
Finding Social Security Numbers in packet captures with grep and ngrep

by Nathan Drier on Apr.16, 2010, under Redspin Labs

I’ve been spending a lot of time lately working with packet captures. I’ve been stringing together a long list of silly one-liners to make a very rough pcap vulnerability scanner of sorts. This is one of those one-liners.
One of the main things I first hunt for in network traffic is sensitive data leaving the network. Depending on the client, this could range anywhere from Social Security Numbers to Player Tracking Numbers on gaming networks. I usually use grep and ngrep for some initial recon. Here, ngrep reads the pcap (-I) and dumps each payload as text, and we feed that to grep. grep then looks for the typical SSN pattern xxx-xx-xxxx, where x is any digit 0-9. Note that the pattern is not anchored in any way, so it will also fire on any longer run of digits and hyphens that happens to contain that shape (timestamps, order numbers, and the like).

$ ngrep -I inet.pcap | grep '[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}'
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-29-rm-eng_thumbnail.jpg
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-12-rm-eng_thumbnail.jpg
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-01-rm-eng_thumbnail.jpp

As you can see in the example above, there are some (all) false positives. This particular pcap is hitting on dates embedded in file names, because a slice of "2010-03-3019-43-29" fits the regex just as well as a real SSN does. On larger pcaps with a lot of Internet traffic, I usually pipe the output to a text file and get to work stripping out all the GET requests and things we just aren't interested in for the task at hand.
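The following is an added example, not part of the original post or of ngrep itself. It takes the same one-liner and adds the two cheap checks a practitioner usually bolts on before reading the output: grep's -w so the match has to be a whole token (which kills the timestamp-in-a-filename hits shown above), and an awk filter that drops numbers the Social Security Administration never issues (area 000, 666 or 900-999, group 00, serial 0000). The SAMPLE variable is a constructed stand-in for `ngrep -I inet.pcap` output, so the script runs without a capture file; every number in it is made up. It assumes GNU or BSD grep, since -o and -w are not in POSIX.

```shell
#!/bin/sh
# Added example: SSN hunting on ngrep-style text with fewer false positives.
# SAMPLE stands in for the output of `ngrep -I inet.pcap`; every line is constructed.
SAMPLE='GET /media/2010/03/cisco-valet-2010-03-3019-43-29-rm-eng_thumbnail.jpg HTTP/1.1
POST /apply HTTP/1.1 ssn=219-09-9999&name=test
Support ticket: caller 123-45-6789, account 987654
Not issued: 000-12-3456 666-12-3456 900-12-3456 123-00-4567 123-45-0000
Order ref 44123-45-67890 shipped 2010-04-16'

# The post's pattern, unanchored: -o prints only the matching substring,
# so a slice of a timestamp or an order number counts as a hit.
raw_hits() {
    printf '%s\n' "$SAMPLE" | grep -E -o '[0-9]{3}-[0-9]{2}-[0-9]{4}'
}

# -w makes grep accept a match only when it is bordered by non-word characters
# (or line start/end), so digit runs inside longer tokens no longer fire.
# awk then splits on '-' and discards combinations the SSA never assigns:
# area 000, 666 or 900-999; group 00; serial 0000.
ssn_candidates() {
    printf '%s\n' "$SAMPLE" | grep -E -o -w '[0-9]{3}-[0-9]{2}-[0-9]{4}' |
    awk -F- '$1 != "000" && $1 != "666" && $1 < 900 && $2 != "00" && $3 != "0000"'
}

# Count the lines a function emits (wc pads with spaces on some platforms).
count() { "$1" | wc -l | tr -d ' '; }

echo "unanchored hits: $(count raw_hits)"
echo "plausible SSNs after -w and SSA range filter:"
ssn_candidates
```

On the sample above the unanchored pattern fires nine times, including on the filename timestamp and the order reference; the filtered version leaves only the two well-formed numbers. The range filter only removes impossible values, so a real capture still needs the manual triage the post describes, but the pile to triage is much smaller.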
I’ve also used the Spider tool from Cornell University with much success.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.