SMS Client - Metasploit
This page contains detailed information about how to use the auxiliary/client/sms/send_text Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SMS Client
Module: auxiliary/client/sms/send_text
Source code: modules/auxiliary/client/sms/send_text.rb
Disclosure date: -
Last modification time: 2017-07-24 06:26:21 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module sends a text message to multiple phones of the same carrier. You can use it to send a malicious link to phones. Please note that you do not use this module to send a media file (attachment). In order to send a media file, please use auxiliary/client/mms/send_mms instead.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
msf > use auxiliary/client/sms/send_text
msf auxiliary(send_text) > show targets
... a list of targets ...
msf auxiliary(send_text) > set TARGET target-id
msf auxiliary(send_text) > show options
... show and set options ...
msf auxiliary(send_text) > exploit
Required Options
SMTPADDRESS: The SMTP server to use to send the text messages
SMTPUSERNAME: The SMTP account to use to send the text messages
SMTPPASSWORD: The SMTP password to use to send the text messages
SMSCARRIER: The targeted SMS service provider (Accepted: alltel, att, boost, cricket, tmobile, verizon, virgin, google)
CELLNUMBERS: The phone numbers to send to
SMSMESSAGE: The text message to send
Knowledge Base
Vulnerable Application
The auxiliary/client/sms/send_text module allows you to send a malicious text/link to a collection of phone numbers of the same carrier.
In order to use this module, you must set up your own SMTP server to deliver messages. Popular mail services such as Gmail, Yahoo, Live should work fine.
Options
CELLNUMBERS
The 10-digit phone number (or numbers) you want to send the text to. To target multiple phone numbers, create the list in a text file (one number per line) and load it into the CELLNUMBERS option like this:
set CELLNUMBERS file:///tmp/att_phone_numbers.txt
Remember that these phone numbers must all be on the same carrier.
SMSCARRIER
The carrier that the targeted numbers use. See Supported Carrier Gateways to learn more about supported carriers.
SMSSUBJECT
The text subject.
SMSMESSAGE
The text message you want to send. For example, this will send a text with a link to Google:
set SMSMESSAGE "Hi, please go: google.com"
The link should automatically be parsed on the phone and clickable.
SMTPADDRESS
The mail server address you wish to use to send the text messages.
SMTPPORT
The mail server port. By default, this is 25.
SMTPUSERNAME
The username you use to log into the SMTP server.
SMTPPASSWORD
The password you use to log into the SMTP server.
SMTPFROM
The FROM field of SMTP. In some cases, it may be used as SMTPUSER.
Supported Carrier Gateways
The module supports the following carriers:
- AllTel
- AT&T Wireless
- Boost Mobile
- Cricket Wireless
- Google Fi
- T-Mobile
- Verizon
- Virgin Mobile
Note: During development, we could not find a valid gateway for Sprint, therefore it is currently not supported.
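From the defender's side, a run of this module shows up on the relaying mail server as one authenticated account mailing several all-numeric recipients at a single carrier gateway domain. The following is an added example, not part of the module or of the original page: it flags that pattern in Postfix-style mail logs. The log lines are constructed, the gateway domains are an assumed partial list of commonly published values (the page does not list them), and the threshold of 3 is an arbitrary starting point.

```python
import re
from collections import defaultdict

# ASSUMPTION: partial list of commonly published carrier email-to-SMS gateway
# domains; these are not listed on the page. Extend it for your environment.
SMS_GATEWAYS = {"vtext.com", "txt.att.net", "tmomail.net", "vmobl.com",
                "msg.fi.google.com"}

QUEUE_LINE = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")
SASL_USER = re.compile(r"sasl_username=([^,\s]+)")
RECIPIENT = re.compile(r"to=<(\d{10,11})@([^>]+)>")

# Constructed sample log (Postfix-style); numbers use the fictional 555-01xx range.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx postfix/smtpd[1201]: 4F2A1C0011: client=host[192.0.2.10], sasl_method=LOGIN, sasl_username=svc-alerts
Jan 10 09:00:02 mx postfix/smtp[1207]: 4F2A1C0011: to=<2025550101@vtext.com>, relay=gw[198.51.100.5]:25, status=sent
Jan 10 09:00:02 mx postfix/smtp[1207]: 4F2A1C0011: to=<2025550102@vtext.com>, relay=gw[198.51.100.5]:25, status=sent
Jan 10 09:00:03 mx postfix/smtpd[1201]: 4F2A1C0022: client=host[192.0.2.10], sasl_method=LOGIN, sasl_username=svc-alerts
Jan 10 09:00:04 mx postfix/smtp[1207]: 4F2A1C0022: to=<2025550103@vtext.com>, relay=gw[198.51.100.5]:25, status=sent
Jan 10 09:05:00 mx postfix/smtpd[1201]: 4F2A1C0033: client=host[192.0.2.20], sasl_method=LOGIN, sasl_username=bob
Jan 10 09:05:01 mx postfix/smtp[1207]: 4F2A1C0033: to=<2025550104@txt.att.net>, relay=gw[198.51.100.6]:25, status=sent
Jan 10 09:06:00 mx postfix/smtp[1207]: 4F2A1C0033: to=<carol@example.org>, relay=mx[198.51.100.7]:25, status=sent
""".splitlines()


def find_sms_gateway_bursts(log_lines, threshold=3):
    """Return {(account, gateway): [numbers]} for every account that mailed at
    least `threshold` distinct phone numbers at a single carrier gateway."""
    account_by_queue_id = {}
    numbers = defaultdict(set)
    for line in log_lines:
        match = QUEUE_LINE.search(line)
        if not match:
            continue
        queue_id, rest = match.groups()
        sasl = SASL_USER.search(rest)
        if sasl:  # smtpd line: remember which account owns this queue ID
            account_by_queue_id[queue_id] = sasl.group(1)
            continue
        rcpt = RECIPIENT.search(rest)
        if rcpt and rcpt.group(2).lower() in SMS_GATEWAYS:
            account = account_by_queue_id.get(queue_id, "unauthenticated")
            numbers[(account, rcpt.group(2).lower())].add(rcpt.group(1))
    return {k: sorted(v) for k, v in numbers.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (account, gateway), cells in find_sms_gateway_bursts(SAMPLE_LOG).items():
        print(f"ALERT {account} -> {len(cells)} numbers @ {gateway}: {cells}")
```

Legitimate alerting systems also use these gateways, so review hits against known notification accounts before escalating.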
Finding the Carrier for a Phone Number
Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out how to identify the carrier of a phone number. There are many services that can do this, such as:
http://freecarrierlookup.com/
Note: If the phone is using Google Fi, then it may appear as a different carrier.
Gmail SMTP Example
Gmail is a popular mail server, so we will use this as a demonstration.
Assuming you are already using two-factor authentication, you need to create an application password.
After creating the application password, configure auxiliary/client/sms/send_text this way:
set cellnumbers [PHONE NUMBER]
set smscarrier [CHOOSE A SUPPORTED CARRIER]
set smsmessage "[TEXT MESSAGE]"
set smtpaddress smtp.gmail.com
set smtpport 587
set smtpusername [USERNAME FOR GMAIL] (you don't need @gmail.com at the end)
set smtppassword [APPLICATION PASSWORD]
And you should be ready to go.
Yahoo SMTP Example
Yahoo is also a fairly popular mail server (although much slower to deliver compared to Gmail), so we will demonstrate it as well.
Before using the module, you must do this to your Yahoo account:
- Sign in to Yahoo Mail.
- Go to your "Account security" settings.
- Turn on "Allow apps that use less secure sign in".
After configuring your Yahoo account, configure auxiliary/client/sms/send_text this way:
set cellnumbers [PHONE NUMBER]
set smscarrier [CHOOSE A SUPPORTED CARRIER]
set smsmessage "[TEXT MESSAGE]"
set smtpaddress smtp.mail.yahoo.com
set smtpport 25
set smtpusername [USERNAME FOR YAHOO]@yahoo.com
set smtppassword [YAHOO LOGIN PASSWORD]
And you're good to go.
Scenarios
After setting up your mail server and the module, your output should look similar to this:
msf auxiliary(send_text) > run
[*] Sending text (16 bytes) to 1 number(s)...
[*] Done.
[*] Auxiliary module execution completed
Msfconsole Usage
Here is how the client/sms/send_text auxiliary module looks in the msfconsole:
msf6 > use auxiliary/client/sms/send_text
msf6 auxiliary(client/sms/send_text) > show info
Name: SMS Client
Module: auxiliary/client/sms/send_text
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
sinn3r <[email protected]>
Check supported:
No
Basic options:
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
CELLNUMBERS                    yes       The phone numbers to send to
SMSCARRIER                     yes       The targeted SMS service provider (Accepted: alltel, att, boost, cricket, tmobile, verizon, virgin, google)
SMSMESSAGE                     yes       The text message to send
SMSSUBJECT                     no        The text subject
SMTPADDRESS                    yes       The SMTP server to use to send the text messages
SMTPFROM                       no        The FROM field for SMTP
SMTPPASSWORD                   yes       The SMTP password to use to send the text messages
SMTPPORT      25               yes       The SMTP port to use to send the text messages
SMTPUSERNAME                   yes       The SMTP account to use to send the text messages
Description:
This module sends a text message to multiple phones of the same
carrier. You can use it to send a malicious link to phones. Please
note that you do not use this module to send a media file
(attachment). In order to send a media file, please use
auxiliary/client/mms/send_mms instead.
Module Options
This is a complete list of options available in the client/sms/send_text auxiliary module:
msf6 auxiliary(client/sms/send_text) > show options
Module options (auxiliary/client/sms/send_text):
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
CELLNUMBERS                    yes       The phone numbers to send to
SMSCARRIER                     yes       The targeted SMS service provider (Accepted: alltel, att, boost, cricket, tmobile, verizon, virgin, google)
SMSMESSAGE                     yes       The text message to send
SMSSUBJECT                     no        The text subject
SMTPADDRESS                    yes       The SMTP server to use to send the text messages
SMTPFROM                       no        The FROM field for SMTP
SMTPPASSWORD                   yes       The SMTP password to use to send the text messages
SMTPPORT      25               yes       The SMTP port to use to send the text messages
SMTPUSERNAME                   yes       The SMTP account to use to send the text messages
Advanced Options
Here is a complete list of advanced options supported by the client/sms/send_text auxiliary module:
msf6 auxiliary(client/sms/send_text) > show advanced
Module advanced options (auxiliary/client/sms/send_text):
Name           Current Setting  Required  Description
----           ---------------  --------  -----------
HeloDdomain                     no        The domain to use for HELO
SmtpLoginType  login            yes       The SMTP login type (Accepted: plain, login, cram_md5)
VERBOSE        false            no        Enable detailed status messages
WORKSPACE                       no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the client/sms/send_text module can do:
msf6 auxiliary(client/sms/send_text) > show actions
Auxiliary actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the client/sms/send_text auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(client/sms/send_text) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Related Pull Requests
- #8716 Merged Pull Request: Print_Status -> Print_Good (And OCD bits 'n bobs)
- #8338 Merged Pull Request: Fix msf/core and self.class msftidy warnings
- #8102 Merged Pull Request: Resolve #8026, Add a plugin to notify new sessions via SMS
- #8071 Merged Pull Request: Add API to send an MMS message to mobile devices
- #8047 Merged Pull Request: Add API to send a text message (SMS) to mobile devices
See Also
Check also the following modules related to this module:
- auxiliary/client/mms/send_mms
- auxiliary/client/telegram/send_message
- auxiliary/dos/smtp/sendmail_prescan
- auxiliary/scanner/rogue/rogue_send
- exploit/windows/browser/ms14_012_textrange
- exploit/windows/browser/x360_video_player_set_text_bof
- exploit/windows/fileformat/ms10_004_textbytesatom
- exploit/windows/http/hp_nnm_ovbuildpath_textfile
- post/apple_ios/gather/ios_text_gather
- encoder/x64/xor_context
- encoder/x86/context_cpuid
- encoder/x86/context_stat
- encoder/x86/context_time
- exploit/unix/webapp/foswiki_maketext
- exploit/unix/webapp/twiki_maketext
- exploit/windows/browser/ms06_013_createtextrange
- exploit/windows/browser/viscom_movieplayer_drawtext
- exploit/windows/fileformat/vlc_realtext
- exploit/linux/http/grandstream_ucm62xx_sendemail_rce
- exploit/linux/local/sock_sendpage
- exploit/solaris/lpd/sendmail_exec
- exploit/unix/smtp/morris_sendmail_debug
- exploit/unix/webapp/projectsend_upload_exec
- exploit/unix/webapp/vicidial_manager_send_cmd_exec
- auxiliary/client/hwbridge/connect
- auxiliary/client/iec104/iec104
- auxiliary/client/smtp/emailer
- exploit/multi/http/cmsms_object_injection_rce
- exploit/multi/http/cmsms_showtime2_rce
- exploit/multi/http/cmsms_upload_rename_rce
- exploit/multi/http/playsms_filename_exec
- exploit/multi/http/playsms_template_injection
- exploit/multi/http/playsms_uploadcsv_exec
- exploit/windows/brightstor/hsmserver
- exploit/windows/http/nowsms
Authors
- sinn3r
Version
This page has been produced using Metasploit Framework version 6.1.28-dev. For more modules, visit the Metasploit Module Library.