MMS Client - Metasploit
This page contains detailed information about how to use the auxiliary/client/mms/send_mms metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: MMS Client
Module: auxiliary/client/mms/send_mms
Source code: modules/auxiliary/client/mms/send_mms.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module sends an MMS message to multiple phones of the same carrier. You can use it to send a malicious attachment to phones.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/client/mms/send_mms
msf auxiliary(send_mms) > show targets
... a list of targets ...
msf auxiliary(send_mms) > set TARGET target-id
msf auxiliary(send_mms) > show options
... show and set options ...
msf auxiliary(send_mms) > exploit
Required Options
SMTPADDRESS: The SMTP server to use to send the text messages
SMTPUSERNAME: The SMTP account to use to send the text messages
SMTPPASSWORD: The SMTP password to use to send the text messages
MMSCARRIER: The targeted MMS service provider (Accepted: att, sprint, tmobile, verizon, google)
CELLNUMBERS: The phone numbers to send to
TEXTMESSAGE: The text message to send
Knowledge Base
Vulnerable Application
The auxiliary/client/mms/send_mms
module allows you to send a malicious attachment to a
collection of phone numbers of the same carrier.
In order to use this module, you must set up your own SMTP server to deliver messages. Popular mail services such as Gmail, Yahoo, Live should work fine.
Options
CELLNUMBERS
The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target against multiple phone numbers, ideally you want to create the list in a text file (one number per line), and then load the CELLNUMBERS option like this:
set CELLNUMBERS file:///tmp/att_phone_numbers.txt
Remember that these phone numbers must be the same carrier.
MMSCARRIER
The carrier that the targeted numbers use. See Supported Carrier Gateways to learn more about supported carriers.
TEXTMESSAGE
The text message you want to send. For example, this will send a text with a link to google:
set TEXTMESSAGE "Hi, please go: google.com"
The link should automatically be parsed on the phone and clickable.
MMSFILE
The attachment to send in the message.
MMSFILECTYPE
The content type to use for the attachment. Commonly supported ones include:
- audio/midi
- image/jpeg
- image/gif
- image/png
- video/mp4
To find more, please try this list
SMTPADDRESS
The mail server address you wish to use to send the MMS messages.
SMTPPORT
The mail server port. By default, this is 25
.
SMTPUSERNAME
The username you use to log into the SMTP server.
SMTPPASSWORD
The password you use to log into the SMTP server.
SMTPFROM
The FROM field of SMTP. In some cases, it may be used as SMTPUSER
. Some carriers require this
in order to receive the text, such as AT&T.
MMSSUBJECT
The MMS subject. Some carriers require this in order to receive the text, such as AT&T.
Supported Carrier Gateways
The module supports the following carriers:
- AT&T
- Sprint
- T-Mobile
- Verizon
- Google Fi
Finding the Carrier for a Phone Number
Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out how to identify the carrier of a phone number. There are many services that can do this, such as:
http://freecarrierlookup.com/
Gmail SMTP Example
Gmail is a popular mail server, so we will use this as a demonstration.
Assuming you are already using two-factor authentication, you need to create an application password.
After creating the application password, configure auxiliary/client/mms/send_mms this way:
set cellnumbers [PHONE NUMBER]
set mmscarrier [CHOOSE A SUPPORTED CARRIER]
set textmessage "[TEXT MESSAGE]"
set smtpaddress smtp.gmail.com
set smtpport 587
set mmsfile /tmp/example.mp4
set mmsfilectype video/mp4
set smtpusername [USERNAME FOR GMAIL]
(you don't need@gmail.com
at the end)set smtppassword [APPLICATION PASSWORD]
And you should be ready to go.
Yahoo SMTP Example
Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail), so we will demonstrate as well.
Before using the module, you must do this to your Yahoo account:
- Sign in to Yahoo Mail.
- Go to your "Account security" settings.
- Turn on Allow apps that use less secure sign in.
After configuring your Yahoo account, configure auxiliary/client/mms/send_mms this way:
set cellnumbers [PHONE NUMBER]
set mmscarrier [CHOOSE A SUPPORTED CARRIER]
set textmessage "[TEXT MESSAGE]"
set smtpaddress smtp.mail.yahoo.com
set smtpport 25
set mmsfile /tmp/example.mp4
set mmsfilectype video/mp4
set smtpusername [USERNAME FOR YAHOO]@yahoo.com
set smtppassword [YAHOO LOGIN PASSWORD]
And you're good to go.
