The Hacks of Mr. Robot: How to Send a Spoofed SMS Text Message

As most of you know, Mr. Robot is probably the best hacker TV show ever! This is a great show about a cyber security engineer who is being enticed to hack the very corporation he’s being paid to protect. This show is so good, I began a series to demonstrate how to do the hacks he uses in the show.

The Spoofed Text Message in Episode 5

In episode 5, when Elliot is able to social engineer his way into the Steel Mountain’s state of the art, “impenetrable” storage facility, a manager gets suspicious and begins to escort him out of the building before he can implant the Raspberry Pi (which we made in the last guide).

He intends to place the RP inside the network to manipulate the HVAC system to raise the temperature in the storage facility and destroy the tapes that contain the records of 70% of the world’s consumer debt, including student loans. At the very moment that she is about to escort him to the elevator and out of the facility, she receives a text message from her husband that is urgent and distracts here. The text message did not actually come from her husband, but rather from one of Elliot’s f/society comrades.

 

In this tutorial, I will show you how Elliot’s comrades at f/society were able to send the Steel Mountain manager an urgent, spoofed text message that appeared to come from her husband indicating that he was at the hospital and had a serious health issue.

On the show, Elliot’s f/society comrades use Kali to send the spoofed SMS, but this feature has been discontinued in recent versions of Kali. Luckily, though, it is still in BackTrack, so for this tutorial, we will be reverting to our trusty BackTrack installation (one more example that the newest is not always the best).

Step 1: Fire Up BackTrack & Start Social Engineering Toolkit (SET)

Let’s begin by firing up Backtrack 5 and then navigating to Applications -> Exploitation Tools -> Social Engineering Tools -> Social Engineering Toolkit (SET), then select “set” as I have done in the screenshot below.

This will start the SET opening screen as seen below. SET is capable of numerous social engineering attacks. We have previously used SET to spear phish in BackTrack, but the one we want this time is “SMS Spoofing Attack Vector.” To begin this attack, Select #7.

In the following screen we are asked whether we want “Perform a SMS Spoofing Attack” or “Create a Social Engineering Template.” Select #1. Once you have made that selection, you will be queried whether you want to spoof a single number or a mass attack. Select #1 for a single number.

Step 2: Set Up a Spoofed Text Message

Here, I want to send a spoofed text message from Mary (my best friend’s girlfriend) to John (my best friend) where she breaks up with him. This should rattle him a bit and give me a few chuckles as he is madly in love with her.

First, enter his phone number where it asks you “Send sms to.” Then select #2 to craft a One-Time Use SMS. Finally, enter her phone number. Make certain both numbers are preceded by the “+”.

Step 3: Craft the Text Message

In our final step, we need to type the message we want sent to John from his girlfriend, Mary.

“I’m so sorry John. I have met another man and he is the love of my life. I hope we can remain friends”

When you are finished typing, exit by hitting Control + C.

Step 4: Send the Message!

This will bring you to the final screen. In this screen, we will need to select the intermediary for the spoofed SMS message. You have four options here. The first is free, and as they say, it is buggy (when I ran it, SET crashed). Then, there are two for-pay options and, finally, the Android emulator.

I chose the third option, SMSGANG. They charge 3 euros for 5 messages, or about $0.65 in U.S. dollars per message. When you pay (they accept credit cards and PayPal) they send you a PIN code. After selecting #3, it will ask you for a “pincode.” Enter the one SMSGANG emailed you and then your text message is sent!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s