0x1 Posted September 10, 2019 (edited)

VoiceMailAutomator is a tool that serves as a Proof of Concept for the research I presented at DEF CON 26, "Compromising online accounts by cracking voicemail systems".

Demo

Voicemailcracker demo: In this demo you will see how the tool works and how I am able to obtain the PIN of my test voicemail by trying the top 20 most common 4-digit PINs.

Compromising WhatsApp: In this demo I will show how I compromise WhatsApp by abusing the verification process over phone call. On the left, you see the victim’s WhatsApp running on an actual phone. On the right, you see that I am actually using an Android simulator to hijack the victim’s WhatsApp account. I don’t even need a real phone!

Compromising PayPal: PayPal implemented the protection in an interesting way. Instead of requiring the user to press a key to hear the code, PayPal will display a 4-digit code in the UI when you initiate the password reset process, and that is the code you need to enter when you receive the call. As soon as you do that, the UI will update and you will be prompted to enter a new password. This demo shows how you can use voicemailcracker to update the greeting message with DTMF tones corresponding to the code that PayPal displays and take over the account.

Fast

voicemailcracker uses [Twilio](https://www.twilio.com/), a VOIP service that allows you to programmatically manage phone calls. voicemailcracker launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.

Cheap

Bruteforcing the entire 4-digit keyspace costs less than $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to Data Genetics research), it would cost you only $5. If we want to take a different approach, you can check a thousand different voicemails for the default PIN for only $13.

Easy

voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim’s phone number, the carrier, and the callerID provided by Twilio, that’s all.

Efficient

voicemailcracker uses Data Genetics research to optimize bruteforcing. It will favor common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.

Undetected

Instead of call flooding, we can use [OSINT techniques](https://en.wikipedia.org/wiki/Open-source_intelligence) to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter, like when they are flying, in the movie theater or going on a remote trip. The phone may also be set to Do Not Disturb overnight.

Setup

You will need a funded Twilio account, set up TwiML bins and configure localtunnel.me to accept webhooks. Check the "Twilio setup" section in the script and add the missing information.

Authors

Martin Vigo - @martin_vigo

Edited September 10, 2019 by 0x1
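
The post describes hundreds of simultaneous calls against one voicemail box, so a failed-PIN limit counted per call only ever sees a few guesses. The following is an added defensive sketch, not part of the original post or of the tool: it counts failed PIN entries per mailbox across all calls and caller IDs. The event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

# Constructed sample events: (unix_ts, mailbox, call_id, pin_ok).
# Four parallel calls each try three wrong PINs against the same mailbox.
EVENTS = [(1000 + i, "+15550100", f"call-{i % 4}", False) for i in range(12)]
# A second mailbox whose owner mistypes once and then gets in.
EVENTS += [(1020, "+15550199", "call-9", False), (1030, "+15550199", "call-9", True)]


def per_call_max_failures(events):
    """Largest number of failures any single call produced (what a per-call limit sees)."""
    counts = Counter((mbox, call) for _, mbox, call, ok in events if not ok)
    return max(counts.values(), default=0)


class MailboxGuard:
    """Locks a mailbox after max_fails failed PINs within window_s seconds,
    counted across every call and caller ID (thresholds are assumed values)."""

    def __init__(self, window_s=3600, max_fails=5):
        self.window_s = window_s
        self.max_fails = max_fails
        self.fails = defaultdict(deque)  # mailbox -> timestamps of recent failures
        self.locked = set()

    def record(self, ts, mailbox, pin_ok):
        """Return 'locked', 'ok' or 'fail' for one PIN entry."""
        if mailbox in self.locked:
            return "locked"              # refuse PIN login until reset out of band
        if pin_ok:
            return "ok"
        recent = self.fails[mailbox]
        recent.append(ts)
        while recent and ts - recent[0] > self.window_s:
            recent.popleft()             # drop failures older than the window
        if len(recent) >= self.max_fails:
            self.locked.add(mailbox)
            return "locked"
        return "fail"


def replay(events, guard=None):
    """Feed events in time order through the guard and collect its decisions."""
    guard = guard or MailboxGuard()
    return [guard.record(ts, mbox, ok) for ts, mbox, _, ok in sorted(events)]


if __name__ == "__main__":
    print("max failures seen by any single call:", per_call_max_failures(EVENTS))
    print("per-mailbox decisions:", replay(EVENTS))
```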