Author Topic: How to crack the web form with Captcha ?  (Read 2923 times)

0 Members and 1 Guest are viewing this topic.

Offline ba8y

  • /dev/null
  • *
  • Posts: 15
  • Cookies: -3
    • View Profile
How to crack the web form with Captcha ?
« on: September 25, 2013, 10:40:05 am »
With Hydra and Burpsuite , we can crack web form without captcha quickly.

But now, there are many login pages with captcha,

I've tested some tools, Ex:

Tesseract OCR engine
FastOCR
cintruder


They do bad  somtimes. Ex:
Speed slowly
Captcha is not supported.



how can we crack them quickly ?


Offline Raavgo

  • Peasant
  • *
  • Posts: 88
  • Cookies: 12
  • On my way from a n00b to a PRO
    • View Profile
Re: How to crack the web form with Captcha ?
« Reply #1 on: September 25, 2013, 11:31:20 am »
What kind of captcha is it? (pattern recognition, equation solving, question to answer)
How is it checked ? (JS Captcha checked on the client?, answer sent to server and checked there?)

Don't wonder why I mentioned JS Captchas I recently saw one of those  :P

In general it is a pattern captcha and you would have to use pattern recognition software to bruteforce them, but luckily there is a way to circumvent them...

But before you can circumvent Captchas you have to understand how they work:
http://www.gohacking.com/what-is-captcha-how-it-works/

(I might even write a tutorial if I got some spare time)
I found a good tutorial from mcafee:
http://www.mcafee.com/us/resources/white-papers/foundstone/wp-bypassing-captchas.pdf


After you read that and you still have no clue how to circumvent them you can ask again and I'll try to explain it to you.
« Last Edit: September 25, 2013, 02:42:17 pm by Raavgo »

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: How to crack the web form with Captcha ?
« Reply #2 on: September 25, 2013, 01:31:59 pm »
After you read that and you still have no clue how to circumvent them you can pm me and I'll try to explain it to you.
Why PM? you can discuss it right here, so other people can also benefit from it.

Offline Raavgo

  • Peasant
  • *
  • Posts: 88
  • Cookies: 12
  • On my way from a n00b to a PRO
    • View Profile
Re: How to crack the web form with Captcha ?
« Reply #3 on: September 25, 2013, 01:43:14 pm »
Why PM? you can discuss it right here, so other people can also benefit from it.


Yep you are right Kulver we should discuss it here.
I actually don't know why I wrote PM, it seems like my brain was afk  ;)

Offline ba8y

  • /dev/null
  • *
  • Posts: 15
  • Cookies: -3
    • View Profile
Re: How to crack the web form with Captcha ?
« Reply #4 on: September 25, 2013, 05:12:16 pm »

http://www.mcafee.com/us/resources/white-papers/foundstone/wp-bypassing-captchas.pdf
It's really a nice job.


Quote
CAPTCHA providers generally offer both CAPTCHA generation and validation services. To use these services, the subscribing websites either use the existing libraries and plugins or write their own. A typical user interaction with a web application that relies on a CAPTCHA provider is summarized below:

1. A user requests a page that requires CAPTCHA validation.

2. The returned page contains an embedded <img> (or <script>) tag to retrieve the CAPTCHA
image from the CAPTCHA provider.

3. Upon parsing the embedded tags, the browser retrieves a CAPTCHA from the CAPTCHA provider and displays it to the user.

4. The user fills in the form fields, enters the CAPTCHA solution, and submits the page to the web application.

5. The web application then submits the CAPTCHA solution to the CAPTCHA provider for verification.

6. The CAPTCHA provider responds to the web application with success or failure message.

7. Based on CAPTCHA provider’s response, the web application allows or denies the request.




Quote
Sample impersonation
The steps below show how to run clipcaptcha as CAPCHA provider:
• Enable forwarding mode on your machine. (echo “1” > /proc/sys/net/ipv4/ip_forward)
• Set up iptables to redirect HTTP traffic to clipcaptcha. (iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listeningPort>)
• Run arpspoof to redirect the traffic to your machine. (arpspoof -i <interface> -t
<targetIP> <gatewayIP>)
• Run clipcaptcha in one of its mode of operation. (clipcaptcha.py <mode> -l <listeningPort>)
Once clipcaptcha instance starts running, all CAPTCHA validation requests will be administered
by clipcaptcha.

Has someone test it ever ??

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
    • View Profile
Re: How to crack the web form with Captcha ?
« Reply #5 on: September 25, 2013, 06:09:13 pm »
self-advertisement: http://evilzone.org/tutorials/analysis-and-construction-of-spambots/

I referenced McAfee's paper, too.
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet