Security Research

5 October 2023

Impersonating Slack Users - Red Team Tradecraft

by FalconSpy


So you want to impersonate someone on Slack? Maybe claim that you’ve hacked the next Uber?


To do this some assumptions are made for those looking to follow suit. One major assumption is that you have a C2 agent on the intended victim(s) or were able to steal their Slack cookies.


In order for the impersonation to work properly the following items are needed in somewhat particular order:

Grabbing the HAR File

Assuming you’ve grabbed the proper version of the Ripcord client already, we need to grab a HAR (HTTP Archive) file for Slack from our browser. Ripcord actually instructs you on how to do this via the 3 major browsers:

You can grab just about any old HAR file. Make a new workspace if you need to or grab one you already belong to since we will be making modifications to the HAR file we just downloaded.

Slack Cookies Stolen

This part assumes you have stolen the cookies from your C2 agent or via some other means.

We are looking for a particular key:value pair within the cookies in order to make this all come together.

The following key:value pair is what you want to look for with d being the key and the value below:


Depending on how you acquired the cookie you made need to do some URL Encoding as the cookie should end with %3D%3D which equates to == decoded.

Grabbing API Token

For this you need to know the workspace for the victim. In the example workspace created for the purpose of this, the workspace used was democompany-zhx6205.slack.com.

Using curl, you can then grab the API token once you know the proper key value pair for the cookie and the workspace.

curl -L --cookie "d=xoxd-Al%REDACTED" https://democompany-zhx6205.slack.com | grep -ioE "(xox[a-zA-Z]-[a-zA-Z0-9-]+)"

Assuming you’ve done everything correctly the API token will start with xoxc-.


Curl for API token

Assembling Our Access

Remember that HAR file we grabbed from earlier? Choose your favorite text editor or string substitution command as we will need it.

Within that HAR file will contain the WorkSpace, Cookie (xoxd-..), and API token (xoxc-..)

  1. Replace the workspace with your intended victim’s workspace.
  2. Replace the existing cookie with the victims cookie
  3. Replace the existing API token with the victims token.

Open up Ripcord and go to Accounts -> Add Account -> Add Slack Account

Add Account

Select the Import from Browser option

Import From Browser

Drop/Browse for the HAR file you modified


Regardless of where you copied the original HAR from you’ll see some of the old information in there:

Unless you modified the HAR file to make sure all the information was updated with your victim’s info you can just ignore this.

Simply right click your new Slack account within Ripcord and hit connect. Enjoy your access to that individual’s Slack account.

Slack view

Slack View

Ripcord View

Ripcord View



tags: slack - impersonation