• Stars
    star
    137
  • Rank 266,121 (Top 6 %)
  • Language
    PowerShell
  • Created about 6 years ago
  • Updated about 4 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A PowerShell script to download all files, messages and user profiles that a user has access to in slack.

SlackExtract

A PowerShell script to extract all messages and files from a User's slack account. Or, optionally specify a limited number of channels to download from. Check out the Wiki for additional helpful information. My friend Tony and I also presented both the offensive and defensive sides to using this script at Wild West Hackin' Fest 2018 which can be viewed here.

From Windows command line enter powershell with scripts enabled:

powershell -exec bypass

Import the Module:

Import-Module .\SlackExtract.ps1

Read Usage Instructions:

Get-Help Invoke-SlackExtract -full

Required Parameters

  1. SlackUrl (e.g. https://slackextract.slack.com)
  2. OutputFolderName (e.g. my-extraction)
  3. dCookie (e.g. wvxP...8%3D)   OR   SlackToken (e.g. xoxs-12...65)

Example 1: Extract all files and messages

This will extract all messages and files from each channel the user has access to (up to the default limits). The default output location is Document/SlackExtract. A folder will be created for each Channel as shown here.

Providing the dCookie

Invoke-SlackExtract -OutputFolderName my-extraction -SlackUrl https://slackextract.slack.com -dCookie wvxPLsXuW%2BUjT2b5RiCvb%2BUBPlJEX2XWbnVpOTlQZUN1TFF6dkxrNlZJbExYTzN6TmNtdFZNTDY0Y2pVQlF6UXlannhZMkprcHRueE12TVpXaXRvRWtQZGhidlhPdEh2d0J1a0I0UjcxMlRJV2JmTndDMlh1czNlUCt0SWIyczExb0z1ZCtxL3JJRW9tenJFRDhIdmp2MWVIQytLc3Q0RWZLSEFvdTQxUFE9PSy1X4xNmoY5wXzFlw2GJL8%3D

Providing the API Token

Invoke-SlackExtract -OutputFolderName my-extraction -SlackUrl https://slackextract.slack.com -SlackToken xoxs-420083410720-421837374423-440811613314-977844f625b707d5b0b268206dbc92cbc85feef3e71b08e44815a8e6e7657190

How to Obtain the dCookie and/or the API Token

See the Authorization page on the wiki for details on obtaining the dCookie or the SlackToken.

Default Limits (each can be changed with optional parameters)

Limit Parameters Default Value
MaxMessagesPerChannel 10,000
MaxFilesPerChannel 2,000
MaxUsers 100,000
MaxAccessLogs* 1000,0000

* Accessible to Admins of Paid Workspaces Only

Example 2: Extract User Profiles

Extract the profile of each user, up to the 1000 users as specified by the MaxUsers parameter. The details of each user will be written as individual json files in the meta/Users directory. An all_users.csv file is also created for easy viewing and sorting of the data in Excel as shown here.

Invoke-SlackExtract -ExtractUsers -MaxUsers 1000 -OutputFolderName my-extraction -SlackUrl https://slackextract.slack.com -SlackToken xoxs-420083410720-421837374423-440811613314-977844f625b707d5b0b268206dbc92cbc85feef3e71b08e44815a8e6e7657190

Example 3: Extract Data from Only Private Channels

Invoke-SlackExtract -PrivateOnly -OutputFolderName my-extraction -SlackUrl https://slackextract.slack.com -SlackToken xoxs-420083410720-421837374423-440811613314-977844f625b707d5b0b268206dbc92cbc85feef3e71b08e44815a8e6e7657190

Example 4: Extract Data from Only Specific Channels

Provide a comma separated list of Channel IDs to extract data from. The channel ID can be seen in URL bar of a web browser when connected to a Slack workspace. You can also exclude specific Channels with the ExcludeChannelIds parameter.

Invoke-SlackExtract -ChannelIds DD0081E5C,CCC2FCAE4,GD00AAMFY -OutputFolderName my-extraction -SlackUrl https://slackextract.slack.com -SlackToken xoxs-420083410720-421837374423-440811613314-977844f625b707d5b0b268206dbc92cbc85feef3e71b08e44815a8e6e7657190

Example 5: Extract Access Logs

Access logs contain the IP address and User Agent of each user as they connect to the Slack workspace as shown here. To extract access logs, the user must be an admin of a paid workspace.

Invoke-SlackExtract -ExtractAccessLogs -MaxAccessLogs 200 -OutputFolderName my-extraction -SlackUrl https://slackextract.slack.com -SlackToken xoxs-420083410720-421837374423-440811613314-977844f625b707d5b0b268206dbc92cbc85feef3e71b08e44815a8e6e7657190

Searching Through the Extracted Data

The extracted data is written to files in UTF-16 format. This means that using grep to search through the data isn't going to work. Instead, you could use PowerShell to search through the extracted data. See the Analyzing Extracted Results wiki page for helpful hints on doing this with PowerShell.

More Repositories

1

DPAT

Domain Password Audit Tool for Pentesters
Python
882
star
2

GatherContacts

A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results
Java
182
star
3

CookieCrimesJS

A cross-platform one-liner to steal a user's cookies from Chrome <- cool
HTML
86
star
4

Detect-SSLmitm

This PowerShell script will determine if your connection to external servers over HTTPS is being decrypted by an intercepting proxy such as the internet proxies commonly found in corporate environments. It does this by comparing the SSL intermediate certificate being used for your connection to the true/known SSL certificate for the server.
PowerShell
67
star
5

Commentator

PowerShell
50
star
6

VBAstomp

A repository of example VBA stomped documents
24
star
7

G-chimp

An automated way to send phishing emails from Google/G-suite.
JavaScript
18
star
8

PowerShellForInfoSec

PowerShell
18
star
9

DeployREMnux

DeployREMnux is a Python script that will deploy a cloud instance of the public REMnux distribution in the Amazon cloud (AWS).
Python
16
star
10

TellTail

A tool to display Windows Event logs as they happen.
C#
12
star
11

AtomicRunner

PowerShell
12
star
12

Presentations

Slides from Security Conferences Presentations
5
star
13

Gather-Usernames-From-Google-LinkedIn-Results

4
star
14

AttackEmulationTools

PowerShell
4
star
15

ChromeShot

Capture web screenshots using Chrome. No other dependencies required. Works cross platform.
HTML
4
star
16

dc8-deployment-PUBLIC

PowerShell
4
star
17

YaraRules

A collection of yara rules for detection of malicious content
3
star
18

AtomicRedTeamHooks

PowerShell
2
star
19

Invoke-SheetUnprotect

PowerShell
2
star
20

Export-ATPCustomDetections

This cross-platform PowerShell script will download all ATP detections you have access to including scheduled (custom), shared and user (personal) queries.
PowerShell
2
star
21

AtomicRedteam

PowerShell
1
star
22

clr2of8.github.io

HTML
1
star
23

community

Open-source ATT&CK procedures
1
star