MMS Client - Metasploit


This page contains detailed information about how to use the auxiliary/client/mms/send_mms metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: MMS Client
Module: auxiliary/client/mms/send_mms
Source code: modules/auxiliary/client/mms/send_mms.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module sends an MMS message to multiple phones of the same carrier. You can use it to send a malicious attachment to phones.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/client/mms/send_mms
msf auxiliary(send_mms) > show targets
    ... a list of targets ...
msf auxiliary(send_mms) > set TARGET target-id
msf auxiliary(send_mms) > show options
    ... show and set options ...
msf auxiliary(send_mms) > exploit

Required Options

  • SMTPADDRESS: The SMTP server to use to send the text messages

  • SMTPUSERNAME: The SMTP account to use to send the text messages

  • SMTPPASSWORD: The SMTP password to use to send the text messages

  • MMSCARRIER: The targeted MMS service provider (Accepted: att, sprint, tmobile, verizon, google)

  • CELLNUMBERS: The phone numbers to send to

  • TEXTMESSAGE: The text message to send

Knowledge Base

Vulnerable Application

The auxiliary/client/mms/send_mms module allows you to send a malicious attachment to a collection of phone numbers of the same carrier.

In order to use this module, you must set up your own SMTP server to deliver messages. Popular mail services such as Gmail, Yahoo, Live should work fine.

Options

CELLNUMBERS

The 10-digit phone number (or numbers) you want to send the MMS text to. If you wish to target against multiple phone numbers, ideally you want to create the list in a text file (one number per line), and then load the CELLNUMBERS option like this:

set CELLNUMBERS file:///tmp/att_phone_numbers.txt

Remember that these phone numbers must be the same carrier.

MMSCARRIER

The carrier that the targeted numbers use. See Supported Carrier Gateways to learn more about supported carriers.

TEXTMESSAGE

The text message you want to send. For example, this will send a text with a link to google:

set TEXTMESSAGE "Hi, please go: google.com"

The link should automatically be parsed on the phone and clickable.

MMSFILE

The attachment to send in the message.

MMSFILECTYPE

The content type to use for the attachment. Commonly supported ones include:

  • audio/midi
  • image/jpeg
  • image/gif
  • image/png
  • video/mp4

To find more, please try this list

SMTPADDRESS

The mail server address you wish to use to send the MMS messages.

SMTPPORT

The mail server port. By default, this is 25.

SMTPUSERNAME

The username you use to log into the SMTP server.

SMTPPASSWORD

The password you use to log into the SMTP server.

SMTPFROM

The FROM field of SMTP. In some cases, it may be used as SMTPUSER. Some carriers require this in order to receive the text, such as AT&T.

MMSSUBJECT

The MMS subject. Some carriers require this in order to receive the text, such as AT&T.

Supported Carrier Gateways

The module supports the following carriers:

  • AT&T
  • Sprint
  • T-Mobile
  • Verizon
  • Google Fi

Finding the Carrier for a Phone Number

Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out how to identify the carrier of a phone number. There are many services that can do this, such as:

http://freecarrierlookup.com/

Gmail SMTP Example

Gmail is a popular mail server, so we will use this as a demonstration.

Assuming you are already using two-factor authentication, you need to create an application password.

After creating the application password, configure auxiliary/client/mms/send_mms this way:

  • set cellnumbers [PHONE NUMBER]
  • set mmscarrier [CHOOSE A SUPPORTED CARRIER]
  • set textmessage "[TEXT MESSAGE]"
  • set smtpaddress smtp.gmail.com
  • set smtpport 587
  • set mmsfile /tmp/example.mp4
  • set mmsfilectype video/mp4
  • set smtpusername [USERNAME FOR GMAIL] (you don't need @gmail.com at the end)
  • set smtppassword [APPLICATION PASSWORD]

And you should be ready to go.

Yahoo SMTP Example

Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail), so we will demonstrate as well.

