Feature List

Marco Lancini edited this page Mar 29, 2017 · 42 revisions
| Area | What | Command | Description |
|---|---|---|---|
| CORE | CLI interface | `python needle.py` | |
| CORE | Use resource file | `python -r <path to file>` | Executes commands from a resource file |
| CORE | Session manager | SSH, USB over SSH | |
| CORE | Device auto-configuration | `set SETUP_DEVICE True` | On launch, Needle checks whether all the tools it needs are already on the device and installs any that are missing |
| CORE | Modular approach | `show modules`, `use <module_name>`, `show [options\|source\|info\|globals]` | Show details of a particular module once it has been selected |
| CORE | Background jobs | `jobs`, `kill <num>` | List running jobs and kill them |
| CORE | Search | `search <query>` | Search available modules |
| CORE | Local command | `<cmd>` | Execute a command on the local workstation |
| CORE | Drop shell | `shell` | Drop a shell on the remote device |
| CORE | Do command | `exec_command <cmd>` | Execute a single command on the remote device |
| CORE | Push/pull | `<push\|pull> <src> <dst>` | Push/pull files to/from the device |
| BINARY | Checksums | `use binary/info/checksums` | Compute different checksums of the application binary: MD5, SHA1, SHA224, SHA256, SHA384, SHA512 |
| BINARY | Compilation Checks | `use binary/info/compilation_checks` | Check for protections (PIE, ARC, stack canaries, binary encryption) |
| BINARY | App Metadata | `use binary/info/metadata` | Display the app's metadata (UUID, app name/version, bundle name/id, bundle/data/binary directory, binary path/name, entitlements, URL handlers, architectures, platform/SDK/OS version), ATS settings, app extensions |
| BINARY | Provisioning Profile | `use binary/info/provisioning_profile` | Inspect the provisioning profile of the application |
| BINARY | Universal Links | `use binary/info/universal_links` | Display an application's universal links. Can also determine whether the apple-app-site-association file is signed or not |
| BINARY | Install IPA | `use binary/installation/install` | Automatically upload and install an IPA on the device |
| BINARY | Pull IPA | `use binary/info/pull_ipa` | Decrypt and pull the application's IPA from the device |
| BINARY | Class Dump | `use binary/reversing/class_dump` | Dump the class interfaces |
| BINARY | Enumerate All Methods (Frida) | `use binary/reversing/class_dump_frida_enum-all-methods` | Enumerate all methods from all classes in the application |
| BINARY | Enumerate Classes (Frida) | `use binary/reversing/class_dump_frida_enum-classes` | Enumerate available classes |
| BINARY | Enumerate Methods (Frida) | `use binary/reversing/class_dump_frida_find-class-enum-methods` | Find the specified target class and enumerate its methods |
| BINARY | Shared Libraries | `use binary/reversing/shared_libraries` | List the shared libraries used by the application |
| BINARY | Strings | `use binary/reversing/strings` | Find strings in the (decrypted) application binary and resources, then try to extract URIs and ViewControllers |
| COMMS | Delete Installed Certificates | `use comms/certs/delete_ca` | Delete one (or more) certificates installed on the device |
| COMMS | Export Installed Certificates | `use comms/certs/export_ca` | Export one (or more) certificates installed on the device |
| COMMS | Import Installed Certificates | `use comms/certs/import_ca` | Import a certificate from a file in PEM format |
| COMMS | Install Burp Proxy CA Certificate | `use comms/certs/install_ca_burp` | Install the Burp CA certificate on the device |
| COMMS | Install MitmProxy CA Certificate | `use comms/certs/install_ca_mitm` | Install the MitmProxy CA certificate on the device |
| COMMS | List Installed Certificates | `use comms/certs/list_ca` | List the certificates installed on the device |
| COMMS | View Server Certificate | `use comms/certs/view_cert` | View details of the TLS certificate presented by a specified site |
| COMMS | TLS Pinning Bypass (Frida) | `use comms/proxy/pinning_bypass_frida` | Disable TLS certificate pinning for the target application |
| COMMS | Intercepting Proxy | `use comms/proxy/proxy_regular` | Intercept the traffic generated by the device |
| DEVICE | Agent Client | `use device/agent_client` | Send commands to the Needle Agent on the device |
| DEVICE | Clean Storage | `use device/clean_storage` | Clean the device storage of leftover artefacts from other tools (e.g., Frida) |
