Slack Jack: Bot Exploitation for Penetration Testers
Slack Jack – Slack Bot Token Abuse
Slack Jack is a penetration testing tool designed for ethical hacking and security testing purposes. It allows you to hijack a Slack bot using its token (e.g., xoxb or xoxp) and perform various enumeration and exploitation activities, depending on the bot’s assigned permissions.
Convincing a user to interact with a malicious link or payload can often be the most challenging part of gaining initial access. By impersonating a trusted bot, Slack Jack opens up numerous possibilities for social engineering attacks. For example, combining this tool with Evilginx could be an effective way to capture credentials.
This tool provides a command-line interface (CLI) that enables users to interact with Slack’s API endpoints, facilitating actions like sending messages, managing bot activities, and more.
Features
- Get Channel List: Retrieve and display the list of Slack channels accessible to the bot.
- Send Message to Channel: Use the Slack bot token to send messages to specified channels.
- Send Predefined Payloads to Channel: Deploy built-in payloads to target channels using the Slack bot token.
- Print Sent Messages: Display a history of messages sent by the bot.
- Save Sent Messages: Export sent messages to a JSON file, with the filename based on the bot user’s name and the current date.
- Join Channel: Join a channel using its Channel ID, provided the bot has the necessary permissions.
- Print Chat History: Extract and display a specified number of messages from a channel, if the bot has permission to access the chat history.
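
Each API-backed feature above works only if the token carries the matching permission, so a defender can bound the impact of a leaked token by auditing the app's granted scopes. The following is an added example, not part of Slack Jack or the original page: it parses the value of the `X-OAuth-Scopes` header that Slack returns on Web API responses and reports which listed features each scope would enable. The scope-to-feature mapping, the sample header and the `NEEDED` set are assumptions made for illustration.

```python
# Added example: least-privilege audit of a Slack bot token's OAuth scopes.
# Scope names are Slack's public OAuth scopes; the feature labels follow the
# list above. The mapping is an assumption covering public/private channels.
FEATURE_SCOPES = {
    "Get Channel List": {"channels:read", "groups:read"},
    "Send Message to Channel": {"chat:write"},
    "Join Channel": {"channels:join"},
    "Print Chat History": {"channels:history", "groups:history"},
}

# Constructed sample of an X-OAuth-Scopes header value (not real data).
SAMPLE_HEADER = "chat:write, channels:read,channels:history , channels:join"
# Assumption: this bot's legitimate job is only to post alerts.
NEEDED = {"chat:write"}


def parse_scopes(header_value):
    """Split a comma-separated scope header into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def exposure(granted):
    """Features a leaked token would enable, with the scopes responsible."""
    return {
        feature: sorted(granted & any_of)
        for feature, any_of in FEATURE_SCOPES.items()
        if granted & any_of
    }


def removable(granted, needed):
    """Granted scopes the bot's legitimate function does not require."""
    return sorted(granted - needed)


def audit(header_value, needed):
    """Full report: exposure per feature plus scopes that can be dropped."""
    granted = parse_scopes(header_value)
    return {"exposure": exposure(granted), "removable": removable(granted, needed)}


if __name__ == "__main__":
    report = audit(SAMPLE_HEADER, NEEDED)
    for feature, scopes in report["exposure"].items():
        print(f"{feature}: enabled by {', '.join(scopes)}")
    print("Scopes to drop:", ", ".join(report["removable"]) or "none")
```
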