SBM Labs

Cyber Security Collaboration Project

CAPTCHA vs Brute-Force Attack
09 Feb 2014

Brute force is one of the most popular attacks against user accounts. Recently developers have started to think more about security and to implement different protection mechanisms in order to increase site security, for example CAPTCHA. This measure complicates the attacker's work, but only until a weakness in the CAPTCHA implementation is found.

Let's look at a real case in which an attacker could brute-force user accounts. It was an online shop protected by CAPTCHA: after 5 unsuccessful login attempts within 10 minutes from one IP address, CAPTCHA was activated for that IP for 10 minutes.

So the attacker used a distributed multi-threaded brute-force attack. During the incident investigation it was discovered that the authentication requests were sent through proxy servers, so the attempts were spread over many IP addresses and the per-IP threshold was never reached. In this way the attacker could bypass the protection measure and carry out a successful attack. There are several signs of the attack below.

Content of the file config.ini:

Content of the file proxy.txt:

Content of the file accounts.txt:

The CAPTCHA threshold should be determined from a baseline of successful and failed user login attempts, and once it is exceeded CAPTCHA should be enabled for all IP ranges, not just for the offending address. This configuration is not very user friendly, but it can protect user accounts from a distributed multi-threaded brute-force attack.
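To make the difference between the two configurations concrete, here is an added example (not code from SBM Labs or from the shop in question) that replays a constructed login-failure log through both policies: the shop's per-IP rule (5 failures from one address within 10 minutes activates CAPTCHA for that address for 10 minutes) and a site-wide rule that activates CAPTCHA for every client once failures in the window exceed a multiple of the measured baseline. The log, the TEST-NET addresses, the 3x multiplier and the 10-minute hold for the site-wide rule are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # observation window, as described on the page
HOLD = timedelta(minutes=10)     # how long CAPTCHA stays on once activated
BASE = datetime(2014, 2, 9, 12, 0, 0)


def build_sample_events():
    """Constructed log of (timestamp, source_ip, outcome) tuples, not real traffic.

    Returns (background, attack): 20 ordinary users failing once each over an
    hour, and 100 proxy addresses failing 4 times each within 6 minutes, so
    every single proxy stays under the 5-per-IP threshold. TEST-NET ranges only.
    """
    background = [(BASE + timedelta(minutes=3 * i), f"203.0.113.{i + 1}", "fail")
                  for i in range(20)]
    attack = []
    start = BASE + timedelta(minutes=30)
    for p in range(100):
        for k in range(4):
            ts = start + timedelta(seconds=6 * p + 120 * k)
            attack.append((ts, f"198.51.100.{p + 1}", "fail"))
    return background, attack


def estimate_baseline(events, window, start, end):
    """Mean number of failed logins per `window` over a quiet reference period."""
    n_bins = int((end - start) / window)
    bins = [0] * n_bins
    for ts, _ip, outcome in events:
        if outcome == "fail" and start <= ts < end:
            bins[int((ts - start) / window)] += 1
    return sum(bins) / n_bins


class PerIpCaptchaPolicy:
    """The shop's rule: CAPTCHA for one IP after `threshold` failures from it inside `window`."""

    def __init__(self, threshold=5, window=WINDOW, hold=HOLD):
        self.threshold, self.window, self.hold = threshold, window, hold
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.captcha_until = {}              # ip -> time CAPTCHA switches off

    def captcha_required(self, ts, ip):
        return ip in self.captcha_until and ts < self.captcha_until[ip]

    def record_failure(self, ts, ip):
        q = self.failures[ip]
        q.append(ts)
        while ts - q[0] > self.window:       # drop failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.captcha_until[ip] = ts + self.hold


class GlobalCaptchaPolicy:
    """Assumed site-wide rule: CAPTCHA for every client once failures in `window`
    exceed `multiplier` times the baseline, regardless of source address."""

    def __init__(self, baseline_per_window, multiplier=3, window=WINDOW, hold=HOLD):
        self.threshold = multiplier * baseline_per_window
        self.window, self.hold = window, hold
        self.failures = deque()
        self.captcha_until = None

    def captcha_required(self, ts, ip):
        return self.captcha_until is not None and ts < self.captcha_until

    def record_failure(self, ts, ip):
        self.failures.append(ts)
        while ts - self.failures[0] > self.window:
            self.failures.popleft()
        if len(self.failures) > self.threshold:
            self.captcha_until = ts + self.hold


def evaluate(events, policy):
    """Replay the log through a policy. A challenged request never reaches the
    password check, so only unchallenged requests are recorded and counted."""
    unchallenged, challenged, first_captcha_at = 0, 0, None
    for ts, ip, outcome in sorted(events):
        if policy.captcha_required(ts, ip):
            challenged += 1
            continue
        unchallenged += 1
        if outcome == "fail":
            policy.record_failure(ts, ip)
            if first_captcha_at is None and policy.captcha_required(ts, ip):
                first_captcha_at = ts
    return {"unchallenged": unchallenged, "challenged": challenged,
            "first_captcha_at": first_captcha_at}


if __name__ == "__main__":
    background, attack = build_sample_events()
    baseline = estimate_baseline(background, WINDOW, BASE, BASE + timedelta(hours=1))
    for name, policy in [("per-IP", PerIpCaptchaPolicy()),
                         ("site-wide", GlobalCaptchaPolicy(baseline))]:
        print(name, evaluate(background + attack, policy))
```

With this log the per-IP policy never activates: all 420 failed attempts go through unchallenged, because no proxy exceeds 4 attempts. The site-wide policy, with a baseline of about 3.3 failures per 10 minutes from the quiet hour, switches CAPTCHA on 36 seconds into the distributed run and challenges most of the remaining attempts; the price is that the handful of legitimate users who fail a login during that period also see a CAPTCHA, which is the trade-off the text describes.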

Pentester tools: Mozilla Firefox + Burp Suite + Tor