  #1 (permalink)  
04-06-2007, 02:05 AM, posted by genzy
Let's talk about CAPTCHA - humans vs. robots/encoding vs. decoding

This is a place to talk about CAPTCHA.

[Encoding]
CAPTCHA - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Captcha

http://www.captcha.net/
Quote:
CAPTCHA: Telling Humans and Computers Apart Automatically

A CAPTCHA is a program that can generate and grade tests that humans can pass but current computer programs cannot. For example, humans can read distorted text as the one shown below, but current computer programs can't:
CAPTCHA example

The term CAPTCHA (for Completely Automated Turing Test To Tell Computers and Humans Apart) was coined in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. At the time, they developed the first CAPTCHA to be used by Yahoo.
(Highly recommended to read) Escape from CAPTCHA by Matt May
http://www.w3.org/2004/Talks/0319-cs.../Overview.html

(Highly recommended to read)
Inaccessibility of CAPTCHA
Alternatives to Visual Turing Tests on the Web
W3C Working Group Note 23 November 2005
http://www.w3.org/TR/turingtest/

Spam-bot tests flunk the blind
http://news.com.com/2100-1032-1022814.html

[Decoding]
PWNtcha - captcha decoder
http://sam.zoy.org/pwntcha/
Quote:
PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations.
phpBB CAPTCHA is easily decoded by PWNtcha.

vBulletin CAPTCHA is easily decoded by PWNtcha.


Decoding EZ-Gimpy
http://www.cs.sfu.ca/~mori/research/...igh_level.html
Quote:
High Level Description
1. EZ-Gimpy
Our algorithm for breaking EZ-Gimpy consists of 3 main steps:
1. Locate possible letters at various locations
2. Construct graph of consistent letters
3. Look for plausible words in the graph
Using AI to beat CAPTCHA and post comment spam
http://www.brains-n-brawn.com/defaul...vDir=aicaptcha

Breaking CAPTCHAs Without Using OCR
*** Through the Session ID
http://www.puremango.co.uk/cm_breaking_captcha_115.php
Quote:
Breaking CAPTCHAs Without Using OCR
For my own PHP CAPTCHA implementation, click here:
http://www.puremango.co.uk/cm_php_ca...script_113.php

This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software.

Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.

I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.

manual steps:
connect to captcha page
record session ID and captcha plaintext

automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;

name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually

the other user data can change on each request

you can then automate hundreds, if not thousands of requests, until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.

This is -easy- to fix, here's the vulnerable pseudocode:

if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then
    process_form();
endif:

fixed pseudocode:

if form_submitted and captcha_stored!="" and
   captcha_sent=captcha_stored then
    captcha_stored="";
    process_form();
endif:

- it's a one line fix!
http://linus.com/2003/05/cool-new-captcha-hack.html
Quote:
Cool new CAPTCHA hack

The CAPTCHA Project at CMU defines CAPTCHAs as a program that can generate and grade tests that most humans can pass but current computer programs cannot. CAPTCHAs are used to protect things from programmatic abuse (think spam). Not a bad idea, but I just got a note from Bryce Jasmer describing a cool new way to defeat them:

I just heard a story about some system that someone has created in order to pass the Turing tests and create thousands of spam launching email addresses at hotmail.com, yahoo.com, etc.

You create a website with a bunch of porn on it. You serve up an image at the same time you try to create a yahoo email account. You snag the Turing test image, put it on your page of porn and have the user type in the results in order to see the next porn image. You take the result and feed it back to yahoo, and you have your automatically created account.
Spammers hack captcha to post blog spam comments?
http://blog.tmcnet.com/blog/tom-keat...m-comments.asp
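
The one-line fix quoted above from "Breaking CAPTCHAs Without Using OCR", as an added PHP example (not code from the quoted article or from this thread): the stored answer is consumed on every attempt, so a replayed session ID and answer validates once instead of on every request. The function names, the `captcha` session key and the array standing in for `$_SESSION` are assumptions.

```php
<?php
// Added example; function names and the 'captcha' key are assumptions.

// Check as in the quoted "vulnerable pseudocode": the stored answer survives
// a successful submission, so the same session ID + answer keeps validating.
function captcha_check_reusable(array &$session, string $sent): bool
{
    return isset($session['captcha']) && $session['captcha'] !== ''
        && $sent === $session['captcha'];
}

// Hardened check: the stored answer is consumed on every attempt, pass or
// fail, so one rendered image authorises at most one form submission.
function captcha_check_single_use(array &$session, string $sent): bool
{
    $stored = $session['captcha'] ?? '';
    unset($session['captcha']);            // invalidate before comparing
    if (!is_string($stored) || $stored === '') {
        return false;                      // no challenge outstanding
    }
    return hash_equals($stored, $sent);    // constant-time comparison
}

// Constructed sample: one solved challenge submitted $times in a row
// against the same server-side session state.
function replay(callable $check, int $times): array
{
    $session = ['captcha' => 'the_plaintext'];   // stands in for $_SESSION
    $results = [];
    for ($i = 0; $i < $times; $i++) {
        $results[] = $check($session, 'the_plaintext');
    }
    return $results;
}

var_dump(replay('captcha_check_reusable', 3));
var_dump(replay('captcha_check_single_use', 3));
```

In a real handler the same function would be called with `$_SESSION` after `session_start()`, and a fresh challenge generated whenever the form is rendered again.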
  #2 (permalink)  
04-06-2007, 08:34 PM, posted by genzy
Defeating audio (voice) captchas

For more details, refer to Jochem van der Vorm - captchas
SecuriTeam™ - Defeating Voice Captchas
Source code: http://vorm.net/downloads/devoicecaptcha.c

Quote:
Introduction

For some years semi Turing tests under the name of "captchas" can be found on the web, to prevent
bots from filling in forms. When I first saw the visual variant I thought recognizing the characters with a
computer algorithm should be easy. A bit of surfing and searching on the internet taught me
that I was right, most were broken already. Reinventing the wheel is not very useful, so I left the
topic alone.

Later I found a post about voice captchas. Since there was not too much information about this on
the net and I was bored (ill at home), I decided to give it a shot. I started easy, willing to
enhance the used algorithms to those used in speech recognition (like HMM, Viterbi, Baum-Welch,
entropy coding, etc.) when needed. This proved not to be necessary, the first feature complete
(segmentation and matching) code worked relatively well on Microsoft's captchas. Later I tweaked it a
bit to also work on Google captchas.


On this page you can find proof of concept code to break voice captchas. Do not expect advanced
software (pattern recognition science is so much further) or code that can be used in other
projects, I quit the project when it worked. Initially (February 2006) I kept the code on my
hard disk, but later (May 2006) I published it (see disclosure motivation).

How does it work

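This is not a complete guide, but some pointers to the source (read it, Luke).
As a starting point, consider the configtype struct:

typedef struct {
    int samplerate;
    int byterate;
    int winsize;           /* window size, in samples */
    int band_cnt;          /* number of frequency bins */
    int word_length;       /* length of a word, in windows */
    int word_overlap;      /* helps in localizing the peaks */
    int threshold_energy;  /* energy above which a window counts as a peak */
    int file_offset;       /* bytes skipped at the start of the file */
    char trainfile[255];
} configtype;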


The program starts with reading the audio file (in the header it could read the
samplerate and byterate, but I am lazy). file_offset bytes are skipped in the
beginning of the file, because Google starts with a bell. The first step is that all samples are
treated with a Hamming window (arbitrary choice, most window types should do). The winsize is in
samples (e.g. 512 samples on 8000 Hz provides a 64 ms window). Now the blocks are transformed into the
frequency domain with a DFT. After that the frequencies are put in band_cnt bins. These bins
are not equally wide, the higher the frequency, the larger the band (this has to do with human
hearing (mel/bark scale), but I doubt this is actually useful at the current incarnation of the
program).


Now the program looks at the highest frequency bin. Every block that has more energy in a window
than threshold_energy is considered a peak, and these peaks are used to segment the input
file in the different spoken words. The word_length tells the program how many windows long
a word is (so all words are considered the same length which is a current weakness of
devoicecaptcha). word_overlap helps in localizing the peaks. When the locations of the
words are known all frequency bins are written for word_length windows around the peaks.
This is called the profile of the word.


............
  #3 (permalink)  
04-06-2007, 08:38 PM, posted by genzy
How to decode del.icio.us's captcha

http://most3.blogspot.com/2007/05/ho...s-captcha.html

Quote:
This is an uncompleted script, maybe you can help me to finish it.

I try to decode the del.icio.us's captcha with the next php script.
Code:
<?php
/* @author tiekil@gmail.com */
class Code {
    protected $_srcFile;
    public function __construct($file) {
        $this->_srcFile = $file;
    }

    public function filter() {
        $size = getimagesize($this->_srcFile);
        $im   = imagecreatefrompng($this->_srcFile);
        imagejpeg($im, $this->_srcFile . '.jpg', 100); //convert the png to jpeg
        $im   = imagecreatefromjpeg($this->_srcFile . '.jpg');
        for($x=0;$x<$size[0];$x++) {
            for($y=0;$y<$size[1];$y++) {
                $rgb = imagecolorat($im,$x,$y);
                $r = ($rgb >> 16) & 0xFF;
                if ($r > 100) { // set the light color to white
                    $rgb =  imagecolorallocate($im, 255, 255, 255);
                } else { // set the dark color to black
                    $rgb =  imagecolorallocate($im, 0, 0, 0);
                }
                imagesetpixel($im, $x, $y, $rgb);

                # remove the "Z" block
                // x-1, y-1 black
                $rgb = imagecolorat($im,$x-1,$y-1);
                $r1  = ($rgb >> 16) & 0xFF;
                // x-1, y white
                $rgb = @imagecolorat($im,$x-1,$y);
                $r2  = ($rgb >> 16) & 0xFF;
                // x, y-1 white
                $rgb = @imagecolorat($im,$x,$y-1);
                $r3  = ($rgb >> 16) & 0xFF;
                if (($r3 == 255) && ($r2 == 255) && ($r1 == 0)) {
                    $rgb = imagecolorallocate($im, 255, 255, 255);
                    if ($rgb) {
                        imagesetpixel($im, $x-1, $y-1, $rgb);
                    }
                }
            }
        }
        # remove others
        for($x=0;$x<$size[0];$x++) {
            for($y=0;$y<$size[1];$y++) {
                $rgb = imagecolorat($im,$x,$y);
                $r = ($rgb >> 16) & 0xFF;
                $rgb = imagecolorat($im,$x-1,$y);
                $r2 = ($rgb >> 16) & 0xFF;
                $rgb = imagecolorat($im,$x+1,$y);
                $r3 = ($rgb >> 16) & 0xFF;
                $rgb = imagecolorat($im,$x,$y-1);
                $r4 = ($rgb >> 16) & 0xFF;
                $rgb = imagecolorat($im,$x,$y+1);
                $r5 = ($rgb >> 16) & 0xFF;
                # clean dot
                if (($r == 0) && ($r2 == 255) && ($r3 == 255) && ($r4 == 255)
                    && ($r5 == 255)) {
                    $rgb = imagecolorallocate($im, 255,255,255);
                    imagesetpixel($im, $x, $y, $rgb);
                }
                # clean bottom border
                if (($y == $size[1]-1) && ($r == 0) && ($r2 == 255) && ($r3 == 255)
                     && ($r4 == 255)) {
                    $rgb = imagecolorallocate($im, 255,255,255);
                    imagesetpixel($im, $x, $y, $rgb);
                }
                # clean right border
                if (($x == $size[0]-1) && ($r == 0) && ($r2 == 255) && ($r4 == 255)
                    && ($r5 == 255)) {
                    $rgb = imagecolorallocate($im, 255,255,255);
                    imagesetpixel($im, $x, $y, $rgb);
                }
            }
        }
        imagejpeg($im, $this->_srcFile . '.new.jpg',100);
    }
}

# demo
$code = new Code('1986312480.png');
$code->filter();
?>