timezone. In a CTF or authorized test, this can reveal useful information about a target.
Putting It All Together: The Full Workflow
Here is what a real engagement flow looks like:
- Identify your target. LinkedIn, OSINT, company website.
- Build your pretext. Craft something relevant to their role.
- Create your tracking asset. A canary token URL, a PDF with an embedded pixel, or an image (as I showed you).
- Send it. Via email, LinkedIn DM, WhatsApp, whatever the pretext supports.
- Review the alert. IP address, geolocation, browser, OS, time of access.
- Decide your next move. Now you know what payload to build, what OS to target, whether they use VPN, and their working hours.
When we check the token's history, we can see all triggered alerts and their accompanying details.
What to Do With the Data
IP and Geolocation: Even though Canarytokens already provides a geolocation, you can still run the IP through a lookup tool like ipinfo.io or shodan.io. Confirm their physical location, and check whether it matches the expected country or is flagged as a VPN, proxy, or datacenter address.
User Agent: Parse it at useragentparser.com or ua-parser.js. Extract OS version, browser version, device type.
Timezone vs IP Location mismatch: If their IP says US but their timezone is UTC+1, they are likely using a VPN. Adjust your approach.
Browser and OS: Determine which client-side exploits or payloads are relevant. A Windows 10 target with an older Chrome build opens different doors than a macOS Ventura user on Safari.
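The three checks above (parse the user agent, compare the browser-reported timezone with the IP's country, treat datacenter IPs as proxy candidates) can be folded into one triage function. The following is an added example written for this page, not Canarytokens' code: the alert records are constructed, and the small `COUNTRY_OFFSETS` table is an assumption standing in for what a real geolocation lookup (ipinfo.io in the text) would return. The UA parser is a deliberately small heuristic; ua-parser, which the text mentions, is the maintained option.

```python
"""Triage a tracking-token alert: parse the user agent and check the
browser-reported timezone against the IP's country.

Added example for this page, not Canarytokens' own code. The alert records
and COUNTRY_OFFSETS are constructed; a real pipeline takes the country and
datacenter flag from an IP lookup such as ipinfo.io.
"""
import re

# Constructed: plausible standard-time UTC offsets (hours) per country, as a
# geolocation service would report. Multi-zone countries list each zone.
COUNTRY_OFFSETS = {
    "NG": {1},                        # Nigeria: WAT
    "US": {-10, -9, -8, -7, -6, -5},  # Hawaii .. Eastern
    "GB": {0, 1},
    "DE": {1, 2},
}


def parse_user_agent(ua):
    """Extract a coarse OS / browser / device type from a UA string (heuristic)."""
    os_name = "unknown"
    if "Windows NT 10.0" in ua:
        os_name = "Windows 10/11"   # both report NT 10.0 in the UA
    elif "Windows" in ua:
        os_name = "Windows"
    elif "Mac OS X" in ua and "iPhone" not in ua:
        os_name = "macOS"
    elif "Android" in ua:
        os_name = "Android"
    elif "iPhone" in ua or "iPad" in ua:
        os_name = "iOS"
    elif "Linux" in ua:
        os_name = "Linux"

    browser = "unknown"
    # Order matters: Chrome and Edge UAs also contain "Safari"; Edge also contains "Chrome".
    for name, pattern in (("Edge", r"Edg/([\d.]+)"), ("Firefox", r"Firefox/([\d.]+)"),
                          ("Chrome", r"Chrome/([\d.]+)"), ("Safari", r"Version/([\d.]+).*Safari")):
        m = re.search(pattern, ua)
        if m:
            browser = f"{name} {m.group(1)}"
            break

    device = "mobile" if re.search(r"Mobile|Android|iPhone", ua) else "desktop"
    return {"os": os_name, "browser": browser, "device": device}


def timezone_mismatch(ip_country, tz_offset_minutes):
    """True if the reported UTC offset is impossible for the IP's country.

    Browser JavaScript reports getTimezoneOffset() as minutes *behind* UTC,
    so UTC+1 arrives as -60; normalise before comparing.
    """
    offset_hours = -tz_offset_minutes / 60
    expected = COUNTRY_OFFSETS.get(ip_country)
    if expected is None:
        return False  # unknown country: cannot judge
    return offset_hours not in expected


def triage(alert):
    """Combine the checks into one verdict dict for an alert record."""
    ua = parse_user_agent(alert["user_agent"])
    mismatch = timezone_mismatch(alert["ip_country"], alert["tz_offset_minutes"])
    return {**ua, "ip_country": alert["ip_country"], "tz_mismatch": mismatch,
            "likely_vpn_or_proxy": mismatch or alert.get("is_datacenter", False)}


# Constructed alert records, shaped like the fields this page says an alert carries.
ALERT_LAGOS = {"ip_country": "NG", "tz_offset_minutes": -60, "is_datacenter": False,
               "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"}
ALERT_VPN = {"ip_country": "US", "tz_offset_minutes": -60, "is_datacenter": True,
             "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                           "(KHTML, like Gecko) Version/17.4 Safari/605.1.15"}

if __name__ == "__main__":
    for a in (ALERT_LAGOS, ALERT_VPN):
        print(triage(a))
```

The second record shows the mismatch case from the text: a US exit IP with a UTC+1 browser clock is flagged even before the datacenter bit is considered.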
Other Ways to Fingerprint a Target
Canary Tokens covers many use cases, but other tools and manual techniques are worth knowing.
Grabify (grabify.link) works similarly to Canary Tokens but focuses mainly on link tracking. You can paste any destination URL, get a tracking link back. When clicked, you get IP, location, device, and browser. It also lets you use a custom URL as the destination so the redirect looks natural. Good for quick deployments when you do not want to set up anything.
IPLogger (iplogger.org) is another link-based tracker. Supports image tracking and has a built-in URL shortener. Useful as a backup if Grabify links are getting flagged.
Spiderfoot (spiderfoot.net) takes a different angle. Instead of waiting for the target to trigger something, it actively pulls open-source intelligence about them from dozens of sources: social media, breach databases, DNS records, and more. You can use this before you deploy any tracking asset to build a fuller picture of your target first.
Hunter.io (hunter.io) helps you find verified email addresses tied to a company domain. Pair it with any of the email-based tracking methods in this tutorial and you have a complete pipeline from target discovery to fingerprint collection.
Manual Methods
These require a bit more work but give you more control and leave less of a trail pointing back to third-party services.
Hosting your own tracking endpoint is the most flexible approach. You spin up a simple web server, create a route that logs every incoming request, and use that URL anywhere. You own the data, there is no third-party service that could get the link flagged, and you can customize exactly what gets collected. Let me know in the comments if you want me to cover some manual techniques.
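The self-hosted endpoint just described is the same thing a honeyfile program (Scenario 3 above) runs internally: one token per seeded document, a route that serves a harmless pixel and records who fetched it. The following is an added example written for this page, not code from canarytokens.org. Assumptions: the `TOKENS` table (token id to reminder note) is constructed, alerts are appended as JSON lines to `beacon_alerts.jsonl`, and `TRUST_PROXY` is only set when a reverse proxy you control is in front of the server.

```python
"""Minimal self-hosted beacon endpoint for honeyfiles or other tracking assets.

Added example for this page, not code from canarytokens.org. Standard
library only. TOKENS is constructed; ALERT_LOG and TRUST_PROXY are
assumptions about the deployment.
"""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# 1x1 transparent GIF, so the beacon renders as an ordinary image.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
             b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
ALERT_LOG = "beacon_alerts.jsonl"
TRUST_PROXY = False   # True only when a proxy you control sets X-Forwarded-For
TOKENS = {            # constructed: one token per seeded honeyfile
    "a1b2c3d4": "exec-comp-plan.docx on finance share",
    "e5f6a7b8": "acquisition-targets.xlsx on legal share",
}


def build_alert(path, headers, peer_ip, now=None):
    """Turn one request into an alert record, or None if the path is not a token.

    X-Forwarded-For is honoured only behind your own proxy: any client can
    send that header itself, so trusting it blindly lets a visitor forge
    the IP that lands in your log.
    """
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "t":
        return None
    token = parts[1].split(".")[0]          # /t/<token>.gif -> <token>
    if token not in TOKENS:
        return None
    ip = peer_ip
    if TRUST_PROXY and headers.get("X-Forwarded-For"):
        ip = headers["X-Forwarded-For"].split(",")[0].strip()
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "token": token,
        "note": TOKENS[token],
        "ip": ip,
        "user_agent": headers.get("User-Agent", ""),
        "referer": headers.get("Referer", ""),
        "accept_language": headers.get("Accept-Language", ""),
    }


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        alert = build_alert(self.path, self.headers, self.client_address[0])
        if alert is None:
            self.send_error(404)
            return
        with open(ALERT_LOG, "a", encoding="utf-8") as f:
            f.write(json.dumps(alert) + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")   # every open is a fresh hit
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, fmt, *args):
        pass  # alerts go to ALERT_LOG, not stderr


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), BeaconHandler).serve_forever()
```

Run it and fetch http://127.0.0.1:8080/t/a1b2c3d4.gif to see one line land in the log; unknown tokens get a 404 so the endpoint cannot be used to enumerate what you have seeded.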
Manage Your Recon, Alerts, and Engagements in One Place
If you are running multiple engagements or tracking several canary tokens across different operations, keeping everything organized in spreadsheets gets messy fast.
ZeroPanic is a security operations platform built for professionals like you. It includes a credential vault, an AI security assistant, and an agentic reconnaissance layer that can help you run and document engagements systematically. Worth checking out if you want your workflow to match the quality of your tradecraft.
Happy hacking.