EggShell – iOS and Mac OS X RAT (Remote Access Toolkit)

The Simplicity of EggShell

Eggshell is an Apple iOS and Macintosh OS post-exploitation surveillance penetration testing tool written in Python. It is a menu-based system that reminds me quite a bit of SET (Social Engineering Toolkit) or a simpler version of Metasploit. Basically you can play around with breaking into a Mac OS or iOS device and spying on the user.

As you might suspect, I have been messing around with EggShell in my lab. As of now I am not quite sure if this will get added to my current arsenal of tools. Although it is somewhat limited in available functions, the things it will do are performed flawlessly and without any bugs, headaches, or confusion. One high note…I enjoyed how easily I could demonstrate Mac OS X vulnerabilities with EggShell.

Basically this tool creates 1 line multi stage payloads that a command line session EggShell gives you the power and convenience of uploading/downloading files, taking pictures, and performing location tracking. It also provides persistence, escalation of privileges, password retrieval, and many additional features.

Server communication is enabled using end-to-end encryption with 128 bit AES. It also provides the ability to handle multiple clients simultaneously. You can switch between your targets as you break into to them and perform different functions as you switch.

The project’s homepage can be found at:


Installing EggShell


Step 1

If you are installing EggShell on a Mac, I recommend that you first install the Mac developer tools. If you don’t want to, try this… open up a terminal Window and type git clone.  If you see the message below you will need to install the developer tools.


Otherwise proceed.

If you hit the above message you could simply install the developer tools from the menu. However, I prefer to install them via the App Store because updates are a little easier to manage and the processes are a lot more streamlined.

Step 2

Install developer tools from the App Store:



NOTE: After Xcode is installed make sure you open the program, agree to the license, and finish the installation before moving on.

Step 3

Time to clone the project file. The git clone command should work, so go ahead and install it by typing in:


cd Documents

git clone && cd EggShell



Step 4

You will now need to install Pycrypto, which is a Python library that provides cryptographic and hashing functions. Use the sudo command easy_install pycrypto to install it.

Step 5

The installation and prep work is now done. Run the program by typing python


Using EggShell

Using the menu, you can create a bash payload – this is what will be run on the target machine. Basically a bash payload is a series of script line commands.

It is a 2-stage payload, meaning it will first connect to our eggshell server and download a shell script to provide the attacker’s server with device information.  The second step is when it connects back in to the target system one more time to download and execute the binary code on the victim’s machine.

In order for this to work there are some basic assumptions that come into play. First, it is assumed that the victim machine can communicate to the attacker machine. Secondly, you will need to have the authority to run the bash script on the victim machine.

Backing up a little…let’s create a payload by selecting that option on the menu. The default port the server runs on is TCP 4444. You may want to change this if possible, and I suggest using TCP 443.

When the server is started, you can see the bash command. The script-type of output is what the victim machine must execute.

You will need to get creative on how you are going to have the victim run the bash command. In our example it is relatively easy – we are simply typing it into the command line.

When the attack server has established the session simply type interact and the session number (in our case 1) to complete the connection to the victim machine.


Setting Persistence

When you are connected to the victim machine there are number of pretty cool things you can do. Before we get started I would first recommend modifying the persistence setting. By default it tells the victim system to try to connect back to your server every 60 seconds. The rmpersistence command turns off this function.


Stealing Facebook Cookies

The getfacebook command will get the FaceBook user and password information from the Safari Web browser’s cookie. The victim must be using Facebook on Safari in order for this to work. It is pretty cool and works well:

In order to use this feature (which I have purposefully blocked from the above screenshot) you will need to use a Cookie editor. I recommend using EditThisCookie extension for Chrome.

I am not sure how long this exploit will continue working, so have fun with it while it lasts.


Record Audio from Victim’s Microphone

Using the mic record command, we can asynchronously record audio on both iOS and macOS systems. This means we can record through the target system’s microphone while running other commands. When we are finished recording, simply use the command mic stop.  This will stop the recording of audio and download the audio data file.


One for the Family Christmas Card

The picture command will take a picture from the iSight camera and save it in the /eggshell/data directory.

When doing this PLEASE be careful. You never know what you what will capture…



Taking Control

Another command that I like is prompt. It brings up a box forcing the user to put in their password. This is basically a neat little form of social engineering attack, and looks very legitimate. If the user enters their password, it is normally the superuser or root password which provides full system access.



More Playthings

If your victim or target system is a Mac OS X client, here is a list of all the other commands that are available to you:

ls – list contents of directory
cd – change directories
rm – delete file
pwd – get current directory
download – download file
picture – take picture through iSight camera
getpid – get process id
openurl – open url through the default browser
idletime – get the amount of time since the keyboard/cursor were touched
getpaste – get pasteboard contents
mic – record microphone
brightness – adjust screen brightness
exec – execute command
persistence – attempts to connect back every 60 seconds
rmpersistence – removes persistence

The reason for the Mac OS X caveat was because I did test this on the latest version of Mac OS X, which was 10.12.6. The toolkit also works on Apple iOS devices, however, I did not perform testing on that operating system. As such I am not sure if the available commands are different for iOS.

I hope you enjoy playing around with EggShell and please hack responsibly!