- Fixed a bug where an exception was raised when no suppressed signatures were passed. Fixes #66
- Fixed error when creating a Workspace object using the response from the Slack API. Validation was expecting a
bool, but in some instances, a string was being returned. Fixes #68 - Fixed bug where the incorrect error message was being passed when environment variables were not set. Fixes #67
- Ability to disable signatures by their ID in the
watchman.confconfig file.- These signatures will not be used when running Slack Watchman
- Signature IDs for each signature can be found in the Watchman Signatures repository
- App manifest JSON file for creating the Slack Watchman Slack application added in
docs/app_manifest.json - Pylint configuration and implement fixes and recommendations based on findings
- Added Pylint checks in GitHub actions
- Additional tests added:
- Unit tests for remaining non-model modules
- Integration tests for slack_client.py
- Bug where variables were not being imported from watchman.conf config file
- Timestamps are now in UTC across all logging for consistency
- Refactor some commonly used functions into a utils module
- More general code cleanup and refactoring
- Fixed a few bugs with models for User, Workspace and Messages not picking up all values
- GitHub actions for Python tests and Docker build and run testing
- Implemented unit tests for models
- Added enumeration of conversations with populated Canvases attached. These can contain sensitive information, and are worth reviewing.
- Added join domain to unauthenticated probe. This is the link to use to sign into a Workspace if you have an email with one of the approved domains.
- Added enumeration of authentication options for the Workspace you authed to.
- Shows which domains are authorised to create accounts on the workspace. If a historic domain that isn't registered anymore is still approved, you could access this workspace using an email from it.
- Also shows which OAuth providers are authorised for the workspace.
- Added new 'unauthenticated probe' mode. This mode will attempt an unauthenticated probe on the workspace and return any available authentication information, as well as any other useful information such as whether the workspace is on a paid plan.
- No authentication token is required in this mode, you can spray away to any workspace you like.
- Signatures are now downloaded, processes and stored in memory instead of writing to disk. This saves having to store them in files, and solves the issues when using Slack Watchman with read-only filesystems (raised in #51)
- Migrated to Poetry for dependency control and packaging
- Added notification for an invalid cookie being passed (Fixes #47)
- JSON output for User and Workspace information was malformed, this has now been fixed
- User output in stdout logging now includes display name and email. The accounts for cases where usernames are nonsensical.
This major version release brings multiple updates to Slack Watchman in usability, functionality and behind the scenes improvements.
Note: While efforts have been made to make sure there is some backwards compatibility, this release may have some breaking changes on previous versions. Make sure to look at the removed section
- Support for centralised signatures from the Watchman Signatures repository
- This makes it much easier to keep the signature base for all Watchman applications up to date, and to add functionality to Slack Watchman with new signatures. New signatures are downloaded, and updates to existing signatures are applied, at runtime, meaning Slack Watchman will always be using the most up to date signatures.
- Major UI overhaul
- A lot of feedback said Slack Watchman was hard to read. This version introduces new terminal optimised logging as a logging option, as well as JSON formatting. This formatting is now the default when running with no output option selected, and is a lot easier for humans to read. Also, colours!
- Cookie login
- If you have a Slack
dcookie (which can be gathered from a web browser authenticated to Slack), and you know the URL of the target Slack workspace, Slack Watchman now allows you to authenticate using cookie auth, instead of supplying a bot token.
- If you have a Slack
- Multiprocessing and other backend improvements
- Slack Watchman now makes more efficient use of API calls, and incorporates multiprocessing, to run faster than previous versions. Larger workspaces can now be enumerated much quicker.
- Docker image support
- Slack Watchman is now available as a Docker image. Simply pull from Docker Hub
docker pull papermountain/slack-watchman:latest
- Slack Watchman is now available as a Docker image. Simply pull from Docker Hub
- More useful enumeration options added
- Slack Watchman now gathers more information on a workspace. Useful if your use case is more red than blue...
- Get information on calling user
- Provides you information on the user you are authenticated as, including whether the user has 2FA configured, whether they are an admin etc.
- CSV files containing information on all users and channels in the workspace.
- Get information on calling user
- Slack Watchman now gathers more information on a workspace. Useful if your use case is more red than blue...
- Option choose between verbose or succinct logging when using JSON output. Default is succinct.
- Debug logging option
- Socket logging functionality
- I'm not sure this functionality was used, but the move to more accessible stdout and JSON logging options means that the option to log to a listening socket has been removed.
- Some CSV output
- For the same reason as above, logging results to CSV has been removed. Enumerating users and channels can still be output to CSV, but formatting a CSV file for a complex nested datastructure is a nightmare, and makes future modifications time consuming.
- Logging to file
- To keep logging as simple as possible, the file output option has also been removed. This can easily be reproduced by piping the output of running Slack Watchman to a file:
slack-watchman --timeframe w --all --output json >> sw-log.json
- To keep logging as simple as possible, the file output option has also been removed. This can easily be reproduced by piping the output of running Slack Watchman to a file:
- Local/custom signatures - Centralised signatures mean that user-created custom signatures can't be used with Slack Watchman for Enterprise Grid anymore. If you have made a signature you think would be good for sharing with the community, feel free to add it to the Watchman Signatures repository, so it can be used in all Watchman applications
- Retry added for occasional Requests HTTPSConnectionPool error
- Version added to Stdout logging
- Better exception handling and logging exceptions correctly
- Workspace field added to critical error
- Mailgun API token rule
- Mailchimp API token rule
- Twilio API token rule
- Stripe API token rule
- Heroku API token rule
- Shodan API token rule
- Cloudflare API token rule
- Exact regex string match added to output from message searches
- Check added for when the given token doesn't have the required API scope. On incorrect scope, and exception will be raised and the required scope will be output to log
- Rule to detect MasterCard Datacash credentials
- File searching now includes user who posted file via users.list API method
- Logging field name changes = 'type' -> 'detection_type', 'detection' -> 'detection_data'
- Updated output to strip quotes from query strings. This should allow better JSON parsing with more log ingestors
- File searching was missing file type output in log data in some occasions, now fixed
- Added rules to search for:
- CV files
- Files and spreadsheets containing budget and salary information
- CHANGELOG to track updates
- Small bug meant that PyPI installations weren't including the YAML rule files. This has now been fixed.
- Top level dir renamed from
watchmantoslack_watchmanto place nicer with PyPI
- Rules based searching
- Logging options: Log file, Stdout, TCP stream
- Deduplication of output
- Refactor into slack_wrapper to use a class to create an API client
- Top level dir renamed from
watchmantoslack_watchmanto place nicer with PyPI
- Custom search by CSV. This is now done by creating your own custom rule