Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace
GPL-3.0 License
This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token.
As of May 2018, Slack has over 8 million customers and that number is rapidly rising - the integration and 'ChatOps' possibilities are endless and allows teams (not just developers!) to create some really powerful workflows and Slack bot/application interactions.
As is the way with corporations large and small, it is not unusual for tools such as Slack to fly under the Information Security governance/policy radar which ultimately leads to precarious situations whereby sensitive and confidential information end up in places they shouldn't be.
The purpose of this tool is two-fold:
The tool allows you to easily gather sensitive information for offline viewing at your convenience.
Note: I'm a Python n00b and have no doubt that the script can be optimised and improved massively - please feel free to make pull requests; I'll review and merge them as appropriate!
The tool uses the native Slack APIs to extract 'interesting' information and looks for the following information, today:
The Slack web application uses a number of cookies - the one of special interest is called, wait for it... d
. This d
cookie is the same across all Workspaces the victim has access to. What this means in reality is that a single stolen d
cookie would allow an attacker to get access to all of the Workspaces the victim is logged-in to; my experience with the Slack web application is that once you are logged in, you'll remain logged in indefinitely.
The Slack API token is a per-workspace token. One token cannot (as far as I know) access other workspaces in the same way the d
cookie above allows access to all Workspaces.
For the tool to search for and extract information, you will need to provide it an API token. There are two straight forward ways of doing this:
d
cookie by using the --cookie
flag. The tool will output the associated Workspaces and tokens--token
flag. You can find this by viewing the source of the Workspace URL and doing a search for XOX
The token will look something like this:
api_token: "xoxs-x-x-x-x"
Make a copy of that and pass that in to the script using the --token
flag.
The script has been developed, tested and confirmed working on Python 3.5, 3.6 and 3.7. A quick test on Python 2 presented some compatibility issues.
git clone https://github.com/emtunc/SlackPirate
pip install virtualenv
virtualenv SlackPirate
source SlackPirate/bin/activate
pip install -r requirements.txt
./SlackPirate.py --help
git clone https://github.com/emtunc/SlackPirate
chmod +x SlackPirate.py
pip install -r requirements.txt
./SlackPirate.py --help
git clone https://github.com/emtunc/SlackPirate
pip install virtualenv
virtualenv SlackPirate
SlackPirate\Scripts\activate.bat
pip install -r requirements.txt
python SlackPirate.py --help
git clone https://github.com/emtunc/SlackPirate
pip install -r requirements.txt
python SlackPirate.py --help
python3 SlackPirate.py --help
python3 SlackPirate.py --interactive
python3 SlackPirate.py --cookie <cookie>
This will do the following:
python3 SlackPirate.py --token <token>
This will do the following:
True
python3 SlackPirate.py --token <token> --s3-scan
python3 SlackPirate.py --token <token> --no-s3-scan
python3 SlackPirate.py --token <token> --verbose
A public Slack Workspace has been set-up where anyone can join and discuss new features, changes, feature requests or simply ask for help. Here's the invite link: https://join.slack.com/t/slackpirate/shared_invite/zt-6o3d9tjq-PhbMxtM2o5ALgFkOB9V_dg