Before using the module, you must do this to your Yahoo account:

  1. Sign in to Yahoo Mail.
  2. Go to your "Account security" settings.
  3. Turn on Allow apps that use less secure sign in.

After configuring your Yahoo account, configure auxiliary/client/mms/send_mms this way:

  • set cellnumbers [PHONE NUMBER]
  • set mmscarrier [CHOOSE A SUPPORTED CARRIER]
  • set textmessage "[TEXT MESSAGE]"
  • set smtpaddress smtp.mail.yahoo.com
  • set smtpport 25
  • set mmsfile /tmp/example.mp4
  • set mmsfilectype video/mp4
  • set smtpusername [USERNAME FOR YAHOO]@yahoo.com
  • set smtppassword [YAHOO LOGIN PASSWORD]

And you're good to go.

Scenarios

After setting up your mail server and the module, your output should look similar to this:

msf auxiliary(send_mms) > run

[*] Sending mms message to 1 number(s)...
[*] Done.
[*] Auxiliary module execution completed
msf auxiliary(send_mms) >

Go back to menu.

Msfconsole Usage

Here is how the client/mms/send_mms auxiliary module looks in the msfconsole:

msf6 > use auxiliary/client/mms/send_mms

msf6 auxiliary(client/mms/send_mms) > show info

       Name: MMS Client
     Module: auxiliary/client/mms/send_mms
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  sinn3r <[email protected]>

Check supported:
  No

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  CELLNUMBERS                    yes       The phone numbers to send to
  MMSCARRIER                     yes       The targeted MMS service provider (Accepted: att, sprint, tmobile, verizon, google)
  MMSFILE                        no        The attachment to include in the text file
  MMSFILECTYPE                   no        The attachment content type
  MMSSUBJECT                     no        The Email subject
  SMTPADDRESS                    yes       The SMTP server to use to send the text messages
  SMTPFROM                       no        The FROM field for SMTP
  SMTPPASSWORD                   yes       The SMTP password to use to send the text messages
  SMTPPORT      25               yes       The SMTP port to use to send the text messages
  SMTPUSERNAME                   yes       The SMTP account to use to send the text messages
  TEXTMESSAGE                    yes       The text message to send

Description:
  This module sends an MMS message to multiple phones of the same 
  carrier. You can use it to send a malicious attachment to phones.

Module Options

This is a complete list of options available in the client/mms/send_mms auxiliary module:

msf6 auxiliary(client/mms/send_mms) > show options

Module options (auxiliary/client/mms/send_mms):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CELLNUMBERS                    yes       The phone numbers to send to
   MMSCARRIER                     yes       The targeted MMS service provider (Accepted: att, sprint, tmobile, verizon, google)
   MMSFILE                        no        The attachment to include in the text file
   MMSFILECTYPE                   no        The attachment content type
   MMSSUBJECT                     no        The Email subject
   SMTPADDRESS                    yes       The SMTP server to use to send the text messages
   SMTPFROM                       no        The FROM field for SMTP
   SMTPPASSWORD                   yes       The SMTP password to use to send the text messages
   SMTPPORT      25               yes       The SMTP port to use to send the text messages
   SMTPUSERNAME                   yes       The SMTP account to use to send the text messages
   TEXTMESSAGE                    yes       The text message to send

Advanced Options

Here is a complete list of advanced options supported by the client/mms/send_mms auxiliary module:

msf6 auxiliary(client/mms/send_mms) > show advanced

Module advanced options (auxiliary/client/mms/send_mms):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   HeloDdomain                     no        The domain to use for HELO
   SmtpLoginType  login            yes       The SMTP login type (Accepted: plain, login, cram_md5)
   VERBOSE        false            no        Enable detailed status messages
   WORKSPACE                       no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the client/mms/send_mms module can do:

msf6 auxiliary(client/mms/send_mms) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the client/mms/send_mms auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(client/mms/send_mms) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • sinn3r

Version

This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.