Is Bruteforce useless technique for captcha protected websites? – Digitalmunition

Home Forums Is Bruteforce useless technique for captcha protected websites?

This topic contains 1 reply, has 2 voices, and was last updated by  Neratyr 3 weeks, 4 days ago.

  • Author
  • #283097


    such as instagram, twitter, facebook popping up captcha test after 3-4 wrong password attempt

  • #283098


    Seems the comments arent directly answering thus far. The literal answer is No, it is not a useless technique. It is harder than it was decades past. The full details are too long and I’d have to know how you communicate as well as your level of familiarity with all the concepts and etc.

    SO all that is to say forgive my brevity and know that I am skipping some (many) details. Basically brute forcing is considered ‘fundamental’ because, as with all fundamentals ( so to speak ) they are useful ( even critical ) even in advanced and complicated scenarios going into the future. “advanced” and “complicated” typically involve a long slew of fundamentals chained together. This is counter-intuitive and is something many folks dont think of at first ( that even as shit keeps getting crazy complicated hackers most often deal with fundamental concepts… just applied in complicated interdependent systems )

    The basic idea would be to examine whatever interface your dealing with, and try to find a way to submit / try logins without going through the captcha ( or other similar system ).

    As with many things in security, we steadily increase the level of effort required to compromise a system. Captchas do exactly that. They solve alot of problems, but like with all hacking they are but a single link in the chain. You can harden or reinforce many links of course. Its just that hackers will universally seek out the weakest links to exploit.

    Fun fact. Captchas and a few other similar tech are used to train AI. Kinda an ingenious approach IMHO.

    EDIT: To put it differently you can think of it like this. in the 90s you could read 1 page, download a small tool, enter a URL and be off to the races brute forcing. So again, at risk of really over simplifying it one could view it like this – Captchas raise the bar enough to block script kiddies, so you need to have a higher level of experience and knowledge in order to circumvent them.. so that you can then run your brute force. Of course, its an arms race. Over time we make new tools. Over time the tools are mitigated. Rinse, repeat.

    Dont forget.. we wanna aim for the weakest link in the chain so you may well find its easier to go another route. Again, one last time, this is all crazy complicated so keep in mind I’m skipping details exceptions nuance bla bla as this isnt a white-board level lecture 🙂

  • #283099


    Bruteforce of a network service is generally pretty useless these days. Really easy to detect and block.

    Also, you shouldn’t be trying to bruteforce things that aren’t yours

  • #283100


    How can you brute force a captcha? If you get it wrong it resets the captcha code. So unless I am missing something you cannot brute force them.

You must be logged in to reply to this topic.