Security Engineer finds way to crack online banking CAPTCHA login via Python scripts

Hussam Khrais is a technical engineer for a company based in Jordan.

He is focused on network and wireless security, but he also has a deep interest in penetration testing and Python scripting.

Hussam Khrais has published research which clearly states that it is possible to crack any CAPTCHA login by using Python scripts.

He uses Optical Character Recognition (OCR) technology to translate CAPTCHA images into plain text. This allows him to crack any CAPTCHA login.

Hussam Khrais explains in his report:

Optical Character Recognition (OCR)

In short, OCR is a technology that allows you to convert scanned images of text into plain text. This enables your script to read the text and submit it into a login form just like a human action.

OCR engines have been developed into many kinds of object-oriented OCR applications, such as invoice OCR and legal billing document OCR. However, here it will be used in defeating CAPTCHA anti-bot systems.

Under Linux, Tesseract is the most accurate OCR, even though it lacks a graphical interface (GUI); only the CLI is needed to accomplish our purpose. Installing Tesseract is very straightforward; under the Ubuntu distribution, issue:

hkhrais@Hkhrais:~$ sudo apt-get install tesseract-ocr

He then goes on to explain that he uses Tesseract to handle the images provided by the CAPTCHA:

Tesseract is not very flexible about the format of its input images. It will only accept TIFF images. According to user reports, compressed TIFF images are quite problematic, and the same goes for grey-scale and color images. So you’re better off with single-bit uncompressed TIFF images. The process to prepare them with GIMP is very simple

Hussam Khrais goes on to explain that he then parses the CAPTCHA images, using real images generated by the POC Bank target. He explains that this attack can be automated and that there are CAPTCHA solutions which will make it very hard for this method to crack the CAPTCHA code. Do remember that engineers like Hussam Khrais are not easily stopped.


