The Hacks of Mr. Robot: How to Send a Spoofed SMS Text Message

Welcome back, my rookie hackers!

As most of you know, Mr. Robot is probably the best hacker TV show ever! This is a great show about a cyber security engineer who is being enticed to hack the very corporation he's being paid to protect. This show is so good, I began a series to demonstrate how to do the hacks he uses in the show.

The Spoofed Text Message in Episode 5

In episode 5, when Elliot is able to social engineer his way into Steel Mountain's state-of-the-art, "impenetrable" storage facility, a manager gets suspicious and begins to escort him out of the building before he can implant the Raspberry Pi (which we made in the last guide).

He intends to place the Raspberry Pi inside the network to manipulate the HVAC system to raise the temperature in the storage facility and destroy the tapes that contain the records of 70% of the world's consumer debt, including student loans. At the very moment that she is about to escort him to the elevator and out of the facility, she receives an urgent text message from her husband that distracts her. The text message did not actually come from her husband, but rather from one of Elliot's f/society comrades.

In this tutorial, I will show you how Elliot's comrades at f/society were able to send the Steel Mountain manager an urgent, spoofed text message that appeared to come from her husband indicating that he was at the hospital and had a serious health issue.

On the show, Elliot's f/society comrades use Kali to send the spoofed SMS, but this feature has been discontinued in recent versions of Kali. Luckily, though, it is still in BackTrack, so for this tutorial, we will be reverting to our trusty BackTrack installation (one more example that the newest is not always the best).

Step 1: Fire Up BackTrack & Start Social Engineering Toolkit (SET)

Let's begin by firing up BackTrack 5 and then navigating to Applications -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit (SET), then select "set" as I have done in the screenshot below.

This will start the SET opening screen as seen below. SET is capable of numerous social engineering attacks. We have previously used SET to spear phish in BackTrack, but the one we want this time is "SMS Spoofing Attack Vector." To begin this attack, select #7.

In the following screen, we are asked whether we want to "Perform a SMS Spoofing Attack" or "Create a Social Engineering Template." Select #1. Once you have made that selection, you will be asked whether you want to spoof a single number or run a mass attack. Select #1 for a single number.

Step 2: Set Up a Spoofed Text Message

Here, I want to send a spoofed text message from Mary (my best friend's girlfriend) to John (my best friend) where she breaks up with him. This should rattle him a bit and give me a few chuckles as he is madly in love with her.

First, enter his phone number where it asks you "Send sms to." Then select #2 to craft a One-Time Use SMS. Finally, enter her phone number. Make certain both numbers are preceded by the "+".

Step 3: Craft the Text Message

In our final step, we need to type the message we want sent to John from his girlfriend, Mary.

"I'm so sorry John. I have met another man and he is the love of my life. I hope we can remain friends"

When you are finished typing, exit by hitting Control + C.

Step 4: Send the Message!

This will bring you to the final screen. In this screen, we will need to select the intermediary for the spoofed SMS message. You have four options here. The first is free, and as they say, it is buggy (when I ran it, SET crashed). Then, there are two for-pay options and, finally, the Android emulator.

I chose the third option, SMSGANG. They charge 3 euros for 5 messages, or about $0.65 in U.S. dollars per message. When you pay (they accept credit cards and PayPal) they send you a PIN code. After selecting #3, it will ask you for a "pincode." Enter the one SMSGANG emailed you and then your text message is sent!

Keep coming back, my rookie hackers, as we continue to show you all the hacks of Mr. Robot!

54 Comments

only problem i'm having is, we can't download backtrack anymore!

maybe a bit off-topic now, but i doubt the good folks at fsociety use Kali, simply because the theme of their OS doesn't really seem Kali-ish. i know you can change the theme of Kali, but it seems more plausible they are using Parrot OS. (which i think still has the SMS spoofing option, so it would even make more sense).

nonetheless, a good article.

-Phoenix750

They were using Kali on the show.

is there no such tool in kali, can we download this tool ??

Parrot OS doesn't seem to have an sms spoofing option. Really nice gui though in my opinion.

I got backtrack from here: http://linux.softpedia.com/get/System/Operating-Systems/Linux-Distributions/BackTrack-9477.shtml

I put it in a virtual machine and it works great. By the way, they were indeed using Kali on the show because on multiple occasions, you can see root@kali before their command. I don't know why their GUI looks different, I mean Kali is open source right. Maybe they changed some things to suit fsociety's needs. That might explain why they still have SMS spoofing as an option. Just a thought.

Root343

took a closer look, you're right! it is indeed Kali

my bad.

and thanks for the backtrack image!

-Phoenix750

thanks pal! i DO need Backtrack because there are tools not on Kali (set and set-web)

What you REALLY need is skills because it's just a tool as any other. It's in Python so you could even install it on windows...

with all due respect, instead of bragging why don't you share, if you are on this website it means you don't know it all, in fact that is the whole point of this website, to share your knowledge and learn from others...

it means A LOT to me! I'm sick of direct downloads

correction: you can download backtrack, true it was removed from the official website but the good folks at piratebay torrents seem to have backed us up.

also, one thing i was wondering: can we just save the crafted SMS and send it with our own phone?

also, is the Android Emulator option free? guess not...

-Phoenix750

Yeah, we have to test Emulator thing...
'cause i don't have access for buying any credits!
a free way will be good.
just last night i was thinking about getting back to backtrack!
Thanks for the article though.

