Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/ariary/slackspoofing

Spoof visual user identity to send message in Slack
https://github.com/ariary/slackspoofing

slack spoofing

Last synced: about 1 month ago
JSON representation

Spoof visual user identity to send message in Slack

Host: GitHub
URL: https://github.com/ariary/slackspoofing
Owner: ariary
Created: 2022-06-21T09:26:04.000Z (over 2 years ago)
Default Branch: main
Last Pushed: 2022-06-23T12:50:31.000Z (over 2 years ago)
Last Synced: 2024-11-11T03:36:25.482Z (3 months ago)
Topics: slack, spoofing
Language: Go
Homepage:
Size: 15.6 KB
Stars: 0
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Slack Impersonation

Spoof visual user identity in Slack to send message

## Usage

***Requirements:***
* Slack app with a bot token with scope `users:read` included
* Incoming webhook (do not use app incoming webhook)

*If the different flags are not provided they will be asked as input*

### » to channel
Send a message in ***`#general`*** channel spoofing `Toto RINA` visual identity:
```shell
slack-spoofer -u "Toto RINA" -c "#general" -m 'Hi !\nToday I'm the one paying for the meal!' -t $(cat .credentials.json | jq -r .bot_token) -w $(cat .credentials.json | jq -r .webhook)
```

### » to user (direct message)
Send a direct message to ***`Elon MUSK`*** spoofing `Jeff BEZOS` visual identity:
```shell
slack-spoofer dm -u "Jeff BEZOS" -r "Elon MUSK" -m 'Please find all my secrets ' -t $(cat .credentials.json | jq -r .bot_token) -w $(cat .credentials.json | jq -r .webhook)
```

## Install
```shell
git clone https://github.com/ariary/SlackSpoofing
make before.build && make build.slack-spoofer
```
## Notes

The tricks is not revolutionary:
1. Use slack app to map username -> user avatar url
2. Send message with incoming webhook with Bot username = username and Bot avatar url = user avatar url

* ***Pentester idea:*** If you obtain an incoming webhook (leak, compromised etc) you can use it. Keep in mind that the scope is linked with the webhook creator (ie. webhook can publish in private channel where the creator is whitout needing an invitation)
* Step 1 is automated here but can be manual if you do not have the permission to create slack app (view user profile, right-click on avatar, "Copy avatar url" )
* Get user id (useful to mention them in message): `slack-spoofer getid -u "[USER]" -t $(cat .credentials.json | jq -r .bot_token) -w $(cat .credentials.json | jq -r .webhook)`
* ``send a notification to all channel users and `` to all channel online users