voicemailautomator is a tool that serves as a Proof of Concept for the research I presented at DEF CON 26, “Compromising online accounts by cracking voicemail systems”.

For details and demos please check: https://www.martinvigo.com/voicemailcracker



vociemailcracker uses Twilio, a VOIP service that allows you to programmatically manage phone calls. voicemailcrackerlaunches hundreds of phone calls at the same time to interact with voicemail systems and bruteforce the PIN.


Bruteforcing the entire 4-digit keyspace costs less that $40. If you want to ensure a 50% chance of guessing the PIN correctly (according to Data Genetics research), it would cost you only $5. If we want to take a different approach, you can check a thousand different voicemails for the default PIN for only $13.


voicemailcracker comes with specific payloads for every major US carrier and automates everything. You only need to provide the victim’s phone number, the carrier, an the callerID provided by Twilio, that’s all.


vociemailcracker uses Data Genetics research to optimize bruteforcing. It will favor common PINs, default PINs and patterns. It also tries multiple PINs at the same time to reduce the number of calls needed.


Instead of call flooding, we can use OSINT techniques to find out when the victim has the phone disconnected. It is very common for people to share their plans on Twitter like when they are flying, in the movie theater or going to a remote trip. The phone may also be set to Do Not Disturb overnight.

DEF CON 26 talk


You will need a funded Twilio account, setup TwiML bins and configure localtunnel.me to accept Webhooks. Check the “Twilio setup” section in the script and add the missing information

account_sid = "" # Obtain from Twilio
auth_token = "" # Obtain from Twilio
twimlPayloadChangeGreeting = "" # <?xml version="1.0" encoding="UTF-8"?><Response><Pause length="10"/><Hangup/></Response>
twimlPayloadChangeGetNewestMessage = "" # <?xml version="1.0" encoding="UTF-8"?><Response><Pause length="10"/><Hangup/></Response>
status_callback_url = "" # Obtain from localtunnel.me


python voicemailcracker.py message --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000
python voicemailcracker.py greeting --victimnumber 5555555555 --carrier tmobile --callerid 4444444444 --backdoornumber 3333333333 --pin 0000 --payload 1234


Martin Vigo - @martin_vigo - martinvigo.com

Share this post


Welcome to Cyber-Security.tk my personal blog to share my knowledge
Cyber Security, Ethical Hacking, Web & Network Auditing, Reverse Engineering and Cryptography
This website don't use analytics tracking and is ads-free. JavaScript is enabled .


Contact Form : Connect with Us

    Ricochet : ricochet:3ka6l4q255cakeirgxupsl5i4lw3qpk5gmngtv5amax64hckuovgozyd

2023 © 0x1 | Cyber Security Consulting - Copyright All Rights Reserved