I can't seem to find the SMS spoof on the Kali version of SEtoolkit, do you know where I can find it? The directories are different.

I say in the article that it is not in Kali.

SMS spoofing isn't an option in my version of Kali Linux.
How can I fix this?

This is what I see:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules

99) Return back to the main menu

Is there a way to enable this feature in the config files?

"Let's begin by firing up Backtrack 5 and then navigating to Applications -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit (SET), then select "set" as I have done in the screenshot below."

Interesting... Do you know why SMS spoofing isn't in Kali?

not sure Android Emulator will work in the real world. there are tutorials about SMS spoofing via AE but those are only in a testing environment.

I found it strange to see that BackTrack was being used, there must be a way for Kali we don't know about yet.

Or maybe those in Mr. Robot's team found it funny to use BackTrack with Kali's gnome interface, or installing a legacy version of SET just for this option. I have BackTrack along with my Hirens USB, so I can run it from there whenever I want (which I haven't yet done this year).

I don't like the fact that the only options that work are paid options.

I believe that SET removed the SMS Spoof Module around May of 2014. I checked and found that the latest release of Kali to still have it included was 1.0.6, which is obtainable from the following link.

http://cdimage.kali.org/kali-1.0.6/

I have played a bit around it and had trouble installing a functional AE device on the older version when time came to install some 32 bit modules.

I did try the SMS Spoof through SMSgang, but it did not actually spoof the number I wanted it to. It did however send an SMS text but from a random number.

-Jeff

Hi, I understood that sms spoofing wasn't in kali. But isn't it possible just to download it? It seems pretty dumb to go back to backtrack just for this sms spoofing.

And another question, why did they remove sms spoofing like JEFF said?

where can you purchase the Samsung pin code?

that's smsgang bro, not samsung.
search them. they have a website.

lol...Thanks man.

Any idea how that actually works ?
Is spoofing SMS really that simple ?

you're full of shit dude.

u r correct im new to the site but i was going to say same thing

The SMS-Spoofing option was removed on May 30th, 2014, you would have to pull an old version of it from github or use Backtrack instead.

uhm.... does this thing work on Vietnam's phone numbers (+84)? i want to prank some enemy of mine HARDCORE

FYI using android emulator option sends sms to an open emulator on your system

Great article, OTW. One question that I wondered about the show is when he feels like he has to "clean out his computer" he takes out the RAM and microwaves it. Anyone know why that is necessary?

Yeah, that was the stupid thing. But if you want to wipe, I'd do it with a low-level format or break my HDD. The RAM forgets your data when you turn off your PC or pull the cable out of the connector.

Thanks!

I assume he is trying to destroy evidence of his hacks.

Hey, is it safe to pay a company with your money for a spoofed SMS? Wouldn't it reveal your identity? Maybe you could hack somebody else's Paypal account and it would help. What else could a hacker like Elliot do?

You can buy prepaid credit cards. This would probably be your best option.

If I remember, about more than 8 years ago, I used Nettools app 3.1 to send fake email messages. But I really don't remember the correct program name and version. Good old times :)

i use this method, and it's working for me in kali

  • thanks

Hey guys

On the same episode Elliot's associate hacked and fed Wikipedia with Elliot's false information, mind telling us how he did this :D

i think he has a wiki account with more rep from his past article edits ..
and so he will create a new page about elliot with fake info.

Hello guys,
so there's no way to use SMS options in Kali with default installation

You can use a "2nd" version of SET:

  1. https://github.com/trustedsec/social-engineer-toolkit/archive/4.7.tar.gz
  2. unzip
  3. Change metasploit directory (open and edit the setconfig file and set it to usr/share)

Should now work

ps I tried to download the version suggested above but didn't work, even if the pdf manual cited the 'SMS Spoofing Attack Vector'.

ps2 You can download this version or do the same procedure with the newer ones and check if the 'option' is still there.

Hope to have helped you

Alright, so I've just downloaded the second version of SET from github from the link provided, however I'm a little confused on the steps after that. By changing the Metasploit directory, are you implying that Metasploit must be opened and used to change the directory?

What exactly does metasploit have to do with this whole process? Also, what do you mean by 'open and edit the setconfig file and set it to usr/share/'? Do you just mean to copy it to the usr/share directory? After doing this, I have no extra option for text spoofing, and no separate SET app.

Last question, when you copy the file to the directory, are you just copying the setconfig, or the entire folder? And do you have to run a separate command to run this version of SET, or is this equivalent to a downgrade? Thanks in advance, this is all coming from a place of ignorance, and as far as I'm concerned, installing an entirely separate operating system for the use of one tool is a silly suggestion.

Hello,
Couldn't find an answer out there so maybe you could help,
How do I specify in which country the receiving phone is in?
could you please give an example.

Thanks!

p.s.
I'm new here and very thankful I found you

SMS SPOOFING DOESN'T WORK, I'M USING PARROT OS, HELP ME :(

Hello there fellow apprentice,

We would love to help you but please be more elaborative and tell us the details of the problem that you are experiencing..... A detailed question is always useful.

Hope to hear from you soon.

The_Unknown.

BackTrack 5 gives an error saying that body is used before assignment.

Kali Linux has a SET tool for this as well now. 12/11/2016
