shesellsseaSHELLS Posted July 7, 2012

Hi guys, just very curious as to how, or if, there are any tools in the BackTrack distros that allow brute-forcing dictionary attacks on HTTPS forms. I'm curious as to how Linux would handle the "Human Vericode Verification" after a certain number of failed passwords. If there are any scripts/tools that allow some way for this technique to be achieved, please do explain. I guess what made me think of this is a recent story about some of Hollywood's e-mails being cracked with brute-forcing the email passwords. Is this attack possible, for example, on ymail or gmail or any other generic email providers, even when they prompt for a veri-code authentication after a certain amount of wrong passwords?

digininja Posted July 7, 2012

You can use Burp to do form-based auth brute forcing. Not sure if it comes with BT, but it is just a jar file so easy to add. And CAPTCHA is possible to bypass, with success levels being based on the type used. There was a really good paper on it published recently which shows success rates of automating the process. A lot of groups who do want to bypass it simply outsource reading them to India, where labour is cheap enough to have actual humans read them.

12600 Posted July 8, 2012

> You can use Burp to do form-based auth brute forcing. Not sure if it comes with BT, but it is just a jar file so easy to add. And CAPTCHA is possible to bypass, with success levels being based on the type used. There was a really good paper on it published recently which shows success rates of automating the process. A lot of groups who do want to bypass it simply outsource reading them to India, where labour is cheap enough to have actual humans read them.

I just tried searching for the Bypassing Captcha Paper and found nothing on it but a bunch of info I don't want/already know. Could you provide more info, who did it, etc.? Thank you.

digininja Posted July 8, 2012

I read it a few weeks ago so it is gone from my list. I'll ask on Twitter tomorrow to see if anyone has a link to it.

12600 Posted July 8, 2012

Thanks a ton.

ihackforfun Posted July 9, 2012 (edited)

> I read it a few weeks ago so it is gone from my list. I'll ask on Twitter tomorrow to see if anyone has a link to it.

I believe this is the link you are looking for: http://www.imperva.com/docs/HII_a_CAPTCHA_in_the_Rye.pdf

If it was not, this is a good article on the subject anyway ;-)

Edited July 9, 2012 by ihackforfun

digininja Posted July 9, 2012

That's not the one but might cover what 12600 is looking for. I asked on Twitter but haven't had any replies yet.

12600 Posted July 12, 2012 (edited)

No it doesn't. I got into an argument with a "studio worker" [person who sits in chat rooms to redirect to webcam site (she's the one who referred to herself as a "studio worker")] in a chat room on Captcha. She stated how easy it was to get around and insisted everyone posting ads in the chat room was a bot. Due to the chat room having captcha for every room, the likelihood of 25+% of them being strictly bot automation I found highly unlikely. And was just trying to look for further proof to show how hard it was that most of them were complete Bot Automation without a human first inputting the Captcha to allow entrance for their bot program to run. This was inside a Chat Client btw.

I've noticed no one added info for OP. SHELLS, back when I was cracking accounts for Yahoo, bypassing captcha after getting too many failed attempts was made possible by using a Proxy Cracker. How it worked was you would scan, say, Yahoo for example, for their login servers. After gathering say 100+ you could then plug them into the proxy cracker. Also it would have a place to put known good proxies in, and it would attempt to crack the account with the word list, cycling through and changing the Server and Proxy each time, thus never getting to the Captcha.

Edited July 12, 2012 by 12600

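Added example, not part of the thread: a small simulation of why the rotation 12600 describes never reaches a CAPTCHA that is triggered by per-server, per-IP failure counts, and why a failure counter keyed on the target account and shared by every login server still triggers. The class names, threshold, host names and addresses are constructed for illustration.

```python
from collections import defaultdict

THRESHOLD = 5  # failures before a CAPTCHA is demanded (constructed value)

class PerServerIpCounter:
    """Weak design: each login server counts failures per client IP."""
    def __init__(self):
        self.fails = defaultdict(int)

    def needs_captcha(self, server, ip, account):
        return self.fails[(server, ip)] >= THRESHOLD

    def record_failure(self, server, ip, account):
        self.fails[(server, ip)] += 1

class SharedAccountCounter:
    """Stronger design: one counter per target account, shared by all servers."""
    def __init__(self):
        self.fails = defaultdict(int)  # stands in for a shared store

    def needs_captcha(self, server, ip, account):
        return self.fails[account.lower()] >= THRESHOLD

    def record_failure(self, server, ip, account):
        self.fails[account.lower()] += 1

    def record_success(self, account):
        # A correct login clears the account's failure count.
        self.fails.pop(account.lower(), None)

def simulate(counter, attempts=30, servers=10, proxies=15):
    """Count failed logins that were processed without a CAPTCHA challenge."""
    account = "victim@example.test"  # constructed account name
    unchallenged = 0
    for i in range(attempts):
        server = f"login{i % servers}.example.test"  # constructed hosts
        ip = f"198.51.100.{i % proxies}"             # documentation range
        if counter.needs_captcha(server, ip, account):
            continue  # automated client stops at the challenge
        unchallenged += 1
        counter.record_failure(server, ip, account)
    return unchallenged

if __name__ == "__main__":
    print("per server/IP counter:", simulate(PerServerIpCounter()))
    print("shared per-account counter:", simulate(SharedAccountCounter()))
```

In a real deployment the per-account counter would live in a store that every login front end can reach and would expire entries after a time window; both are left out here.
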
Mr-Protocol Posted July 12, 2012

If you would like to chat on Skype, 12600, about Yahoo cracking... I am familiar. Fact is Yahoo Chat has tons of bots. Brute force is more and more difficult nowadays. I started programming programs (crackers, mass bot logins, etc.) on Yahoo in 1999. If you'd like to chat about it to tell your "studio worker" how things really worked, let me know.

digininja Posted July 12, 2012

It all depends on how the captcha is implemented. I've seen them where the solution is included in a hidden field which makes it completely useless. I've also seen ones where you can replay a known solution by replaying the ID.

Mr-Protocol Posted July 12, 2012

> It all depends on how the captcha is implemented. I've seen them where the solution is included in a hidden field which makes it completely useless. I've also seen ones where you can replay a known solution by replaying the ID.

Yeah, I've not really gotten into bypassing captcha, but I have seen where you get a correct pair and pass the ID with the phrase. That was a long time ago though.

digininja Posted July 12, 2012

I had the phrase in a hidden field on a test about 3 months ago.

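Added example, not part of the thread: a server-side CAPTCHA check that avoids both flaws digininja mentions, by keeping the solution out of the form and making each challenge ID single-use. The `CaptchaStore` class and the `captcha_id` field name are hypothetical, and the in-memory dict stands in for whatever session store the application uses.

```python
import hmac
import secrets
import time

class CaptchaStore:
    """Hypothetical server-side store; the page only ever sees an opaque ID."""

    def __init__(self, ttl=120):
        self.ttl = ttl        # seconds a challenge stays valid
        self._pending = {}    # challenge_id -> (solution, expiry time)

    def issue(self, solution, now=None):
        """Register a new challenge and return its unguessable ID."""
        now = time.time() if now is None else now
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (solution, now + self.ttl)
        return challenge_id

    def form_fields(self, challenge_id):
        """Hidden fields for the form: the ID only, never the solution."""
        return {"captcha_id": challenge_id}

    def verify(self, challenge_id, answer, now=None):
        """Check an answer; the challenge is consumed whatever the result."""
        now = time.time() if now is None else now
        # pop() removes the entry, so a solved (or failed) ID cannot be replayed.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False      # unknown, already used, or made-up ID
        solution, expires = entry
        if now > expires:
            return False      # a stale pair is rejected even if correct
        return hmac.compare_digest(solution.encode(), answer.encode())

if __name__ == "__main__":
    store = CaptchaStore()
    cid = store.issue("x7kq2")              # constructed sample solution
    print(store.form_fields(cid))           # contains no solution
    print(store.verify(cid, "x7kq2"))       # first use succeeds
    print(store.verify(cid, "x7kq2"))       # replay of the same pair fails
```
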