CIntruder: pentesting tool to bypass captchas

Introduction

Captcha Intruder is an automatic pentesting tool to bypass captchas.

Installation

Code runs on many platforms. It requires Python and the following libraries:

- python-pycurl - Python bindings to libcurl
- python-libxml2 - Python bindings for the GNOME XML library
- python-imaging - Python Imaging Library

On Debian-based systems (ex: Ubuntu), run:

sudo apt-get install python-pycurl python-libxml2 python-imaging

Usage

cintruder [OPTIONS]

Options:

--version show program's version number and exit
-h, --help show this help message and exit
-v, --verbose active verbose mode output results
--proxy=PROXY use proxy server (tor: http://localhost:8118)
--track=TRACK download a number of captchas from url (to: 'inputs/')
--train=TRAIN apply common OCR techniques to captcha
--crack=CRACK brute force using local dictionary (from: 'iconset/')
--xml export result to xml format

Advanced OCR (training):

--set-id=SETIDS set colour's id manually (use -v for details)
--editor launch an editor to apply image filters

Modules (training):

--list list available modules (from: 'core/mods/')
--mod=NAME train using a specific OCR exploiting module

Handlering (cracking):

--tool=COMMAND replace suggested word on commands of another tool. use
'CINT' marker like flag (ex: 'txtCaptcha=CINT')

CIntruderNet ('http://cintruder.sf.net/cinet'):

--send-net send resolved captcha to CIntruderNet
--view-net visit distributed online dictionary website

Examples

If you have interesting examples of usage about CIntruder, please send an email to the mailing list.

-------------------

* Simple crack from file:

$ python cintruder --crack "captcha.gif"
-------------------
* Simple crack from URL:

$ python cintruder --crack "http://host.com/path/captcha.gif"
-------------------
* Simple crack, exporting results to xml file

$ python cintruder --crack "captcha.gif" --xml "test.xml"
-------------------
* Simple crack, with proxy TOR and verbose output

$ python cintruder --crack "http://host.com/path/captcha.gif" --proxy="http://127.0.0.1:8118" -v
-------------------
* Train captcha(s) from url, with proxy TOR and verbose output

$ python cintruder --train "http://host.com/path/captcha.gif" --proxy "http://127.0.0.1:8118" -v
-------------------
* Track 50 captcha(s) from url with proxy TOR

$ python cintruder --track "http://host.com/path/captcha.gif" "50" --proxy "http://127.0.0.1:8118"
-------------------
* List available modules (from core/mods/)

$ python cintruder --list
-------------------
* Launch an OCR module to train a specific local captcha

$ python cintruder --train "inputs/easycaptcha.gif" --mod easy
-------------------
* Launch an OCR module to crack a specific online captcha, with verbose output

$ python cintruder --crack "http://host.com/path/captcha.gif" --mod easy -v
-------------------
* Replace suggested word by CIntruder after cracking, on input commands of another tool (ex: XSSer)

$ python cintruder --crack "http://host.com/path/captcha.gif" --tool "xsser -u http://host.com/path/param1=foo¶m2=bar&txtCaptcha=CINT"
-------------------
* Send online captcha cracked to distributed online dictionary (CInet)

$ python cintruder --crack "http://host.com/path/captcha.gif" --send-net
-------------------
* Visit distributed online dictionary (CInet) website (http://cintruder.sf.net/cinet)

$ python cintruder --view-net

Videos

If you have interesting videos about CIntruder, please send an email to the mailing list.

-------------------

Version of CIntruder (v0.1):

- CIntruder: Cracking captcha from url



- CIntruder: Presentation on THSF 2012 (english)

Changelog

================= April 27, 2012: =================

- Code cleaning
- Rebuiled input parameter options
- Created OCR modularity (core/mods)
- Added --list modules option
- Added --mod selector option
- Builded module example (easy captcha)
- Added handlering with other tools
- Added connectivity with Ostatus
- Created distributed online dictionary
- Added launcher to view CIntruderNet
- Updated docs

================= April 1, 2012: =================

- Created OCR techniques
- Created Brute forcing techniques
- Builded main core
- Builded options parser
- Created Curl handlers
- Created 'track' option
- Created 'train' option
- Created 'crack' option
- Added proxy option
- Added XML exporting option
- Added verbose outputs results
- Added colour's id calibration
- Added noise advanced option

Documentation

If you have interesting documentation about CIntruder, please send an email to the mailing list.

-------------------

Mailing list

CIntruder has one mailing list hosted on SourceForge.

The cintruder-users@lists.sourceforge.net mailing list is the preferred way to ask questions, report bugs, suggest new features and discuss with other users.

The mailing list is archived online. To subscribe use the online web form.

License

CIntruder is released under the terms of the General Public License v3 and is copyrighted by psy

Author

GPG Public ID Key: 0xB8AC3776

Community

Contribute

If you want to contribute to CIntruder development, reporting a bug, providing a patch, commenting on the code base or simply need to find help to run CIntruder, first ask on the CIntruder mailing list. If nobody gets back to you, then drop me an e-mail.

Please, add one link to this site when you report some Captcha vulnerabilities founded by CIntruder.

Support

CIntruder is actively looking for new sponsors and funding.

If you or your organization has an interest in keeping CIntruder, please contact directly or send your ideas to the mailing list.

To donate some bitcoins use this hash: 1Q63KtiLGzXiYA8XkWFPnWo7nKPWFr3nrc


Get CIntruder at SourceForge.net. Fast, secure and Free Open Source software downloads