{"id":13792930,"url":"https://github.com/PaperMtn/slack-watchman","last_synced_at":"2025-05-12T17:31:39.809Z","repository":{"id":56426240,"uuid":"258988017","full_name":"PaperMtn/slack-watchman","owner":"PaperMtn","description":"Slack enumeration and exposed secrets detection tool","archived":false,"fork":false,"pushed_at":"2024-09-27T20:41:16.000Z","size":2385,"stargazers_count":303,"open_issues_count":0,"forks_count":36,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-09-27T20:49:24.781Z","etag":null,"topics":["blue-team","blueteam","cybersecurity","infosec","monitoring","purple-team","purpleteam","red-team","redteam","slack","slack-api","slack-workspaces","tools"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PaperMtn.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-04-26T09:16:51.000Z","updated_at":"2024-09-27T20:40:48.000Z","dependencies_parsed_at":"2024-09-14T11:17:24.291Z","dependency_job_id":"3c2f824e-d25d-4d7e-a999-75e6701abb8a","html_url":"https://github.com/PaperMtn/slack-watchman","commit_stats":{"total_commits":130,"total_committers":3,"mean_commits":"43.333333333333336","dds":0.06153846153846154,"last_synced_commit":"f5a896f49751f0cebcd46f11f71b9066bc8d6a9d"},"previous_names":[],"tags_count":28,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Fslack-watchman","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/PaperMtn%2Fslack-watchman/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Fslack-watchman/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PaperMtn%2Fslack-watchman/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PaperMtn","download_url":"https://codeload.github.com/PaperMtn/slack-watchman/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225144934,"owners_count":17427894,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","blueteam","cybersecurity","infosec","monitoring","purple-team","purpleteam","red-team","redteam","slack","slack-api","slack-workspaces","tools"],"created_at":"2024-08-03T22:01:18.401Z","updated_at":"2025-05-12T17:31:39.796Z","avatar_url":"https://github.com/PaperMtn.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)","Инструменты"],"sub_categories":["Поиск секретов"],"readme":"\u003cimg src=\"https://i.imgur.com/jeU9F0a.png\" width=\"550\"\u003e\n\n# Slack Watchman\n![Python 2.7 and 3 compatible](https://img.shields.io/pypi/pyversions/slack-watchman)\n![PyPI version](https://img.shields.io/pypi/v/slack-watchman.svg)\n![License: MIT](https://img.shields.io/pypi/l/slack-watchman.svg)\n\nMonitoring and enumerating Slack for exposed secrets\n\n## About Slack Watchman\n\u003cimg src=\"/images/slack_watchman.png\" width=\"500\"\u003e\n\nSlack Watchman is an application that uses the Slack API to find potentially sensitive data 
exposed in a Slack workspace, and to enumerate other useful information for red, blue and purple teams.\n\nMore information about Slack Watchman can be found [on my blog](https://papermtn.co.uk/slack-watchman-monitoring-slack-workspaces-for-sensitive-information/).\n\n### Features\n#### Secrets Detection\n\u003cimg src=\"/images/slack_watchman_finding.png\" width=\"500\"\u003e\n\nSlack Watchman looks for:\n\n- API Keys, Tokens \u0026 Service Accounts\n  - AWS, Azure, GCP, Google API, Slack (keys \u0026 webhooks), Twitter, Facebook, GitHub and more\n  - Generic Private keys\n  - Access Tokens, Bearer Tokens, Client Secrets, Private Tokens\n- Files\n    - Certificate files\n    - Potentially interesting/malicious/sensitive files (.docm, .xlsm, .zip etc.)\n    - Executable files\n    - Keychain files\n    - Config files for popular services (Terraform, Jenkins, OpenVPN and more)\n- Personal Data\n    - Leaked passwords\n    - Passport numbers, Dates of birth, Social security numbers, National insurance numbers and more\n- Financial data\n    - Paypal Braintree tokens, Bank card details, IBAN numbers, CUSIP numbers and more\n\n#### Time based searching\nYou can run Slack Watchman to look for results going back as far as:\n- 24 hours\n- 7 days\n- 30 days\n- All time\n\n#### Enumeration\n\u003cimg src=\"/images/slack_watchman_enumeration.png\" width=\"500\"\u003e\n\nIt also enumerates the following:\n- User data\n    - All users \u0026 all admins\n- Conversation data\n    - All conversations, including externally shared conversations\n    - All conversations that include a Slack Canvas (which often contain sensitive or important information)\n- Workspace authentication options\n\n\nThis means after one deep scan, you can schedule Slack Watchman to run regularly and only return results from your chosen timeframe.\n\n#### Unauthenticated Probe\n\u003cimg src=\"/images/slack_watchman_probe.png\" width=\"500\"\u003e\n\nYou can run Slack Watchman in unauthenticated probe mode 
