Slack post-exploitation script for leaked bot tokens and "d" cookies
Project description
Slackattack
Background
Slackattack is a Python script designed to interact with Slack's API using a Slack token or cookie that you may obtain during an engagement. It supports Slack's new API authentication model, allowing you to demonstrate the risks associated with plaintext Slack bot tokens and achieve your objectives!
Description
Slackattack can perform various enumeration tasks, such as dumping channel information, downloading files, and enumerating users. It offers the following capabilities:
- Get Channel List: Retrieve a list of channels in your Slack workspace.
- Get File URLs: Obtain a list of file URLs within specific Slack channels.
- Download Files: Download files from Slack channels to your local machine.
- Get User List: Retrieve a list of users in your Slack workspace.
- Pillage conversations: Leverages detect-secrets libraries to automatically find secrets in files and conversations.
python3 slackattack.py --examples
Examples of usage:
Using a Slack API token:
python slackattack.py --token xoxb-1234567890 --list-users
python slackattack.py --token xoxb-1234567890 --list-channels
python slackattack.py --token xoxb-1234567890 --test
python slackattack.py --token xoxb-1234567890 --check-permissions
python slackattack.py --token xoxb-1234567890 --pillage
Using a user-supplied cookie:
python slackattack.py --cookie xoxd-abcdefghijklmn --workspace-url https://your-workspace.slack.com --list-users
python slackattack.py --cookie xoxd-abcdefghijklmn --workspace-url https://your-workspace.slack.com --list-channels
python slackattack.py --cookie xoxd-abcdefghijklmn --workspace-url https://your-workspace.slack.com --test
python slackattack.py --cookie xoxd-abcdefghijklmn --workspace-url https://your-workspace.slack.com --check-permissions
python slackattack.py --cookie xoxd-abcdefghijklmn --workspace-url https://your-workspace.slack.com --pillage
Installation
From Pypi with Pip:
pip install slackattack
From Github
git clone https://github.com/fr4nk3nst1ner/slackattack.git
cd slackattack
pip3 install -r requirements.txt
Usage
You can use Slackattack with various command-line arguments to perform specific actions. Here's how to use each argument:
-
Token: You need to provide your Slack API token as an argument for authentication. Replace
YOUR_TOKENwith your actual token. -
Cookie: You can alternatively use a "xoxd-" cookie for authentication. It will automate the processes involved to retrieve the "xoxc-" session cookie to interact with the API. Replace
YOUR_COOKIEwith your actual cookie.
Note: you must supply the --workspace-url https://[workspace].slack.com when you pass the --cookie argument
Want to quickly get the l00t and move on?
Use the --pillage argument to scan conversations for secrets
python3 slackattack.py --cookie YOUR_COOKIE --workspace-url https://[workspace].slack.com --pillage
Check the permissions and what you can do with your token or cookie
Use the --check-permissions argument to list permissions and return commands you can run:
python3 slackattack.py --token YOUR_TOKEN --check-permissions
or
python3 slackattack.py --cookie 'YOUR_COOKIE' --workspace-url https://[workspace].slack.com --check-permissions
Get Channel List
Retrieve a list of channels in your Slack workspace:
python3 slackattack.py --token YOUR_TOKEN --list-channels
or
python3 slackattack.py --cookie 'YOUR_COOKIE' --workspace-url https://[workspace].slack.com --list-channels
Get File URLs
Retrieve file URLs for a specific channel using the --channel argument:
python3 slackattack.py --token YOUR_TOKEN --list-file-urls --channel CHANNEL_ID
or
python3 slackattack.py --cookie 'YOUR_COOKIE' --workspace-url https://[workspace].slack.com --list-file-urls --channel CHANNEL_ID
Download Files
Download files from Slack channels:
python3 slackattack.py --token YOUR_TOKEN --download-files
or
python3 slackattack.py --cookie 'YOUR_COOKIE' --workspace-url https://[workspace].slack.com --download-files
Get User List
Retrieve a list of users in your Slack workspace:
python3 slackattack.py --token YOUR_TOKEN --list-users
or
python3 slackattack.py --cookie 'YOUR_COOKIE' --workspace-url https://[workspace].slack.com --list-users
Replace YOUR_TOKEN, YOUR_COOKIE, and other placeholders with your actual Slack API token, cookie, and workspace when running the commands.
Remember, you must supply the --workspace-url https://[workspace].slack.com when you pass the --cookie argument
Feel free to contribute to this project or report any issues by creating a GitHub issue or pull request.
Happy Slack hacking!
Shoutouts
Props to the author of Slack Pirate. While there may be other tools out there that have solved this problem, Slack Pirate was my main source of inspiration when creating this tool beyond just the one-off proof of concept that solved my unique need.
Quick Note on "d" Cookies
The "d" cookie can be used to interact with the Slack API. This d cookie is used to get a user session token. Normally this all happens on the backend without the user knowing it. However, there area series of steps we must take in order to convert that d cookie in to a xoxc-* user session token.
This is handled by you automatically when you pass the --cookie [d cookie value here]. When you pass the cookie, it should be passed in the same "smart" encoded (special characters only encoded) format as if it were being passed through the browser. If you need an example of this, just log in to Slack and grab your d cookie value from the browser developer tools or Burp.
For more information on this, see this article.
To Do
- Add functionality to return associated permissions for supplied token or cookie.
- Add functionality to identify secrets or sensitive data from files or conversations (e.g., regex).
- Add support and distinguish usability from bot and user tokens.
- Add functionality to support cookie auth.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file slackattack-1.2.4.tar.gz.
File metadata
- Download URL: slackattack-1.2.4.tar.gz
- Upload date:
- Size: 15.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 6ef53277699ffcaac9cf0749eeed088e10bddd67417b3b9279d487aef17a856d |
|
| MD5 | e58696e4740fbe6b2270158449cc8cd6 |
|
| BLAKE2b-256 | f7ae7788458bfab7b1134efd544c088eaf8fab0259772208d61a7abe0f82390a |
File details
Details for the file slackattack-1.2.4-py3-none-any.whl.
File metadata
- Download URL: slackattack-1.2.4-py3-none-any.whl
- Upload date:
- Size: 13.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.9.20
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 2ba1b88eaa985e72952b8ae77bee5d5f8c25e244255be7f58e2a004d85e45568 |
|
| MD5 | 31cf1bd1fbef535763f224542c7ca64b |
|
| BLAKE2b-256 | 67a82817b7227e4fe9f41ea0b9e51d94e07a08fea7d89da485bce7c942457e24 |
