SMS Client - Metasploit


This page contains detailed information about how to use the auxiliary/client/sms/send_text metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: SMS Client
Module: auxiliary/client/sms/send_text
Source code: modules/auxiliary/client/sms/send_text.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module sends a text message to multiple phones of the same carrier. You can use it to send a malicious link to phones. Please note that you do not use this module to send a media file (attachment). In order to send a media file, please use auxiliary/client/mms/send_mms instead.

Module Ranking and Traits

Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage

msf > use auxiliary/client/sms/send_text
msf auxiliary(send_text) > show targets
    ... a list of targets ...
msf auxiliary(send_text) > set TARGET target-id
msf auxiliary(send_text) > show options
    ... show and set options ...
msf auxiliary(send_text) > exploit

Required Options

  • SMTPADDRESS: The SMTP server to use to send the text messages

  • SMTPUSERNAME: The SMTP account to use to send the text messages

  • SMTPPASSWORD: The SMTP password to use to send the text messages

  • SMSCARRIER: The targeted SMS service provider (Accepted: alltel, att, boost, cricket, tmobile, verizon, virgin, google)

  • CELLNUMBERS: The phone numbers to send to

  • SMSMESSAGE: The text message to send

Knowledge Base

Vulnerable Application

The auxiliary/client/sms/send_text module allows you to send a malicious text/link to a collection of phone numbers of the same carrier.

In order to use this module, you must set up your own SMTP server to deliver messages. Popular mail services such as Gmail, Yahoo, Live should work fine.

Options

CELLNUMBERS

The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against multiple phone numbers, ideally you want to create the list in a text file (one number per line), and then load the CELLNUMBERS option like this:

set CELLNUMBERS file:///tmp/att_phone_numbers.txt

Remember that these phone numbers must be the same carrier.

SMSCARRIER

The carrier that the targeted numbers use. See Supported Carrier Gateways to learn more about supported carriers.

SMSSUBJECT

The text subject.

SMSMESSAGE

The text message you want to send. For example, this will send a text with a link to google:

set SMSMESSAGE "Hi, please go: google.com"

The link should automatically be parsed on the phone and clickable.

SMTPADDRESS

The mail server address you wish to use to send the text messages.

SMTPPORT

The mail server port. By default, this is 25.

SMTPUSERNAME

The username you use to log into the SMTP server.

SMTPPASSWORD

The password you use to log into the SMTP server.

SMTPFROM

The FROM field of SMTP. In some cases, it may be used as SMTPUSER.

Supported Carrier Gateways

The module supports the following carriers:

  • AllTel
  • AT&T Wireless
  • Boost Mobile
  • Cricket Wireless
  • Google Fi
  • T-Mobile
  • Verizon
  • Virgin Mobile

Note: During development, we could not find a valid gateway for Sprint, therefore it is currently not supported.

Finding the Carrier for a Phone Number

Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out how to identify the carrier of a phone number. There are many services that can do this, such as:

http://freecarrierlookup.com/

Note: If the phone is using Google Fi, then it may appear as a different carrier.

Gmail SMTP Example

Gmail is a popular mail server, so we will use this as a demonstration.

Assuming you are already using two-factor authentication, you need to create an application password.

After creating the application password, configure auxiliary/client/sms/send_text this way:

  • set cellnumbers [PHONE NUMBER]
  • set smscarrier [CHOOSE A SUPPORTED CARRIER]
  • set smsmessage "[TEXT MESSAGE]"
  • set smtpaddress smtp.gmail.com
  • set smtpport 587
  • set smtpusername [USERNAME FOR GMAIL] (you don't need @gmail.com at the end)
  • set smtppassword [APPLICATION PASSWORD]

And you should be ready to go.

Yahoo SMTP Example

Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail), so we will demonstrate as well.

Before using the module, you must do this to your Yahoo account:

  1. Sign in to Yahoo Mail.
  2. Go to your "Account security" settings.
  3. Turn on Allow apps that use less secure sign in.