| DEVICE | Hosts File | `use device/hosts` | Show the content of the device's /etc/hosts file and offer the chance to edit it |
| DEVICE | List Installed Applications | `use device/list_apps` | Provide a list of the bundle IDs of all the apps installed on the device |
| DYNAMIC | Jailbreak Detection | `use dynamic/detection/jailbreak_detection` | Verify that the app cannot be run on a jailbroken device |
| DYNAMIC | Frida Jailbreak Detection Bypass | `use dynamic/detection/script_jailbreak-detection-bypass` | Hooks native function calls to hide common jailbreak packages and binaries. Also hooks ObjC jailbreak detection classes |
| DYNAMIC | URI Handler | `use dynamic/ipc/open_uri` | Test IPC attacks by launching URI handlers |
| DYNAMIC | Heap Dump | `use dynamic/memory/heap_dump` | Dump memory regions of the app and look for strings |
| DYNAMIC | Monitor File Changes | `use dynamic/monitor/files` | Monitor the app data folder and keep track of modified files |
| DYNAMIC | Monitor OS Pasteboard | `use dynamic/monitor/pasteboard` | Monitor the OS pasteboard and dump its content |
| DYNAMIC | Syslog Monitor | `use dynamic/monitor/syslog` | Monitor the syslog in the background and dump its content |
| DYNAMIC | Syslog Watch | `use dynamic/watch/syslog` | Watch the syslog in real time |
| HOOKING | Cycript Shell | `use hooking/cycript/cycript_shell` | Spawn a Cycript shell attached to the target app |
| HOOKING | Cycript TouchID | `use hooking/cycript/cycript_touchid` | Circumvent Touch ID when it is implemented using the LocalAuthentication framework |
| HOOKING | Frida Launcher | `use hooking/frida/frida_launcher` | Run Frida scripts (JS payloads) |
| HOOKING | Frida Shell | `use hooking/frida/frida_shell` | Spawn a Frida shell attached to the target app |
| HOOKING | Frida Trace | `use hooking/frida/frida_trace` | Trace the specified functions using frida-trace |
| HOOKING | Anti Hooking Check | `use hooking/frida/script_anti-hooking-check` | Display an alert in the target application. Can be used as simple proof that there are no anti-hooking checks in place |
| HOOKING | Dump UI | `use hooking/frida/script_dump-ui` | Print the view hierarchy |
| HOOKING | Frida Touch ID Bypass | `use hooking/frida/script_touch-id-bypass` | Bypasses Touch ID authentication using Frida instead of Cycript. Can be used on devices that do not support Cycript |
| HOOKING | List Tweaks | `use hooking/theos/list_tweaks` | List all the Tweaks installed using Needle |
| HOOKING | Theos Tweak | `use hooking/theos/theos_tweak` | Automate management of Theos Tweaks |
| STATIC | Code Checks | `use static/code_checks` | Static analysis of the app's source code, aimed at finding usage of potentially insecure functions. Can be applied to a whole folder or, if SECONDARY_FOLDER is specified, only to the diffs computed between the 2 versions of the same codebase |
| STORAGE | iCloud Content (Frida) | `use storage/backup/icloud_content_frida` | List files within the "Documents" directory that are not excluded from iCloud backups |
| STORAGE | Keyboard Autocomplete Caching | `use storage/caching/keyboard_autocomplete` | Dump the content of the keyboard's autocomplete databases to help identify whether sensitive information entered into the application could be cached |
| STORAGE | Screenshot Caching | `use storage/caching/screenshot` | Test whether a screenshot of the application's main window is cached when the application's process is moved to the background |
| STORAGE | Application Container | `use storage/data/container` | Print and clone the Bundle and Data folders of the target application |
| STORAGE | Binary Cookies Files | `use storage/data/files_binarycookies` | List Binary Cookies files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with BinaryCookieReader |
| STORAGE | Cache.db Files | `use storage/data/files_cachedb` | List Cache.db files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with SQLite3 |
| STORAGE | Plist Files | `use storage/data/files_plist` | List plist files contained in the app folders, along with their Data Protection Class. Also offers the chance to inspect them with plutil |
| STORAGE | SQL Files | `use storage/data/files_sql` | List SQL files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with SQLite3 |
| STORAGE | Dump Keychain | `use storage/data/keychain_dump` | Dump the keychain |
| STORAGE | Dump Keychain (Frida) | `use storage/data/keychain_dump_frida` | Retrieve all the keychain items belonging to the target application |