Skip to content

Feature List

Marco Lancini edited this page Feb 1, 2017 · 42 revisions
Area What Command Description Demo
[CORE] CLI interface python needle.py
[CORE] Use resource file python -r <path to file> Executes commands from a resource file
[CORE] Session manager SSH, USB over SSH
[CORE] Device auto-configuration set SETUP_DEVICE True On launch, Needle checks if all the tools needed are already on the device, otherwise it will install them
[CORE] Modular approach show modules, use <module_name>, show [options\source\info\globals] Show details of a particular module, once selected
[CORE] Background jobs jobs, kill <num> List running jobs and kill them
[CORE] Search search <query> Search available modules
[CORE] Local command <cmd> Execute a command on the local workstation
[CORE] Drop shell shell Drop a shell on the remote device
[CORE] Do command exec_command <cmd> Execute a single command on the remote device
[CORE] Push/pull <push\pull> <src> <dst> Push/pull files on the device
[BINARY] Checksums use binary/checksums Compute different checksums of the application binary: MD5, SHA1, SHA224, SHA256, SHA384, SHA512
[BINARY] Class Dump use binary/class_dump Dump the class interfaces
[BINARY] Compilation Checks use binary/compilation_checks Check for protections (PIE, ARC, stack canaries, binary encryption)
[BINARY] Install IPA use binary/install Automatically upload and install an IPA on the device
[BINARY] App Metadata use binary/metadata Display the app's metadata (UUID, app name/version, bundle name/id, bundle/data/binary directory, binary path/name, entitlements, url handlers, architectures, platform/sdk/os version), ATS settings, app extensions
[BINARY] Provisioning Profile use binary/provisioning_profile Inspect the provisioning profile of the application
[BINARY] Pull IPA use binary/pull_ipa Decrypt and pull the application's IPA from the device
[BINARY] Shared Libraries use binary/shared_libraries List the shared libraries used by the application
[BINARY] Strings use binary/strings Find strings in the (decrypted) application binary and resources, then try to extract URIs and ViewControllers
[BINARY] Universal Links use binary/universal_links Display an applications universal links. Can also determine if apple-app-site-association is signed or not
[COMMS] Delete Installed Certificates use comms/certs/delete_ca Delete one (or more) certificates installed on device
[COMMS] Export Installed Certificates use comms/certs/export_ca Export one (or more) certificates installed on device
[COMMS] Import Installed Certificates use comms/certs/import_ca Import a certificate from a file in PEM format
[COMMS] Install Burp Proxy CA Certificate use comms/certs/install_ca_burp Install the CA Certificate of Burp on the device
[COMMS] Install MitmProxy CA Certificate use comms/certs/install_ca_mitm Install the CA Certificate of MitmProxy on the device
[COMMS] List Installed Certificates use comms/certs/list_ca List the certificates installed on device
[COMMS] View Server Certificate use comms/certs/view_cert View details of TLS certificate presented by a specified site
[COMMS] Intercepting Proxy use comms/proxy/proxy_regular Intercept the traffic generated by the device
[DYNAMIC] Jailbreak Detection use dynamic/detection/jailbreak_detection Verify that the app cannot be run on a jailbroken device
[DYNAMIC] URI Handler use dynamic/ipc/open_uri Test IPC attacks by launching URI Handlers
[DYNAMIC] Heap Dump use dynamic/memory/heap_dump Dump memory regions of the app and look for strings
[DYNAMIC] Monitor File changes use dynamic/monitor/files Monitor the app data folder and keep track of modified files
[DYNAMIC] Monitor OS Pasteboard use dynamic/monitor/pasteboard Monitor the OS Pasteboard and dump its content
[DYNAMIC] Syslog Monitor use dynamic/monitor/syslog Monitor the syslog in background and dump its content
[DYNAMIC] Syslog Watch use dynamic/watch/syslog Watch the syslog in realtime
[HOOKING] Cycript shell use hooking/cycript/cycript_shell Spawn a Cycript shell attached to the target app
[HOOKING] Cycript TouchID use hooking/cycript/cycript_touchid Circumvent Touch ID when implemented using LocalAuthentication framework
[HOOKING] Frida launcher use hooking/frida/frida_launcher Run Frida scripts (JS payloads)
[HOOKING] Frida shell use hooking/frida/frida_shell Spawn a Frida shell attached to the target app
[HOOKING] Frida trace use hooking/frida/frida_trace Trace the specified functions using frida-trace
[HOOKING] Anti Hooking Check use hooking/frida/script_anti-hooking-check Display an Alert in the target application. Can be used as simple proof that there are no anti-hooking checks in place
[HOOKING] iCloud Backups use hooking/frida/script_documents-backup-attr List files within the "Documents" directory not excluded from iCloud Backups
[HOOKING] Keychain Dumper use hooking/frida/script_dump-keychain Retrieve all the keychain items belonging to the target application
[HOOKING] Dump UI use hooking/frida/script_dump-ui Print the view hierarchy
[HOOKING] Enumerate All Methods use hooking/frida/script_enum-all-methods Enumerate all methods from all classes in the application
[HOOKING] Enumerate Classes use hooking/frida/script_enum-classes Enumerate available classes
[HOOKING] Enumerate Methods use hooking/frida/script_find-class-enum-methods Find the target class specified and enumerate its methods
[HOOKING] TLS Pinning Bypass hooking/frida/script_pinning_bypass Disable TLS Certificate Pinning for the target application
[HOOKING] List Tweaks use hooking/theos/list_tweaks List all the Tweaks installed using Needle
[HOOKING] Theos Tweak use hooking/theos/theos_tweak Automate management of THEOS Tweaks
[STATIC] Code Checks use static/code_checks Static analysis of the apps's source code. Aims to find usage of potentially insecure functions. Can be applied to a whole folder or, if SECONDARY_FOLDER is specified, only to the diffs computed among the 2 versions of the same codebase.
[STORAGE] Keyboard Autocomplete Caching use storage/caching/keyboard_autocomplete Dump the content of the keyboard's autocomplete databases in order to help identify if sensitive information input into the application could be cached
[STORAGE] Screenshot Caching use storage/caching/screenshot Test if a screenshot of the application's main window is cached when the application's process is moved to the background
[STORAGE] Application Container use storage/data/container Print and clone the Bundle and Data folder of the target application
[STORAGE] Binary Cookies Files use storage/data/files_binarycookies List Binary Cookies files contained in the app folders, alongside with their Data Protection Class. Plus, offers the chance to pull and inspect them with BinaryCookieReader
[STORAGE] Cache.db Files use storage/data/files_cachedb List Cache.db files contained in the app folders, alongside with their Data Protection Class. Plus, offers the chance to pull and inspect them with SQLite3
[STORAGE] Plist Files use storage/data/files_plist List plist files contained in the app folders, alongside with their Data Protection Class. Plus, offers the chance to inspect them with Plutil
[STORAGE] SQL Files use storage/data/files_sql List SQL files contained in the app folders, alongside with their Data Protection Class. Plus, offers the chance to pull and inspect them with SQLite3
[STORAGE] Dump Keychain use storage/data/keychain_dump Dump the keychain
[VARIOUS] Clean Storage use various/clean_storage Clean device storage from leftovers artefacts of other tools (e.g., Frida)
[VARIOUS] Hosts File use various/hosts Show the content of the device's /etc/hosts file, and offer the chance to edit it
[VARIOUS] List Installed Applications use various/list_apps Provide a list of the bundle IDs of all the apps installed on the device