Feature List
Marco Lancini edited this page May 4, 2017 · 42 revisions
Area | What | Command | Description | Auto-Issue Detection |
---|---|---|---|---|
[CORE] | CLI interface | `python needle.py` | | |
[CORE] | Use resource file | `python -r <path to file>` | Executes commands from a resource file | |
[CORE] | Session manager | SSH, USB over SSH | | |
[CORE] | Device auto-configuration | `set SETUP_DEVICE True` | On launch, Needle checks whether all the tools it needs are already on the device and installs any that are missing | |
[CORE] | Modular approach | `show modules`, `use <module_name>`, `show [options\source\info\globals]` | Show details of a particular module, once selected | |
[CORE] | Background jobs | `jobs`, `kill <num>` | List running jobs and kill them | |
[CORE] | Search | `search <query>` | Search available modules | |
[CORE] | Local command | `<cmd>` | Execute a command on the local workstation | |
[CORE] | Drop shell | `shell` | Drop a shell on the remote device | |
[CORE] | Do command | `exec_command <cmd>` | Execute a single command on the remote device | |
[CORE] | Push/pull | `<push\pull> <src> <dst>` | Push/pull files on the device | |
[BINARY] | Checksums | `use binary/info/checksums` | Compute different checksums of the application binary: MD5, SHA1, SHA224, SHA256, SHA384, SHA512 | |
[BINARY] | Compilation Checks | `use binary/info/compilation_checks` | Check for protections (PIE, ARC, stack canaries, binary encryption) | ✅ |
[BINARY] | App Metadata | `use binary/info/metadata` | Display the app's metadata (UUID, app name/version, bundle name/id, bundle/data/binary directory, binary path/name, entitlements, URL handlers, architectures, platform/SDK/OS version), ATS settings, app extensions | ✅ |
[BINARY] | Provisioning Profile | `use binary/info/provisioning_profile` | Inspect the provisioning profile of the application | |
[BINARY] | Universal Links | `use binary/info/universal_links` | Display an application's universal links. Can also determine whether apple-app-site-association is signed | |
[BINARY] | Install IPA | `use binary/installation/install` | Automatically upload and install an IPA on the device | |
[BINARY] | Pull IPA | `use binary/info/pull_ipa` | Decrypt and pull the application's IPA from the device | |
[BINARY] | Class Dump | `use binary/reversing/class_dump` | Dump the class interfaces | |
[BINARY] | Enumerate All Methods (Frida) | `use binary/reversing/class_dump_frida_enum-all-methods` | Enumerate all methods from all classes in the application | |
[BINARY] | Enumerate Classes (Frida) | `use binary/reversing/class_dump_frida_enum-classes` | Enumerate available classes | |
[BINARY] | Enumerate Methods (Frida) | `use binary/reversing/class_dump_frida_find-class-enum-methods` | Find the target class specified and enumerate its methods | |
[BINARY] | Shared Libraries | `use binary/reversing/shared_libraries` | List the shared libraries used by the application | |
[BINARY] | Strings | `use binary/reversing/strings` | Find strings in the (decrypted) application binary and resources, then try to extract URIs and ViewControllers | ✅ |
[COMMS] | Delete Installed Certificates | `use comms/certs/delete_ca` | Delete one (or more) certificates installed on device | |
[COMMS] | Export Installed Certificates | `use comms/certs/export_ca` | Export one (or more) certificates installed on device | |
[COMMS] | Import Installed Certificates | `use comms/certs/import_ca` | Import a certificate from a file in PEM format | |
[COMMS] | Install Burp Proxy CA Certificate | `use comms/certs/install_ca_burp` | Install the CA Certificate of Burp on the device | |
[COMMS] | Install MitmProxy CA Certificate | `use comms/certs/install_ca_mitm` | Install the CA Certificate of MitmProxy on the device | |
[COMMS] | List Installed Certificates | `use comms/certs/list_ca` | List the certificates installed on device | |
[COMMS] | View Server Certificate | `use comms/certs/view_cert` | View details of TLS certificate presented by a specified site | |
[COMMS] | TLS Pinning Bypass (Frida) | `comms/proxy/pinning_bypass_frida` | Disable TLS Certificate Pinning for the target application | |
[COMMS] | Intercepting Proxy | `use comms/proxy/proxy_regular` | Intercept the traffic generated by the device | |
[DEVICE] | Agent Client | `use device/agent_client` | Send commands to the Needle Agent on the device | |
[DEVICE] | Clean Storage | `use device/clean_storage` | Clean device storage of leftover artefacts from other tools (e.g., Frida) | |
[DEVICE] | Dependency Installer | `use device/dependency_installer` | Automatically checks whether all the dependencies needed are already present on the device and installs any that are missing | |
[DEVICE] | Hosts File | `use device/hosts` | Show the content of the device's /etc/hosts file, and offer the chance to edit it | |
[DEVICE] | List Installed Applications | `use device/list_apps` | Provide a list of the bundle IDs of all the apps installed on the device | |
[DYNAMIC] | Jailbreak Detection | `use dynamic/detection/jailbreak_detection` | Verify that the app cannot be run on a jailbroken device | ✅ |
[DYNAMIC] | Frida Jailbreak Detection Bypass | `use dynamic/detection/script_jailbreak-detection-bypass` | Hooks native function calls to hide common jailbreak packages and binaries. Also hooks ObjC jailbreak detection classes | |
[DYNAMIC] | URI Handler | `use dynamic/ipc/open_uri` | Test IPC attacks by launching URI Handlers | |
[DYNAMIC] | Heap Dump | `use dynamic/memory/heap_dump` | Dump memory regions of the app and look for strings | ✅ |
[DYNAMIC] | Monitor File changes | `use dynamic/monitor/files` | Monitor the app data folder and keep track of modified files | |
[DYNAMIC] | Monitor OS Pasteboard | `use dynamic/monitor/pasteboard` | Monitor the OS Pasteboard and dump its content | ✅ |
[DYNAMIC] | Syslog Monitor | `use dynamic/monitor/syslog` | Monitor the syslog in background and dump its content | ✅ |
[DYNAMIC] | Syslog Watch | `use dynamic/watch/syslog` | Watch the syslog in realtime | ✅ |
[HOOKING] | Cycript shell | `use hooking/cycript/cycript_shell` | Spawn a Cycript shell attached to the target app | |
[HOOKING] | Cycript TouchID | `use hooking/cycript/cycript_touchid` | Circumvent Touch ID when implemented using LocalAuthentication framework | |
[HOOKING] | Frida launcher | `use hooking/frida/frida_launcher` | Run Frida scripts (JS payloads) | |
[HOOKING] | Frida shell | `use hooking/frida/frida_shell` | Spawn a Frida shell attached to the target app | |
[HOOKING] | Frida trace | `use hooking/frida/frida_trace` | Trace the specified functions using frida-trace | |
[HOOKING] | Anti Hooking Check | `use hooking/frida/script_anti-hooking-check` | Display an Alert in the target application. Can be used as simple proof that there are no anti-hooking checks in place | |
[HOOKING] | Dump UI | `use hooking/frida/script_dump-ui` | Print the view hierarchy | |
[HOOKING] | Frida Touch Id Bypass | `use hooking/frida/script_touch-id-bypass` | Bypasses Touch ID authentication using Frida instead. Can be used on devices that do not support Cycript | |
[HOOKING] | List Tweaks | `use hooking/theos/list_tweaks` | List all the Tweaks installed using Needle | |
[HOOKING] | Theos Tweak | `use hooking/theos/theos_tweak` | Automate management of THEOS Tweaks | |
[MDM] | MDM Effective User Settings | `use mdm/effective_user_settings` | Extract and compare the configuration of the device against a supplied configuration file, and present a summary of any conflicts found between the two configurations along with recommended changes | |
[STATIC] | Code Checks | `use static/code_checks` | Static analysis of the app's source code. Aims to find usage of potentially insecure functions. Can be applied to a whole folder or, if SECONDARY_FOLDER is specified, only to the diffs computed between the 2 versions of the same codebase. | ✅ |
[STORAGE] | iCloud Content (Frida) | `use storage/backup/icloud_content_frida` | List files within the "Documents" directory not excluded from iCloud Backups | ✅ |
[STORAGE] | Keyboard Autocomplete Caching | `use storage/caching/keyboard_autocomplete` | Dump the content of the keyboard's autocomplete databases in order to help identify if sensitive information input into the application could be cached | ✅ |
[STORAGE] | Screenshot Caching | `use storage/caching/screenshot` | Test if a screenshot of the application's main window is cached when the application's process is moved to the background | ✅ |
[STORAGE] | Application Container | `use storage/data/container` | Print and clone the Bundle and Data folder of the target application | |
[STORAGE] | Binary Cookies Files | `use storage/data/files_binarycookies` | List Binary Cookies files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with BinaryCookieReader | ✅ |
[STORAGE] | Cache.db Files | `use storage/data/files_cachedb` | List Cache.db files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with SQLite3 | ✅ |
[STORAGE] | Plist Files | `use storage/data/files_plist` | List plist files contained in the app folders, along with their Data Protection Class. Also offers the chance to inspect them with Plutil | ✅ |
[STORAGE] | SQL Files | `use storage/data/files_sql` | List SQL files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with SQLite3 | ✅ |
[STORAGE] | Dump Keychain | `use storage/data/keychain_dump` | Dump the keychain | ✅ |
[STORAGE] | Dump Keychain (Frida) | `use storage/data/keychain_dump_frida` | Retrieve all the keychain items belonging to the target application | ✅ |