Search the Community
Showing results for tags 'eggshell'.
Brief Overview EggShell (formerly NeonEggShell) was a project I started in August of 2015. It is a remote control pentest tool written in python. After trying out Metasploits “Meterpreter”, I decided to create a better, native, secure, and easier tool with most, if not more commands for macOS And Jailbroken iOS Devices. This tool creates a bash payload what spawns a command line session with the target including extra functionality like downloading files, taking pictures, location tracking, and dozens of other commands. EggShell also has the functionality to handle and switch between multiple targets. Communication between server and target is encrypted with AES Encrypted Communication All data sent between the server and target are encrypted with 128 bit AES. This means files, pictures, and commands are encrypted end to end. The server and the payload each have a shared key that is used to encrypt the random AES key that is used for communication. The random AES key is generated each time the server script is started. Getting Started To use EggShell, you must have pycrypto and Python 2.7.x installed Install using git: (macOS/Linux) git clone https://github.com/neoneggplant/EggShell cd EggShell python eggshell.py Create And Run A Payload Using the menu, we can choose to create a bash payload, this is what will be run on the target machine. It is a 2 stage payload, it will connect to our eggshell server, download a shell script and tell our server what device it is, and then finally connect back one more time to download and execute the binary. Example: running the created payload on our target Back on our server, we can see we received a connection and an eggshell session has been started! macOS Commands ls : list contents of directory cd : change directories rm : delete file pwd : get current directory download : download file picture : take picture through iSight camera getpid : get process id openurl : open url through the default browser idletime : get the amount of time since the keyboard/cursor were touched getpaste : get pasteboard contents mic : record microphone brightness : adjust screen brightness exec : execute command persistence : attempts to connect back every 60 seconds rmpersistence : removes persistence iOS Commands sysinfo : get system information ls : list contents of directory cd : change directories rm : delete file pwd : get current directory download : download file frontcam : take picture through front camera backcam : take picture through back camera mic : record microphone getpid : get process id vibrate : make device vibrate alert : make alert show up on device say : make device speak locate : get device location respring : respring device setvol : set mediaplayer volume getvol : view mediaplayer volume isplaying : view mediaplayer info openurl : open url on device dial : dial number on device battery : get battery level listapps : list bundle identifiers open : open app persistence : installs LaunchDaemon – tries to connect every 30 seconds rmpersistence : uninstalls LaunchDaemon installpro : installs eggshellpro to device EggShellPro Commands (Cydia Substrate Extension) lock : simulate lock button press wake : wake device from sleeping state home : simulate home button press doublehome : simulate home button double press play : plays music pause : pause music next : next track prev : previous track getpasscode : log successfull passcode attempts unlock : unlock with passcode keylog : log keystrokes keylogclear : clear keylog data locationservice: turn on or off location services EggShell Pro EggShell Pro is a Cydia substrate library that takes advantage of the the system functions in iOS. With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is being able to log the passcode that the iPhone has used to be unlocked with. When interacting with an iOS Device, simply run “installpro” and the dylib file will upload to the device followed by a respring. Navigating/Downloading Files EggShell has a command line interface like feel to it. Using the unix like commands built into eggshell, we can print working directory (pwd), directory listing (ls), remove files (rm), and change directories (cd). Using these commands we can easily navigate the file system just like the command line. Using the download command we can download any file securely over our encrypted connection. In the example below, we go through a directory and download a pdf file on the target machine. Taking Pictures Taking a photo with the “picture” command on macOS will active the iSight camera and send the image data back to the server. To take a picture on iOS use the “frontcam” or “backcam” iOS Location Tracking Even With Location Services Off EggShellPro lets us send commands to toggle location services on or off. This means even if location services are off, we can turn them on, retrieve the location of the device, and then quickly turn location services off. We get location coordinates of the exact spot the device is currently in and also a convenient link to google maps. iOS Getting Passcode EggshellPro hooks into lock screen functions and logs any success the devices passcode in memory. When we run “getpasscode” we are sent back the passcode that was used last to unlock the device. macOS Hijacking Safari Facebook Sessions With the command getfacebook, there is a special function in eggshell that parses through binary cookies from safari. Due to safari binary cookies being unencrypted, we can easily leak the Facebook c_user and xs cookies and use it to login on another browser. macOS Persistence To achieve persistence, even without being root, the command “persistence” adds the payload to the crontab file. It attempts to re-connect every 60 seconds even after a reboot. To remove persistence, simply enter “rmpersistence” and it should remove itself from crontab. Recording Audio Using the “mic record” command, we can asynchronously record audio on both iOS and macOS. This means we can record through the mic while running other commands. When we are finished recording, simply run “mic stop”, this will stop the recording of audio and download the audio data. Handling Multiple Sessions With the built in feature “MultiServer”, we can listen for multiple connections. Below is an example with 2 connections on the same device, however this can be done with multiple devices. As we connect to targets, we can use “sessions” to list all the active sessions, “interact” to interact with a session, “close” session numbers, and “back” to go back to the multiserver console Payloads In Apps Payloads can easily be added inside of apps. Below is an example of using the “system()” function to call our payload, still in just one line! This method can be used on both macOS and jailbroken iOS Immediately after running the app, our payload is run and just as expected, we have a connection Safari Exploit + EggShell Soon after iOS security researcher Luca Todesco released his browser based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from safari. Below is my video demonstration featured on EverythingApplePro Original Video Thanks For Viewing firstname.lastname@example.org Download: EggShell-master.zip Source: http://lucasjackson.me/index.php/eggshell/