{"id":17584484,"url":"https://github.com/nof0rte/slack-slurp","last_synced_at":"2025-04-28T17:17:21.827Z","repository":{"id":56854974,"uuid":"524265950","full_name":"NoF0rte/slack-slurp","owner":"NoF0rte","description":"Pentesting post exploitation tool for slack","archived":false,"fork":false,"pushed_at":"2024-09-13T18:57:35.000Z","size":301,"stargazers_count":20,"open_issues_count":5,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-28T17:17:13.850Z","etag":null,"topics":["go","golang","pentest-tool","pentesting","postexplotation","slack"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NoF0rte.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-13T01:14:18.000Z","updated_at":"2024-10-25T17:40:58.000Z","dependencies_parsed_at":"2024-04-08T20:48:15.778Z","dependency_job_id":"d6ce9061-732a-49cc-9d14-93f4a5f7f2c1","html_url":"https://github.com/NoF0rte/slack-slurp","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NoF0rte%2Fslack-slurp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NoF0rte%2Fslack-slurp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NoF0rte%2Fslack-slurp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NoF0rte%2Fslack-slurp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NoF0rte","
download_url":"https://codeload.github.com/NoF0rte/slack-slurp/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251352639,"owners_count":21575865,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","pentest-tool","pentesting","postexplotation","slack"],"created_at":"2024-10-22T02:06:24.634Z","updated_at":"2025-04-28T17:17:21.799Z","avatar_url":"https://github.com/NoF0rte.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Slack-Slurp\nWhat is slack-slurp? Slack-slurp is a pentesting social post-exploitation tool for Slack. It uses Slack's API to search through messages and [trufflehog's](https://github.com/trufflesecurity/trufflehog) secrets detectors to slurp up any juicy information. This is a work in progress and more is sure to come. Features, bug reports, and pull requests are very much welcome! I am a better coder than I am documenter so I apologize for the lack of documentation.\n\n## Authentication\nSince `slack-slurp` mainly uses Slack's API, authentication tokens are required to use the tool. If a normal user's credentials or session were stolen, two tokens are required. Only one token is required if a Slack bot token was retrieved, though the tool might not fully work depending on the permissions of the token.\n\n### As a normal user\nThe first required token for authenticating as a normal user is the value of the `d` cookie, which starts with `xoxd-`. This cookie is set to HttpOnly so the cookie must be retrieved manually. 
Log in to Slack using a web browser, then search for the `d` cookie using the browser's developer tools.\n\n![D Cookie](res/Slack-d-Cookie.png)\n\nThe second required token is what I am calling the workspace API token, which starts with `xoxc-`. To get this token, run the following JavaScript in the web browser's console window:\n```js\nvar localConfig = JSON.parse(localStorage.localConfig_v2)\nlocalConfig.teams[localConfig.lastActiveTeamId].token\n```\n\n![Workspace API Token](res/Workspace-Token.png)\n\n#### **Troubleshooting**\nIf you run into authentication issues via `slack-slurp`, you might need to grab the `d-s` cookie value as shown here.\n\n![D-S Cookie](res/Slack-d-s-Cookie.png)\n\nThis value seems to be a timestamp for the `d` cookie and is sometimes required. \n\n### As a bot\nThe only thing required to authenticate as a bot is the bot API token, which starts with `xoxb-`. Depending on the scopes assigned to the bot, `slack-slurp` may not work.\n\n## Trufflehog Detectors\nTo have pretty robust secret slurping, I opted to use trufflehog's [detectors](https://github.com/trufflesecurity/trufflehog/tree/main/pkg/detectors). There are a myriad of secret detectors used within trufflehog. These are well tested, offer ways to verify the found secrets, and cover a very wide range of commonly used services. Currently only the following detectors are supported within `slack-slurp`:\n\n- auth0managementapitoken\n- aws\n- azure\n- censys\n- cloudflareapitoken\n- cloudflarecakey\n- digitaloceantoken\n- discordbottoken\n- discordwebhook\n- dropbox\n- gcp\n- generic\n- github\n- github_old\n- githubapp\n- gitlab\n- gitlabv2\n- heroku\n- jiratoken\n- microsoftteamswebhook\n- okta\n- pastebin\n- privatekey\n- shodankey\n- slack\n- slackwebhook\n- terraformcloudpersonaltoken\n- uri\n\n### Custom Detectors\nCustom secret detectors can be added to the config file. 
The custom detectors just require a name, a keyword list, and regex patterns and look like the following:\n```yaml\ncustom-detectors:\n  - name: \"Custom Detector\"\n    keywords:\n      - pass\n      - api\n    patterns:\n      - password\\s*=\\s*(.*)$\n      - api_key\\s*=\\s*(.*)$\n```\n\n## CLI\n### Installation\nThe `slack-slurp` CLI requires go1.19+ to install successfully. Run the following command to install the CLI:\n```\ngo install github.com/NoF0rte/slack-slurp@latest\n```\n\n### Config\nThe `.slack-slurp.yaml` config file contains the various configurable settings for `slack-slurp`\n```yaml\napi-token: \"\"\nd-cookie: \"\"\nds-cookie: \"\"\ndetectors:\n    - auth0managementapitoken\n    - aws\n    - azure\n    - censys\n    - cloudflareapitoken\n    - cloudflarecakey\n    - digitaloceantoken\n    - discordbottoken\n    - discordwebhook\n    - dropbox\n    - gcp\n    - generic\n    - github\n    - github_old\n    - githubapp\n    - gitlab\n    - gitlabv2\n    - heroku\n    - jiratoken\n    - microsoftteamswebhook\n    - okta\n    - pastebin\n    - privatekey\n    - shodankey\n    - slack\n    - slackwebhook\n    - terraformcloudpersonaltoken\n    - uri\ncustom-detectors: []\ndomains: []\n```\n- **`api-token`**: Either the user or bot token. User tokens start with `xoxc-` and bot tokens start with `xoxb-`.\n- **`d-cookie`**: The value of the `d` cookie when logged into the Slack web interface. Not required when the `api-token` is a bot token.\n- **`ds-cookie`**: The value of the `d-s` cookie when logged into the Slack web interface. This seems to be a timestamp value for the `d` cookie and is only sometimes needed. Not required when the `api-token` is a bot token.\n- **`detectors`**: A list of trufflehog detectors to use when slurping secrets from Slack. Refer to [Trufflehog Detectors](#trufflehog-detectors) for which detectors `slack-slurp` supports.\n- **`custom-detectors`**: A list of custom detectors to use when slurping secrets from Slack. 
