Dear list,
I have released a new Captcha Intruder (CINtruder) code. It includes a
complete Web User Interface (GUI) and some advanced features for:
update, manage dictionaries, etc.
http://cintruder.03c8.net
If you're not already familiar with CINtruder, please read the
DESCRIPTION section below.
[ DOWNLOAD ]
You can download the new Captcha Intruder here:
git clone https://github.com/epsylon/cintruder
http://cintruder.03c8.net/cintruder/cintruder-v0.3.zip
+ https://03c8.net/torrents/cintruder-v0.3.zip.torrent
http://cintruder.03c8.net/cintruder/cintruder-v0.3.tar.gz
+ https://03c8.net/torrents/cintruder-v0.3.tar.gz.torrent
[ DESCRIPTION ]
Captcha Intruder is a free software[0] automatic pentesting tool to
bypass captchas.
It uses Optical Character Recognition (OCR)[1] techniques to process
images into computer language and brute-forcing methods to compare them
with a dictionary. To do that it only requires a few libraries:
python-pycurl - Python bindings to libcurl
python-libxml2 - Python bindings for the GNOME XML library
python-imaging - Python Imaging Library
sudo apt-get install python-pycurl python-libxml2 python-imaging
Here are some of CINtruder's features:
+ Proxy Socks (for example, to connect to the TOR network)
+ Spoofed HTTP header values
+ Web User Interface (GUI)
+ Automatic update
+ Download captchas from url (tracking)
+ Apply different OCR algorithms (training + cracking)
+ Cracking captchas: local + remote
+ List/Set existing OCR specific modules (example provided)
+ Export results to XML
+ Replace suggested word on commands of another tool
+ [...]
With Captcha Intruder a security researcher can solves a captcha on a
form and pass that "cracked" parameter immediately to another tool.
For example, if you want to launch a sqlmap to search for SQLi and there
is a captcha, you can handler both tools like this (using flag: CINT):
$ ./cintruder --crack "http://host.com/path/captcha_url"; --tool "sqlmap
-u http://host.com/path/param1=foo?txtCaptcha=CINT";
[ SCREENSHOTS ] [http://cintruder.03c8.net/#media]
Banner:
http://cintruder.03c8.net/cintruder/cintruder-banner.png
GUI-Training:
http://cintruder.03c8.net/cintruder/cintruder-gui2.png
GUI-Cracking:
http://cintruder.03c8.net/cintruder/cintruder-gui3.png
[ EXAMPLES ] [http://cintruder.03c8.net/#examples]
* View help:
./cintruder --help
* Update to latest version:
./cintruder --update
* Launch web interface (GUI):
./cintruder --gui
* Simple crack from url, with proxy TOR and verbose output:
./cintruder --crack "http://host.com/path/captcha_url";
--proxy="http://127.0.0.1:8118"; -v
* Replace suggested word by CIntruder after cracking a remote url on
commands of another tool (ex: "XSSer"):
$ ./cintruder --crack "http://host.com/path/captcha_url"; --tool "xsser
-u http://host.com/path/param1=foo?txtCaptcha=CINT";
[ DONATIONS ]
This initiative depends on donations in order to be able to pay the
server infrastructure.
BTC: 19aXfJtoYJUoXEZtjNwsah2JKN9CK5Pcjw
[ REFERENCES ]
[0] http://cintruder.03c8.net/#license
[1] https://en.wikipedia.org/wiki/Optical_character_recognition
----
EOF: [Fyodor] -> ;-)
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/