As most of you know, Mr. Robot is probably the best hacker TV show ever! This is a great show about a cyber security engineer who is being enticed to hack the very corporation he’s being paid to protect. This show is so good, I began a series to demonstrate how to do the hacks he uses in the show.
The Spoofed Text Message in Episode 5
In episode 5, when Elliot is able to social engineer his way into the Steel Mountain’s state of the art, “impenetrable” storage facility, a manager gets suspicious and begins to escort him out of the building before he can implant the Raspberry Pi (which we made in the last guide).
He intends to place the RP inside the network to manipulate the HVAC system to raise the temperature in the storage facility and destroy the tapes that contain the records of 70% of the world’s consumer debt, including student loans. At the very moment that she is about to escort him to the elevator and out of the facility, she receives a text message from her husband that is urgent and distracts here. The text message did not actually come from her husband, but rather from one of Elliot’s f/society comrades.
In this tutorial, I will show you how Elliot’s comrades at f/society were able to send the Steel Mountain manager an urgent, spoofed text message that appeared to come from her husband indicating that he was at the hospital and had a serious health issue.
Step 1: Fire Up BackTrack & Start Social Engineering Toolkit (SET)
Let’s begin by firing up Backtrack 5 and then navigating to Applications -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit (SET), then select “set” as I have done in the screenshot below.
This will start the SET opening screen as seen below. SET is capable of numerous social engineering attacks. We have previously used SET to spear phish in BackTrack, but the one we want this time is “SMS Spoofing Attack Vector.” To begin this attack, Select #7.
In the following screen we are asked whether we want “Perform a SMS Spoofing Attack” or “Create a Social Engineering Template.” Select #1. Once you have made that selection, you will be queried whether you want to spoof a single number or a mass attack. Select #1 for a single number.
Step 2: Set Up a Spoofed Text Message
Here, I want to send a spoofed text message from Mary (my best friend’s girlfriend) to John (my best friend) where she breaks up with him. This should rattle him a bit and give me a few chuckles as he is madly in love with her.
First, enter his phone number where it asks you “Send sms to.” Then select #2 to craft a One-Time Use SMS. Finally, enter her phone number. Make certain both numbers are preceded by the “+”.
Step 3: Craft the Text Message
In our final step, we need to type the message we want sent to John from his girlfriend, Mary.
“I’m so sorry John. I have met another man and he is the love of my life. I hope we can remain friends”
Step 4: Send the Message!
This will bring you to the final screen. In this screen, we will need to select the intermediary for the spoofed SMS message. You have four options here. The first is free, and as they say, it is buggy (when I ran it, SET crashed). Then, there are two for-pay options and, finally, the Android emulator.
I chose the third option, SMSGANG. They charge 3 euros for 5 messages, or about $0.65 in U.S. dollars per message. When you pay (they accept credit cards and PayPal) they send you a PIN code. After selecting #3, it will ask you for a “pincode.” Enter the one SMSGANG emailed you and then your text message is sent!