Unlike pinned messages, if the passwords, aws-keys.txt, private-keys, urls are not found it is not acknowledged properly.
In case of specific harvesting, such as for example only credential-scan an empty folder is created inspite of no harvested data.

Steps to reproduce

• Replace CREDENTIAL_REGEX with a random value such that it does not match any message.
  CREDENTIAL_REGEX=r"lorem ipsum xyz abc mno"
  

  SlackPirate/SlackPirate.py

  Line 92 in 5014833

  CREDENTIALS_REGEX = r"(?i)(" \

  
  and replace CREDENTIALS_QUERIES with random value.
  CREDENTIALS_QUERIES = ["lorem"]
  

  SlackPirate/SlackPirate.py

  Line 38 in 5014833

  CREDENTIALS_QUERIES = ["password:", "password is", "pwd", "passwd"]

• Run $ ./SlackPirate.py --token xoxs-xxxxx --credential-scan
• Observe creation of a new folder but no passwords.txt created.

Dependabot was set up to create pull requests against the branch develop, but couldn't find it.

If the branch has been permanently deleted you can update Dependabot's target branch from your dashboard.

You can mention @dependabot in the comments below to contact the Dependabot team.

START: Attempting to find references to interesting URLs
INFO: Slack API rate limit hit - sleeping for 60 seconds
Traceback (most recent call last):
  File "SlackPirate.py", line 643, in <module>
    scan(token=provided_token, output_info=collected_output_info)
  File "SlackPirate.py", line 463, in find_interesting_links
    pagination[query] = (r['messages']['pagination']['page_count'])
KeyError: 'messages'

The above happens because it first does a HTTP request which returns 'ratelimited' as the response... the script then sleeps for 60 seconds THEN continues to look for something on the page which it can't because it's still holding the contents of the 'ratelimited' page.

Traceback (most recent call last):
File "./SlackPirate.py", line 831, in
scan(token=provided_token, scan_context=collected_scan_context)
File "./SlackPirate.py", line 680, in download_interesting_files
_retrieve_file_batch(batch, completed_file_names)
File "./SlackPirate.py", line 601, in _retrieve_file_batch
request.start()
File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/multiprocessing/process.py", line 112, in start
self._popen = self._Popen(self)
File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/multiprocessing/context.py", line 223, in _Popen
return _default_context.get_context().Process._Popen(process_obj)
File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/multiprocessing/context.py", line 277, in _Popen
return Popen(process_obj)
File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/multiprocessing/popen_fork.py", line 20, in init
self._launch(process_obj)
File "/usr/local/Cellar/python/3.7.4/Frameworks/Python.framework/Versions/3.7/lib/python3.7/multiprocessing/popen_fork.py", line 69, in _launch
parent_r, child_w = os.pipe()
OSError: [Errno 24] Too many open files

When you use the --cookie option it sends the d cookie to https://slackpirate-donotuse.slack.com

It is not clear from the readme that this will happen and what / if anything is in that slack workspace is captures all the d cookies submitted.

• Consider updating the readme to make it clear how the d cookie is used when the --cookie option is specified
• Is there a way to add transparency to the contents of the slackpirate-donotuse workspace ?

Let's use this ticket to add and vote on new scan types and data sources that can be added to the tool.

Most voted comments are prioritised first.

START: Attempting to locate and download interesting files (this may take some time)
INFO: Slack API rate limit hit - sleeping for 60 seconds
Traceback (most recent call last):
File "./SlackPirate.py", line 831, in
scan(token=provided_token, scan_context=collected_scan_context)
File "./SlackPirate.py", line 664, in download_interesting_files
new_files = [new_file for new_file in response_json['files']['matches'] if
KeyError: 'files'

Unable to get data.

this was using a token.

Python 3.7.2

[Credentials]: Attempting to find references to credentials
Traceback (most recent call last):
  File "./SlackPirate.py", line 1006, in <module>
    _interactive_command_line(args, selected_agent)
  File "./SlackPirate.py", line 937, in _interactive_command_line
    scan(token=provided_token, scan_context=collected_scan_context)
  File "./SlackPirate.py", line 393, in find_credentials
    page_count_by_query[query] = (r['messages']['pagination']['page_count'])
KeyError: 'messages'

See title..