Scenarios
After setting up your mail server and the module, your output should look similar to this:
msf auxiliary(send_mms) > run
[*] Sending mms message to 1 number(s)...
[*] Done.
[*] Auxiliary module execution completed
msf auxiliary(send_mms) >
Go back to menu.
Msfconsole Usage
Here is how the client/mms/send_mms auxiliary module looks in the msfconsole:
msf6 > use auxiliary/client/mms/send_mms
msf6 auxiliary(client/mms/send_mms) > show info
Name: MMS Client
Module: auxiliary/client/mms/send_mms
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
sinn3r <[email protected]>
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
CELLNUMBERS yes The phone numbers to send to
MMSCARRIER yes The targeted MMS service provider (Accepted: att, sprint, tmobile, verizon, google)
MMSFILE no The attachment to include in the text file
MMSFILECTYPE no The attachment content type
MMSSUBJECT no The Email subject
SMTPADDRESS yes The SMTP server to use to send the text messages
SMTPFROM no The FROM field for SMTP
SMTPPASSWORD yes The SMTP password to use to send the text messages
SMTPPORT 25 yes The SMTP port to use to send the text messages
SMTPUSERNAME yes The SMTP account to use to send the text messages
TEXTMESSAGE yes The text message to send
Description:
This module sends an MMS message to multiple phones of the same
carrier. You can use it to send a malicious attachment to phones.
Module Options
This is a complete list of options available in the client/mms/send_mms auxiliary module:
msf6 auxiliary(client/mms/send_mms) > show options
Module options (auxiliary/client/mms/send_mms):
Name Current Setting Required Description
---- --------------- -------- -----------
CELLNUMBERS yes The phone numbers to send to
MMSCARRIER yes The targeted MMS service provider (Accepted: att, sprint, tmobile, verizon, google)
MMSFILE no The attachment to include in the text file
MMSFILECTYPE no The attachment content type
MMSSUBJECT no The Email subject
SMTPADDRESS yes The SMTP server to use to send the text messages
SMTPFROM no The FROM field for SMTP
SMTPPASSWORD yes The SMTP password to use to send the text messages
SMTPPORT 25 yes The SMTP port to use to send the text messages
SMTPUSERNAME yes The SMTP account to use to send the text messages
TEXTMESSAGE yes The text message to send
Advanced Options
Here is a complete list of advanced options supported by the client/mms/send_mms auxiliary module:
msf6 auxiliary(client/mms/send_mms) > show advanced
Module advanced options (auxiliary/client/mms/send_mms):
Name Current Setting Required Description
---- --------------- -------- -----------
HeloDdomain no The domain to use for HELO
SmtpLoginType login yes The SMTP login type (Accepted: plain, login, cram_md5)
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the client/mms/send_mms module can do:
msf6 auxiliary(client/mms/send_mms) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the client/mms/send_mms auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(client/mms/send_mms) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Go back to menu.
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #8071 Merged Pull Request: Add API to send an MMS message to mobile devices
Go back to menu.
See Also
Check also the following modules related to this module:
- auxiliary/client/sms/send_text
- auxiliary/client/telegram/send_message
- auxiliary/dos/smtp/sendmail_prescan
- auxiliary/scanner/rogue/rogue_send
- exploit/windows/browser/vlc_mms_bof
- exploit/windows/mmsp/ms10_025_wmss_connect_funnel
- exploit/linux/local/recvmmsg_priv_esc
- exploit/windows/misc/hp_dataprotector_encrypted_comms
- exploit/linux/http/grandstream_ucm62xx_sendemail_rce
- exploit/linux/local/sock_sendpage
- exploit/solaris/lpd/sendmail_exec
- exploit/unix/smtp/morris_sendmail_debug
- exploit/unix/webapp/projectsend_upload_exec
- exploit/unix/webapp/vicidial_manager_send_cmd_exec
- auxiliary/client/hwbridge/connect
- auxiliary/client/iec104/iec104
- auxiliary/client/smtp/emailer
Authors
- sinn3r
Version
This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.
Go back to menu.