Suman Mandal
Building your own machine learning powered "practical" captcha solver
The objective of this talk is to share the journey of building CAPTerminator, a tool that allows anyone to utilize guided machine learning to bypass most modern-day captcha. We will discuss some common CAPTCHA solutions used today, that include not only RECAPTCHA but many other proprietary, custom, and open-source ones. During the presentation, we will analyze current captcha bypass techniques such as abusing logical/implementation flaws, utilizing image processing OCRs & captcha solving farms along with machine learning alternatives present today.
Suman is an ethical hacker as well as a seasoned developer with special expertise in Machine Learning and IOT. With over 7 years of experience in IT & Information security, he has been primarily involved in pentest and red teams responsible for bypassing firewalls, penetrating into networks, and servers, carrying out source code reviews, and VAPT of web apps, mobile apps & corporate networks. As a developer, Suman has architected and developed corporate and open source products for automating several areas of the VAPT space.
As a Machine Learning developer for the past 3 years, Suman has assisted several government agencies in Machine Learning and IOT-based projects with the likes of advanced facial recognition, mask detection and social distancing detection for COVID. He has also worked with medical organizations to develop ML models to detect premature retinopathy (Retina diseases). Currently, Suman is pursuing his Masters in Cyber Security from the Indian Institute of Technology (IIT) while he holds his OSCP and Bachelors Degree in Computer Science. In his free time, Suman, loves to hunt for bugs and has several critical bugs in Amazon, Dell, Western Union, Uber, Paytm, Jio, Indeed, Spotify, and Tesla among others.
Most machine learning-based captcha bypasses today require an attacker to have some knowledge of AI-based automation and even then, the solutions are more of a PoC that generate their own captchas and showcase bypassing them. Moreover, these solutions cannot be readily used for automated VAPT or Bruteforcing. CAPTerminator on the other hand can be used by ANYONE to build custom datasets using guided machine learning against specific real CAPTCHAs on their pentest targets and then inherently integrate it with Burp Suite for carrying out further automated exploitation. We will explain how CAPTerminator works with Tenserflow/YOLO to not only facilitate in creating Burp consumable datasets for Image-based CAPTCHAs but also the common alternate i.e sound-based captchas. Finally, we will share our case studies as well as demos where CAPTerminator was successful against CAPTCHA solutions being used some famous web applications.
As part this talk, we will release the tool as open source on github along with a guide for pentesters on how to create custom datasets for CAPTCHA of their choice and integrate it with their Burp Suite instance.