Active Members Fi8sVrs Posted August 22, 2017 Active Members Report Posted August 22, 2017 Brief Overview EggShell (formerly NeonEggShell) was a project I started in August of 2015. It is a remote control pentest tool written in python. After trying out Metasploits “Meterpreter”, I decided to create a better, native, secure, and easier tool with most, if not more commands for macOS And Jailbroken iOS Devices. This tool creates a bash payload what spawns a command line session with the target including extra functionality like downloading files, taking pictures, location tracking, and dozens of other commands. EggShell also has the functionality to handle and switch between multiple targets. Communication between server and target is encrypted with AES Encrypted Communication All data sent between the server and target are encrypted with 128 bit AES. This means files, pictures, and commands are encrypted end to end. The server and the payload each have a shared key that is used to encrypt the random AES key that is used for communication. The random AES key is generated each time the server script is started. Getting Started To use EggShell, you must have pycrypto and Python 2.7.x installed Install using git: (macOS/Linux) git clone https://github.com/neoneggplant/EggShell cd EggShell python eggshell.py Create And Run A Payload Using the menu, we can choose to create a bash payload, this is what will be run on the target machine. It is a 2 stage payload, it will connect to our eggshell server, download a shell script and tell our server what device it is, and then finally connect back one more time to download and execute the binary. Example: running the created payload on our target Back on our server, we can see we received a connection and an eggshell session has been started! macOS Commands ls : list contents of directorycd : change directoriesrm : delete filepwd : get current directorydownload : download filepicture : take picture through iSight cameragetpid : get process idopenurl : open url through the default browseridletime : get the amount of time since the keyboard/cursor were touchedgetpaste : get pasteboard contentsmic : record microphonebrightness : adjust screen brightnessexec : execute commandpersistence : attempts to connect back every 60 secondsrmpersistence : removes persistence iOS Commands sysinfo : get system informationls : list contents of directorycd : change directoriesrm : delete filepwd : get current directorydownload : download filefrontcam : take picture through front camerabackcam : take picture through back cameramic : record microphonegetpid : get process idvibrate : make device vibratealert : make alert show up on devicesay : make device speaklocate : get device locationrespring : respring devicesetvol : set mediaplayer volumegetvol : view mediaplayer volumeisplaying : view mediaplayer infoopenurl : open url on devicedial : dial number on devicebattery : get battery levellistapps : list bundle identifiersopen : open apppersistence : installs LaunchDaemon – tries to connect every 30 secondsrmpersistence : uninstalls LaunchDaemoninstallpro : installs eggshellpro to device EggShellPro Commands (Cydia Substrate Extension) lock : simulate lock button presswake : wake device from sleeping statehome : simulate home button pressdoublehome : simulate home button double pressplay : plays musicpause : pause musicnext : next trackprev : previous trackgetpasscode : log successfull passcode attemptsunlock : unlock with passcodekeylog : log keystrokeskeylogclear : clear keylog datalocationservice: turn on or off location services EggShell Pro EggShell Pro is a Cydia substrate library that takes advantage of the the system functions in iOS. With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is being able to log the passcode that the iPhone has used to be unlocked with. When interacting with an iOS Device, simply run “installpro” and the dylib file will upload to the device followed by a respring. Navigating/Downloading Files EggShell has a command line interface like feel to it. Using the unix like commands built into eggshell, we can print working directory (pwd), directory listing (ls), remove files (rm), and change directories (cd). Using these commands we can easily navigate the file system just like the command line. Using the download command we can download any file securely over our encrypted connection. In the example below, we go through a directory and download a pdf file on the target machine. Taking Pictures Taking a photo with the “picture” command on macOS will active the iSight camera and send the image data back to the server. To take a picture on iOS use the “frontcam” or “backcam” iOS Location Tracking Even With Location Services Off EggShellPro lets us send commands to toggle location services on or off. This means even if location services are off, we can turn them on, retrieve the location of the device, and then quickly turn location services off. We get location coordinates of the exact spot the device is currently in and also a convenient link to google maps. iOS Getting Passcode EggshellPro hooks into lock screen functions and logs any success the devices passcode in memory. When we run “getpasscode” we are sent back the passcode that was used last to unlock the device. macOS Hijacking Safari Facebook Sessions With the command getfacebook, there is a special function in eggshell that parses through binary cookies from safari. Due to safari binary cookies being unencrypted, we can easily leak the Facebook c_user and xs cookies and use it to login on another browser. macOS Persistence To achieve persistence, even without being root, the command “persistence” adds the payload to the crontab file. It attempts to re-connect every 60 seconds even after a reboot. To remove persistence, simply enter “rmpersistence” and it should remove itself from crontab. Recording Audio Using the “mic record” command, we can asynchronously record audio on both iOS and macOS. This means we can record through the mic while running other commands. When we are finished recording, simply run “mic stop”, this will stop the recording of audio and download the audio data. Handling Multiple Sessions With the built in feature “MultiServer”, we can listen for multiple connections. Below is an example with 2 connections on the same device, however this can be done with multiple devices. As we connect to targets, we can use “sessions” to list all the active sessions, “interact” to interact with a session, “close” session numbers, and “back” to go back to the multiserver console Payloads In Apps Payloads can easily be added inside of apps. Below is an example of using the “system()” function to call our payload, still in just one line! This method can be used on both macOS and jailbroken iOS Immediately after running the app, our payload is run and just as expected, we have a connection Safari Exploit + EggShell Soon after iOS security researcher Luca Todesco released his browser based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from safari. Below is my video demonstration featured on EverythingApplePro Original Video Thanks For Viewing lucasjackson5815@gmail.com Download: EggShell-master.zip Source: http://lucasjackson.me/index.php/eggshell/ 1 5 Quote