Refer to [Custom Detectors](#custom-detectors) for more information.\n- **`domains`**: A list of domains/subdomains used to slurp domains from Slack. For example, if `example.com` was in the list of domains, Slack would be searched for any messages that contained `example.com` and any subdomains.\n\nTo create a default config file, run the following:\n```\nslack-slurp config -s\n```\nThis creates the `.slack-slurp.yaml` config file with default values in the current directory.\n\n### Usage\n```\n$ slack-slurp --help\n\nSlurp juicy slack related info\n\nUsage:\n  slack-slurp [command]\n\nAvailable Commands:\n  channels    Returns channels accessible to the current user. This can include public/private channels and group/direct messages\n  completion  Generate the autocompletion script for the specified shell\n  config      Display config information\n  domains     Slurp domains\n  help        Help about any command\n  search      Search slack messages\n  secrets     Slurp secrets\n  users       Slurp users\n  whoami      Test credentials\n\nFlags:\n      --config string      config file (default is $HOME/.slack-slurp.yaml)\n  -c, --cookie string      Slack d cookie. The token should start with xoxd. This is not needed if authenticated as a bot.\n      --ds-cookie string   Slack d-s cookie. This is not needed if authenticated as a bot.\n  -h, --help               help for slack-slurp\n      --threads int        Number of threads to use (default 10)\n  -t, --token string       Slack API token. The token should start with xoxc if authenticating as a normal user or xoxb if authenticating as a bot.\n\nUse \"slack-slurp [command] --help\" for more information about a command.\n```\n\n#### Whoami\nThe `whoami` command will simply test the provided credentials (token, `d` cookie and `d-s` cookie). 
 \n\nIf successful, the command will display the current user's name:\n```\n$ slack-slurp whoami\n\n[+] Current user: example.user\n```\n\nIf unsuccessful, `invalid_auth` is displayed.\n\n#### Channels\nThe `channels` command returns channels accessible to the current user. This can include public/private channels and group/direct messages. By default, it will return public/private channels and group/direct messages. The output is saved to a `slurp-channels.json` file by default, but this can be changed.\n\nTo output to the console:\n```\nslack-slurp channels -o -\n```\n\nTo get only private channels:\n```\nslack-slurp channels -T private\n```\n\nTo get direct and group messages:\n```\nslack-slurp channels -T direct -T group\n```\n\n#### Domains\n\n#### Search\n#### Secrets\n#### Users\n\n## Library\n### Installation\nRun the following command to install the module in your application:\n```\ngo get github.com/NoF0rte/slack-slurp@latest\n```\nThen use the following to import it:\n```golang\nimport \"github.com/NoF0rte/slack-slurp/pkg/slurp\"\n```\n### Slurp Client\nTo create a slurp client (slurper), only the authentication tokens are required:\n```golang\ncfg := slurp.Config{\n    APIToken: \"xoxc-xxxxxxx\",\n    DCookie:  \"xoxd-xxxxxxx\",\n}\n\nslurper := slurp.New(\u0026cfg)\n```\nOptionally, the default domains to slurp and secret detectors can be set via:\n```golang\ncfg := slurp.Config{\n    APIToken: \"xoxc-xxxxxxx\",\n    DCookie:  \"xoxd-xxxxxxx\",\n    Domains: []string{\n        \"company.com\",\n        \".local\",\n    },\n    Detectors: []string{\n        \"aws\",\n        \"generic\",\n        \"github\",\n        \"github_old\",\n        \"githubapp\",\n        \"gitlab\",\n        \"gitlabv2\",\n        \"heroku\",\n        \"jiratoken\",\n        \"microsoftteamswebhook\",\n        \"okta\",\n    },\n}\n\nslurper := slurp.New(\u0026cfg)\n```\n\n### Searching\n#### Messages\nTo search Slack messages, the `SearchMessages(query)` and `SearchMessagesAsync(query)` methods 
can be used. The `SearchMessages` method will only return all messages containing the query once all results have been retrieved.\n\n```golang\nmessages, err := slurper.SearchMessages(\"my first query\")\nif err != nil {\n    panic(err)\n}\n\nfor _, message := range messages {\n    fmt.Println(message)\n}\n```\nThe `SearchMessagesAsync` method is the same as `SearchMessages` except it sends each message as it is found through the returned channel.\n```golang\nmessageChan, errorChan := slurper.SearchMessagesAsync(\"my first query\")\n\nLoop:\nfor {\n    select {\n    case message, ok := \u003c-messageChan:\n        if !ok {\n            break Loop\n        }\n\n        fmt.Println(message)\n\n    case err = \u003c-errorChan:\n        close(messageChan)\n    }\n}\nclose(errorChan)\n```\n#### Files\n\n### Get Channels\n\n### Get Users\n\n### Slurp Secrets\n\n### Slurp Domains\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnof0rte%2Fslack-slurp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnof0rte%2Fslack-slurp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnof0rte%2Fslack-slurp/lists"}