How to loot immortal Tokens from Slack mobile



There are two central problems that I faced with Slack: 1. Slack feels like I am developing in Eclipse, in a Windows VM, on an old Linux laptop. Where does all the bloat come from? It can't even have more than one channel open at a time! 2. In some cases, Slack can [force you to log out][SlackTimeout] after 12 hours, say. I understand why you would check that box as an IT admin, but I will show you that Slack is currently not enforcing this policy, and so I'd prefer to not be subject to it. 😼 ## Good Slack Clients The first problem is rather easy to solve, you simply use an alternative client. There are three options I am aware of: - Using [WeeChat][] with the [WeeSlack][] plugin. I also recommend the [WeeEdit][] plugin to post multi line messages, especially for those code blocks. Finally, I use [WeeAutosort][] because the list of slack channels in WeeChat is a little confusing otherwise. This client is certainly your best option if your top priority is to go open source, to get it for free, or to use it on the command line. And it is a really good way to use Slack, too. I like it very much. - You can use [Pidgin][] with the [slack-libpurple][SlackLibPurple] plugin. Unfortunately, I have to say that this works rather poorly and I mention it here only to be complete. I thoroughly recommend WeeChat if you are absolutely not willing to use a commercial and closed source program; it is better to use WeeChat with [WeeSlack][] in a terminal for Slack than to use the Pidgin plugin. - If you are willing to pay $20 for your happiness, you should buy [Ripcord][] (Win/Linux/Mac supported). Even though it is in Alpha, it is the best Slack (and Discord!) client I have used. It supports Slack features in a more natural way because it is built specifically to do so, where in WeeChat some things may be awkward (inline images, navigating threads, etc). It is fast, has a low memory footprint, feels snappy, and gives you tabs for channels, DM's and threads. It is my weapon of choice. [AndroidEmulator]: https://developer.android.com/studio/run/emulator [AndroidEmulatorNetworking]: https://developer.android.com/studio/run/emulator-networking [Ripcord]: https://cancel.fm/ripcord/ [MITMProxy]: https://mitmproxy.org/ [Pidgin]: https://pidgin.im/ [HAR]: https://en.wikipedia.org/wiki/HAR_(file_format) [SlackLibPurple]: https://github.com/dylex/slack-libpurple [WeeChat]: https://weechat.org/ [WeeSlack]: https://github.com/wee-slack/wee-slack [WeeSlackSecure]: https://github.com/wee-slack/wee-slack#4-add-your-slack-api-keys [SlackTimeout]: https://slack.com/intl/en-de/help/articles/115005223763-Manage-session-duration-?eu_nc=1 [SlackAPI]: https://api.slack.com/web [SlackOverflow]: https://stackoverflow.com/questions/11012976/how-do-i-get-the-apk-of-an-installed-app-without-root-access [NougatChanges]: https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html [WeeEdit]: https://raw.githubusercontent.com/keith/edit-weechat/master/edit.py [WeeAutosort]: https://raw.githubusercontent.com/de-vri-es/weechat-autosort/master/autosort.py [WeeOTR]: https://raw.githubusercontent.com/mmb/weechat-otr/master/weechat_otr.py ## Loot Slack Tokens from Mobile Now if you want to come along and get around periodic logouts in Slack with me, let's get started. So Slack be like > For added security, you can limit how long your members are signed in to Slack on their desktop (we call this a session duration). When you set a session duration, your members will have to sign back in periodically. But then Slack adds some small print like: > **Note:** Session duration only applies to the Slack on the desktop app and in a web browser. With session duration turned on, members won't be signed out of their Slack mobile apps. And well, it seemed to me that there is really [only one web API that handles all of these][SlackAPI]. And it uses tokens for authentication. And that sounded to me like I could just generate an immortal token on my mobile app and use that in any of the above clients to live happily ever after.
