Uncover credit card numbers with PANHunt

It’s always good to know where stray credit card numbers live on your network, even if PCI compliance isn’t a concern for you. Any unencrypted cardholder data should be purged from the network to prevent accidental disclosure. I have used grep and Nessus in the past for these audits, but both were lacking in functionality. Fortunately, I recently stumbled across the PANhunt repo on GitHub.

What is PANhunt?

PANhunt is a Python script that scans text files, Office documents, Outlook files, and even ZIP archives for data resembling a primary account number (PAN, the card number). PANhunt can also be compiled into a standalone Windows executable, which makes it easy to drop onto a machine for these types of tests.

Build PANHunt

While there appears to be a pre-built EXE in the repo, it is older than panhunt.py itself. I recommend building it yourself using the rough steps below:

  • Install Python 2.7 on a Windows machine if you do not already have it. Install it natively, not in WSL, since PyInstaller builds an executable for the platform it runs on: https://www.python.org/downloads/release/python-2715/
  • Good info on setting up environment variables so that Python and pip are on your PATH: https://github.com/BurntSushi/nfldb/wiki/Python-&-pip-Windows-installation
  • Install pip (see previous link)
  • Install PyInstaller (https://www.pyinstaller.org/)
  • Install the PANHunt build requirements per the README.
  • Download the PANHunt zip from Github and unzip it somewhere
  • Build PANHunt per the README.
  • Give the newly built panhunt.exe a test run to make sure it works.

Using PANHunt

If you run PANHunt with no options, it appears to scan C:\ for every file you have permission to read. The defaults also cover “text” files and “zip” files, which include all the major Office formats (a .docx or .xlsx is just a ZIP of XML parts, which is why the report below lists hits by part name, such as xl/sharedStrings.xml). It will additionally scan email (.MSG), Outlook (.PST/.OST) and Access (.ACCDB/.MDB) files.

My initial run picked up a few test files under the C:\Python27 folder but nothing valid on the build computer. For a better test, I went to getCreditCardNumbers and copied its output into a text file, an Excel workbook and a Word document on the build computer. The site generates fake numbers that are not issued to anyone but still conform to the formats (prefix, length and check digit) used by Amex, Mastercard, Discover and Visa. This scan picked up all my test files accurately, but it does seem to generate a false positive on a Chrome log file.

PAN Hunt Report - 11:46:18 02/10/2018
====================================================================================================
Searched c:\users
Excluded C:\Windows,C:\Program Files,C:\Program Files (x86)
Command: panhunt -s c:\users
Uname: Windows | GOMERS-PC | 10 | 10.0.17134 | AMD64 | Intel64 Family 6 Model 44 Stepping 2, GenuineIntel
Searched 2171 files. Found 52 possible PANs.
====================================================================================================

FOUND PANs: c:\users\gomer\Desktop\cardnums.txt (401B 02/10/2018)
	 AMEX:***********3773
	 AMEX:***********3723
	 AMEX:***********0966
	 AMEX:***********7487
	 AMEX:***********2958
	 Visa:************0764
	 Visa:************9813
	 Visa:************9100
	 Visa:************0909
	 Visa:************5143
	 Mastercard:************4084
	 Mastercard:************3389
	 Mastercard:************0212
	 Mastercard:************8065
	 Mastercard:************5314

FOUND PANs: c:\users\gomer\Documents\test-cc-data.xlsx (11KB 02/10/2018)
	xl/sharedStrings.xml AMEX:***********3039
	xl/sharedStrings.xml AMEX:***********7916
	xl/sharedStrings.xml AMEX:***********9168
	xl/sharedStrings.xml AMEX:***********0795
	xl/sharedStrings.xml AMEX:***********3384
	xl/sharedStrings.xml Visa:************0527
	xl/sharedStrings.xml Visa:************1455
	xl/sharedStrings.xml Visa:************4899
	xl/sharedStrings.xml Visa:************6760
	xl/sharedStrings.xml Visa:************5262
	xl/sharedStrings.xml Mastercard:************7492
	xl/sharedStrings.xml Mastercard:************3734
	xl/sharedStrings.xml Mastercard:************8957
	xl/sharedStrings.xml Mastercard:************6043
	xl/sharedStrings.xml Mastercard:************3496

FOUND PANs: c:\users\gomer\Documents\Visa.docx (14KB 02/10/2018)
	word/document.xml AMEX:***********2914
	word/document.xml AMEX:***********5174
	word/document.xml AMEX:***********6675
	word/document.xml AMEX:***********0825
	word/document.xml AMEX:***********1297
	word/document.xml Visa:************5349
	word/document.xml Visa:************7362
	word/document.xml Visa:************7608
	word/document.xml Visa:************3546
	word/document.xml Visa:************8202
	word/document.xml Mastercard:************4025
	word/document.xml Mastercard:************2316
	word/document.xml Mastercard:************9032
	word/document.xml Mastercard:************8105
	word/document.xml Mastercard:************6284


216e98d79fe438a717b108553434e3bab8b30d5ab0e3679c7ebc5d6dc66b38b778c5943eb7a94c82287a072a2b472a68a5c8266c7d4f3b7d6d59473343f797f1

The 128-hex-digit line that closes the report is the SHA-512 digest PANhunt appends to the report text, so that a saved report can later be checked for tampering.

Scanning the network

With a little ingenuity and the right permissions, you should be able to scan your entire network for credit card data. But there are some caveats worth mentioning:

  • Anti-malware programs will probably intercept your new EXE. Symantec gave me a couple of fits before allowing it to run on my computer, and I am unsure how this would impact a network scan. I suspect it trips the same triggers that ransomware would: an unsigned, freshly built binary that walks the whole disk and opens every file it can reach.
  • You are going to get more false positives scanning a whole PC. Everything from Click-to-Run stream files to random log files contains credit-card-like digit strings, and some of those will even pass the check-digit test. Consider using the -s switch to limit your search path and the -x switch to exclude directories.
  • You can scan mapped network drives and UNC paths, so the entire scan can be run from one machine with the right credentials. Coupling PANHunt with PsExec to run it locally on each host might be useful as well, but you would need to pull each report back to a central location.
  • Findings will need to be manually validated. I encountered a fair number of false positives due to strings of digits that PANHunt decided were credit card numbers. Use your judgement on this: some files I could eliminate just by their names, but others required me to actually open the offending file. I also recommend checking files that produce the “Invalid ZIP file” error to determine whether they are password protected, corrupted, or simply inaccessible to you, since an encrypted archive can hide exactly what you are looking for.
  • One last thing - Put padding down in the spot where you normally bang your head on the desk. You might need it.
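To make the detection logic behind the report above and the false-positive caveats in this list concrete, here is a stripped-down PAN hunter in Python 3. It is an added example written for this post, not PANhunt's own code: the brand regexes are my approximation of the Amex, Visa, Mastercard and Discover formats (Mastercard's newer 2221-2720 range is deliberately left out), the sample files are constructed in memory from publicly documented test card numbers, and the chrome_debug.log line is made up to show a Luhn-valid trace ID being flagged the same way the real Chrome log was. It mirrors two things the report shows: Office documents are opened as ZIPs and each XML part is scanned separately, and hits are masked down to the last four digits.

```python
import io
import re
import zipfile

# Brand regexes (my approximation of the formats a PAN scanner looks for; the
# Mastercard 2221-2720 range is omitted to keep the patterns short). Digits may be
# grouped with spaces or dashes, as they often are in documents. The lookarounds stop
# a match from starting or ending in the middle of a longer digit run.
BRAND_PATTERNS = {
    "AMEX": re.compile(r"(?<!\d)3[47]\d{2}[ -]?\d{6}[ -]?\d{5}(?!\d)"),
    "Visa": re.compile(r"(?<!\d)4\d{3}(?:[ -]?\d{4}){3}(?!\d)"),
    "Mastercard": re.compile(r"(?<!\d)5[1-5]\d{2}(?:[ -]?\d{4}){3}(?!\d)"),
    "Discover": re.compile(r"(?<!\d)6011(?:[ -]?\d{4}){3}(?!\d)"),
}

# Extensions treated as ZIP containers: the Office XML formats are zips of XML parts.
ZIP_EXTENSIONS = (".docx", ".xlsx", ".pptx", ".zip")


def luhn_ok(digits):
    """Luhn (mod 10) check: the filter that separates card-shaped digit runs from random ones."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Report style: everything but the last four digits is masked."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text):
    """Return [(brand, masked_pan)] for every Luhn-valid match in text."""
    hits = []
    for brand, pattern in BRAND_PATTERNS.items():
        for m in pattern.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                hits.append((brand, mask(digits)))
    return hits


def scan_file(path, data):
    """Dispatch on extension: ZIP containers are opened and each XML/text part is
    scanned on its own; anything else is treated as text.
    Returns [(path, member, brand, masked_pan)]."""
    results = []
    if path.lower().endswith(ZIP_EXTENSIONS):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if member.lower().endswith((".xml", ".txt")):
                        part = zf.read(member).decode("utf-8", errors="replace")
                        results += [(path, member, b, p) for b, p in scan_text(part)]
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt, truncated or password-protected archive: report it rather than
            # skip it silently, so it can be validated by hand.
            results.append((path, "", "ERROR", "Invalid ZIP file"))
    else:
        text = data.decode("utf-8", errors="replace")
        results += [(path, "", b, p) for b, p in scan_text(text)]
    return results


def make_office_zip(parts):
    """Build a minimal Office-style container in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample corpus. The card numbers are publicly documented test numbers,
# not real cards. The log line is made up: its trace ID happens to pass Luhn (a
# false positive), while the session value fails Luhn and is correctly ignored.
SAMPLE_FILES = {
    "cardnums.txt": b"amex 3782 822463 10005\nvisa 4111-1111-1111-1111\n",
    "test-cc-data.xlsx": make_office_zip({
        "[Content_Types].xml": "<Types/>",
        "xl/sharedStrings.xml": "<sst><si><t>5555555555554444</t></si></sst>",
    }),
    "chrome_debug.log": (
        b"[1234:5678:0210/114618.000:INFO] trace=5105105105105100 session=4111111111111112\n"
    ),
    "broken.zip": b"PK\x03\x04 this is not really a zip",
}


def scan_corpus(files=SAMPLE_FILES):
    """Scan every (name, bytes) pair and return the flat list of findings."""
    findings = []
    for path, data in files.items():
        findings += scan_file(path, data)
    return findings


if __name__ == "__main__":
    for path, member, brand, pan in scan_corpus():
        print(f"{path:<20} {member:<22} {brand}:{pan}")
```

Running it prints one finding per line. The log's 4111...1112 is dropped by the Luhn check while 5105...5100 survives it, which is exactly why the scanner's output still has to be validated by hand, and the deliberately broken archive is reported instead of being silently skipped, the case the “Invalid ZIP file” caveat above is about.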