Aman Sachdev

Aman Sachdev

Talk / Workshop

Building your own machine learning powered "practical" captcha solver

The objective of this talk is to share the journey of building CAPTerminator, a tool that allows anyone to utilize guided machine learning to bypass most modern-day captcha. We will discuss some common CAPTCHA solutions used today, that include not only RECAPTCHA but many other proprietary, custom, and open-source ones. During the presentation, we will analyze current captcha bypass techniques such as abusing logical/implementation flaws, utilizing image processing OCRs & captcha solving farms along with machine learning alternatives present today.

Most machine learning-based captcha bypasses today require an attacker to have some knowledge of AI-based automation and even then, the solutions are more of a PoC that generate their own captchas and showcase bypassing them. Moreover, these solutions cannot be readily used for automated VAPT or Bruteforcing. CAPTerminator on the other hand can be used by ANYONE to build custom datasets using guided machine learning against specific real CAPTCHAs on their pentest targets and then inherently integrate it with Burp Suite for carrying out further automated exploitation. We will explain how CAPTerminator works with Tenserflow/YOLO to not only facilitate in creating Burp consumable datasets for Image-based CAPTCHAs but also the common alternate i.e sound-based captchas. Finally, we will share our case studies as well as demos where CAPTerminator was successful against CAPTCHA solutions being used some famous web applications.

As part this talk, we will release the tool as open source on github along with a guide for pentesters on how to create custom datasets for CAPTCHA of their choice and integrate it with their Burp Suite instance.

Subscribe and get our news and updates.