to enumerate authentication options and other information on a Workspace. This doesn't need a token, and returns:\n\n- Workspace name\n- Workspace ID\n- Approved domains (which can create accounts)\n- OAuth providers\n- SSO auth status\n- Two-factor requirements\n\nTo run this mode, use Slack Watchman with the `--probe` flag and the workspace domain to probe:\n\n```commandline\nslack-watchman --probe https://domain.slack.com\n```\n\n### Signatures\nSlack Watchman uses custom YAML signatures to detect matches in Slack. These signatures are pulled from the central [Watchman Signatures repository](https://github.com/PaperMtn/watchman-signatures). Slack Watchman automatically updates its signature base at runtime to ensure it's using the latest signatures to detect secrets.\n\n#### Suppressing Signatures\nYou can define signatures that you want to disable when running Slack Watchman by adding their IDs to the `disabled_signatures` section of the `watchman.conf` file. For example:\n\n```yaml\nslack_watchman:\n  token: ...\n  cookie: ...\n  url: ...\n  disabled_signatures:\n    - tokens_generic_bearer_tokens\n    - tokens_generic_access_tokens\n```\n\nYou can find the ID of a signature in the individual YAML files in the [Watchman Signatures repository](https://github.com/PaperMtn/watchman-signatures).\n\n### Logging\n\nSlack Watchman gives the following logging options:\n- Terminal-friendly Stdout\n- JSON to Stdout\n\nSlack Watchman defaults to terminal-friendly stdout logging if no option is given. This is designed to be easier for humans to read.\n\nJSON logging is also available, which is perfect for ingesting into a SIEM or other log analysis platforms.\n\nJSON formatted logging can be easily redirected to a file as below:\n```commandline\nslack-watchman --timeframe a --all --output json \u003e\u003e slack_watchman_log.json\n```\n\n## Authentication Requirements\n### Slack API token\nTo run Slack Watchman, you will need a Slack API OAuth access token. 
You can get one by creating a simple [Slack App](https://api.slack.com/apps).\n\nThe app needs to have the following **User Token Scopes** added:\n```\nchannels:read\nfiles:read\ngroups:read\nim:read\nlinks:read\nmpim:read\nremote_files:read\nsearch:read\nteam:read\nusers:read\nusers:read.email\n```\n**Note**: User tokens act on behalf of the user who authorises them, so I would suggest you create this app and authorise it using a service account; otherwise the app will have access to your private conversations and chats.\n\n#### App Manifest\nSlack apps can be created from JSON manifests which define the details of the application and the scopes to approve. The app manifest for Slack Watchman can be found in [docs/app_manifest.json](/docs/app_manifest.json); you can use this to speed up creating your Slack app.\n\n### Cookie Authentication\nAlternatively, Slack Watchman can authenticate to Slack using a user `d` cookie, which is stored in the browser of each user logged into a workspace.\n\nTo use cookie authentication, you will need to provide the `d` cookie and the URL of the target workspace. Then you will need to use the `--cookie` flag when running Slack Watchman.\n\nMore information on cookie authentication can be found [on my blog](https://papermtn.co.uk/category/tools/slack-watchman/).\n#### Providing tokens\nSlack Watchman will first try to get the Slack token (plus the cookie token and URL if selected) from the environment variables:\n- `SLACK_WATCHMAN_TOKEN`\n- `SLACK_WATCHMAN_COOKIE`\n- `SLACK_WATCHMAN_URL`\n\nIf this fails, it will try to load the token(s) from the `watchman.conf` file (see below).\n\n#### watchman.conf file\nConfiguration options can be passed in a file named `watchman.conf` which must be stored in your home directory. 
