From 6ad8afb8b3eae33e979938a4d68ae8042d1c80da Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Thu, 2 Mar 2017 16:47:55 -0600 Subject: [PATCH 01/10] Add API to send a text message (SMS) to mobile devices --- .../modules/auxiliary/client/sms/send_text.md | 121 ++++++++++++++++++ lib/msf/core/auxiliary/mixins.rb | 2 + lib/msf/core/auxiliary/sms.rb | 64 +++++++++ lib/rex/proto.rb | 1 + lib/rex/proto/sms.rb | 4 + lib/rex/proto/sms/client.rb | 77 +++++++++++ lib/rex/proto/sms/exception.rb | 10 ++ lib/rex/proto/sms/model.rb | 26 ++++ lib/rex/proto/sms/model/smtp.rb | 62 +++++++++ modules/auxiliary/client/sms/send_text.rb | 34 +++++ spec/lib/rex/proto/sms/client_spec.rb | 53 ++++++++ spec/lib/rex/proto/sms/model/smtp_spec.rb | 57 +++++++++ 12 files changed, 511 insertions(+) create mode 100644 documentation/modules/auxiliary/client/sms/send_text.md create mode 100644 lib/msf/core/auxiliary/sms.rb create mode 100644 lib/rex/proto/sms.rb create mode 100644 lib/rex/proto/sms/client.rb create mode 100644 lib/rex/proto/sms/exception.rb create mode 100644 lib/rex/proto/sms/model.rb create mode 100644 lib/rex/proto/sms/model/smtp.rb create mode 100644 modules/auxiliary/client/sms/send_text.rb create mode 100644 spec/lib/rex/proto/sms/client_spec.rb create mode 100644 spec/lib/rex/proto/sms/model/smtp_spec.rb diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md new file mode 100644 index 0000000000..7f1fb23e99 --- /dev/null +++ b/documentation/modules/auxiliary/client/sms/send_text.md 
@@ -0,0 +1,121 @@ +The auxiliary/client/sms/send_text module allows you to send a malicious text/link to a collection +of phone numbers of the same carrier. + +In order to use this module, you must set up your own SMTP server to deliver messages. Popular +mail services such as Gmail, Yahoo, Live should work fine. + +## Module Options + +**CELLNUMBERS** + +The phone number (or numbers) you want to send the text to. If you wish to target against multiple +phone numbers, ideally you want to create the list in a text file (one number per line), and then +load the CELLNUMBERS option like this: + +``` +set CELLNUMBER file:///tmp/att_phone_numbers.txt +``` + +Remember that these phone numbers must be the same carrier. + +**SMSCARRIER** + +The carrier that the targeted numbers use. See **Supported Carrier Gateways** to learn more about +supported carriers. + +**SMSMESSAGE** + +The text message you want to send. + +**SMTPADDRESS** + +The mail server address you wish to use to send the text messages. + +**SMTPPORT** + +The mail server port. By default, this is 25. + +**SMTPUSERNAME** + +The username you use to log into the SMTP server. + +**SMTPPASSWORD** + +The password you use to log into the SMTP server. + +**SMTPFROM** + +The FROM field of SMTP. + +## Supported Carrier Gateways + +The module supports the following carriers: + +* AllTel +* AT&T Wireless +* Boost Mobile +* Cricket Wireless +* Sprint +* T-Mobile +* Verizon +* Virgin Mobile + +## Finding the Carrier for a Phone Number + +Since you need to manually choose the carrier gateway for the phone numbers, you need to figure out +how to identify the carrier of a phone number. There are many services that can do this, such as: + +http://freecarrierlookup.com/ + +## Gmail SMTP Example + +Gmail is a popular mail server, so we will use this as a demonstration. + +Assuming you are already using two-factor authentication, you need to create an [application password](https://support.google.com/accounts/answer/185833?hl=en). 
+ +After creating the application password, configure auxiliary/client/sms/send_text this way: + +* ```set cellnumbers [PHONE NUMBER]``` +* ```set smscarrier [CHOOSE A SUPPORTED CARRIER]``` +* ```set smsmessage "[TEXT MESSAGE]"``` +* ```set smtpaddress smtp.gmail.com``` +* ```set smtpport 587``` +* ```set smtpusername [USERNAME FOR GMAIL]``` (you don't need ```@gmail.com``` at the end) +* ```set smtppassword [APPLICATION PASSWORD]``` + +And you should be ready to go. + +## Yahoo SMTP Example + +Yahoo is also a fairly popular mail server (although much slower to deliver comparing to Gmail), +so we will demonstrate as well. + +Before using the module, you must do this to your Yahoo account: + +1. Sign in to Yahoo Mail. +2. [Go to your "Account security" settings.](https://login.yahoo.com/account/security#less-secure-apps) +3. Turn on Allow apps that use less secure sign in. + +After configuring your Yahoo account, configure auxiliary/client/sms/send_text this way: + +* ```set cellnumbers [PHONE NUMBER]``` +* ```set smscarrier [CHOOSE A SUPPORTED CARRIER]``` +* ```set smsmessage "[TEXT MESSAGE]"``` +* ```set smtpaddress smtp.mail.yahoo.com``` +* ```set smtpport 25``` +* ```set smtpusername [USERNAME FOR YAHOO]@yahoo.com``` +* ```set smtppassword [YAHOO LOGIN PASSWORD]``` + +And you're good to go. + +## Demonstration + +After setting up your mail server and the module, your output should look similar to this: + +``` +msf auxiliary(send_text) > run + +[*] Sending text (16 bytes) to 1 number(s)... +[*] Done. +[*] Auxiliary module execution completed +``` diff --git a/lib/msf/core/auxiliary/mixins.rb b/lib/msf/core/auxiliary/mixins.rb index 46372750ea..ee34547d0c 100644 --- a/lib/msf/core/auxiliary/mixins.rb +++ b/lib/msf/core/auxiliary/mixins.rb @@ -28,3 +28,5 @@ require 'msf/core/auxiliary/iax2' require 'msf/core/auxiliary/ntp' require 'msf/core/auxiliary/pii' require 'msf/core/auxiliary/redis' + +require 'msf/core/auxiliary/sms' 
diff --git a/lib/msf/core/auxiliary/sms.rb b/lib/msf/core/auxiliary/sms.rb new file mode 100644 index 0000000000..7c15ac319c --- /dev/null +++ b/lib/msf/core/auxiliary/sms.rb 
@@ -0,0 +1,64 @@
+# -*- coding: binary -*-
+
+###
+#
+# The Msf::Auxiliary::Sms mixin allows you to send a text message to
+# multiple phones of the same carrier. A valid SMTP server is needed.
+#
+##
+
+module Msf
+ module Auxiliary::Sms
+
+ def initialize(info={})
+ super
+
+ register_options(
+ [
+ OptString.new('SMTPFROM', [false, 'The FROM field for SMTP', '']),
+ OptString.new('SMTPADDRESS', [ true, 'The SMTP server to use to send the text messages']),
+ OptPort.new('SMTPPORT', [true, 'The SMTP port to use to send the text messages', 25]),
+ OptString.new('SMTPUSERNAME', [true, 'The SMTP account to use to send the text messages']),
+ OptString.new('SMTPPASSWORD', [true, 'The SMTP password to use to send the text messages']),
+ OptEnum.new('SMSCARRIER', [true, 'The targeted SMS service provider', nil,Rex::Proto::Sms::Model::GATEWAYS.keys.collect { |k| k.to_s }]),
+ OptString.new('CELLNUMBERS', [true, 'The phone numbers to send to']),
+ OptString.new('SMSMESSAGE', [true, 'The text message to send'])
+ ], Auxiliary::Sms)
+
+ register_advanced_options(
+ [
+ OptEnum.new('SmtpLoginType', [true, 'The SMTP login type', 'login', ['plain', 'login', 'cram_md5']]),
+ OptString.new('HeloDdomain', [false, 'The domain to use for HELO', ''])
+ ], Auxiliary::Sms)
+ end
+
+
+ # Sends a text message to multiple numbers of the same service provider (carrier).
+ #
+ # @example This sends a text via Gmail
+ # smtp = Rex::Proto::Sms::Model::Smtp.new(address: 'smtp.gmail.com', port: 587, username: user, password: pass)
+ # sms = Rex::Proto::Sms::Client.new(carrier: :verizon, smtp_server: smtp)
+ # numbers = ['1112223333']
+ # sms.send_text_to_phones(numbers, 'Hello from Gmail')
+ #
+ # @param phone_numbers [Array] An array of numbers of try (of the same carrier)
+ # @param message [String] The text to send.
+ # + # @return [void] + def send_text(phone_numbers, message) + smtp = Rex::Proto::Sms::Model::Smtp.new( + address: datastore['SMTPADDRESS'], + port: datastore['SMTPPORT'], + username: datastore['SMTPUSERNAME'], + password: datastore['SMTPPASSWORD'], + login_type: datastore['SmtpLoginType'].to_sym, + from: datastore['SMTPFROM'] + ) + + carrier = datastore['SMSCARRIER'].to_sym + sms = Rex::Proto::Sms::Client.new(carrier: carrier, smtp_server: smtp) + sms.send_text_to_phones(phone_numbers, message) + end + + end +end diff --git a/lib/rex/proto.rb b/lib/rex/proto.rb index 8696fcd5ea..2f255134aa 100644 --- a/lib/rex/proto.rb +++ b/lib/rex/proto.rb @@ -7,6 +7,7 @@ require 'rex/proto/drda' require 'rex/proto/iax2' require 'rex/proto/kerberos' require 'rex/proto/rmi' +require 'rex/proto/sms' module Rex module Proto diff --git a/lib/rex/proto/sms.rb b/lib/rex/proto/sms.rb new file mode 100644 index 0000000000..bac7a0e9d6 --- /dev/null +++ b/lib/rex/proto/sms.rb @@ -0,0 +1,4 @@ +# -*- coding: binary -*- + +require 'rex/proto/sms/exception' +require 'rex/proto/sms/model' diff --git a/lib/rex/proto/sms/client.rb b/lib/rex/proto/sms/client.rb new file mode 100644 index 0000000000..6a9cd46deb --- /dev/null +++ b/lib/rex/proto/sms/client.rb 
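Review bot: In lib/msf/core/auxiliary/sms.rb the advanced option registered as `HeloDdomain` is never read: `send_text` builds the `Smtp` model without a `helo_domain:` key, so the model's own default is always used and setting the option has no effect. The name also looks like a typo for `HeloDomain`. I would rename it and pass it through, `helo_domain: datastore['HeloDomain']`, treating an empty value as unset so the model default still applies. The `@example` above `send_text` shows the Rex client API rather than a call to this mixin method, which is likely to mislead module authors.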
@@ -0,0 +1,77 @@
+# -*- coding: binary -*-
+
+module Rex
+ module Proto
+ module Sms
+ class Client
+
+ # @!attribute carrier
+ # @return [Symbol] The service provider for the phone numbers.
+ attr_accessor :carrier
+
+ # @!attribute smtp_server
+ # @return [Rex::Proto::Sms::Model::Smtp] The Smtp object with the Smtp settings.
+ attr_accessor :smtp_server
+
+
+ # Initializes the Client object.
+ #
+ # @param [Hash] opts
+ # @option opts [Symbol] Service provider name (see Rex::Proto::Sms::Model::GATEWAYS)
+ # @option opts [Rex::Proto::Sms::Model::Smtp] SMTP object
+ #
+ # @return [Rex::Proto::Sms::Client]
+ def initialize(opts={})
+ self.carrier = opts[:carrier]
+ self.smtp_server = opts[:smtp_server]
+
+ validate_carrier!
+ end
+
+
+ # Sends a text to multiple recipients.
+ #
+ # @param phone_numbers [Array] An array of phone numbers.
+ # @param message [String] The text message to send.
+ #
+ # @return [void]
+ def send_text_to_phones(phone_numbers, message)
+ carrier = Rex::Proto::Sms::Model::GATEWAYS[self.carrier]
+ recipients = phone_numbers.collect { |p| "#{p}@#{carrier}" }
+ address = self.smtp_server.address
+ port = self.smtp_server.port
+ username = self.smtp_server.username
+ password = self.smtp_server.password
+ helo_domain = self.smtp_server.helo_domain
+ login_type = self.smtp_server.login_type
+ from = self.smtp_server.from
+
+ smtp = Net::SMTP.new(address, port)
+
+ begin
+ smtp.enable_starttls_auto
+ smtp.start(helo_domain, username, password, login_type) do
+ smtp.send_message(message, from, recipients)
+ end
+ ensure
+ smtp.finish if smtp && smtp.started?
+ end
+ end
+
+
+ private
+
+
+ # Validates the carrier parameter.
+ #
+ # @raise [Rex::Proto::Sms::Exception] If an invalid service provider is used.
+ def validate_carrier!
+ unless Rex::Proto::Sms::Model::GATEWAYS.include?(self.carrier)
+ raise Rex::Proto::Sms::Exception, 'Invalid carrier.'
+ end
+ end
+
+ end
+ end
+ end
+end
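Review bot: In lib/rex/proto/sms/client.rb, `smtp.enable_starttls_auto` in `send_text_to_phones` only upgrades the session when the server advertises STARTTLS, so against a server that does not (or when the capability is stripped in transit) the following `start` call sends the SMTP username and password over a cleartext connection. Both credentials are required options of the mixin, so I would make TLS mandatory by default with `smtp.enable_starttls` and let the caller opt out explicitly for servers that really lack it. Separately, `message` is handed to `send_message` as is, with no header block; whether the gateways accept a header-less message is not visible here and deserves a comment or a test.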
diff --git a/lib/rex/proto/sms/exception.rb b/lib/rex/proto/sms/exception.rb new file mode 100644 index 0000000000..241f879f20 --- /dev/null +++ b/lib/rex/proto/sms/exception.rb @@ -0,0 +1,10 @@ +# -*- coding: binary -*- + +module Rex + module Proto + module Sms + class Exception < ::RuntimeError + end + end + end +end diff --git a/lib/rex/proto/sms/model.rb b/lib/rex/proto/sms/model.rb new file mode 100644 index 0000000000..13f19a0e18 --- /dev/null +++ b/lib/rex/proto/sms/model.rb @@ -0,0 +1,26 @@ +# -*- coding: binary -*- + +module Rex + module Proto + module Sms + module Model + + GATEWAYS = { + :alltel => 'sms.alltelwireless.com', # Alltel + :att => 'txt.att.net', # AT&T Wireless + :boost => 'sms.myboostmobile.com', # Boost Mobile + :cricket => 'sms.mycricket.com', # Cricket Wireless + :sprint => 'messaging.sprintpcs.com', # Sprint + :tmobile => 'tmomail.net', # T-Mobile + :verizon => 'vtext.com', # Verizon + :virgin => 'vmobl.com' # Virgin Mobile + } + + end + end + end +end + +require 'net/smtp' +require 'rex/proto/sms/model/smtp' +require 'rex/proto/sms/client' diff --git a/lib/rex/proto/sms/model/smtp.rb b/lib/rex/proto/sms/model/smtp.rb new file mode 100644 index 0000000000..18edc9b4b0 --- /dev/null +++ b/lib/rex/proto/sms/model/smtp.rb 
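Review bot: In lib/rex/proto/sms/exception.rb, naming the class `Exception` means that any bare `Exception` written inside the `Rex::Proto::Sms` namespace resolves to this class instead of `::Exception`, which makes it easy to write a rescue clause that catches less than intended. A name such as `Error` avoids the shadowing. If the name follows an existing project convention (not visible in this patch), a one-line comment saying so would help the next reader.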
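Review bot: In lib/rex/proto/sms/model.rb, `GATEWAYS` is a mutable Hash constant that both the mixin's `SMSCARRIER` enum and `validate_carrier!` read, so an accidental write anywhere in the process changes the carrier list for every user of it; adding `.freeze` after the closing brace prevents that. The `require` lines sit at the bottom of the file and `rex/proto/sms/client` is loaded from here rather than from rex/proto/sms.rb. A short comment explaining that ordering (presumably so the constant exists before the client is loaded) would save a search.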
@@ -0,0 +1,62 @@ +module Rex + module Proto + module Sms + module Model + class Smtp + + # @!attribute address + # @return [String] SMTP address + attr_accessor :address + + # @!attribute port + # @return [Fixnum] SMTP port + attr_accessor :port + + # @!attribute username + # @return [String] SMTP account/username + attr_accessor :username + + # @!attribute password + # @return [String] SMTP password + attr_accessor :password + + # @!attribute login_type + # @return [Symbol] SMTP login type (:login, :plain, and :cram_md5) + attr_accessor :login_type + + # @!attribute from + # @return [String] Sender + attr_accessor :from + + # @!attribute helo_domain + # @return [String] The domain to use for the HELO SMTP message + attr_accessor :helo_domain + + + # Initializes the SMTP object. + # + # @param [Hash] opts + # @option opts [String] :address + # @option opts [Fixnum] :port + # @option opts [String] :username + # @option opts [String] :password + # @option opts [String] :helo_domain + # @option opts [Symbol] :login_type + # @option opts [String] :from + # + # @return [Rex::Proto::Sms::Model::Smtp] + def initialize(opts={}) + self.address = opts[:address] + self.port = opts[:port] || 25 + self.username = opts[:username] + self.password = opts[:password] + self.helo_domain = opts[:helo_domain] || 'localhost' + self.login_type = opts[:login_type] || :login + self.from = opts[:from] || '' + end + + end + end + end + end +end diff --git a/modules/auxiliary/client/sms/send_text.rb b/modules/auxiliary/client/sms/send_text.rb new file mode 100644 index 0000000000..96c3a78d64 --- /dev/null +++ b/modules/auxiliary/client/sms/send_text.rb 
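Review bot: Unlike the other new files under lib/rex/proto/sms, lib/rex/proto/sms/model/smtp.rb does not start with `# -*- coding: binary -*-`; the first line should carry it for consistency. In `initialize` the `||` defaults only replace `nil`, so an empty `helo_domain` or `from` string passed by a caller is kept as is. The `@option` lines would be more useful if they stated which keys fall back to a default and what it is (`25`, `'localhost'`, `:login`, `''`).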
@@ -0,0 +1,34 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Auxiliary + + include Msf::Auxiliary::Sms + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SMS Client', + 'Description' => %q{ + This module sends a text message to multiple phones of the same carrier. + You can use it to send a malicious link to phones. + + Please note that you do not use this module to send a media file (attachment), + because that is MMS. + }, + 'Author' => [ 'sinn3r' ], + 'License' => MSF_LICENSE + )) + end + + def run + phone_numbers = datastore['CELLNUMBERS'].split + print_status("Sending text (#{datastore['SMSMESSAGE'].length} bytes) to #{phone_numbers.length} number(s)...") + res = send_text(phone_numbers, datastore['SMSMESSAGE']) + print_status("Done.") + end + +end diff --git a/spec/lib/rex/proto/sms/client_spec.rb b/spec/lib/rex/proto/sms/client_spec.rb new file mode 100644 index 0000000000..688435497f --- /dev/null +++ b/spec/lib/rex/proto/sms/client_spec.rb 
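Review bot: In `run` of modules/auxiliary/client/sms/send_text.rb the result of `send_text` is assigned to `res` and never used, and the status line reports `datastore['SMSMESSAGE'].length` as bytes although `String#length` counts characters for non-binary strings; `bytesize` matches the wording. I would drop the assignment and write `send_text(phone_numbers, datastore['SMSMESSAGE'])`. The unused `res` is carried unchanged into the later hunk of this file that adds the `begin`/`rescue` (PATCH 08/10). `CELLNUMBERS` is split on whitespace with no check that any entry remains or that entries are digits, so a malformed list is only discovered when the server rejects a recipient.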
@@ -0,0 +1,53 @@ +# -*- coding: binary -*- +require 'spec_helper' +require 'rex/proto/sms/model' + +RSpec.describe Rex::Proto::Sms::Client do + + let(:phone_numbers) { ['1112223333'] } + + let(:message) { 'message' } + + let(:carrier) { :verizon } + + let(:smtp_server) { + Rex::Proto::Sms::Model::Smtp.new( + address: 'example.com', + port: 25, + username: 'username', + password: 'password' + ) + } + + subject do + Rex::Proto::Sms::Client.new( + carrier: carrier, + smtp_server: smtp_server + ) + end + + describe '#initialize' do + it 'sets carrier' do + expect(subject.carrier).to eq(carrier) + end + + it 'sets smtp server' do + expect(subject.smtp_server).to eq(smtp_server) + end + end + + describe '#send_text_to_phones' do + before(:each) do + smtp = Net::SMTP.new(smtp_server.address, smtp_server.port) + allow(smtp).to receive(:start).and_yield + allow(smtp).to receive(:send_message) { |args| @sent_message = args } + allow(Net::SMTP).to receive(:new).and_return(smtp) + end + + it 'sends a text message' do + subject.send_text_to_phones(phone_numbers, message) + expect(@sent_message).to eq(message) + end + end + +end diff --git a/spec/lib/rex/proto/sms/model/smtp_spec.rb b/spec/lib/rex/proto/sms/model/smtp_spec.rb new file mode 100644 index 0000000000..48b7a2b9bb --- /dev/null +++ b/spec/lib/rex/proto/sms/model/smtp_spec.rb 
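Review bot: The `#send_text_to_phones` example in spec/lib/rex/proto/sms/client_spec.rb stubs `send_message` and keeps only its first argument, so it never checks the recipient address that the client builds from the number and the carrier gateway, which is the one piece of logic in the method. Capturing all arguments and asserting the recipient, for example `expect(@recipients).to eq(['1112223333@vtext.com'])`, would cover it. There is also no example for an unknown carrier, where `Client.new` is expected to raise `Rex::Proto::Sms::Exception`.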
@@ -0,0 +1,57 @@ +# -*- coding: binary -*- +require 'spec_helper' +require 'rex/proto/sms/model' + +RSpec.describe Rex::Proto::Sms::Model::Smtp do + + let(:address) { 'example.com' } + let(:port) { 25 } + let(:username) { 'username' } + let(:password) { 'password' } + let(:login_type) { :login } + let(:from) { 'from' } + let(:helo_domain) { 'example.com'} + + subject do + Rex::Proto::Sms::Model::Smtp.new( + address: address, + port: port, + username: username, + password: password, + login_type: login_type, + from: from, + helo_domain: helo_domain + ) + end + + describe '#initialize' do + it 'sets address' do + expect(subject.address).to eq(address) + end + + it 'sets port' do + expect(subject.port).to eq(port) + end + + it 'sets username' do + expect(subject.username).to eq(username) + end + + it 'sets password' do + expect(subject.password).to eq(password) + end + + it 'sets login_type' do + expect(subject.login_type).to eq(login_type) + end + + it 'sets from' do + expect(subject.from).to eq(from) + end + + it 'sets helo domain' do + expect(subject.helo_domain).to eq(helo_domain) + end + end + +end From c61f8ded783215ddb1d8b1a1643ca2a635e9f861 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 3 Mar 2017 11:09:04 -0600 Subject: [PATCH 02/10] Comment out Sprint It looks like the Sprint gateways won't accept our email for some reason, so we can't use it. --- lib/rex/proto/sms/model.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/rex/proto/sms/model.rb b/lib/rex/proto/sms/model.rb index 13f19a0e18..93a4f6ee14 100644 --- a/lib/rex/proto/sms/model.rb +++ b/lib/rex/proto/sms/model.rb 
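Review bot: Every example under `#initialize` in spec/lib/rex/proto/sms/model/smtp_spec.rb passes an explicit value, so the defaults the model applies when a key is missing (`port` 25, `helo_domain` 'localhost', `login_type` :login, `from` '') are untested. One extra context that builds the object from `address:` alone and asserts those four values would pin them, for example `expect(described_class.new(address: address).port).to eq(25)`.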
@@ -10,7 +10,11 @@ module Rex :att => 'txt.att.net', # AT&T Wireless :boost => 'sms.myboostmobile.com', # Boost Mobile :cricket => 'sms.mycricket.com', # Cricket Wireless - :sprint => 'messaging.sprintpcs.com', # Sprint + # Sprint is commented out, because the gateways don't seem to work. + # Gateways tried for Sprint: + # messaging.sprintpcs.com + # pm.sprint.com + #:sprint => 'messaging.sprintpcs.com', # Sprint :tmobile => 'tmomail.net', # T-Mobile :verizon => 'vtext.com', # Verizon :virgin => 'vmobl.com' # Virgin Mobile From 2edb116855d1588026901657ccc85dd4c577d8c9 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 3 Mar 2017 11:12:59 -0600 Subject: [PATCH 03/10] Send texts individually If we pass all the phone numbers at once in one email, it becomes a group chat, and that allows the recipients to see each other's number, which isn't the intended behavior. --- lib/rex/proto/sms/client.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/rex/proto/sms/client.rb b/lib/rex/proto/sms/client.rb index 6a9cd46deb..be1d973efa 100644 --- a/lib/rex/proto/sms/client.rb +++ b/lib/rex/proto/sms/client.rb @@ -51,7 +51,9 @@ module Rex begin smtp.enable_starttls_auto smtp.start(helo_domain, username, password, login_type) do - smtp.send_message(message, from, recipients) + recipients.each do |r| + smtp.send_message(message, from, r) + end end ensure smtp.finish if smtp && smtp.started? From fa43928a8ed1ca0f4fb884dee2cb9defdcee0928 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 3 Mar 2017 11:27:31 -0600 Subject: [PATCH 04/10] Rm Sprint from doc --- documentation/modules/auxiliary/client/sms/send_text.md | 1 - 1 file changed, 1 deletion(-) diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md index 7f1fb23e99..c6746b31cd 100644 --- a/documentation/modules/auxiliary/client/sms/send_text.md +++ b/documentation/modules/auxiliary/client/sms/send_text.md 
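Review bot: The reason for the new `recipients.each` loop in lib/rex/proto/sms/client.rb exists only in the commit message; a comment above the loop, such as `# One message per number: a single message to all recipients exposes the numbers to each other.`, would keep a later cleanup from merging the sends again. The YARD text of `send_text_to_phones` should also say that one message is sent per number. With the loop inside the `smtp.start` block, an exception from `send_message` for one recipient ends the loop and the caller cannot tell which numbers were already handled; the method body begins and ends outside this hunk.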
@@ -55,7 +55,6 @@ The module supports the following carriers: * AT&T Wireless * Boost Mobile * Cricket Wireless -* Sprint * T-Mobile * Verizon * Virgin Mobile From d9b21b16a9276ae8529577ec833cc5db07a50e5f Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 3 Mar 2017 11:36:13 -0600 Subject: [PATCH 05/10] Support Google Project Fi gateway --- documentation/modules/auxiliary/client/sms/send_text.md | 1 + lib/rex/proto/sms/model.rb | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md index c6746b31cd..4d7543aedb 100644 --- a/documentation/modules/auxiliary/client/sms/send_text.md +++ b/documentation/modules/auxiliary/client/sms/send_text.md @@ -58,6 +58,7 @@ The module supports the following carriers: * T-Mobile * Verizon * Virgin Mobile +* Google Fi ## Finding the Carrier for a Phone Number diff --git a/lib/rex/proto/sms/model.rb b/lib/rex/proto/sms/model.rb index 93a4f6ee14..fe4dacfa4c 100644 --- a/lib/rex/proto/sms/model.rb +++ b/lib/rex/proto/sms/model.rb @@ -17,7 +17,8 @@ module Rex #:sprint => 'messaging.sprintpcs.com', # Sprint :tmobile => 'tmomail.net', # T-Mobile :verizon => 'vtext.com', # Verizon - :virgin => 'vmobl.com' # Virgin Mobile + :virgin => 'vmobl.com', # Virgin Mobile + :google => 'msg.fi.google.com' } end From 4d44911d5cc0563619f4e0f2c2b5abd10bd83830 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Fri, 3 Mar 2017 11:38:47 -0600 Subject: [PATCH 06/10] Do doc for google fi --- documentation/modules/auxiliary/client/sms/send_text.md | 2 ++ lib/rex/proto/sms/model.rb | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md index 4d7543aedb..6101e66483 100644 --- a/documentation/modules/auxiliary/client/sms/send_text.md +++ b/documentation/modules/auxiliary/client/sms/send_text.md 
@@ -67,6 +67,8 @@ how to identify the carrier of a phone number. There are many services that can http://freecarrierlookup.com/ +Note: If the phone is using Google Fi, then it may appear as a different carrier. + ## Gmail SMTP Example Gmail is a popular mail server, so we will use this as a demonstration. diff --git a/lib/rex/proto/sms/model.rb b/lib/rex/proto/sms/model.rb index fe4dacfa4c..c98ecf6dca 100644 --- a/lib/rex/proto/sms/model.rb +++ b/lib/rex/proto/sms/model.rb @@ -18,7 +18,7 @@ module Rex :tmobile => 'tmomail.net', # T-Mobile :verizon => 'vtext.com', # Verizon :virgin => 'vmobl.com', # Virgin Mobile - :google => 'msg.fi.google.com' + :google => 'msg.fi.google.com' # Google Project Fi } end From 7e16fc97f5a00738f93cbe087e57b209168b1c8b Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Mon, 6 Mar 2017 10:47:46 -0600 Subject: [PATCH 07/10] Update doc --- .../modules/auxiliary/client/sms/send_text.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md index 6101e66483..cae552941d 100644 --- a/documentation/modules/auxiliary/client/sms/send_text.md +++ b/documentation/modules/auxiliary/client/sms/send_text.md @@ -1,4 +1,4 @@ -The auxiliary/client/sms/send_text module allows you to send a malicious text/link to a collection +The ```auxiliary/client/sms/send_text``` module allows you to send a malicious text/link to a collection of phone numbers of the same carrier. In order to use this module, you must set up your own SMTP server to deliver messages. Popular 
@@ -8,9 +8,9 @@ mail services such as Gmail, Yahoo, Live should work fine. **CELLNUMBERS** -The phone number (or numbers) you want to send the text to. If you wish to target against multiple -phone numbers, ideally you want to create the list in a text file (one number per line), and then -load the CELLNUMBERS option like this: +The 10-digit phone number (or numbers) you want to send the text to. If you wish to target against +multiple phone numbers, ideally you want to create the list in a text file (one number per line), +and then load the CELLNUMBERS option like this: ``` set CELLNUMBER file:///tmp/att_phone_numbers.txt @@ -33,7 +33,7 @@ The mail server address you wish to use to send the text messages. **SMTPPORT** -The mail server port. By default, this is 25. +The mail server port. By default, this is ```25```. **SMTPUSERNAME** @@ -45,7 +45,7 @@ The password you use to log into the SMTP server. **SMTPFROM** -The FROM field of SMTP. +The FROM field of SMTP. In some cases, it may be used as ```SMTPUSER```. ## Supported Carrier Gateways @@ -55,10 +55,13 @@ The module supports the following carriers: * AT&T Wireless * Boost Mobile * Cricket Wireless +* Google Fi * T-Mobile * Verizon * Virgin Mobile -* Google Fi + +**Note:** During development, we could not find a valid gateway for Sprint, therefore it is currently +not supported. ## Finding the Carrier for a Phone Number @@ -67,7 +70,7 @@ how to identify the carrier of a phone number. There are many services that can http://freecarrierlookup.com/ -Note: If the phone is using Google Fi, then it may appear as a different carrier. +**Note:** If the phone is using Google Fi, then it may appear as a different carrier. ## Gmail SMTP Example From a466dc44c6e7c734187ddb48e31e1b3037090b36 Mon Sep 17 00:00:00 2001 
From: wchen-r7 Date: Mon, 6 Mar 2017 10:54:08 -0600 Subject: [PATCH 08/10] Do exception handling for sms client --- lib/rex/proto/sms/client.rb | 2 ++ modules/auxiliary/client/sms/send_text.rb | 8 ++++++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/lib/rex/proto/sms/client.rb b/lib/rex/proto/sms/client.rb index be1d973efa..271dafdec1 100644 --- a/lib/rex/proto/sms/client.rb +++ b/lib/rex/proto/sms/client.rb @@ -55,6 +55,8 @@ module Rex smtp.send_message(message, from, r) end end + rescue Net::SMTPAuthenticationError => e + raise Rex::Proto::Sms::Exception, e.message ensure smtp.finish if smtp && smtp.started? end diff --git a/modules/auxiliary/client/sms/send_text.rb b/modules/auxiliary/client/sms/send_text.rb index 96c3a78d64..8bc0382db4 100644 --- a/modules/auxiliary/client/sms/send_text.rb +++ b/modules/auxiliary/client/sms/send_text.rb @@ -27,8 +27,12 @@ class MetasploitModule < Msf::Auxiliary def run phone_numbers = datastore['CELLNUMBERS'].split print_status("Sending text (#{datastore['SMSMESSAGE'].length} bytes) to #{phone_numbers.length} number(s)...") - res = send_text(phone_numbers, datastore['SMSMESSAGE']) - print_status("Done.") + begin + res = send_text(phone_numbers, datastore['SMSMESSAGE']) + print_status("Done.") + rescue Rex::Proto::Sms::Exception => e + print_error(e.message) + end end end From 34bca9055eed271a4d80d8b0193cdbe54e5ce3f8 Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Mon, 6 Mar 2017 11:08:51 -0600 Subject: [PATCH 09/10] Update doc --- documentation/modules/auxiliary/client/sms/send_text.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md index cae552941d..ec69d2289d 100644 --- a/documentation/modules/auxiliary/client/sms/send_text.md +++ b/documentation/modules/auxiliary/client/sms/send_text.md 
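Review bot: The `rescue` added to `send_text_to_phones` in lib/rex/proto/sms/client.rb converts only `Net::SMTPAuthenticationError`; other failures from the same block, such as `Net::SMTPFatalError`, `Net::SMTPServerBusy` or a socket error on connect, still leave the method as raw exceptions and bypass the `rescue Rex::Proto::Sms::Exception` that this same commit adds to the module's `run`. I would widen the clause, for example `rescue Net::SMTPAuthenticationError, Net::SMTPFatalError, Net::SMTPServerBusy, Net::SMTPSyntaxError, Net::SMTPUnknownError => e`, and add a spec example that stubs `start` to raise and expects the wrapped exception. The method body starts outside this hunk.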
@@ -25,7 +25,13 @@ supported carriers. **SMSMESSAGE** -The text message you want to send. +The text message you want to send. For example, this will send a text with a link to google: + +``` +set SMSMESSAGE "Hi, please go: google.com" +``` + +The link should automatically be parsed on the phone and clickable. **SMTPADDRESS** From 6c53dd523163c34ce91d6ff4a6bf652b6e3b3c9a Mon Sep 17 00:00:00 2001 From: wchen-r7 Date: Tue, 7 Mar 2017 12:50:59 -0600 Subject: [PATCH 10/10] Fix a typo --- documentation/modules/auxiliary/client/sms/send_text.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/auxiliary/client/sms/send_text.md b/documentation/modules/auxiliary/client/sms/send_text.md index ec69d2289d..dcdd5e419b 100644 --- a/documentation/modules/auxiliary/client/sms/send_text.md +++ b/documentation/modules/auxiliary/client/sms/send_text.md @@ -13,7 +13,7 @@ multiple phone numbers, ideally you want to create the list in a text file (one and then load the CELLNUMBERS option like this: ``` -set CELLNUMBER file:///tmp/att_phone_numbers.txt +set CELLNUMBERS file:///tmp/att_phone_numbers.txt ``` Remember that these phone numbers must be the same carrier.