
Locked VoiceMailAutomator


0x1


VoiceMailAutomator is a tool that serves as a Proof of Concept for the research I presented at DEF CON 26, "Compromising online accounts by cracking voicemail systems".


Demo

voicemailcracker demo:

In this demo you will see how the tool works and how I am able to obtain the PIN of my test voicemail by trying the top 20 most common 4-digit PINs.


Compromising WhatsApp:

In this demo I will show how I compromise WhatsApp by abusing the verification process over phone call. On the left, you see the victim’s WhatsApp running on an actual phone. On the right, you see that I am actually using an Android simulator to hijack the victim’s WhatsApp account. I don’t even need a real phone!


Compromising PayPal:

PayPal implemented the protection in an interesting way. Instead of requiring the user to press a key to hear the code, PayPal displays a 4-digit code in the UI when you initiate the password reset process, and that is the code you need to enter when you receive the call. As soon as you do that, the UI updates and you are prompted to enter a new password. This demo shows how you can use voicemailcracker to update the greeting message with DTMF tones corresponding to the code that PayPal displays and take over the account.


Fast

voicemailcracker uses [Twilio](https://www.twilio.com/), a VoIP service that allows you to programmatically manage phone calls. voicemailcracker launches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.

 
Cheap

Bruteforcing the entire 4-digit keyspace costs less than $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to Data Genetics research), it would cost you only $5. Taking a different approach, you can check a thousand different voicemails for the default PIN for only $13.

 

Easy

voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim’s phone number, the carrier, and the caller ID provided by Twilio. That’s all.

 
Efficient

voicemailcracker uses Data Genetics research to optimize bruteforcing. It favors common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.

 
Undetected

Instead of call flooding, we can use [OSINT techniques](https://en.wikipedia.org/wiki/Open-source_intelligence) to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter, such as when they are flying, in the movie theater or going on a remote trip. The phone may also be set to Do Not Disturb overnight.

DEF CON 26 talk


Setup

You will need a funded Twilio account, and you will need to set up TwiML bins and configure localtunnel.me to accept webhooks. Check the "Twilio setup" section in the script and add the missing information.


Usage



 


Authors

Martin Vigo - @martin_vigo

Source & Download


More info


Edited by 0x1