Full Report
A few years ago, I tried my hand at the now-retired CAPTCHA Forest CTF, which was part of nullcon HackIM 2019. I wanted to solve it using computer vision and machine learning. This started me on a path of discovery and incremental improvements that finally resulted in capchan, a generic CAPTCHA-to-text tool.
Analysis Summary
This analysis covers the tools and techniques described in the author's account of building an automated CAPTCHA solver for a CTF challenge, an effort that resulted in `capchan`.
# Tool/Technique: capchan
## Overview
`capchan` is a generic CAPTCHA-solving tool developed by the author. It uses computer vision and machine learning (specifically convolutional neural networks, CNNs) to automate the solving of image-based CAPTCHAs that are delivered in hexadecimal form over a network connection. Development stemmed from attempts at the CAPTCHA Forest CTF, which required solving a Bill Cipher substitution-cipher CAPTCHA 200 consecutive times.
## Technical Details
- Type: Tool (Custom Application/Script)
- Platform: Assumed to be Linux/Unix-like environments capable of running Python scripts and interacting with `netcat`.
- Capabilities: Image retrieval, hexadecimal decoding, image preprocessing (splitting, grayscale conversion), template matching via pixel data comparison, and training/utilizing a Machine Learning model for classification.
- First Seen: Developed around the time of the nullcon HackIM 2019 CTF (early 2019 context).
## MITRE ATT&CK Mapping
Since this is a tool built for CTF purposes rather than an established offensive tool, direct, confirmed mappings are difficult. The closest fits are automated collection and defense evasion as they relate to authentication processes.
- **TA0001 - Initial Access** (if used against a live access control mechanism)
  - T1078.004 - Valid Accounts: Cloud Accounts (less direct, but relates to bypassing authentication)
- **TA0011 - Command and Control** (related to interaction over the network)
  - T1071 - Application Layer Protocol (communication via netcat)
- **TA0007 - Credential Access** (if used to bypass credential checks)
  - T1560 - Archive Collected Data (data processing for analysis)
- **TA0005 - Defense Evasion** (automating interaction that might otherwise be monitored)
  - T1499 - Automated Proof Generation (simulated successful proof of solution)
## Functionality
### Core Capabilities
1. **Remote Interaction:** Connects to a remote service using `netcat` to receive CAPTCHA images encoded in hexadecimal.
2. **Data Transformation:** Decodes the hexadecimal payload into image files (PNG).
3. **Image Segmentation:** Splits the received image containing four symbols into four separate images, each containing a single symbol for independent analysis.
4. **Offline Data Collection:** Gathers a dataset of known symbols corresponding to their alphabetic/numeric values by analyzing pixel data against character mappings offline.
5. **Automated Submission:** Compiles the four decoded characters and submits the solution back over the existing `netcat` session, looping 200 times.
### Advanced Features
1. **Pixel-Based Matching (Template Creation):** Initially achieved automation by comparing the raw pixel data of pre-collected offline symbols against live symbols, effectively using each symbol's image structure as a hardcoded 'checksum'.
2. **Machine Learning Integration:** Implemented a Convolutional Neural Network (CNN) for classification.
* **Data Preparation:** Uses `ImageDataGenerator` with `rescale=1.0 / 255` and creates grayscale batches for training.
* **Model Output Mapping:** Exports a `.cmapp` file alongside the trained `.h5` model to map the integer class output back to the correct character/folder name used during training.
3. **Font Analysis:** Includes capability (or future goal) to analyze images retrospectively to determine the exact font used in the CAPTCHA, allowing for simulation in training data generation.
## Indicators of Compromise
Since `capchan` is described as a proof-of-concept tool built for a controlled CTF environment, it has few inherent IoCs unless it is used in a real attack scenario.
- File Hashes: N/A (Tool source code available on GitHub)
- File Names: `.cmapp` (Custom mapping file)
- Registry Keys: N/A
- Network Indicators: Interaction exclusively via standard input/output over `netcat` sessions established to CTF challenge hosts. (No C2 identified)
- Behavioral Indicators: Rapid-fire submission of calculated answers over a persistent socket connection.
## Associated Threat Actors
No known cyber threat groups are associated with the public tool `capchan`. It was developed by a security researcher for a Capture The Flag challenge environment.
## Detection Methods
Detection focuses on the *behavior* of heavy automated interaction rather than specific file signatures, as the tool is custom.
- Signature-based detection: Low, unless specific library imports (TensorFlow/Keras elements used) are flagged in a monitored environment.
- Behavioral detection: High sensitivity to automated, continuous input/output loops over TCP connections (like `netcat` sessions) that resolve authentication challenges without human pacing.
- YARA rules: N/A
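The behavioral signal described above (continuous challenge-response loops over one connection, paced faster than a human could answer) can be checked directly against session logs. The following is an added example, not code from the original page or from `capchan`; the log format (one line per submitted answer, with `session=`, `src=`, `event=` and `result=` fields) and the thresholds are assumptions, and the sample lines are constructed. It computes per-session attempt counts and the median inter-submission interval and flags sessions whose pacing is sub-human.

```python
"""Flag sessions whose CAPTCHA answer pacing is too fast and too sustained to be human."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log lines (hypothetical format). Session s1 answers every
# 180 ms, session s2 answers every few seconds like a person would.
SAMPLE_LOG = """\
2019-02-02T10:00:00.000 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:00.180 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:00.360 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:00.540 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:00.720 session=s1 src=10.0.0.5 event=answer result=fail
2019-02-02T10:00:00.900 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:01.080 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:01.260 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:01.440 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:01.620 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:01.800 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:00:01.980 session=s1 src=10.0.0.5 event=answer result=ok
2019-02-02T10:05:00.000 session=s2 src=10.0.0.9 event=answer result=fail
2019-02-02T10:05:07.000 session=s2 src=10.0.0.9 event=answer result=ok
2019-02-02T10:05:15.000 session=s2 src=10.0.0.9 event=answer result=ok
2019-02-02T10:05:21.000 session=s2 src=10.0.0.9 event=answer result=ok
2019-02-02T10:05:22.000 session=s2 src=10.0.0.9 event=connect result=ok
"""


@dataclass
class SessionStats:
    session: str
    src: str
    attempts: int
    median_interval_s: float  # median gap between consecutive answers
    successes: int


def parse_line(line):
    """Split '<iso timestamp> k=v k=v ...' into (datetime, dict of fields)."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts_text), kv


def session_stats(lines):
    """Aggregate answer events per session id; non-answer events are ignored."""
    events = defaultdict(list)
    src_of = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, kv = parse_line(line)
        if kv.get("event") != "answer":
            continue
        sid = kv["session"]
        events[sid].append((ts, kv.get("result") == "ok"))
        src_of[sid] = kv.get("src", "?")

    stats = {}
    for sid, evs in events.items():
        evs.sort()  # timestamps first, so sorting orders chronologically
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        stats[sid] = SessionStats(
            session=sid,
            src=src_of[sid],
            attempts=len(evs),
            median_interval_s=median(gaps) if gaps else float("inf"),
            successes=sum(1 for _, ok in evs if ok),
        )
    return stats


def flag_automated(stats, min_attempts=10, max_median_interval_s=1.0):
    """Sessions with a sustained run of answers paced faster than the threshold."""
    return sorted(
        s.session
        for s in stats.values()
        if s.attempts >= min_attempts and s.median_interval_s < max_median_interval_s
    )


if __name__ == "__main__":
    stats = session_stats(SAMPLE_LOG.splitlines())
    for sid in flag_automated(stats):
        s = stats[sid]
        print(f"ALERT session={sid} src={s.src} attempts={s.attempts} "
              f"median_gap={s.median_interval_s:.3f}s ok={s.successes}")
```

The two thresholds work together: a low median interval alone catches accidental double-submits, so the minimum attempt count is what separates a sustained solver loop from noise. Tune both against your own baseline of human solve times before alerting.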
## Mitigation Strategies
Mitigation centers on preventing automated system interaction and protecting authentication mechanisms.
- Prevention measures: Implementing strict rate limiting on authentication attempts.
- Hardening recommendations: Employing modern, dynamic CAPTCHA solutions that incorporate distortion, noise, or context-aware puzzles that machine vision struggles to generalize from static training sets.
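As an added example of the rate-limiting prevention measure above (not code from the original page or from `capchan`), the sliding-window limiter below caps challenge attempts per key over a time window. The key, limit and window are assumptions to be set per deployment; the simulation reproduces the 200-attempt loop the report describes and shows it being throttled after the first few submissions.

```python
"""Sliding-window rate limiter for CAPTCHA/authentication attempts."""
import time
from collections import defaultdict, deque


class AuthRateLimiter:
    """Allow at most `limit` attempts per `window_s` seconds for each key.

    The key is whatever the deployment treats as one actor: source address,
    session id, or account name. Timestamps are injectable for testing.
    """

    def __init__(self, limit=5, window_s=60.0):
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # key -> timestamps within the window

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[key]
        cutoff = now - self.window_s
        while q and q[0] <= cutoff:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False  # deny; the attempt is not recorded
        q.append(now)
        return True


def simulate_burst(limiter, key, attempts, interval_s, start=0.0):
    """Drive `attempts` evenly spaced attempts; returns (allowed, denied)."""
    allowed = denied = 0
    for i in range(attempts):
        if limiter.allow(key, now=start + i * interval_s):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


if __name__ == "__main__":
    lim = AuthRateLimiter(limit=5, window_s=60.0)
    # Constructed scenario: a solver loop of 200 answers at 180 ms spacing.
    print("solver loop:", simulate_burst(lim, "10.0.0.5", 200, 0.18))
    # A person answering four challenges roughly every seven seconds.
    print("human pacing:", simulate_burst(lim, "10.0.0.9", 4, 7.0))
```

Keying on source address alone is easy to evade by rotating addresses, so in practice combine it with a per-session or per-account key; a denied attempt should also reset or extend the challenge rather than simply return an error, since the report's detection signal is the rapid answer loop itself.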
## Related Tools/Techniques
- Image Classification/OCR Libraries (e.g., Tesseract, general CNN frameworks).
- Custom scripts utilizing `netcat` for direct protocol interaction.
- Techniques involving template matching based on pixel data (pre-ML approach).