Nytro Posted July 21, 2012

[h=1]Clipcaptcha: An Open Source CAPTCHA Provider Impersonation Tool![/h]

July 21, 2012 By Mayuresh

Our last post in connection with CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, was on the offensive side, trying to break it: Stiltwalker. Today's post was submitted via the Submit Your Tool option by Mr. Gursev Singh Kalra: Clipcaptcha, an open source tool programmed in Python to provide extensible and signature based CAPTCHA provider impersonation. Again, this tool will be officially released with the Black Hat USA 2012 Arsenal.

Clipcaptcha can be used to exploit certain vulnerabilities to bypass CAPTCHA provider protection. It is based on Moxie Marlinspike's sslstrip codebase. According to the author, certain vulnerabilities affect almost every CAPTCHA provider, including reCAPTCHA, opencaptcha and captchator. These vulnerabilities can be exploited to completely bypass the protection offered by CAPTCHA providers. Depending on its mode of operation, Clipcaptcha may approve, reject or forward the CAPTCHA verification requests. It maintains an easy to edit XML configuration file that it queries to identify CAPTCHA provider request formats and render corresponding responses.

[h=2]Clipcaptcha permitted operational modes:[/h]

Monitor Mode: Signature based CAPTCHA provider detection is performed and all CAPTCHA validation requests are logged to a local file. The CAPTCHA validation requests and corresponding responses are allowed to complete without any modifications.

Avalanche Mode: A Success response is returned on the matching CAPTCHA provider for all validation requests. It is recommended not to run clipcaptcha in this mode, as a surge in successful account creations or registrations may be detected.

Stealth Mode: Stealth is the recommended mode for running clipcaptcha. This mode relies on the fact that all CAPTCHA validation APIs need to send the user supplied CAPTCHA solution to the CAPTCHA providers for validation. clipcaptcha banks on this behavior to operate stealthily and return a Success status only for the requests that contain a secret string. In its current implementation, clipcaptcha parses the entire CAPTCHA validation request (initial line, headers and body) and returns success if the secret string is found, or allows the request to complete without any modifications.

DoS Mode: A Failure response is returned for all CAPTCHA validation requests. This leads to a Denial of Service condition on the target web application for all forms that require CAPTCHA validation.

Random Mode: Random Success and Failure responses are returned as per the matching CAPTCHA provider for all validation requests; this mode exists only as a teaser mode.

Once the clipcaptcha instance starts running, all CAPTCHA validation requests will be taken care of by clipcaptcha. It also has signature based CAPTCHA provider detection, which dictates that CAPTCHA providers are basically HTTP based custom web services that accept CAPTCHA validation requests in a particular format and respond with a finite set of responses that allow the clients to make Boolean choices to allow or disallow the request. This allows clipcaptcha to take advantage of this finite and predictable request and response data set to implement a signature based request detection and response system.

This open source tool requires Python 2.5 or newer with the Twisted Python module. Setting up Clipcaptcha is a four step process which is effectively outlined in the documents that accompany the tool. Executing it is also pretty simple:

clipcaptcha.py <mode> -l <listeningPort>

That is all and you are ready to bypass CAPTCHA providers!

[h=3]Download Clipcaptcha:[/h]

Clipcaptcha v0.1 – clipcaptcha-v0.1.zip

Source: Clipcaptcha: A CAPTCHA Provider Impersonation Tool! — PenTestIT
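The post itself notes that the Avalanche and DoS modes leave a visible footprint in the verification outcomes of the targeted web application. As an added defender-side example (not part of Clipcaptcha or the PenTestIT post), the monitor below scans a web application's own CAPTCHA verification log for the outcome patterns those modes would produce; the log line format, window size and thresholds are assumptions, and the sample logs are constructed inline.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed sliding window over verification events
MIN_EVENTS = 20                 # assumed minimum sample before judging a window


def parse_line(line):
    """Assumed log format: '<ISO timestamp> captcha_verify result=<success|failure>'."""
    ts, _, kv = line.split(" ", 2)
    return datetime.fromisoformat(ts), kv.split("=", 1)[1] == "success"


def classify_rate(rate, baseline, tol=0.25):
    """Map a window's success rate to the impersonation pattern it resembles."""
    if rate >= 0.99:
        return "avalanche"          # every validation succeeds (Avalanche mode)
    if rate <= 0.01:
        return "dos"                # every validation fails (DoS mode)
    if abs(rate - baseline) > tol:
        return "random"             # rate far from the site's normal baseline
    return "normal"


def scan(lines, baseline):
    """Return (timestamp, label) alerts, one per change of anomalous pattern."""
    window, alerts = deque(), []
    for line in lines:
        ts, ok = parse_line(line)
        window.append((ts, ok))
        while window and ts - window[0][0] > WINDOW:   # evict old events
            window.popleft()
        if len(window) >= MIN_EVENTS:
            rate = sum(1 for _, o in window if o) / len(window)
            label = classify_rate(rate, baseline)
            if label != "normal" and (not alerts or alerts[-1][1] != label):
                alerts.append((ts, label))
    return alerts


def make_log(start, outcomes):
    """Constructed sample log: one verification every 10 seconds."""
    return [f"{(start + timedelta(seconds=10 * i)).isoformat()} captcha_verify "
            f"result={'success' if o else 'failure'}" for i, o in enumerate(outcomes)]


START = datetime(2012, 7, 21, 12, 0, 0)
NORMAL_LOG = make_log(START, [i % 5 != 0 for i in range(30)])   # ~80% success
AVALANCHE_LOG = make_log(START, [True] * 30)                     # all success
DOS_LOG = make_log(START, [False] * 30)                          # all failure

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("avalanche", AVALANCHE_LOG), ("dos", DOS_LOG)):
        print(name, scan(log, baseline=0.8))
```

A real deployment would take the baseline from historical verification data and alert on the same deviations the attacker's own mode description says are detectable.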