This repository was archived by the owner on May 9, 2025. It is now read-only.

Feature List

Marco Lancini edited this page Oct 25, 2016 · 42 revisions
| Area | What | Command | Description | Demo |
| --- | --- | --- | --- | --- |
| [CORE] | CLI interface | python needle.py | | |
| [CORE] | Use resource file | python -r <path to file> | Executes commands from a resource file | |
| [CORE] | Session manager | | SSH, USB over SSH | |
| [CORE] | Device auto-configuration | set SETUP_DEVICE True | On launch, Needle checks whether all the tools it needs are already on the device; otherwise it installs them | |
| [CORE] | Modular approach | show modules, use <module_name>, show [options\source\info\globals] | Show details of a particular module, once selected | |
| [CORE] | Background jobs | jobs, kill <num> | List running jobs and kill them | |
| [CORE] | Search | search <query> | Search available modules | |
| [CORE] | Local command | <cmd> | Execute a command on the local workstation | |
| [CORE] | Drop shell | shell | Drop a shell on the remote device | |
| [CORE] | Do command | exec_command <cmd> | Execute a single command on the remote device | |
| [CORE] | Push/pull | <push\pull> <src> <dst> | Push/pull files on the device | |
| [BINARY] | Class Dump | use binary/class_dump | Dump the class interfaces | |
| [BINARY] | Compilation Checks | use binary/compilation_checks | Check for protections (PIE, ARC, stack canaries, binary encryption) | |
| [BINARY] | Install IPA | use binary/install | Automatically upload and install an IPA on the device | |
| [BINARY] | App Metadata | use binary/metadata | Display the app's metadata (UUID, app name/version, bundle name/id, bundle/data/binary directory, binary path/name, entitlements, URL handlers, architectures, platform/sdk/os version), ATS settings, app extensions | |
| [BINARY] | Pull IPA | use binary/pull_ipa | Decrypt and pull the application's IPA from the device | |
| [BINARY] | Shared Libraries | use binary/shared_libraries | List the shared libraries used by the application | |
| [BINARY] | Strings | use binary/strings | Find strings in the (decrypted) application binary, then try to extract URIs and ViewControllers | |
| [BINARY] | Universal Links | use binary/universal_links | Display an application's universal links. Can also determine whether apple-app-site-association is signed | |
| [COMMS] | Delete Installed Certificates | use comms/certs/delete_ca | Delete one (or more) certificates installed on device | |
| [COMMS] | Export Installed Certificates | use comms/certs/export_ca | Export one (or more) certificates installed on device | |
| [COMMS] | Import Installed Certificates | use comms/certs/import_ca | Import a certificate from a file in PEM format | |
| [COMMS] | Install Burp Proxy CA Certificate | use comms/certs/install_ca_burp | Install the CA Certificate of Burp on the device | |
| [COMMS] | Install MitmProxy CA Certificate | use comms/certs/install_ca_mitm | Install the CA Certificate of MitmProxy on the device | |
| [COMMS] | List Installed Certificates | use comms/certs/list_ca | List the certificates installed on device | |
| [COMMS] | Intercepting Proxy | use comms/proxy/proxy_regular | Intercept the traffic generated by the device | |
| [DYNAMIC] | Jailbreak Detection | use dynamic/detection/jailbreak_detection | Verify that the app cannot be run on a jailbroken device | |
| [DYNAMIC] | URI Handler | use dynamic/ipc/open_uri | Test IPC attacks by launching URI Handlers | |
| [DYNAMIC] | Heap Dump | use dynamic/memory/heap_dump | Dump memory regions of the app and look for strings | |
| [DYNAMIC] | Monitor File changes | use dynamic/monitor/files | Monitor the app data folder and keep track of modified files | |
| [DYNAMIC] | Monitor OS Pasteboard | use dynamic/monitor/pasteboard | Monitor the OS Pasteboard and dump its content | |
| [DYNAMIC] | Syslog Monitor | use dynamic/monitor/syslog | Monitor the syslog in background and dump its content | |
| [DYNAMIC] | Syslog Watch | use dynamic/watch/syslog | Watch the syslog in realtime | |
| [HOOKING] | Cycript shell | use hooking/cycript/cycript_shell | Spawn a Cycript shell attached to the target app | |
| [HOOKING] | Cycript TouchID | use hooking/cycript/cycript_touchid | Circumvent Touch ID when implemented using LocalAuthentication framework | |
| [HOOKING] | Frida launcher | use hooking/frida/frida_launcher | Run Frida scripts (JS payloads) | |
| [HOOKING] | Frida shell | use hooking/frida/frida_shell | Spawn a Frida shell attached to the target app | |
| [HOOKING] | Frida trace | use hooking/frida/frida_trace | Trace the specified functions using frida-trace | |
| [HOOKING] | Dump UI | use hooking/frida/script_dump-ui | Print the view hierarchy | |
| [HOOKING] | Enumerate All Methods | use hooking/frida/script_enum-all-methods | Enumerate all methods from all classes in the application | |
| [HOOKING] | Enumerate Classes | use hooking/frida/script_enum-classes | Enumerate available classes | |
| [HOOKING] | Enumerate Methods | use hooking/frida/script_find-class-enum-methods | Find the target class specified and enumerate its methods | |
| [STATIC] | Code Checks | use static/code_checks | Static analysis of the app's source code. Aims to find usage of potentially insecure functions. Can be applied to a whole folder or, if SECONDARY_FOLDER is specified, only to the diffs computed between the 2 versions of the same codebase. | |
| [STORAGE] | Keyboard Autocomplete Caching | use storage/caching/keyboard_autocomplete | Dump the content of the keyboard's autocomplete databases in order to help identify if sensitive information input into the application could be cached | |
| [STORAGE] | Screenshot Caching | use storage/caching/screenshot | Test if a screenshot of the application's main window is cached when the application's process is moved to the background | |
| [STORAGE] | Binary Cookies Files | use storage/data/files_binarycookies | List Binary Cookies files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with BinaryCookieReader | |
| [STORAGE] | Cache.db Files | use storage/data/files_cachedb | List Cache.db files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with SQLite3 | |
| [STORAGE] | Plist Files | use storage/data/files_plist | List plist files contained in the app folders, along with their Data Protection Class. Also offers the chance to inspect them with Plutil | |
| [STORAGE] | SQL Files | use storage/data/files_sql | List SQL files contained in the app folders, along with their Data Protection Class. Also offers the chance to pull and inspect them with SQLite3 | |
| [STORAGE] | Dump Keychain | use storage/data/keychain_dump | Dump the keychain | |
| [VARIOUS] | Clean Storage | use various/clean_storage | Clean device storage of leftover artefacts from other tools (e.g., Frida) | |
| [VARIOUS] | Hosts File | use various/hosts | Show the content of the device's /etc/hosts file, and offer the chance to edit it | |
| [VARIOUS] | List Installed Applications | use various/list_apps | Provide a list of the bundle IDs of all the apps installed on the device | |