After configuring your Yahoo account, configure auxiliary/client/sms/send_text this way:

  • set cellnumbers [PHONE NUMBER]
  • set smscarrier [CHOOSE A SUPPORTED CARRIER]
  • set smsmessage "[TEXT MESSAGE]"
  • set smtpaddress smtp.mail.yahoo.com
  • set smtpport 25
  • set smtpusername [USERNAME FOR YAHOO]@yahoo.com
  • set smtppassword [YAHOO LOGIN PASSWORD]

And you're good to go.

Scenarios

After setting up your mail server and the module, your output should look similar to this:

msf auxiliary(send_text) > run

[*] Sending text (16 bytes) to 1 number(s)...
[*] Done.
[*] Auxiliary module execution completed

Go back to menu.

Msfconsole Usage

Here is how the client/sms/send_text auxiliary module looks in the msfconsole:

msf6 > use auxiliary/client/sms/send_text

msf6 auxiliary(client/sms/send_text) > show info

       Name: SMS Client
     Module: auxiliary/client/sms/send_text
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  sinn3r <[email protected]>

Check supported:
  No

Basic options:
  Name          Current Setting  Required  Description
  ----          ---------------  --------  -----------
  CELLNUMBERS                    yes       The phone numbers to send to
  SMSCARRIER                     yes       The targeted SMS service provider (Accepted: alltel, att, boost, cricket, tmobile, verizon, virgin, google)
  SMSMESSAGE                     yes       The text message to send
  SMSSUBJECT                     no        The text subject
  SMTPADDRESS                    yes       The SMTP server to use to send the text messages
  SMTPFROM                       no        The FROM field for SMTP
  SMTPPASSWORD                   yes       The SMTP password to use to send the text messages
  SMTPPORT      25               yes       The SMTP port to use to send the text messages
  SMTPUSERNAME                   yes       The SMTP account to use to send the text messages

Description:
  This module sends a text message to multiple phones of the same 
  carrier. You can use it to send a malicious link to phones. Please 
  note that you do not use this module to send a media file 
  (attachment). In order to send a media file, please use 
  auxiliary/client/mms/send_mms instead.

Module Options

This is a complete list of options available in the client/sms/send_text auxiliary module:

msf6 auxiliary(client/sms/send_text) > show options

Module options (auxiliary/client/sms/send_text):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   CELLNUMBERS                    yes       The phone numbers to send to
   SMSCARRIER                     yes       The targeted SMS service provider (Accepted: alltel, att, boost, cricket, tmobile, verizon, virgin, google)
   SMSMESSAGE                     yes       The text message to send
   SMSSUBJECT                     no        The text subject
   SMTPADDRESS                    yes       The SMTP server to use to send the text messages
   SMTPFROM                       no        The FROM field for SMTP
   SMTPPASSWORD                   yes       The SMTP password to use to send the text messages
   SMTPPORT      25               yes       The SMTP port to use to send the text messages
   SMTPUSERNAME                   yes       The SMTP account to use to send the text messages

Advanced Options

Here is a complete list of advanced options supported by the client/sms/send_text auxiliary module:

msf6 auxiliary(client/sms/send_text) > show advanced

Module advanced options (auxiliary/client/sms/send_text):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   HeloDdomain                     no        The domain to use for HELO
   SmtpLoginType  login            yes       The SMTP login type (Accepted: plain, login, cram_md5)
   VERBOSE        false            no        Enable detailed status messages
   WORKSPACE                       no        Specify the workspace for this module

Auxiliary Actions

This is a list of all auxiliary actions that the client/sms/send_text module can do:

msf6 auxiliary(client/sms/send_text) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------

Evasion Options

Here is the full list of possible evasion options supported by the client/sms/send_text auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 auxiliary(client/sms/send_text) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

Go back to menu.

See Also

Check also the following modules related to this module:

Authors

  • sinn3r

Version

This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.