Slack Recon and Phishing with “Slackhound”

Brad Richardson
8 min read · Nov 13, 2020


Slack is a widely used communication platform relied on by many companies. During past red team engagements our team found ourselves relying on Slack heavily during offensive operations for reconnaissance, social engineering, and lateral movement. Slack features provide answers to real-time operational questions, such as which users are away or online, on vacation, work in specific offices, go by a preferred first name, or work on a specific team or product. Slack phishing messages carry a higher inherent trust level and result in a higher success rate because the messages appear to come from inside the company and from a known person. In my opinion Slack has become such a valuable tool during red team operations for enumerating people, environments, and phishing users of the organization that I decided to write a Python-based utility called “Slackhound” that can be used to speed up common discovery techniques, such as enumerating employee names, email addresses, phone numbers, departments, locations, time zones, channels, away or active status, and quickly writing that data into spreadsheets for offline review. Additionally, “Slackhound” implements a function for rapidly searching for sensitive items like passwords, SSH keys, tokens, and files.

A Red Teamer’s Perspective on SaaS Applications

Other offensive security researchers have written about similar Slack uses in offensive security operations. Actual threat actors and APTs are likely using similar tactics and more. Does your CFO use messaging and send files on your corporate Slack workspace? Then there are probably risks your company is overlooking that should be reviewed.

As companies use more SaaS and Cloud-based applications, offensive security teams can take advantage of these “in front of the corporate perimeter” apps like Slack for phishing and reconnaissance without needing to first obtain internal network access to the application. Slack is a great example because it lives outside the traditional network perimeter, it contains detailed directory-like objects about users, it’s a newer attack vector that employees haven’t been trained on for security awareness, and once an attacker obtains access to a Slack account, they can watch, learn, collect info, and directly interact with the entire company.

It’s important to know that Slack web-based session cookies are valid for 1 year by default. So, for example, if an attacker gains access to an employee’s Okta session or Single Sign-On account credentials via phishing, social engineering, account brute-force, or other methods, the attacker could potentially persist within your organization’s Slack for an extended period of time. It’s also worth noting that other security researchers have documented that an attacker only needs to download the Slack/cookies and Slack/slack-workspaces files from a compromised laptop to gain access to the app-based version of Slack.

Introducing “Slackhound”

Slackhound takes its name from the awesome Active Directory reconnaissance tool “Bloodhound”. Like Bloodhound, Slackhound can quickly dump out user objects from Slack, including account names, first/last names, departments, email addresses, phone numbers, titles, and locations. Beyond what LDAP objects hold, Slack also contains pictures, emojis, activity status, local time zone, uploaded files, and more. Unlike a lot of Active Directory tools (especially ones written in PowerShell), Slackhound isn’t likely to be detected by blue teams.

Slackhound Instructions and Download

Slackhound relies on Python v3. You can download Slackhound and find instructions and requirements here.

Getting a Slack Token

Slackhound reconnaissance functions are intended to require only low, user-level scopes and not rely on any admin privileges. However, Slack supports very granular OAuth privilege scopes, so depending on the organization’s workspace settings a token’s access may be limited. Typically though, any “user” token will have the required scope to use the “-a” Slackhound option, which exports important details such as all email addresses, phone numbers, team ID, user ID, first/last names, and profile details.

Once you have access to a Slack account via a web browser, you can locate the “user” token that Slackhound uses to perform Web API operations on behalf of that account by following these steps.

  1. In Chrome, click the “three dots” in the upper right-hand corner.
  2. Click on “More Tools” -> “Developer Tools”.
  3. Select the “Network” and “Headers” views in the right-side pane of Developer Tools.
  4. While logged into Slack, visit https://<workspace>.slack.com/customize/emoji
  5. Now either filter for “xoxs-” or “xoxp-” tokens OR look for the page result with a name of “client.boot” or “?token=”. This will contain the Slack token.
Locating the Slack token
  6. Copy the token (starts with xoxs- or xoxp-) and paste it into the token.txt file located in the Slackhound directory.
  7. That’s it. Slackhound is ready for use.

Slackhound features and purpose

Here are some of the Slackhound options I thought would be most useful to red team operations when I wrote this tool.

“-a” Dumps all user info from Slack Workspace to a CSV file named “slack_objects_dump.csv”. This is similar to dumping all user objects and properties in Active Directory except you aren’t likely to trigger any alarms.

When you open the CSV you’ll find some really important items for recon, including Slack ID, Name, Title, Time Zone, Phone Number, Email address, and the other data elements associated with each user, as you would find in the Slack app.

Notice profile details like email addresses and phone numbers

Output and fields from slack_objects_dump.csv

Also, you’ll see whether the Slack user is listed as an “admin” or “Owner” of the workspace. The field “updated” represents the time stamp of the user’s last activity.

Output and fields from slack_objects_dump.csv

-b Each workspace user has a unique ID. This option will fetch a specific user’s properties via Slack ID.

-c During red team engagements I find that it is really helpful to know if targets are currently online or away so that time isn’t wasted. This option will check and report if a user is online.

A quick check to verify user is currently active

-d Find Slack user by email address. Once you gain access to a Slack account during an engagement, you should probably run the “-a” option immediately and get an offline export of the complete user workspace which will include all individual Slack IDs. However, if you want to find Slack users via email address you can with the -d option.

-e This option will return the location and timezone of a Slack user. I found this to be critical information during “Slack Phishing” operations because Slack direct messages might be replied to during red team off-hours if a recipient is in another time zone. If that happens and the real Slack user sees the message before the red team can mute or hide the conversation then the Slack user account being abused by the red team may be discovered and reported to the SOC/Blue Team and result in the account being “burned” and red team’s cover blown. Therefore, I recommend using this option to know the timezones and locations for targets and victim accounts.

A quick lookup for user’s email address, name, and time zone

-g Will list all Slack channels for a workspace. This can be really helpful for picking phishing targets that are NOT in a company Security or Help Desk channel. Combined with the “-i” option, the -g option can also assist with grouping targets into common projects, interest groups, or themes. For example, if a channel named “NY Mets Fans” exists then a spear phish email themed “Mets Game Outing” or similar to all members of that channel may be fruitful.

-i Get channels a Slack user ID is a member of.

-j Searches the files, messages, and posts the Slack account has access to for a keyword and puts the results into a CSV file called “slack_objects_search.csv” for offline review. Red teams must work fast and this option helps you quickly search for juicy items like “password”, “secret”, “sensitive”, “confidential”, “key”, and “token”. Results include the channel the item was found in, the Slack ID, and the username that shared the content. BONUS: The output includes the Slack permalink URL for downloading the files or archived messages.

Results returned with totals for found messages, files and posts
Permalinks for downloading example file “secret.txt”

Considerations for SOC and Blue Teams

I also believe blue teams can benefit from using Slackhound.

First, blue teams can benefit from fast CLI access to directory-like information especially since LDAP queries can be painful on Macs and not everyone uses a domain-joined Windows computer. Second, SOC, Compliance, and other security defenders can use Slackhound to sweep Slack workspaces for sensitive data unintentionally stored in Slack channels and messages.
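For the second blue-team use above, the sweep for sensitive data, the raw keyword hits from a search usually include many harmless mentions (policy reminders, “I changed my password”). The following is an added example, not Slackhound’s own code: it triages a Slack `search.messages`-shaped result, keeps only matches that look like an actual credential or token, and writes the channel, poster and permalink an analyst needs for clean-up. The response structure follows the public Web API docs; the IDs, text and links in the sample are constructed.

```python
import csv
import io
import re

# Constructed sample shaped like a Slack search.messages response
# (field names per the public Web API docs; IDs, text and links are made up).
SAMPLE_RESPONSE = {"ok": True, "messages": {"total": 3, "matches": [
    {"channel": {"id": "C0EXAMPLE1", "name": "devops"}, "user": "U0EXAMPLE1",
     "username": "alice", "ts": "1605200000.000100",
     "text": "staging db password is Hunter2!2020 please rotate later",
     "permalink": "https://example.slack.com/archives/C0EXAMPLE1/p1605200000000100"},
    {"channel": {"id": "C0EXAMPLE2", "name": "general"}, "user": "U0EXAMPLE2",
     "username": "bob", "ts": "1605200100.000200",
     "text": "reminder: never paste a password in Slack, use the vault",
     "permalink": "https://example.slack.com/archives/C0EXAMPLE2/p1605200100000200"},
    {"channel": {"id": "C0EXAMPLE1", "name": "devops"}, "user": "U0EXAMPLE3",
     "username": "carol", "ts": "1605200200.000300",
     "text": "bot token: xoxb-000000000000-000000000000-EXAMPLEPLACEHOLDER",
     "permalink": "https://example.slack.com/archives/C0EXAMPLE1/p1605200200000300"},
]}}

# Patterns for an actual secret, not just the keyword the search was run with.
SECRET_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abps]-[A-Za-z0-9-]{10,}"),
    "credential_assignment": re.compile(
        r"\b(password|passwd|secret|token|api[_ -]?key)\b\s*(is|=|:)\s*\S{6,}", re.I),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
FIELDS = ["channel", "user_id", "username", "ts", "hit_types", "permalink"]

def triage_matches(response):
    """Keep only matches that look like a real secret; return the fields an
    analyst needs to follow up (channel, poster, hit type, permalink)."""
    rows = []
    for m in response.get("messages", {}).get("matches", []):
        kinds = [k for k, pat in SECRET_PATTERNS.items() if pat.search(m.get("text", ""))]
        if not kinds:
            continue  # keyword-only mention, e.g. a policy reminder: drop it
        rows.append({"channel": m["channel"]["name"], "user_id": m["user"],
                     "username": m.get("username", ""), "ts": m["ts"],
                     "hit_types": ";".join(kinds), "permalink": m["permalink"]})
    return rows

def rows_to_csv(rows):
    """Serialise triage rows to CSV text for offline review."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(rows_to_csv(triage_matches(SAMPLE_RESPONSE)))
```

Feed it the JSON from a real `search.messages` call (paging through `messages.paging` until the last page) and the resulting rows are the items to delete, rotate and report on, rather than every message that merely contains the word “password”.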

Final Thoughts

Slack is a communications platform used by over 10,000,000 users and hundreds of companies world-wide. Security teams should take action to raise security awareness around Slack phishing and related social engineering attacks. Similar to email phishing, Slack phishes may be spoofed and carry urgent or odd requests from unfamiliar requesters. Corporate Slack users should be trained to contact the SOC about suspicious messages just as they would about suspicious emails. Incident responders need to know how to adequately respond, investigate, invalidate compromised Slack sessions, and rotate account credentials. Slack workspace owners can enable built-in security measures such as two-factor authentication (2FA), organizationally defined retention policies, disabling accounts, hiding email addresses, and blocking access to 3rd-party app installations. In my opinion, Slack’s world-wide prevalence is likely to make it a target of abuse; corporate security teams should ensure employees are trained to spot and report suspicious Slack activity, and responders should be prepared to protect this attack vector.

Disclaimer: Never attack or test the security unless you have the organization’s permission.

References and Slack related Offensive Security Postings

Abusing Slack for Offensive Operations, Cody Thomas

Security Tips to Protect Your Workspace


Security researcher and ethical hacker based in Silicon Valley