The Hacks of Mr. Robot: How to Send a Spoofed SMS Text Message
Welcome back, my rookie hackers!
As most of you know, Mr. Robot is probably the best hacker TV show ever! This is a great show about a cyber security engineer who is being enticed to hack the very corporation he's being paid to protect. This show is so good, I began a series to demonstrate how to do the hacks he uses in the show.
In episode 5, when Elliot is able to social engineer his way into the Steel Mountain's state of the art, "impenetrable" storage facility, a manager gets suspicious and begins to escort him out of the building before he can implant the Raspberry Pi (which we made in the last guide).
He intends to place the RP inside the network to manipulate the HVAC system to raise the temperature in the storage facility and destroy the tapes that contain the records of 70% of the world's consumer debt, including student loans. At the very moment that she is about to escort him to the elevator and out of the facility, she receives a text message from her husband that is urgent and distracts here. The text message did not actually come from her husband, but rather from one of Elliot's f/society comrades.
In this tutorial, I will show you how Elliot's comrades at f/society were able to send the Steel Mountain manager an urgent, spoofed text message that appeared to come from her husband indicating that he was at the hospital and had a serious health issue.
On the show, Elliot's f/society comrades use Kali to send the spoofed SMS, but this feature has been discontinued in recent versions of Kali. Luckily, though, it is still in BackTrack, so for this tutorial, we will be reverting to our trusty BackTrack installation (one more example that the newest is not always the best).
Let's begin by firing up Backtrack 5 and then navigating to Applications -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit (SET), then select "set" as I have done in the screenshot below.
This will start the SET opening screen as seen below. SET is capable of numerous social engineering attacks. We have previously used SET to spear phish in BackTrack, but the one we want this time is "SMS Spoofing Attack Vector." To begin this attack, Select #7.
In the following screen we are asked whether we want "Perform a SMS Spoofing Attack" or "Create a Social Engineering Template." Select #1. Once you have made that selection, you will be queried whether you want to spoof a single number or a mass attack. Select #1 for a single number.
Here, I want to send a spoofed text message from Mary (my best friend's girlfriend) to John (my best friend) where she breaks up with him. This should rattle him a bit and give me a few chuckles as he is madly in love with her.
First, enter his phone number where it asks you "Send sms to." Then select #2 to craft a One-Time Use SMS. Finally, enter her phone number. Make certain both numbers are preceded by the "+".
In our final step, we need to type the message we want sent to John from his girlfriend, Mary.
"I'm so sorry John. I have met another man and he is the love of my life. I hope we can remain friends"
When you are finished typing, exit by hitting Control + C.
This will bring you to the final screen. In this screen, we will need to select the intermediary for the spoofed SMS message. You have four options here. The first is free, and as they say, it is buggy (when I ran it, SET crashed). Then, there are two for-pay options and, finally, the Android emulator.
I chose the third option, SMSGANG. They charge 3 euros for 5 messages, or about $0.65 in U.S. dollars per message. When you pay (they accept credit cards and PayPal) they send you a PIN code. After selecting #3, it will ask you for a "pincode." Enter the one SMSGANG emailed you and then your text message is sent!
Keep coming back, my rookie hackers, as we continue to show you all the hacks of Mr. Robot!