**TL/DR: Yea, that totally works.**
What I have *not* done is try to stuff that token into my browser cache and see if I can prevent the original Slack client from logging me out periodically. I didn't do that because I couldn't care less about the original Slack client, I can never go back to it after using [Ripcord][]. Once we have looted a token from mobile, it is _rather_ easy to use it with the alternative clients I listed above. Both [Pidgin][] and [WeeChat][]/[WeeSlack][] require a token to log in to Slack, and you can just give them the mobile token. With [Ripcord][] there's just a tiny bit of work involved, but I will get to that later. Let's do the fun part first: Looting an immortal Slack token from the Slack mobile app! I am sure there are several ways to go about this, but I chose to use SSL MITM sniffing: 1. Install Slack in an [Android emulator][AndroidEmulator]. 2. Log in to Slack. 3. Hook that emulator to a [MITMProxy][]. 4. Sniff that Slack traffic as it logs in. 5. Loot. That. Token. So yea, that works. I know that others were successful in extracting the token from the data stored by Slack on the Android device, but you need to have root for that. Here's a step by step guide for how I did it: 1. Install the emulator for sniffing **like this**:
sdkmanager emulator platform-tools tools "system-images;android-23;google_apis;x86_64"
avdmanager create avd --device "Nexus 5" -f -n C3PO -k "system-images;android-23;google_apis;x86_64"
It is important to use the android-23 API here because using a later image will make it unbearably hard for you to use [MITMProxy][]: [Starting with Android 7, user certificates are no longer trusted by apps][NougatChanges]. 2. You can now run your emulator with emulator -avd C3PO, but it will not have a PlayStore. 3. You can get a Slack APK from some website that pretends to scrape the PlayStore, but I do not like that idea. To get a gem mint original copy of the latest Slack APK, I recommend installing a **second** emulator as follows:
sdkmanager "system-images;android-29;google_apis_playstore;x86_64"
avdmanager create avd --device "Nexus 5" -f -n R2D2 -k "system-images;android-29;google_apis_playstore;x86_64"
now you can launch R2D2, which will have a PlayStore, and download Slack. 4. To get the Slack APK off of R2D2, we use some magic incantations that the [StackOverflow gods bestowed upon us][SlackOverflow]. The following lists all packages:
adb shell pm list packages -f | grep Slack
You probably won't need it, though. Most likely, you can get the path to the Slack APK with the following command:
adb shell pm path com.Slack
and then just adb pull that APK, push it to C3PO and install that sweet, fresh, original Slack. I have a little Python script that should do this for you automagically:
#!/usr/bin/env python3
import re, sys, subprocess as sp
query = subprocess.run(['adb', 'shell', 'pm', 'path', 'com.Slack'],
    capture_output=True).stdout.decode(sys.stdout.encoding)
path = re.match('^package:(.*?/base.apk)\s*$',  query).group(1)
subprocess.run(['adb', 'pull', path, 'slack.apk'])
5. Install [MITMProxy][], and [use it as a proxy for C3PO][AndroidEmulatorNetworking]. 6. Start sniffing! What you are looking for is something that looks like this:
xoxs-111111111111-222222222222-333333333333-baadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00d
More precisely, it matches the following regular expression:
xox[a-z]-\d{12}-\d{12}-\d{12}-[a-fA-F0-9]{64}
This is your undying Slack token. Be **very**, **very** careful with it. Anyone with that token can pretend to be you on whatever Slack you are logged in to. In the [WeeSlack][] README, there is a [section which also explains how to securely store this login][WeeSlackSecure] and I strongly recommend doing that. On Windows, [Ripcord][] is unable to read cached logins from other installs, so I am pretty sure some work was put into storing credentials in a secure manner, but I haven't reverse engineered it to verify that. It's probably always a good idea to slap some full disk encryption on top of everything! ## Importing to Ripcord Finally, let me explain how to import your token into [Ripcord][]. The way you do this is by adding a Slack account via browser import and once you have stored the request from your browser as a [HAR][] file, say slack.har simply replace every occurrence of something that looks like a token with the one you looted. For example, you could do this:
token=xoxs-111111111111-222222222222-333333333333-baadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00dbaadf00d
sed -e "s/xox[a-z]\(-[0-9]\{12\}\)\{3\}-[a-fA-F0-9]\{64\}/$token/g" slack.har > slack.immortal.har
And then, simply import slack.immortal.har.

2 Replies to “How to loot immortal Tokens from Slack mobile”

  1. just out of curiosity: is google_apis_playstore not supported with android-23 or why did you use two emulator instances?
    1. Yes, that is exactly the reason. The earliest Playstore supporting image that I see is system-images;android-24;google_apis_playstore;x86.

Leave a Reply

Your email address will not be published. Required fields are marked *