asdc12-attacking captchas for fun and profit
![Page 1: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/1.jpg)
Attacking CAPTCHAs for Fun and Profit
Gursev Singh Kalra
APPSEC DC | April 4, 2012
![Page 2: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/2.jpg)
Who Am I
• Principal Consultant with Foundstone McAfee
• Security Research, Web Applications, Networks, Mobile Applications… and more
• Tools (TesserCap, SSLSmart, and many internal)
• Ruby, C#, Rails
www.foundstone.com © 2010, McAfee, Inc.
![Page 3: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/3.jpg)
Research Scope
CAPTCHA Schemes
• 200+ CAPTCHA schemes analyzed
• Known OCR Engines for Classification
• Custom Image Preprocessing
CAPTCHA Implementations
• Scores of Websites for Implementation (Quantcast Top 1 Million)
• Register User Pages
• Recover Account/Password Pages
• Contact Us and Feedback Pages
![Page 4: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/4.jpg)
CAPTCHAs: More Than Just the Image
1. Client → Server: GET /register.php
2. Server: Create a SESSIONID for the current registration request
3. Server → Client: <html> ... <img src="/captcha.php"> … </html>
4. Client → Server: GET /captcha.php + SESSIONID
5. Server: Generate a random CAPTCHA and store in HTTP Session
6. Server → Client: Return the CAPTCHA
7. Client → Server: POST /verify.php + CAPTCHA Solution + Form Fields
8. Server: Verify solution
9. Server → Client: Response
![Page 5: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/5.jpg)
From Here On…
• Breaching the Client Side Trust
• Server Side Attacks
• Attacking CAPTCHA Schemes with TesserCap
• Let’s Play Nice
![Page 6: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/6.jpg)
Breaching the Client Side Trust
![Page 7: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/7.jpg)
Hidden Fields, Client Side Storage and More
![Page 8: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/8.jpg)
Hidden Fields, Client Side Storage and More
![Page 9: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/9.jpg)
Arithmetic CAPTCHAs
![Page 10: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/10.jpg)
Server Side Attacks
![Page 11: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/11.jpg)
CAPTCHA Rainbow Tables: Implementation Flaws
• CAPTCHAs are not generated at runtime
• Limited number of CAPTCHAs
• CAPTCHAs are assigned static index values to be referenced for verification and assignment
Observations
• One of the most popular implementations
• Seen on very high traffic websites
![Page 12: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/12.jpg)
CAPTCHA Rainbow Tables: Attacking Static CAPTCHA Identifiers

| Numeric Identifier | CAPTCHA Solution |
| --- | --- |
| 0 | 95C7A |
| 1 | 58413 |
| 2 | 9D3BF |
| 3 | 49F1C |
| 4 | ABB87 |
| ... | ... |
| 99999 | D498A |
![Page 13: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/13.jpg)
CAPTCHA Rainbow Tables: Attacking Static CAPTCHA Identifiers

| Alphanumeric Identifier | CAPTCHA Solution |
| --- | --- |
| uJSqsPvjxc6 | 95C7A |
| 9WzrowjPEqI | 58413 |
| nm8SfvtEwpP | 9D3BF |
| fespW5LVqNQ | 49F1C |
| dgLSB1CKJRJ | ABB87 |
| ... | ... |
| QmJF3TQazcH | D498A |
![Page 14: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/14.jpg)
CAPTCHA Rainbow Tables: Attacking Dynamic CAPTCHA Identifiers

| CAPTCHA MD5 | CAPTCHA Solution |
| --- | --- |
| 68ecb8867cd7457421c2eca3227bffbd | 95C7A |
| 84a78d24bc9637fcfb152f723b6e8e27 | 58413 |
| 84125db583d64c346d97a74fa9e53848 | 9D3BF |
| c6a1ed9477846568cdea62c97e389811 | 49F1C |
| e9fa81f69debe45bded7bba4743a8a23 | ABB87 |
| ... | ... |
| b9df819f6174d6577661e12859226366 | D498A |
![Page 15: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/15.jpg)
CAPTCHA Rainbow Tables: Dynamic Identifiers and Changing Images
Write your custom solvers!
![Page 16: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/16.jpg)
Chosen CAPTCHA Identifier Attack
1. Client → Server: GET /captcha.php + SESSIONID
2. Server: Pick a random CAPTCHA Identifier from a finite set of CAPTCHA values
3. Server → Client: <html> <img (CAPTCHA) + Identifier>
4. Client → Server: POST /verify.php + SESSIONID + Solution + Identifier
5. Server: Use the Identifier to retrieve the CAPTCHA solution + Verify solution
6. Server → Client: Response
![Page 17: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/17.jpg)
CAPTCHA Fixation Attack
1. Client → Server: GET /captcha.php + SESSIONID
2. Server: Pick a random CAPTCHA ID from a finite set of CAPTCHA values
3. Server → Client: HTTP/1.1 302 Moved Temporarily, Location: /get_captcha.php?id=captchaID
4. Client → Server: GET /get_captcha.php?id=captchaID + SESSIONID
5. Server: Set CAPTCHA ID or solution in HTTP Session
6. Server → Client: CAPTCHA
< CAPTCHA Verification >
![Page 18: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/18.jpg)
CAPTCHA Fixation Attack
1. Client → Server: GET /captcha.php + SESSIONID
2. Server: Pick a random CAPTCHA ID from a finite set of CAPTCHA values
3. Server → Client: HTTP/1.1 302 Moved Temporarily, Location: /get_captcha.php?id=captchaID
4. Client → Server: GET /get_captcha.php?id=evil_ID + SESSIONID
5. Server: Set CAPTCHA ID and/or solution in HTTP Session
6. Server → Client: CAPTCHA
< CAPTCHA Verification >
![Page 19: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/19.jpg)
Persistent CAPTCHAs
• Same CAPTCHA was returned for any number of registration attempts
• CAPTCHAs can be brute-forced
![Page 20: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/20.jpg)
CAPTCHA Re-Riding Attack
1. Client → Server: GET /captcha.php + SESSIONID
2. Server: Create a random CAPTCHA.
3. Server: Set CAPTCHA solution in HTTP Session
4. Server → Client: CAPTCHA
5. Client → Server: POST /verify.php + SESSIONID + Solution
6. Server: Verify the CAPTCHA
7. Server: Clear CAPTCHA state or SESSION
8. Server → Client: Response
Several successful submits with a single solution
![Page 21: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/21.jpg)
In Session CAPTCHA Brute-Force
1. Client → Server: GET /captcha.php
2. Server: Create a random CAPTCHA.
3. Server: Set CAPTCHA solution in HTTP Session
4. Server → Client: CAPTCHA
5. Client → Server: POST /verify.php + SESSIONID + Solution
6. Server: Verify the CAPTCHA
7. Server: Clear CAPTCHA state or SESSION
8. Server → Client: Response
CAPTCHA solution brute-force with large number of requests
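The two server-side weaknesses on the preceding slides leave a recognisable trace in the web server's access log: a re-ridden CAPTCHA shows up as more accepted solutions than CAPTCHAs issued to a session, and an in-session brute force as many `POST /verify.php` submissions per `GET /captcha.php`. The following Python check is an added example, not code from the talk or from TesserCap. The log format (session id, method, path, status) and the session ids `s1`, `s2`, `s3` are constructed for the example; the paths are the ones on the slides.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the talk). Columns: session id, method, path, status.
# s1: one CAPTCHA fetched, seven submissions before one succeeds (in-session brute force).
# s2: normal user, a new CAPTCHA is fetched after the failed guess.
# s3: one CAPTCHA fetched, three accepted submissions (re-riding).
SAMPLE_LOG = """\
s1 GET /register.php 200
s1 GET /captcha.php 200
s1 POST /verify.php 403
s1 POST /verify.php 403
s1 POST /verify.php 403
s1 POST /verify.php 403
s1 POST /verify.php 403
s1 POST /verify.php 403
s1 POST /verify.php 200
s2 GET /register.php 200
s2 GET /captcha.php 200
s2 POST /verify.php 403
s2 GET /captcha.php 200
s2 POST /verify.php 200
s3 GET /register.php 200
s3 GET /captcha.php 200
s3 POST /verify.php 200
s3 POST /verify.php 200
s3 POST /verify.php 200
"""

LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Yield (session_id, method, path, status) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["sid"], m["method"], m["path"], int(m["status"])


def find_captcha_abuse(text, max_verifies_per_captcha=3):
    """Return {session_id: reason} for sessions whose verify traffic does not fit
    the intended one-CAPTCHA-one-answer flow. A 200 on /verify.php is taken to
    mean the solution was accepted (an assumption about the application)."""
    fetches = defaultdict(int)    # GET /captcha.php per session
    verifies = defaultdict(int)   # POST /verify.php per session
    successes = defaultdict(int)  # accepted solutions per session
    for sid, method, path, status in parse_log(text):
        if method == "GET" and path == "/captcha.php":
            fetches[sid] += 1
        elif method == "POST" and path == "/verify.php":
            verifies[sid] += 1
            if status == 200:
                successes[sid] += 1

    flagged = {}
    for sid in verifies:
        issued = max(fetches[sid], 1)  # a session that never fetched a CAPTCHA still counts once
        if successes[sid] > fetches[sid]:
            flagged[sid] = "re-riding: more accepted solutions than CAPTCHAs issued"
        elif verifies[sid] / issued > max_verifies_per_captcha:
            flagged[sid] = "in-session brute-force: too many submissions per CAPTCHA"
    return flagged


if __name__ == "__main__":
    for sid, reason in sorted(find_captcha_abuse(SAMPLE_LOG).items()):
        print(f"{sid}: {reason}")
```

The threshold `max_verifies_per_captcha` is deliberately low because a correct implementation invalidates the CAPTCHA after a single verification, so legitimate traffic never needs more than one submission per fetch; raise it only if the application intentionally allows retries.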
![Page 22: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/22.jpg)
OCR Assisted CAPTCHA Brute-Force
OCR 1: rGsyg
OCR 2: r6sy9
Combined: r[G6]sy[g9]
r6syg
![Page 23: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/23.jpg)
OCR Assisted CAPTCHA Brute-Force
• Solve CAPTCHA with an OCR
• Bruteforce characters over the sample space
• Continue… or better, refresh SessionID for a new CAPTCHA!?
![Page 24: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/24.jpg)
Attacking CAPTCHAs with TesserCap
![Page 25: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/25.jpg)
The Victims
![Page 26: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/26.jpg)
The Weapon – TesserCap
![Page 27: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/27.jpg)
TesserCap Introduction
Retrieve CAPTCHA → 8 stage Image preprocessing → Preprocessed CAPTCHA → Tesseract-OCR Engine → Extracted Text
HMLR
![Page 28: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/28.jpg)
TesserCap Demonstrations
![Page 29: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/29.jpg)
Spatial Filters
This Image: Digital Image Processing, Second Edition, by Gonzalez and Woods
![Page 30: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/30.jpg)
Spatial Filters in Action
This Image: Digital Image Processing, Second Edition, by Gonzalez and Woods
![Page 31: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/31.jpg)
TesserCap Results

| CAPTCHA Provider | Accuracy |
| --- | --- |
| Captchas.net | 40-50% |
| Opencaptcha.com | 20-30% |
| Snaphost.com | 60+% |
| Captchacreator.com | 10-20% |
| www.phpcaptcha.org | 10-20% |
| webspamprotect.com | 40+% |
| ReCaptcha | 0% |
![Page 32: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/32.jpg)
TesserCap Results

| Website | Accuracy | Quantcast Rank |
| --- | --- | --- |
| Wikipedia | 20-30% | 7 |
| Ebay | 20-30% | 11 |
| Reddit.com | 20-30% | 68 |
| CNBC | 50+% | 121 |
| Foodnetwork.com | 80-90% | 160 |
| Dailymail.co.uk | 30+% | 245 |
| Megaupload.com | 80+% | 1000 |
| Pastebin.com | 70-80% | 32,534 |
| Cavenue.com | 80+% | 149,645 |
![Page 33: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/33.jpg)
Let’s Play Nice
a.k.a. Conclusion
![Page 34: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/34.jpg)
A Secure CAPTCHA Implementation
1. Client → Server: GET /captcha.php + *SESSIONID
2. Server: Create a new **SESSIONID
3. Server: Create a new CAPTCHA with Random Text
4. Server: Set CAPTCHA solution in HTTP Session
5. Server → Client: CAPTCHA + **SESSIONID
6. Client → Server: POST /verify.php + SESSIONID + Solution
7. Server: Verify the CAPTCHA
8. Server: Clear CAPTCHA state or HTTP SESSION
9. Server → Client: Response
![Page 35: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/35.jpg)
A Secure CAPTCHA Implementation
• No client “influence on” or “knowledge about” the CAPTCHA content
• The client should not have direct access to the CAPTCHA solution
• Random with a large sample space
• High on complexity to perform image preprocessing, segmentation and classification
• No CAPTCHA reuse
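The flow on the previous slide, written out as server-side logic, as an added Python example that is not code from the talk, from TesserCap or from any real application. The in-memory session dictionary, the `CaptchaServer` class and the six-character alphanumeric alphabet are assumptions for the example; a real application would use its framework's server-side session store and render the solution into an image instead of returning it as text. The points the example makes concrete: the session id is regenerated when a CAPTCHA is issued (so a fixated id or a chosen identifier never survives), only the solution lives on the server, and the stored solution is cleared on the first verification whether or not the answer was right, which closes both the re-riding and the in-session brute-force patterns.

```python
import hmac
import secrets
import string

CAPTCHA_ALPHABET = string.ascii_uppercase + string.digits  # assumed sample space
CAPTCHA_LENGTH = 6                                         # assumed length


class CaptchaServer:
    """Server side of the flow: sessions are a dict keyed by session id (example only;
    stands in for a framework's server-side session store)."""

    def __init__(self):
        self.sessions = {}  # session id -> server-only state, never sent to the client

    def get_captcha(self, old_sid=None):
        """Steps 1-5: discard the caller's session, mint a fresh session id, generate a
        random CAPTCHA and keep only its solution on the server. Returns the new session
        id and the solution text (the text stands in for the rendered image)."""
        self.sessions.pop(old_sid, None)  # fixated / reused ids do not carry over
        new_sid = secrets.token_urlsafe(32)
        solution = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(CAPTCHA_LENGTH))
        self.sessions[new_sid] = {"captcha": solution}
        return new_sid, solution

    def verify(self, sid, answer):
        """Steps 6-9: compare the submitted answer against the stored solution exactly
        once. The solution is removed before the comparison result is known, so a
        second submission with the same answer (re-riding) and repeated guessing
        against one CAPTCHA (in-session brute force) both fail."""
        state = self.sessions.get(sid)
        if state is None or state.get("captcha") is None:
            return False  # no CAPTCHA outstanding for this session: nothing to verify
        expected = state.pop("captcha")  # single use, cleared regardless of outcome
        submitted = answer.strip().upper()  # solutions are case-insensitive in this example
        return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    srv = CaptchaServer()
    sid, solution = srv.get_captcha()
    print("first submission accepted:", srv.verify(sid, solution))
    print("replay accepted:", srv.verify(sid, solution))
```

`hmac.compare_digest` is used so that the comparison time does not depend on how many leading characters match; it returns `False` for byte strings of different lengths without raising.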
![Page 36: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/36.jpg)
Queries
![Page 37: ASDC12-Attacking CAPTCHAs for Fun and Profit](https://reader035.vdocuments.net/reader035/viewer/2022062307/552d1cda4a7959035a8b4631/html5/thumbnails/37.jpg)
Thank You!
Gursev Singh Kalra (@igursev)
http://gursevkalra.blogspot.com
http://blog.opensecurityresearch.com