Python 3.10.5

python3 SlackPirate.py --token xxxxxx

[INFO]: Token looks valid! URL https://xxxxx.slack.com

  File "/Users/rwiggins/tools/SlackPirate/SlackPirate.py", line 1036, in <module>
    if check_if_admin_token(token=provided_token, scan_context=collected_scan_context):
  File "/Users/rwiggins/tools/SlackPirate/SlackPirate.py", line 238, in check_if_admin_token
    return r['user']['is_admin'] or r['user']['is_owner'] or r['user']['is_primary_owner']

JSON returned. suspect account might not have the right permissions so needs to error out properly.

{
   "ok": false,
   "error": "missing_scope",
   "needed": "users:read",
   "provided": "identify,incoming-webhook,chat:write:user,chat:write:bot"
}

Currently if the script makes a query for 'password' and finds a file file1.pdf and makes another query for 'passwords' and finds the same file file1.pdf, it will download the file twice.

It should be possible to keep a list of file_id's and only download when the file_id is not in the list.

Should be fairly easy to implement I think.

Hey,
Running on Python 3.6 on Windows, I get the following stack trace

START: Attempting to find references to credentials
Traceback (most recent call last):
File "SlackPirate.py", line 454, in
find_credentials()
File "SlackPirate.py", line 274, in find_credentials
file_cleanup(file_credentials)
File "SlackPirate.py", line 434, in file_cleanup
lines = set(file.readlines())
File "C:\Program Files\Python36\lib\encodings\cp1252.py", line 23, in decode
return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x8f in position 3702: character maps to

This happens consistently

I ran the main function to extract credentials as :
$ ./SlackPirate.py --token xoxs-xxxxxxxx --credential-scan
the harvested credentials were successfully written to ./<folder>/passwords.txt

Meanwhile, in my private experimental slack workspace I have the following messages in the #general channel.

I expected the password.txt file to contain these credentials, but what I found in it is:

password is "abcdef"',
password is "abcdef"'}]}]}],
password is"',

When using python 3.5.2

Command

python3 SlackPirate.py --token xoxb-xxx

Output.

START: Attempting to find references to S3 buckets
Traceback (most recent call last):
  File "SlackPirate.py", line 831, in <module>
    scan(token=provided_token, scan_context=collected_scan_context)
  File "SlackPirate.py", line 327, in find_s3
    page_count_by_query[query] = (r['messages']['pagination']['page_count'])
KeyError: 'messages'

It would be useful to display to the user if the token they have is an admin token

So in the community with 4700 people it grabs only 900.
When I change MAX_RETRIEVAL_COUNT = 9000 it grabs only 1000.
I believe something is wrong with pagination, so he does not collect the next pages.

It appears that slack has changed the way authentication is performed. If you login to slack via a browser (i.e. chrome) you can not use the xoxc token by itself to authenticate to Slack.

From this SO post:

xoxc tokens are special tokens that are used by the web client. These tokens are cookie dependent, so even if the token is somehow stolen, it would not be very useful.

If you want to test this yourself, in incognito go to https://api.slack.com/methods/auth.test and try to use an XOXC token by itself. You will get invalid_auth. If you then login to slack, and try again, it will work. The reason is the browser (chrome) automatically adds the slack cookie in addition to the XOXC token to the request. If you open debugger tools (network tab) you will see the actual request that is being sent to slack includes both the token and cookie. E.g. in curl it looks like this (I stripped a bunch of unnecessary headers)

curl 'https://slack.com/api/auth.test?pretty=1' \
  -H 'cookie: d=xoxd-xxxx' \
  -H 'content-type: multipart/form-data; boundary=' \
  --data-raw $'--\r\nContent-Disposition: form-data; name="token"\r\n\r\nxoxc-xxx\r\n----\r\n'

I used https://curlconverter.com/ to convert the curl request to python, and then stuck those hardcoded header/data values at the top of the code as global variables and switched every method to POST, and passed those hardcoded values. E.g.

That seemed to work around the need for both cookie and token as I successfully received results in this way.

In dump_user_list(...) the r['members'] are appended to the outfile without any separation.

Putting "[ ]" around outfile to create an array and replacing every "}{" with "},{" solves this issue.
I don't know if it's best to append the commas inside the loop or do the replacing when the loop has finished.

Hi,
Slack no longer produce legacy tokens, will it accept the new style app tokens?

Also with slack you can now export all messages etc to a file, is it possible to search an exported directory of json files?

I'm getting [ERROR]: No Workspaces were found with this cookie no matter what I do.

Looking at the source it looks like it's trying to find the xoxs token by searching inside the source of "https://" + workspace + "/customize/emoji". From what I can tell that's no longer there.

It would be good to be able to specify a proxy to run all requests though.

Hi!

I suggest adding a --interactive flag which would make it even easier to go from cookie -> token -> scanning/dumping.

python SlackPirate.py --interactive and/or python SlackPirate.py --interactive --cookie COOKIE

$ python SlackPirate.py --interactive
Give me a cookie: <input cookie here> (providing the script with --interactive --cookie would skip this step)
This cookie has access to the following workspaces:
[0] https://example.slack.com
[1] https://example2.slack.com
[2] https://example3.slack.com
Select which workspace(s) to dump: <input number(s), either a single number or comma separated>

Select what you want to dump:
[A] All
[0] Dump team access logs in .json format if the token provided is a privileged token
[1] Dump the user list in .json format
[2] Find references to S3 buckets
[3] Find references to passwords and other credentials
[4] Find references to AWS keys
[5] Find references to private keys
[6] Find references to interesting URLs and links
Input: <input A for all, a single number or comma separated numbers for multiple>

The tool would then create individual folders for each workspace (like it does today) and use each token to do the dumping/scanning on each workspace.

Rather than hard-coding the user agent strings (which can be detected easily by the Blue team/detect function within a few weeks when everyone has moved on to a newer version of Chrome/Slack), provide a large-ish(?) list of user agent strings.

Maybe even hook in to a user-agent API to randomly select a relatively active/popular user-agent?

Worth thinking about

Currently the script performs HTTP requests synchronously - although there are Slack API rate limits in place, there are certain functions and calls that can benefit greatly by introducing asynchronous requests.

For example:

• File downloads - there is no need to wait for each file to download before moving on to the next. Also, as far as I can tell, there is no rate limit in place for file downloads. No reason why this function couldn't start asynchronously with the other functions in the script

• The cookie check and Workspace token grabbing feature - again, no reason why we can't make requests to the Workspace URLs all in one go rather than one at a time. On average it takes around 1 second per Workspace * total number of Workspaces to get all tokens back. This could be reduced to a couple of seconds for a large number of Workspaces.

I may need some assistance with this but in the mean time I will try and play around with some of the recommended async packages.

Sometime in the past week, Slack seems to have drastically changed the formatting of the "login to other slacks" page that is displayed when you access a Slack you don't have access to (like slackpirate-donotuse.slack.com). Now, instead of the other Slacks being actual HTML entities, they seem to be created by Javascript.

I updated my re-implementation of this technique like so: cdanis/emojifs@95190f9

Add optional --flags that can be used to turn on/off certain scans/functions.
For example, if I only want to scan for AWS keys then I should be able to execute something like this:

./SlackPirate.py --token 123 --aws-keys

or if I want to scan for AWS keys and private keys:

./SlackPirate.py --token 123 --aws-keys --private-keys

Suggestion made by @milangfx which I fully agree with:

Currently the tool simply appends all results to existing files if they exist. This can mix results up and cause unintended consequences.

A better way of creating output files is to create new, timestamped ones. The added benefit of doing it this way is you have the option of diff'ing the output files.

Hi,
Is it possible for passwords, aws keys, urls and s3 to have where they've come from added to the text doc?
Its awesome having a list, but I need to track down the users/channels that these relate to

Thanks