Slack Watchman Save

Slack enumeration and exposed secrets detection tool

Project README

Slack Watchman

Python 2.7 and 3 compatible PyPI version License: MIT

Monitoring and enumerating Slack for exposed secrets

About Slack Watchman

Slack Watchman is an application that uses the Slack API to find potentially sensitive data exposed in a Slack workspace, and to enumerate other useful information for red, blue and purple teams.

More information about Slack Watchman can be found on my blog.

Features

Slack Watchman looks for:

  • API Keys, Tokens & Service Accounts
    • AWS, Azure, GCP, Google API, Slack (keys & webhooks), Twitter, Facebook, GitHub and more
    • Generic Private keys
    • Access Tokens, Bearer Tokens, Client Secrets, Private Tokens
  • Files
    • Certificate files
    • Potentially interesting/malicious/sensitive files (.docm, .xlsm, .zip etc.)
    • Executable files
    • Keychain files
    • Config files for popular services (Terraform, Jenkins, OpenVPN and more)
  • Personal Data
    • Leaked passwords
    • Passport numbers, Dates of birth, Social security numbers, National insurance numbers and more
  • Financial data
    • Paypal Braintree tokens, Bank card details, IBAN numbers, CUSIP numbers and more

It also enumerates the following:

  • User data
    • All users & all admins
  • Channel data
    • All channels, including externally shared channels

Time based searching

You can run Slack Watchman to look for results going back as far as:

  • 24 hours
  • 7 days
  • 30 days
  • All time

This means after one deep scan, you can schedule Slack Watchman to run regularly and only return results from your chosen timeframe.

Signatures

Slack Watchman uses custom YAML signatures to detect matches in Slack. These signatures are pulled from the central Watchman Signatures repository. Slack Watchman automatically updates its signature base at runtime to ensure its using the latest signatures to detect secrets.

Logging

Slack Watchman gives the following logging options:

  • Terminal-friendly Stdout
  • JSON to Stdout

Slack Watchman defaults to terminal-friendly stdout logging if no option is given. This is designed to be easier for humans to read.

JSON logging is also available, which is perfect for ingesting into a SIEM or other log analysis platforms.

JSON formatted logging can be easily redirected to a file as below:

slack-watchman --timeframe a --all --output json >> slack_watchman_log.json

Authentication Requirements

Slack API token

To run Slack Watchman, you will need a Slack API OAuth access token. You can do this by creating a simple Slack App.

The app needs to have the following User Token Scopes added:

channels:read
files:read
groups:read
im:read
links:read
mpim:read
remote_files:read
search:read
team:read
users:read
users:read.email

Note: User tokens act on behalf of the user who authorises them, so I would suggest you create this app and authorise it using a service account, otherwise the app will have access to your private channels and chats.

Alternatively, Slack Watchman can also authenticate to Slack using a user d cookie, which is stored in the browser of each user logged into a workspace.

To use cookie authentication, you will need to provide the d cookie, and the URL of the target workspace. Then you will need to use the --cookie flag when running Slack Watchman

More information on cookie authentication can be found on my blog

Providing tokens

Slack Watchman will first try to get the Slack token (plus the cookie token and URL if selected) from the environment variables

  • SLACK_WATCHMAN_TOKEN
  • SLACK_WATCHMAN_COOKIE
  • SLACK_WATCHMAN_URL

If this fails it will try to load the token(s) from .conf file (see below).

.conf file

Configuration options can be passed in a file named watchman.conf which must be stored in your home directory. The file should follow the YAML format, and should look like below:

slack_watchman:
  token: xoxp-xxxxxxxx
  cookie: xoxd-%2xxxxx
  url: https://xxxxx.slack.com

Slack Watchman will look for this file at runtime, and use the configuration options from here. If you are not using cookie auth, leave cookie and url blank.

If you are having issues with your .conf file, run it through a YAML linter.

An example file is in docs/example.conf

Note: Cookie and URL values are optional, and not required if not using cookie authentication.

Installation

You can install the latest stable version via pip:

python3 -m pip install slack-watchman

Or build from source yourself:

Download the release source files, then from the top level repository run:

python3 -m pip build
python3 -m pip install --force-reinstall dist/*.whl

Docker Image

Slack Watchman is also available from the Docker hub as a Docker image:

docker pull papermountain/slack-watchman:latest

You can then run Slack Watchman in a container, making sure you pass the required environment variables:

// help
docker run --rm papermountain/slack-watchman -h

// scan all
docker run --rm -e SLACK_WATCHMAN_TOKEN=xoxp... papermountain/slack-watchman --timeframe a --all --output json
docker run --rm --env-file .env papermountain/slack-watchman --timeframe a --all --output stdout

Usage

Slack Watchman will be installed as a global command, use as follows:

usage: slack-watchman [-h] --timeframe {d,w,m,a} [--output {json,stdout}] [--version] [--all] [--users] [--channels] [--pii] [--secrets]
                      [--debug] [--verbose] [--cookie]

Monitoring and enumerating Slack for exposed secrets

options:
  -h, --help            show this help message and exit
  --output {json,stdout}, -o {json,stdout}
                        Where to send results
  --version, -v         show program's version number and exit
  --all, -a             Find secrets and PII
  --users, -u           Enumerate users and output them to .csv
  --channels, -c        Enumerate channels and output them to .csv
  --pii, -p             Find personal data: DOB, passport details, drivers licence, ITIN, SSN etc.
  --secrets, -s         Find exposed secrets: credentials, tokens etc.
  --debug, -d           Turn on debug level logging
  --verbose, -V         Turn on more verbose output for JSON logging. This includes more fields, but is larger
  --cookie              Use cookie auth using Slack d cookie. REQUIRES either SLACK_WATCHMAN_COOKIE and SLACK_WATCHMAN_URL environment
                        variables set, or both values set in watchman.conf

required arguments:
  --timeframe {d,w,m,a}, -t {d,w,m,a}
                        How far back to search: d = 24 hours w = 7 days, m = 30 days, a = all time

You can run Slack Watchman to look for everything, and output to default stdout:

slack-watchman --timeframe a --all

Other Watchman apps

You may be interested in the other apps in the Watchman family:

License

The source code for this project is released under the GNU General Public Licence. This project is not associated with Slack Technologies or Salesforce.

Open Source Agenda is not affiliated with "Slack Watchman" Project. README Source: PaperMtn/slack-watchman
Stars
290
Open Issues
0
Last Commit
10 months ago
Repository
PaperMtn/slack-watchman
License
GPL-3.0
Tags
Blue Team Blueteam Cybersecurity Infosec Monitoring Purple Team Purpleteam Red Team Redteam Slack Slack Api Slack Workspaces Tools

Open Source Agenda Badge

Open Source Agenda Rating
Submit Review Review Your Favorite Project
Submit Resource Articles, Courses, Videos
Submit Article Submit a post to our blog

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?

From the blog

Dec 11, 2022

How to Choose Which Programming Language to Learn First?