EggShell 3.0.0: iOS/macOS Remote Administration Tool

EggShell is an iOS and macOS post-exploitation surveillance pentest tool written in Python. This tool creates one-line, multi-stage payloads that give you a command-line session with extra functionality. EggShell gives you the power and convenience of uploading/downloading files, taking pictures, location tracking, shell command execution, persistence, escalating privileges, password retrieval, and much more. Server communication features end-to-end encryption with 128-bit AES and the ability to handle multiple clients. This is a proof-of-concept pentest tool, intended for use on machines you own.

New In Version 3.0.0

  • More secure socket connection using SSL
  • Linux support
  • Tab completion
  • Improved overall structure and efficiency of session handling
  • Native iOS python support for 64-bit devices

Installation

git clone https://github.com/neoneggplant/EggShell && cd EggShell
easy_install pycrypto
python eggshell.py

iOS (Jailbroken)

  • Add Cydia source: http://lucasjackson.io/repo
  • Install EggShell 3
  • Use any mobile terminal application and run the command eggshell

Creating Payloads

EggShell payloads are executed on the target machine. The payload first sends over instructions for collecting device details and sending them back to our server, and then chooses the appropriate executable to establish a secure remote control session.

bash

Selecting bash from the payload menu will give us a one-liner that establishes an EggShell session upon execution on the target machine.

Teensy macOS (USB injection)

Teensy is a USB development board that can be programmed with the Arduino IDE. It emulates USB keyboard strokes extremely fast and can inject the EggShell payload in just a few seconds.

Selecting teensy will give us an Arduino-based payload for the Teensy board.

After uploading to the Teensy, we can plug the device into a macOS USB port. Once connected to a computer, it will automatically emulate the keystrokes needed to execute a payload.

Interacting with a session

After a session is established, we can execute commands on that device through the EggShell command line interface. We can show all the available commands by typing “help”.

Tab Completion

Similar to most command line interfaces, EggShell supports tab completion. When we start typing the path to a directory or filename, we can complete the rest of the path using the tab key.

Multihandler

The Multihandler option lets us handle multiple sessions. We can choose to interact with different devices while listening for new connections in the background.

Similar to the session interface, we can type “help” to show Multihandler commands.

iOS Commands

  • sysinfo: get system information
  • cd: change directories
  • ls: list contents of the directory
  • rm: delete a file
  • pwd: get current directory
  • download: download file
  • upload: upload file
  • frontcam: take a picture with the front camera
  • backcam: take a picture with the back camera
  • mic: record microphone
  • getpid: get the process id
  • vibrate: make device vibrate
  • alert: make alert show up on device
  • say: make device speak
  • locate: get device location
  • respring: respring the device
  • setvol: set mediaplayer volume
  • getvol: view mediaplayer volume
  • isplaying: view mediaplayer info
  • openurl: open url on device
  • dial: dial number on a device
  • getsms: download sms database
  • getnotes: download notes database
  • getcontacts: download addressbook
  • battery: get battery level
  • listapps: list bundle identifiers
  • open: open app
  • persistence: installs LaunchDaemon – tries to connect every 30 seconds
  • rmpersistence: uninstalls LaunchDaemon
  • installpro: installs eggshellpro to device

EggShell Pro Commands (iOS)

  • lock: simulate lock button press
  • wake: wake device from sleeping state
  • home: simulate the home button press
  • doublehome: simulate home button double press
  • play: plays music
  • pause: pause music
  • next: next track
  • prev: previous track
  • togglemute: programmatically toggles silence switch
  • ismuted: check if we are silenced or not
  • islocked: check if a device is locked
  • getpasscode: log successful passcode attempts
  • unlock: unlock with a passcode
  • keylog: log keystrokes
  • keylogclear: clear keylog data
  • locationservice: turn on or off location services

macOS Commands

  • cd: change directories
  • ls: list contents of the directory
  • rm: delete the file
  • pwd: get current directory
  • download: download file
  • upload: upload file
  • getpaste: get pasteboard contents
  • mic: record mic
  • picture: take a picture through iSight
  • screenshot: take a screenshot
  • getfacebook: retrieve facebook session cookies
  • brightness: adjust screen brightness
  • getvol: get output volume
  • setvol: set output volume
  • idletime: get the amount of time since the keyboard/cursor were touched
  • keyboard: your keyboard -> is target’s keyboard
  • imessage: send a message to the messages app
  • openurl: open url through the default browser
  • play: tell iTunes to play
  • pause: tell iTunes to pause
  • prev: tell iTunes to play previous track
  • next: tell iTunes to play next track
  • pid: get the process id
  • prompt: prompt user to type password
  • su: su login
  • persistence: attempts to connect back every 60 seconds
  • rmpersistence: removes persistence
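
The two persistence entries above (a retry every 30 seconds on iOS, a connect-back every 60 seconds on macOS) leave a timing signature in outbound connection logs. The following is an added detection example, not code from EggShell or its author: it flags source/destination pairs whose connection attempts repeat at one of those intervals. The log format, host names, addresses, ports and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

RETRY_INTERVALS = (30, 60)  # seconds, from the two persistence entries above

def constructed_log():
    """Constructed sample lines: 'ISO-time source destination:port'."""
    start = datetime(2024, 5, 1, 10, 0, 0)
    flows = (("mac-01", "203.0.113.10:8443", (0, 60, 121, 180, 240)),
             ("iphone-02", "198.51.100.7:8443", (0, 30, 60, 89, 120)),
             ("mac-03", "192.0.2.20:443", (0, 4, 95, 97, 400)))
    rows = [f"{(start + timedelta(seconds=s)).isoformat()} {src} {dst}"
            for src, dst, offsets in flows for s in offsets]
    # One deliberately malformed line to exercise the parser's error path.
    return "\n".join(sorted(rows) + ["not-a-time mac-01 203.0.113.10:8443"])

def parse(log):
    """Group connection timestamps by (source, destination)."""
    flows = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # wrong field count
        try:
            flows[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # unparseable timestamp
    return flows

def find_fixed_interval_flows(log, min_events=5, tolerance=2.0):
    """Return (source, destination, interval) for steady, matching flows."""
    hits = []
    for (src, dst), stamps in sorted(parse(log).items()):
        if len(stamps) < min_events:
            continue  # too few attempts to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        steady = all(abs(g - mid) <= tolerance for g in gaps)
        for interval in RETRY_INTERVALS:
            if steady and abs(mid - interval) <= tolerance:
                hits.append((src, dst, interval))
    return hits

if __name__ == "__main__":
    for hit in find_fixed_interval_flows(constructed_log()):
        print("fixed-interval reconnects:", hit)
```

Legitimate software also polls on fixed timers, so a hit is a lead to correlate with process and launch-item inventory on the host, not a verdict.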

Local Commands

  • lls: list contents of a local directory
  • lcd: change local directories
  • lpwd: get the current local directory
  • lopen: open local directory
  • clear: clears terminal

Copyright (C) neoneggplant

Source: https://github.com/neoneggplant/