papermtn / slack-watchman
Slack enumeration and exposed secrets detection tool
License: GNU General Public License v3.0
Version 3.0.7
Running sudo slack-watchman --pii --timeframe a
Importing rules...
40 rules loaded
Searching PII/Personal Data
Searching for posts containing Drivers Licence Numbers (UK)
'NoneType' object has no attribute 'get'
Running sudo slack-watchman --financial --timeframe a
Importing rules...
40 rules loaded
Searching financial data
Searching for posts containing IBAN Numbers
'NoneType' object has no attribute 'get'
Running sudo slack-watchman --tokens --timeframe a
Importing rules...
40 rules loaded
Searching tokens
Searching for posts containing Client Secrets
'NoneType' object has no attribute 'get'
Any ideas on how to fix?
Hi,
Can you provide an example of how to call an example rule.
I created a rule, changed the category.
then ran slack-watchman --custom <catname> --timeframe a
received: slack-watchman: error: unrecognized arguments:
Thanks
Can you please add this ruleset of regexes from truffleHog?
https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json
I think it would be better if we could add a custom pattern (like how gf works), and selection for regex by comma-separated argument, for ex --find aws,gcp
instead of -a or -g.
An error occurs when searching for external channels.
Hey There,
The following does not output to a .csv file to see results, only the number found.
--pii
--tokens
--financial
Can you assist please??
Thanks!
Hi,
Is it possible to get a report on the apps installed (any details that go with that) and their permissions?
Reason being some apps may have overly permissive permissions and it would be good to know which ones.
Other things I can think:
User details - some PII in user details such as phone numbers/skype etc.
Anyway, loving this app. It's currently helping me loads with a task I've been given.
When the Slack app associated with the token does not have a required scope attached to it Slack Watchman fails.
I have installed slack-watchman. As soon as I run slack-watchman --timeframe a --all watchman starts but gives an error.
Version: 2.3.1
Searching workspace: ****
Workspace URL: https://*****.com/
Getting everything...
+++++++++++++++++++++
Getting users
+++++++++++++++++++++
Getting channels
+++++++++++++++++++++
Getting admin users
+++++++++++++++++++++
'encoding' is an invalid keyword argument for this function
Please let me know how we can fix this.
Python version used - Python 2.7.16
When exporting results to JSON, any message that itself has quote marks in results in broken JSON. For example:
{"timestamp": "2023-06-14 15:02:29,374", "level": "WORKSPACE", "message": "{"name": "Slack Team", "domain": "slack-team", "url": "https://slack-team.slack.com/", "email_domain": "", "is_verified": true, "discoverable": "open"}"}
What I'm hopeful for: that messages that are printed out to JSON escape quote marks before they're logged.
When posting files I noticed that posted_by is left blank:
{"localtime": "2020-09-19 23:40:05,824", "level": "NOTIFY", "source": "Slack Watchman", "workspace": "DevCorner", "scope": "files", "detection.type": "Executable Files", "severity": "30", "detection": {"created": 1600372359, "file_id": "F01B9QV2EKT", "file_type": "binary", "mimetype": "application/octet-stream", "name": "balenaEtcher-1.5.102.dmg", "permalink": "https://slackoverloadgroup.slack.com/files/U019SN08GQP/F01B9QV2EKT/balenaetcher-1.5.102.dmg", "posted_by": "", "preview": null, "timestamp": "2020-09-16 19:27:39"}}
I am not sure if that is intentional since all file based rules seem to behave the same way. The username should be caught as with other detection rules.
When logging to STDOUT I noticed the JSON formatting is broken, at least according to logstash.
Example...
{"localtime": "2020-09-17 14:05:39,943", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".dmg""}
{"localtime": "2020-09-17 14:05:40,315", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".iso""}
{"localtime": "2020-09-17 14:05:40,963", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".pkg""}
{"localtime": "2020-09-17 14:05:41,478", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".pptx""}
{"localtime": "2020-09-17 14:05:41,918", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".pptm""}
{"localtime": "2020-09-17 14:05:43,636", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".ppt""}
{"localtime": "2020-09-17 14:05:44,004", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".conf""}
{"localtime": "2020-09-17 14:05:44,445", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".ini""}
{"localtime": "2020-09-17 14:05:44,856", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".openvpn""}
{"localtime": "2020-09-17 14:05:45,268", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".cscfg""}
{"localtime": "2020-09-17 14:05:45,780", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".rdp""}
{"localtime": "2020-09-17 14:05:46,363", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".jks""}
{"localtime": "2020-09-17 14:05:46,804", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".psafe3""}
{"localtime": "2020-09-17 14:05:47,520", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".agilekeychain""}
{"localtime": "2020-09-17 14:05:48,135", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".keychain""}
{"localtime": "2020-09-17 14:05:48,541", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".kwallet""}
{"localtime": "2020-09-17 14:05:48,912", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: ".tblk""}
{"localtime": "2020-09-17 14:59:34,192", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: "password:"*"}
{"localtime": "2020-09-17 14:59:34,953", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: "password is"*"}
Should be escaped like this and logstash can work with it...
{"localtime": "2020-09-17 14:05:39,943", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".dmg\""}
{"localtime": "2020-09-17 14:05:40,315", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".iso\""}
{"localtime": "2020-09-17 14:05:40,963", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".pkg\""}
{"localtime": "2020-09-17 14:05:41,478", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".pptx\""}
{"localtime": "2020-09-17 14:05:41,918", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".pptm\""}
{"localtime": "2020-09-17 14:05:43,636", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".ppt\""}
{"localtime": "2020-09-17 14:05:44,004", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".conf\""}
{"localtime": "2020-09-17 14:05:44,445", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".ini\""}
{"localtime": "2020-09-17 14:05:44,856", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".openvpn\""}
{"localtime": "2020-09-17 14:05:45,268", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".cscfg\""}
{"localtime": "2020-09-17 14:05:45,780", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".rdp\""}
{"localtime": "2020-09-17 14:05:46,363", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".jks\""}
{"localtime": "2020-09-17 14:05:46,804", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".psafe3\""}
{"localtime": "2020-09-17 14:05:47,520", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".agilekeychain\""}
{"localtime": "2020-09-17 14:05:48,135", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".keychain\""}
{"localtime": "2020-09-17 14:05:48,541", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".kwallet\""}
{"localtime": "2020-09-17 14:05:48,912", "level": "INFO", "source": "Slack Watchman", "message": "0 files found matching: \".tblk\""}
{"localtime": "2020-09-17 14:59:34,192", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: \"password:\"*"}
{"localtime": "2020-09-17 14:59:34,953", "level": "INFO", "source": "Slack Watchman", "message": "2 messages found matching: \"password is\"*"}
According to the code it looks like the double quotes are inherited from the rules, so I do not know if there is a quick fix to this. It's probably minor, however nice if someone wants to get some stats out of it.
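The quoting problem reported above, as an added example that is not Slack Watchman's own code: a Python logging formatter that builds each record as a dict and serialises it with json.dumps, so a rule string with embedded quotes is escaped and a workspace record becomes a nested object instead of a quoted blob. The formatter, the logger helper and the sample lines are assumptions constructed here for illustration.

```python
import io
import json
import logging


class JSONFormatter(logging.Formatter):
    """Render each log record as one JSON object per line.

    Serialising a dict with json.dumps is what guarantees that quotes inside
    the message (e.g. the rule text ".dmg") are escaped; assembling the line
    with string formatting, as in the broken output above, does not.
    """

    def format(self, record):
        payload = {
            "localtime": self.formatTime(record),  # same "YYYY-MM-DD HH:MM:SS,mmm" shape as the page
            "level": record.levelname,
            "source": "Slack Watchman",
        }
        # A dict passed as the message becomes a nested object rather than a
        # quoted string, which keeps workspace metadata machine-readable.
        if isinstance(record.msg, dict):
            payload["message"] = record.msg
        else:
            payload["message"] = record.getMessage()
        return json.dumps(payload)


def build_logger(stream):
    """Hypothetical helper: a logger that writes JSON lines to `stream`."""
    logger = logging.getLogger("slack-watchman-json-example")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JSONFormatter())
    logger.addHandler(handler)
    logger.propagate = False
    return logger


def emit_sample_lines():
    """Log the two constructed cases from the issue; return the raw lines."""
    buf = io.StringIO()
    log = build_logger(buf)
    log.info('0 files found matching: ".dmg"')  # rule text containing quotes
    log.info({"name": "Slack Team", "domain": "slack-team", "is_verified": True})
    return buf.getvalue().splitlines()


def parsed_sample_lines():
    """Prove every emitted line is valid JSON by parsing it back."""
    return [json.loads(line) for line in emit_sample_lines()]
```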
Describe the bug
Hi, I can't see any info (user, content) of the messages that are suspected. I haven't found any docs or additional options on it.
To Reproduce
docker run --rm --platform linux/x86_64 papermountain/slack-watchman --timeframe d --all --output json --cookie --debug --verbose
Expected behaviour
Information pointing to the message and its author included in the logs, as shown in a screenshot on the website.
Actual behaviour
No info about the message found in the logs.
{"timestamp": "2023-07-21 09:53:42,218", "level": "INFO", "message": "Searching for PII and Secrets"}
{"timestamp": "2023-07-21 09:53:42,219", "level": "INFO", "message": "Searching for posts containing Passwords"}
{"timestamp": "2023-07-21 09:53:43,338", "level": "INFO", "message": "1 potential matches found"}
{"timestamp": "2023-07-21 09:53:43,341", "level": "INFO", "message": "No matches found after filtering"}
{"timestamp": "2023-07-21 09:53:43,371", "level": "INFO", "message": "Searching for posts containing Twitter API Tokens"}
Please update the latest watchman.conf file with the latest format
this project is awesome : )
It would be really nice if it was possible to get the slack token through another method than a file, such as a CLI arg or environment variable, f.ex. for running this unsupervised in a container or similar.