The file should follow the YAML format, and should look like the example below:\n```yaml\nslack_watchman:\n  token: xoxp-xxxxxxxx\n  cookie: xoxd-%2xxxxx\n  url: https://xxxxx.slack.com\n  disabled_signatures:\n    - tokens_generic_bearer_tokens\n    - tokens_generic_access_tokens\n```\nSlack Watchman will look for this file at runtime, and use the configuration options from here. If you are not using cookie auth, leave `cookie` and `url` blank.\n\nIf you are having issues with your .conf file, run it through a YAML linter.\n\nAn example file is in `docs/example.conf`.\n\n**Note**: Cookie and URL values are optional, and not required if not using cookie authentication.\n\n## Installation\nYou can install the latest stable version via pip:\n\n```commandline\npython3 -m pip install slack-watchman\n```\n\nOr build from source yourself:\n\nDownload the release source files, then from the top level of the repository run:\n```commandline\npython3 -m pip install build\npython3 -m build\npython3 -m pip install --force-reinstall dist/*.whl\n```\n\n## Docker Image\n\nSlack Watchman is also available from Docker Hub as a Docker image:\n\n`docker pull papermountain/slack-watchman:latest`\n\nYou can then run Slack Watchman in a container, making sure you pass the required environment variables:\n\n```commandline\n# help\ndocker run --rm papermountain/slack-watchman -h\n\n# scan all\ndocker run --rm -e SLACK_WATCHMAN_TOKEN=xoxp... 
papermountain/slack-watchman --timeframe a --all --output json\ndocker run --rm --env-file .env papermountain/slack-watchman --timeframe a --all --output stdout\n```\n\n## Usage\nSlack Watchman will be installed as a global command, use as follows:\n```commandline\nusage: slack-watchman [-h] [--timeframe {d,w,m,a}] [--output {json,stdout}] [--version] [--all] [--users] [--channels] [--pii] [--secrets] [--debug] [--verbose] [--cookie] [--probe PROBE_DOMAIN]\n\nMonitoring and enumerating Slack for exposed secrets\n\noptions:\n  -h, --help            show this help message and exit\n  --timeframe {d,w,m,a}, -t {d,w,m,a}\n                        How far back to search: d = 24 hours w = 7 days, m = 30 days, a = all time\n  --output {json,stdout}, -o {json,stdout}\n                        Where to send results\n  --version, -v         show program's version number and exit\n  --all, -a             Find secrets and PII\n  --users, -u           Enumerate users and output them to .csv in the current working directory\n  --channels, -c        Enumerate channels and output them to .csv in the current working directory\n  --pii, -p             Find personal data: DOB, passport details, drivers licence, ITIN, SSN etc.\n  --secrets, -s         Find exposed secrets: credentials, tokens etc.\n  --debug, -d           Turn on debug level logging\n  --verbose, -V         Turn on more verbose output for JSON logging. This includes more fields, but is larger\n  --cookie              Use cookie auth using Slack d cookie. REQUIRES either SLACK_WATCHMAN_COOKIE and SLACK_WATCHMAN_URL environment variables set, or both values set in watchman.conf\n  --probe PROBE_DOMAIN  Perform an un-authenticated probe on a workspace for available authentication options and other information. 
Enter workspace domain to probe\n  ```\n\nYou can run Slack Watchman to look for everything, and output to default stdout:\n\n```commandline\nslack-watchman --timeframe a --all\n```\n\n## Other Watchman apps\nYou may be interested in the other apps in the Watchman family:\n- [Slack Watchman for Enterprise Grid](https://github.com/PaperMtn/slack-watchman-enterprise-grid)\n- [GitLab Watchman](https://github.com/PaperMtn/gitlab-watchman)\n- [GitHub Watchman](https://github.com/PaperMtn/github-watchman)\n\n## License\nThe source code for this project is released under the [GNU General Public Licence](https://www.gnu.org/licenses/licenses.html#GPL). This project is not associated with Slack Technologies or Salesforce.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPaperMtn%2Fslack-watchman","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPaperMtn%2Fslack-watchman","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPaperMtn%2Fslack-watchman/lists"}