
We're going to talk about extracting all the information that we find on Slack once we have credentials. Really, it's not a vulnerability in Slack; it's just using Slack to our advantage as an attacker. And also we'll talk about blue team stuff. Hi, I'm Carrie Roberts. I used to be a web app developer until I miserably failed the pen test, which I didn't know what that was at the time, and so I knew nothing about security, and I was told to fix these big vulnerabilities, and I felt really stupid because I didn't know anything about anything they were talking about. So I'm kind of an all-or-nothing person, so I was at a point where
I'm like, okay, either I'm not gonna be a developer or I've got to just embrace the security thing. So I decided to embrace security, started taking some training from SANS and got some education, so now I'm in the InfoSec field. It's exciting and I love it. I live local here and I love to ride motorcycles and four-wheelers in the mountains. So I'm Tony Hamburger. I have a varied background. I currently live in Bentonville, Arkansas, working for the incident response team at Walmart. As you can see, I have a varied background in networking, security, data loss prevention, HIPAA compliance. Been with the Walmart IR team for almost a year now; before that I was on the data loss prevention team. Okay, so this is a little disclaimer
that we're not endorsing a product and we're also not officially representing Walmart, even though we both work for Walmart. So, Slack: some people may not know what Slack is. It's this interface where we can chat with people, so here we have like Carrie talking to Martin, just sending messages back and forth. You can also send files. On the left you have a list of channels that you can talk in, so kind of topics. There's public channels that anybody can talk in who is part of the, they call it, workspace, so if you can log in you can talk on the public channels. There's private channels, which have the little lock by them; that's where you can only talk there if
you're invited. So you might create a channel and invite your friends to chat with you there; not everybody who has the login can read the private channels. And then there's direct messages, where it's kind of one-on-one, although you can do it to multiple people, but it's not really a channel, it's just like, hey, how about the four of us talk. It's usually more temporary than a channel. And one thing to note is up here in the URL you see this channel ID, CCE44; that's unique per channel, so if you click these different channels on the left you get a different channel ID. And I just point that out because that comes in handy when we learn more about the script
that we can use to extract information from channels. So Slack is really popular. Last year they noted that they have six million daily users, and that was a year ago. There's over fifty thousand teams paying to use the Slack service, although you can also use it for free, and forty-three percent of the largest 100 companies in the nation use Slack. So it's widely used, and more than half of those are outside the United States. So how many of you use Slack at work? girl it's just freaking number. So sometimes I talk to companies and they say, you know, we're not worried about what people put in Slack because we have a policy against putting sensitive info in it, but
yeah, what we did, we laughed, because the policy, you know, it's just so easy to share information on Slack. It's so easy that I can drop that file in, you know, full of passwords, or type, you know, somebody says, hey Joe, what's the password for this Wi-Fi or system. So there is a lot of sensitive information in there, even if your work has a policy against that, that an attacker might be interested in extracting. So Slack provides an API, which is like a way for you to programmatically interface with it, so we can use the API to do everything that the web does for you. When you're just browsing through
channels you're doing point-and-click, but you could write a program to go see: what all channels do I have access to, what are all the messages, download the files. So you can do that through an API, and here's an example. I have circled channels.history; it fetches all the messages from a channel, so we can make that API call. In order to use the API you have to be authenticated, so you need a token, and the token usually starts out like xoxs or maybe xoxp, there's a few different tokens, and then a dash and some other numbers. So if you have that token you can use the API and extract
information from that Slack workspace. To get the token, you can log in to the web interface, and the first request it does to get your messages will return your token. So there's an example down there of a token, and you just get that when you browse to Slack, so if you were going to watch your network traffic you can see the token here. You can also go in and, like, sign up for a token inside your profile, but you could also just grab it after you log in. So I released this PowerShell script called SlackExtract, and that's what we're talking about today. We're going to use that to extract all the information a
user has access to. So we get their token and we say we want all the files this user can read and all the messages, and we extract them. So if you go to that URL there at GitHub, clr2of8/SlackExtract, you'll see this script, and then you can use it for your own purposes. And it has a little readme there, which is shown here. There's three basic steps. You just enter PowerShell, so you start a command prompt and enter PowerShell with that command, powershell -exec bypass; you import the module; and then to see how to use it, it's kind of a self-documenting script, you can just say Get-Help with Invoke-SlackExtract, that's the name of the
function, and if you do -Full it'll give all the examples and all the parameter options you can use, and so that's the best way to get started. So the basic usage for the script: you have to give it at least three things. The first is your Slack URL, so in the examples today I'm using slackextract.slack.com; it's a Slack workspace that I signed up for just for this demo. At your place it might be like companyname.slack.com. An output folder name, so where you want all this data to go into when you download it. By default it goes into your Documents directory, into a folder called SlackExtract, and then inside of that
whatever name you give it, so today for the examples we'll call that my extraction, so we'll see a folder created with that name. And the last thing we give it is our authentication. So again, this is a hack of Slack, but we're actually doing this as an authenticated user. The only hack would be if we stole those credentials from someone else, which is typically what I would do on a red team, let's just borrow this from somebody. So for the authentication we can either give it what I call the d cookie, because Slack has a cookie and the name of the cookie is the letter d, so it's the d cookie, and it's your session cookie. You
can think of it as the temporary password that your browser keeps for you, so you only have to log in once, and then on every subsequent request your browser is handing over this temporary password, or this d cookie, which says, yeah, this person's really logged in, don't make them enter their password every time. So you can give the script the d cookie and it will exchange that for the token, or you can just give it the token itself if you've gotten that some other way. So how do we get there? This is just an example of exchanging the d cookie for the token. So all we have to do, if we have
the d cookie, and we'll talk about how to get that next, is make a request to workspace.slack.com/messages, and in response you get that xox token back, and we can use either one of those pieces of identification for the script. So how do we get the d cookie? The easiest way, depending on what level of access you have to that user's system or your own system, is to just look in the browser and, you know, ask the browser to tell you what's the d cookie for slack.com, and I've got a demo video of that next. There's also ways to do it, like, from a command line
interface. Maybe you don't have graphical access to your victim, you only have command line access. Here's some examples of using PowerShell to extract it from Chrome or from Windows, and you don't have to try to write that down, those commands are on the wiki. So if you go to the GitHub repository there's a wiki, and there's a lot of information about how to get these d cookies or these especially things.
Okay, so we're logged in to Slack here. We're going up to the three-dots menu and going into Settings, and we're going to search for cookies, because we're looking for this d cookie. Scroll down, we see Content settings, and then we click on Cookies and See all cookies and site data, and to make it easier to find we'll type in slack.com and search for it. We see slack.com there, and here's a cookie called d. We click on that and it tells us the content of this cookie is blah blah blah blah blah. That's what you need to use this script. So if you can do that, you can use this script.
Okay, so here's an example. So we've started up PowerShell, we have imported the module, and now we can call it with Invoke-SlackExtract. We give it those three required parameters: we give it an output folder name, so my extraction, we give it our Slack URL, and we give it either the d cookie or the API token. Here we're giving it the d cookie, and I put a dot dot dot because it's so long and ugly I don't want to put the whole thing on there, but that's actually a big cookie there. So if we were to run that with a valid d cookie we would get a folder in our Documents directory
called SlackExtract, and then it makes this my extraction folder, and inside that folder, here's where we're inside one of these channels. So remember at the beginning the URL had a channel ID, so maybe the general channel has this ID, the random channel has another ID. So we're inside of one of these channels. You'll get a directory for every channel the user has access to, so usually people have access to a lot of channels. Inside each channel you have a folder full of files, so all the files that have been uploaded to that channel, and a folder full of messages, and those messages are written to disk as JSON files. So right down here you see
each one of these is a message, with some details about who posted that message and when it was posted. Part of the filename is a timestamp, so if you sort by file name you'll be reading messages in order. And then at the bottom right you see one example of one of the JSON messages, which tells you who uploaded it, when, and the message, which in this case was "any news about the carnival next month". So this makes it easy to do offline searching of the data from Slack. Without it, if you're familiar with using Slack, if you want to read more than the last few messages you've got to scroll up, and it loads it as you're
scrolling up, and it's really slow, and that's slow to read through, look through and search through; especially downloading files is slow that way. So it also creates this meta folder, which is kind of the data about the channels, like what's the channel name, its death. So inside the meta folder we've got the channels meta, and so that's information about channels. So you get one JSON file for each channel, and that has information like the name of the channel, the topic, the purpose, whether it's public or private, what it used to be called, when it was created. And at the end it rolls this all up into an Excel file, a CSV file, so that you could open this up
in Excel, and you have a big list of all the channels and their topics, and you could search, look through for ones that sound, maybe you want to go to those channels and search for sensitive information. I said that you run this and it downloads all files and messages, but actually there's some default limits, and you can change that to be bigger, but by default it'll download up to 10,000 messages per channel and up to 2,000 files per channel, because you can fill up your hard drive pretty quick running this on big Slack instances. So if you just run it without really thinking about setting defaults, you will have those defaults, but if you really want to
download more than that for any channel, you can; there's an option to specify a different limit. And we'll talk about downloading user profiles and logs later. So when I gain access to a user on Slack when I'm doing my testing, I'm interested in finding out who else works for this company. So a really typical scenario for me if I'm testing a company is I go to LinkedIn and get a list of everybody who says they work for this company, so maybe there's like 300 people that claim to work for this company, and then I turn that into, like, first initial with last name user names, and I try to log in to Slack
with those user names. So I'm trying to guess a password for one of those 300 users, so maybe they're using like Fall2018, because that's common for people, to use season and year combinations. So I'll guess a few passwords for those 300 users and eventually get in, and as soon as I get into Slack I'm interested in all the users, because if I had a bigger user name list than what I got from LinkedIn, then my chance is like, maybe if Fall2018 was good for one in three hundred people, and now I have three thousand valid usernames and I try that again, you know, I'm probably going to get ten;
there's ten times the users, so I'll probably get into ten user accounts. So when I get access to Slack I want to extract the user profiles, because that tells me every user in that Slack workspace, so now I have a very good, long, valid list of usernames for my password guessing. So one option we can do with Invoke-SlackExtract is we give it the -ExtractUsers flag, and in this case we limit the users to a thousand; that's just to show you how to change those default limits. And then the dot-dot-dot is really the fact that we still need to provide the URL, the output folder and d cookie or
token, but I didn't want to type that there. So for that we end up with, inside the meta directory, a users folder, and inside the users folder again is a JSON file for every user, and it's named according to their user ID, this unique alphanumeric here. And each one of those JSONs, if you look on the left, has a lot of details about that user, which I can't even read, but it has like the profile image and their time zone and their name, display name, whether they're an admin. And then again at the end, once it's downloaded all these user profiles, it writes out this CSV file with all that data too, so
if you open that up you've got this nice list in Excel of job titles, phone numbers, their names, their display name, which often is like their Active Directory user name, because that's an easy thing that they default to in a work environment. So then you have a nice user name list that's different than their external user name and helps you when you get on the internal network, and information about whether they're admins. So that's useful for building a user name list and also for targeting. Maybe we want to phish somebody, and we really don't want to phish the head of IT because he's probably not gonna fall for it, or maybe we do because he will, I
don't know, but that gives us some insight into who's who at the company. Another option: you can just give the script the private only flag, so that it'll only download information from private channels, because you might think that people put more sensitive stuff in the private channels instead of the public, and maybe you're in a hurry or have limited disk space, so you just tell it only give me the private channels. Or you can tell it, I'm only interested, maybe you looked at your CSV file and there were three really interestingly named channels and you're interested in what's in those channels, and you can specify specifically those channel IDs. You can also exclude certain channel IDs. It's
common for people to set up bots, so automatic scripts that post to a Slack channel, you know, maybe when a server goes up or down, and those channels get extremely boring to read, and there's millions of messages just like this server disconnected, the server rebooted, the server did that. So you can glance at it and you see it's not posting passwords or anything, and then you decide, I really don't want to see a million of these messages or bother downloading them, so you can exclude channels from your extraction. And then also, if you're an admin, if the credentials you have are a Slack admin on a paid workspace, this doesn't work for free workspaces, but like an enterprise
workspace, you can also extract the access logs, which is this -ExtractAccessLogs option, and you get a folder full of JSON files again, and it tells you who connected at what time and from what IP and what the user agent is. So as an attacker that's valuable to me, because now I see where people are connecting from and, you know, whether it's their phone or their computer, and the user agent string tells you interesting information about their system, so you're going to know whether it's Windows or OS X or Linux, and sometimes it will tell you more about the software, what version of Office is being run and what browser they use. Okay, so maybe I can't get the d cookie,
because the easiest way to get the d cookie is to log in in your browser and read it from your browser, but maybe I've exploited somebody's system and all I have is command line access, so I can't bring up the Chrome menu and look through it in your typical way, because I only have command line access. We can also just go out and search for their token, because either one works for SlackExtract, and here's two examples: on OS X we can grep for the token from the application directory, or on Windows we can use PowerShell to search for it, and then we can use a token instead of the d cookie. So that's
handy if you don't have graphical access to the system.
Okay, so here's a demo of that whole thing working.
Okay, so we're logged into this SlackExtract workspace over here on the right, and we've got a general channel, which has like a picture of a carnival and this weird mask thing, and then we've got a random channel, and it's got a bluebird and some stickers and a pink unicorn, pink rainbow unicorn, that's important. So over on the left we see, I'm using an option to write to the temp directory instead of the Documents folder in this case. So we'll bring up the command prompt. We've already imported SlackExtract, so now we can just call Invoke-SlackExtract. We give it the Slack URL of slackextract.slack.com, an output
folder of my extraction, and when we run this, on the left you'll see that folder pop up, and then we're telling it to put it in the C:\temp directory instead of the default My Documents, and then we give it our token.
Come on.
Okay, so we have here SlackExtract up on the left, and my extraction. We get a folder for every channel, and inside the folder we see a folder for files and messages. We got all the messages for that channel there; this is a small workspace. And inside files we will see those files pop up as it downloads. It downloads all messages from all channels first and files last. So there we saw the pink unicorn show up. We can go over to the random channel; here we're downloading those images from the random channel. They're at higher resolution so it takes a minute, but there's a carnival image. So now we have like many
gigabytes of information that's probably sensitive to the company, in my case the one that I'm testing. And we're also gonna extract users, so I added in, see, over here on the right, I added a -ExtractUsers, and now I've got a users directory, and I can open up the all users and I see that spreadsheet pull up. Here's all the users of this workspace and their title, if they've entered that for the profile, their real user, their images, so that's handy. So now I have an offline copy of this data I can look through and see if any, like, files are called password.txt or anything, or I can search through the
text and look for the word password or, you know, for Amazon S3 keys or anything that might be sensitive in that environment. So if you go to the wiki on my GitHub page there's two helpful pages there. One is the authorization page, and that goes through all that we talked about here, some commands you can run to get the d cookie or the token, and that video is also there of how to extract the d cookie from the browser, so you'll be able to use this script. And then also there's some helpful information on how to grep through the results, and I say grep through the results because you're running this on a Windows system, which
doesn't have grep, but you might have grep there, you know, you might have installed the little Ubuntu app or something and have grep, but the problem is the script writes in default PowerShell output formatting, which is UTF-16, so if you grep for a word that you know is in there, because you can see it, it just doesn't return it, and that's really frustrating. So I give some helpful hints on the wiki page of how to basically use PowerShell to do grep for you, because it understands that format, or you could change the script to output in ASCII if you wanted instead. But here's useful searches you might want to do and examples of how to grep
with PowerShell. So if you wanted to extract all the user names you could use this PowerShell, where you recursively go through the directory and select name from the users directory, or you can extract email addresses, you can extract job titles and names and write just the names to a file. So I like that one because now I can take that list of names and go back and password guess again on some external portal and have more success with a bigger username list. And then, so the advantages of using SlackExtract are we quickly get all the data on our system, so if we lose access we still have all that data. Also there's
a potential that the network defenders, you know, have queued up some keywords; if they see people searching for password through the, like, web interface, that goes through Slack itself, and if they see people searching for sensitive words they might alert. So as a red teamer I want to avoid searching for things that might alert, and if I do that offline they won't see what I'm looking for. And again, if I lose access I still have all those files, and trying to look through files online is really slow and painful because you have to slowly scroll back through and right-click and download each file, but now we have all this pulled down and we can do quicker and
more powerful searches with grep or PowerShell grepping. Now is where I turn the time over to Tony; he's going to talk about... So now you know that these kinds of tools exist for attackers to quickly pull a lot of sensitive information from your network, so it'd be good as defenders if we knew how to watch for this and detect it, so that we would know an account was compromised, and that's what Tony... So now that we know that all of this stuff can be pulled out of Slack, we had to come up with a way to figure out how to detect what's going on. We of course sat down with Carrie; she taught us the script inside and out. We all
looked at it, went through it really carefully. That's something I really encourage you to do: go look at the scripts, go look at the API methods. There are two basic types of audit or logging APIs that you're hitting. You have your standard APIs that a user is going to be using, and then you have your audit log APIs, for which you'll have to have a paid Enterprise Grid to use most of that. The audit log APIs can give you access to areas that you're just not going to have as a free Slack account; it's just not going to be in there. To use it you do have to be an app owner or an admin, so the general user
can't use the audit log API to start scraping through your Slack, because of course then you're looking at insider trust issues. So once you decide you've got the data, what are you going to do with it? Are you gonna build a custom alerting module, or are you gonna pipe it into your SIEM? You really have to decide what is best for your organization, what's best for your presentation. So as I said, you have the audit log API and the standard API. As admins of a paid account you can use the standard API to do the calls like the one Carrie was talking about, the event audits or the event logs, which says for this one a user logged in and
it gives me the first time it was seen and the last time seen, and that's the first time the combination of the user agent, the IP address, the user, sometimes other metadata, has been used in combination to log in, as well as the most recent time that combination has been used. So that can be good, but our audit logs give better, more accurate information. They break things down into an action, an actor, an entity and context format. So in this case, because this is a login or a logout event, our actor and entity are gonna be the same exact information. If, for example, we're scraping out all the
files, it's actually gonna have an actor, and the entity is gonna be the file information, so you're looking at the file ID inside of Slack, the file name, other descriptors about it and what type of file it is. So this is a real basic breakdown of what we've got. We have your audit log APIs, which really require an owner or an admin account on the paid Enterprise Grid. It's designed for monitoring, not real interaction, so you're not gonna be pushing stuff to Slack with these accounts, or these tokens, because you are doing all of this with token passing. It separates logs: your login event is gonna be separate from your logout, okay, it's not going to
be like the event logs that say, hey, I logged in and this is the last time I saw this pattern. You're gonna have downloaded files, uploaded files, standard and corporate exports. If you already have a corporate environment for Slack you can actually export all these logs for different compliances, so they have those; you can actually see when that was done, to see if maybe a user who shouldn't be downloading them is. Users joining a channel, and role changes, if you're watching for administrative changes: hey, what account got accessed and then got elevated, that shouldn't happen. You can access it through there. Your standard API methods are gonna be accessible to any user; they're
designed for user interaction, so viewing messages, sending messages, uploading files, downloading files. As I said, they're going to be less comprehensive, so it doesn't really allow for checking good logging; it's not a great method. So we had to learn our source and call the API. One thing we noticed is that the audit log API uses a bearer token to pass things; that means that the token actually has to be passed as a header value, which I'll get to here in just a minute. The token can be a little problematic to set up, so just as some points: make sure that you read the documentation that Slack's got online, and it's got some good documentation; set aside a whole bunch of
extra time to work on it; and be prepared to contact Slack, I mean have their email address already ready for support, because there's a really good chance you're gonna have to reach out to them about the token. It may not generate the first time, or the first five times you do it. Just know you may have to contact them; they may have to give you some extra tips. Copy and paste is your friend, and I know that seems dumb, but you may write, for example, user_logout, very basic, you can't really mess that up when you type it, but you're gonna type it in, you're gonna hit send and it's not gonna work, but if you copy it straight off
their web page or copy it out of Notepad it works just fine. We haven't figured out why; this is something we noticed. I've spoken with other people, they've seen it too. Four of us tried it in multiple different browsers, multiple different compilers, didn't matter; we just can't tell you why exactly that works. So, calling the API: this is where I was talking about the bearer token. You're gonna have proxies, if you have any on your network. You're gonna be calling directly to api.slack.com. If you notice, in Carrie's script you're actually calling into organization.slack.com, or whatever your workspace is called; you're hitting the API directly for all the audit log information. We're gonna normally be
passing it as application/json, and then we're gonna pass it the action: is this a login, is this a file download, is this a logout event. We have to pass it what event we're wanting to look at. When we do this we have a 9999 limit, which is the default for Slack, but you can actually set it lower if you're looking for very specific information, and it has some other options you can pass, like I only want stuff within the last seven days. But if you notice, we go down here, we have a header token, and that's actually the bearer token; that's where I've made a function that just passes my
bearer token into that variable, and I actually have to pass it as a headers item; if I don't, it's not going to return anything. This was consistent not only here in Python but also in our PowerShell. We went through and recreated this with PowerShell just because some people don't like Python, some people like PowerShell; I'll give it to you in both. So here, if you notice, I've got a headers item, or a headers variable, and I actually add that token as an extra item. I can't just shove everything into it, it didn't want to return that, but added as a separate item, when we run it through here with -Headers headers, it works just fine.
And as you can see just from the PowerShell, you'll see the results down here: we get a 200 back and then we start getting the JSON format out of the content. We get that with the Python also, but it's gonna be piped into a variable. So if we take this information either from PowerShell or Python and pipe it into a simple text document or JSON document, you'll see the exact same type of output we're looking at with Carrie's script, and you're gonna see this too broken down into the actor, the entity, the context; all of it breaks down. You also have your user agent at the bottom, and a lot of times you're gonna have to log in on key
so for login/logout you're gonna see that external IP where they connected from; that can be a good indicator. So once we have the data we had to figure out what to do with it. What are we gonna do? Slack generally uses a structured database, so of course most people think SQL is the way to go, but it's not. Every now and then Slack will go through and they're like, hey, we didn't include this item that's really important for logging, so we're gonna add it to the structure. That's great, unless you're using a structured database; then you have to go rebuild the tables and add a new column. So we went with Kibana. What are we gonna do with our
results? We're gonna pipe it into Kibana and we're gonna look at it; we're gonna use Elasticsearch. So we took our Elasticsearch and our Kibana, and if you can see here, you can see a real quick pattern that we could review: okay, you know, the weeks are busier. We're happening to key off of file downloads for this specific instance because we're looking for identifiers. So if we're wanting to really quickly see who our top talkers are, who downloads the most files, we could very quickly in Kibana switch over to a visualization tab and say give me all the information on the count of the users. So here you can actually see the user ID, which we'll get
to here in a second, as well as a count of how many files each person downloaded. So when we're looking at it, the user ID was our key item. Well, you have to figure out what can we key off of that doesn't change; the user ID field happened to be it. And as you can see in some of our testing here, we have this user ID up here that ends in DS8, and they downloaded 741 files in 30 minutes. Most users aren't going to be that fast, ever. So we went down; we have some information, I want to know what the username is associated with this ID, because I don't know who it is. So I said
let's take a look at that in Ulsan it's Kerry Roberts and its compliance experts and it's Tony hamburgers metric script please ignore and not Kerry Roberts so we knew it was Kerry if she changes her email if the user changes their email their ID world or their username I'm sorry we're gonna notice based off that ID so a clever adversary might go in here and name something compliance exports because that's a bot you would expect it to be a body but it's not it's an actual user ID so that's why we can look at all of the data we've seen if we see it up tick all of sudden who had this ID six months ago because that's
probably gonna be the actual user so we decided we wanted to build some custom alerting with ours before we go up tight to get into a seam let's make sure that we're triggering on the right information so we actually went in here and built with Python a very simple custom learning module we looked for what we looked up the data to start off with and said hey what can we see that we know for a fact is a flat-out false positive let's not looking to do that then we went through and said okay how can we start tuning this to see only true positives for more true positives so we've built a basic alerting rule
Then we built a basic email system, and all it does is say, hey, when the alert triggers, email me something. And I made it extremely simple. All I wanted to do was see what was coming in and get the alerts; that way we can act on them and move. So I literally only get the ID and how many files there are. That's it. It doesn't have to be fancy; it just has to be functional. Once I do that, I can pop it into my Kibana workspace. Simple thing: pop in the user ID, narrow down the time field. What do I have? I have Kerry Roberts downloading a thousand files. So I know that somebody ran a script with Kerry Roberts' ID and just pulled down a thousand files. It was a very quick, easy thing to do, if you do it every five minutes if you wanted, or even you're
So, automation. When you're going through, I've been talking about the different types of APIs and primarily focused on the audit log API. When you build an audit log API token, you actually agree with Slack that you will not hard-code this token anywhere, which is one thing we have to do. We could not put it in our straight-up scripts, you can't work, so we have to keep that in mind. We also have to keep in mind that we're gonna have to regularly, as a blue team, rotate these tokens, because these tokens can scrape from any single channel, all user information. We can collect significantly more information, so you have to keep them safe. One way is treat it like a password: rotate it.
So automate what we can; that seems like a no-brainer. We automated everything we could. We automated the script to go out and call the APIs, we automated putting it into the databases, and then we automated the alerting system. Then that allowed us to look at the very quick and very messy, sometimes, alerts we were getting, eliminate false positives. I mean, some of you could see, like, why are there 20,000 downloads? Oh, I see why there are 20,000 downloads; that's normal.
So we did have some hurdles with this whole process. Not all the API logs are called. When I said that we were focused more on the file downloads, that's because the message downloads weren't logged. So there are some APIs that aren't logged. They could be called, too; we can't detect it. Slack's already aware of this and has been working on this, but like Esther and I said, we can't speak on behalf of anybody. All we can tell you is the limited knowledge we have.
So optimize your data from the start. When you're building a database, a large database, as anybody can tell you, it's gonna start being harder and harder to query.
Break it up. Break it up into chunks. If you're using Elasticsearch or Kibana, break up your indexes, so it doesn't take so much CPU to start scraping through and you don't wind up doing like I did at least once or twice: killing your whole database and rebuilding all your structures.
DLP, data loss prevention: make sure you're monitoring for the loss of tokens or d cookies. Those leaving your network when they're not being called is pretty significant. If you're seeing some of these API calls being used with a user token from inside your environment, that's probably not a good thing, because general users won't be using these methods just inside your environment.
So, log discrepancies. We noticed this, and we looked at this multiple times, ran multiple different scripts to get it in different formats so we could look at it. There are 25 times more logouts than logins. That kind of threw us for a loop. So some of the logs do have discrepancies. When you're looking at it, well, I should have one login for every logout; that may not be true. So if you're seeing a large variance, get with somebody else, have them see if they're seeing the same thing. It may not just be your data; it may be across the board.
Then our API rate limits. The limits are documented very well on Slack's website. They list, well, this type of API can only call this many per minute at this point; it breaks down really nice. But we run into things like the audit log API: well, you can query it X number of times, but when we're actually implementing it and using it, in reality we're not getting that many; we're getting half that many. So the larger data set we're having to pull, for example, like logouts, 25 times more, after you free that 25 times more data pull down, that we had to put in a time limit. So basically we have to put an 8 second pause between every single query on the API just to get that information to come back to us. Otherwise we were running into timeouts for "you've queried too many times".
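
[Added example, not part of the talk and not the speakers' code.] A sketch of the file-download alerting rule described in the talk: count downloads per user ID in a sliding 30-minute window, key on the ID rather than the display name, and report every name that ID has used. The entry shape (`date_create`, `action`, `actor.user.id`, `actor.user.name`, `context`) and the action names are assumptions about the audit log JSON; the threshold and all sample entries are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 30 * 60  # assumed window, matching the "30 minutes" in the talk
THRESHOLD = 5             # assumed value; tune against your own baseline


def download_alerts(entries, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {user_id: {"peak": n, "names": [...]}} for every user ID whose
    file downloads exceed `threshold` inside any sliding window."""
    recent = defaultdict(deque)  # user ID -> download timestamps still in window
    peak = defaultdict(int)      # user ID -> highest in-window count seen
    names = defaultdict(set)     # user ID -> every display name it appeared under
    for e in sorted(entries, key=lambda e: e["date_create"]):
        user = e["actor"]["user"]
        names[user["id"]].add(user["name"])  # names can change, the ID does not
        if e["action"] != "file_downloaded":
            continue
        q = recent[user["id"]]
        q.append(e["date_create"])
        while q[0] <= e["date_create"] - window:  # drop events older than window
            q.popleft()
        peak[user["id"]] = max(peak[user["id"]], len(q))
    return {uid: {"peak": n, "names": sorted(names[uid])}
            for uid, n in peak.items() if n > threshold}


def _entry(ts, uid, name, action="file_downloaded"):
    # Constructed sample record; IP is from a documentation range.
    return {"date_create": ts, "action": action,
            "actor": {"type": "user", "user": {"id": uid, "name": name}},
            "context": {"ip_address": "203.0.113.7", "ua": "python-requests"}}


T0 = 1_700_000_000  # constructed base timestamp (epoch seconds)
SAMPLE = (
    # One ID pulls 8 files in 8 minutes and renames itself halfway through.
    [_entry(T0 + 60 * i, "UEXAMPLE1", "user.one") for i in range(4)]
    + [_entry(T0 + 60 * i, "UEXAMPLE1", "compliance exports") for i in range(4, 8)]
    # A normal user: 3 downloads spread over 2 hours, plus a login event.
    + [_entry(T0 + 3600 * i, "UEXAMPLE2", "user.two") for i in range(3)]
    + [_entry(T0, "UEXAMPLE2", "user.two", action="user_login")]
)

if __name__ == "__main__":
    for uid, hit in download_alerts(SAMPLE).items():
        print(f"ALERT {uid}: {hit['peak']} downloads in window, names: {hit['names']}")
```
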
So that kind of wraps up the detection side of it. Do you guys have any questions?
What's the most interesting thing you found in a Slack where they had a policy against putting sensitive data into Slack?
From the red side or from the blue side?
Yes.
From the blue side, we've seen everything from tokens, credentials, direct server IPs, internal links, external links, information for external services