In this blog I’ll be introducing dataLoc, a tool for locating payment cards in MSSQL databases without requiring the presence of keywords. dataLoc would be useful for anyone who would like to check their database for payment card numbers in unexpected places, including DBAs, pen-testers, auditors, and others.
dataLoc is not an injection or attack tool. It requires a direct connection to a database along with valid user credentials. The user account requires full read access, as well as the ability to create and drop temp tables.
For those of you that are in a hurry to get started, the dataLoc source and binaries are available on GitHub:
The tool is intended to be easy to use. All you need to do to scan for payment card numbers is provide a remote host, enter a set of credentials or enable Windows auth, click “connect”, and then click “scan”.
If you’d like to do targeted scanning you can narrow the focus to a specific database, table, or even column by selecting the database from the drop down, and then clicking on the table or column you’re interested in.
General
If you decide to customize some of the more advanced settings, you may want to enable the use of an INI file so your changes persist. In order to keep scan times reasonable, you may want to enable the per-column timeout and set a reasonable cap of 1 to 10 minutes. Most columns are processed within a few seconds.
Scoring
The scoring system is used to generate a confidence rating for each potential finding. The lower the number, the more likely the item is to be a false positive. This tool is a simple proof of concept, so it’s highly likely you would benefit from tuning the scoring system to your environment.
Scoring is broken up into several sections.
Luhn Valid – By default a base score of 50 is assigned for all Luhn valid matches. Anything that fails Luhn validation is discarded.
Alpha Delimiters – A letter exists somewhere inside the number sequence. Ex: 411a1111111111111
Card + CVV – The match is followed by 3 digits. Ex: 4111111111111111 123
Phone Number – The match looks like it could be part of a phone number. Ex: 1-4111111111111111
Keywords – Text such as visa, card, etc. exists in the cell containing the match. Ex: visa 4111111111111111
Negative Keywords – Text such as “aaa” exists in the cell containing the match; Triple A membership numbers are 16 digits and Luhn valid.
Delimiters – The number of delimiters and the number of distinct delimiter types. Ex: Count: 4, Types: 2: 411-111-111-111/1111
IIN Check – Does the match contain a known IIN (Issuer Identification Number)?
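The scoring sections above, worked through as a constructed Python example (added here; this is not dataLoc’s own code). The page states only the base score of 50, so the other weights, the keyword lists, the IIN prefixes and the 16-digit-only assumption are all mine to illustrate how a confidence rating is built up per Luhn-valid match:

```python
import re

# Weights are constructed for this example: the page states only the base score of
# 50, so the other values are assumptions that a real deployment would tune.
WEIGHTS = {"luhn_valid": 50, "alpha_delimiter": -20, "card_cvv": 10, "phone_number": -25,
           "keyword": 20, "negative_keyword": -30, "mixed_delimiters": -10, "known_iin": 15}
KEYWORDS = ("visa", "card", "mastercard", "amex")
NEGATIVE_KEYWORDS = ("aaa", "membership")
IIN_PREFIXES = ("4", "51", "52", "53", "54", "55", "34", "37")  # Visa, Mastercard, Amex
RUN = re.compile(r"\d(?:[-./ a-zA-Z]?\d)+")   # digits joined by single delimiters/letters
PAN_LEN = 16                                  # assumption: 16-digit PANs, as in the page


def luhn_valid(digits):
    """Luhn mod-10 check: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_cell(cell):
    """Return (pan, score, reasons) for each Luhn-valid 16-digit window in a cell."""
    lower, findings = cell.lower(), []
    for run in RUN.finditer(cell):
        raw = run.group()
        pos = [i for i, ch in enumerate(raw) if ch.isdigit()]  # raw index of each digit
        digits = "".join(raw[i] for i in pos)
        for start in range(len(digits) - PAN_LEN + 1):
            pan = digits[start:start + PAN_LEN]
            if not luhn_valid(pan):      # Luhn failures are discarded outright
                continue
            span = raw[pos[start]:pos[start + PAN_LEN - 1] + 1]
            delims = [c for c in span if not c.isdigit()]
            checks = [
                ("alpha_delimiter", any(c.isalpha() for c in delims)),          # 411a1111111111111
                ("card_cvv", len(digits) - start - PAN_LEN == 3),               # 4111111111111111 123
                ("phone_number", start > 0),                                    # 1-4111111111111111
                ("keyword", any(k in lower for k in KEYWORDS)),                 # visa 4111111111111111
                ("negative_keyword", any(k in lower for k in NEGATIVE_KEYWORDS)),  # "aaa" numbers
                ("mixed_delimiters", len(set(delims)) > 1),                     # 411-111-111-111/1111
                ("known_iin", pan.startswith(IIN_PREFIXES)),
            ]
            reasons = ["luhn_valid"] + [r for r, hit in checks if hit]
            findings.append((pan, sum(WEIGHTS[r] for r in reasons), reasons))
    return findings
```

Each finding carries the list of reasons that produced its score, which is what you would want to review when tuning the weights for your own data.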
Known Issues
The script is single threaded. Once you start a scan the GUI will become unresponsive until it completes its run.
The only way to stop a scan early is to kill the application.
dataLoc was tested exclusively on Windows 10. There may be issues with the GUI on anything older.
Feel free to submit a ticket to the GitHub repository if something doesn’t work as expected. I’d love some constructive feedback.