begood Posted May 5, 2010

I’ve been spending a lot of time lately working with packet captures. I’ve been stringing together a long list of silly one-liners to make a very rough pcap vulnerability scanner of sorts. This is one of those one-liners.

One of the main things I first hunt for in network traffic is sensitive data leaving the network. Depending on the client, this could range anywhere from Social Security Numbers to Player Tracking Numbers on gaming networks. I usually use grep and ngrep for some initial recon. Here, we break open our pcap file with ngrep and feed it to grep. Then, grep looks for the typical SSN regex xxx-xx-xxxx, where x = any number 0-9.

$ ngrep -I inet.pcap | grep '[0-9]\{3\}-[0-9]\{2\}-[0-9]\{4\}'
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-29-rm-eng_thumbnail.jpg http://www.blogcdn.com/www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-4
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-12-rm-eng_thumbnail.jpg http://www.blogcdn.com/www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-4
GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-01-rm-eng_thumbnail.jpp CO%20Update%288-57-423458293.emlRe%20Company%20Meeting
l.com/exchange/john.doe/Deleted%20Items/CP%20Update%288-57-423458293.eml

As you can see in the example above, there are some (all) false positives. This particular pcap is hitting on dates and .eml names because they follow the regex we are looking for. On larger pcaps with a lot of Internet traffic, I usually pipe the output to a text file and get to work stripping out all the GET requests and things we just aren't interested in for the task at hand.

I’ve also used the Spider tool from Cornell University with much success.

Source: Finding Social Security Numbers in packet captures with grep and ngrep (Security Aegis)
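The post's regex fires on anything shaped xxx-xx-xxxx, which is why dates and attachment names show up. The following is an added example (not code from the post or from Security Aegis) of a stricter filter that can be run over the same ngrep output: it keeps the post's pattern but refuses matches embedded in longer digit-and-dash runs, and drops values the Social Security Administration never issues (area 000, 666 or 900-999; group 00; serial 0000). The sample lines are constructed for the example; two of them are adapted from the false positives shown in the post, and 123-45-6789 is a placeholder value, not a real number.

```python
import re
import sys

# The post's pattern, three-two-four digits with dashes, plus lookarounds so a
# match cannot start or end inside a longer digit/dash run. This rejects the
# "2010-03-3019-43-29" fragments of the thumbnail URLs and the
# "288-57-423458293" attachment name that the plain grep matched.
SSN_RE = re.compile(r'(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])')


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from SSA issuance: area 000, 666 and 900-999 are never
    assigned, and group 00 and serial 0000 are never assigned."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssn_candidates(lines):
    """Return (line_number, token) for every SSN-shaped token that passes the
    boundary and structural checks. Line numbers start at 1."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((n, m.group(0)))
    return hits


# Constructed sample input standing in for `ngrep -I inet.pcap` output.
SAMPLE = [
    "GET /www.engadget.com/media/2010/03/cisco-valet-2010-03-3019-43-29-rm-eng_thumbnail.jpg",
    "l.com/exchange/john.doe/Deleted%20Items/CP%20Update%288-57-423458293.eml",
    "POST /form ssn=123-45-6789&name=constructed",   # placeholder SSN, should be reported
    "ref=000-12-3456",                               # area 000 is never issued
    "ref=123-00-4567",                               # group 00 is never issued
    "order 2010-03-3019 shipped",                    # date-like fragment, no match
]


if __name__ == "__main__":
    # Reads ngrep output from stdin when piped, otherwise runs on the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for lineno, token in find_ssn_candidates(source):
        print(f"line {lineno}: {token}")
```

Usage mirrors the post: `ngrep -I inet.pcap | python3 ssn_filter.py` (the script name is an assumption). Run with no piped input it reports only line 3 of the sample. The structural rules remove impossible values, not every false positive, so the surviving hits still need a look at the surrounding request before being treated as a leak.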