
Unmask Asterisk


odious

Newbie

Posts: 4

Joined: Fri Apr 18, 2008 2:17 pm

Post Sat Apr 26, 2008 3:17 pm

Unmask Asterisk

Question:

I compromised an ecommerce server and they have a local instance of MySQL on it. I can leverage access to the SQL server, which is supposed to be back end (stupid designer). There is data everywhere, but there seems to be masking on the credit card numbers. How can I find out how the data is masked so I can use the credit card numbers? Any ideas? They appear like this!

select cNums from customerData;

+------------------+
| cNums            |
+------------------+
| ************3581 |
| ************7797 |
| ************9696 |
| ************4856 |
| ************2288 |
| ************9995 |
| ************7766 |
| ************4259 |
| ************4730 |
| ************3050 |
| ************6289 |
| ************8485 |
.....

It only shows the last 4 digits but I need all of them!

Mr. Roboto


Jr. Member

Posts: 67

Joined: Thu Feb 14, 2008 9:57 am

Location: Ohio

Post Sat Apr 26, 2008 3:32 pm

Re: Unmask Asterisk

odious wrote:
It only shows the last 4 digits but I need all of them!

I bet you do!
A+, Security+, HDI Support Center Analyst, MCTS: Vista

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sat Apr 26, 2008 3:42 pm

Re: Unmask Asterisk

Hey odious,

Interesting first post. Most legal pen tests or ethical hacks have scope in the contract or agreement that specifically states that you cannot view the data at all much less the last 4 digits.

Please remember that this is the "Ethical" Hacker Network and you posted in the Ethical Hacking Board.

Can you offer anything that might make us believe that you have permission to do this? If not, I have no choice but to lock the topic.

Don
CISSP, MCSE, CSTA, Security+ SME

odious

Newbie

Posts: 4

Joined: Fri Apr 18, 2008 2:17 pm

Post Sat Apr 26, 2008 3:50 pm

Re: Unmask Asterisk

Well, it's really dependent on what your definition of permission is. The ecommerce server belongs to a friend's uncle's brother's company, who mentioned his desire to have someone look at the security of the system. We discussed a price of $18,000 and I started yesterday.

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Apr 26, 2008 4:00 pm

Re: Unmask Asterisk

odious wrote: Well, it's really dependent on what your definition of permission is.

LOL, yeah, I guess it does, but not in an ethical pentest. We have very clear rules of engagement.

odious

Newbie

Posts: 4

Joined: Fri Apr 18, 2008 2:17 pm

Post Sat Apr 26, 2008 4:01 pm

Re: Unmask Asterisk

But I don't work for you.

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Sat Apr 26, 2008 4:04 pm

Re: Unmask Asterisk

I am sorry, I should have said the ethical hacking community as a whole has established rules for pentesting. There are legal complications when you do a pentest and you need to protect yourself and your client.

odious

Newbie

Posts: 4

Joined: Fri Apr 18, 2008 2:17 pm

Post Sat Apr 26, 2008 4:05 pm

Re: Unmask Asterisk

All this aside, we've digressed from the original topic: how can I unmask the card numbers to use them?

don


Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sat Apr 26, 2008 4:28 pm

Re: Unmask Asterisk

Written permission in the form of an agreement or contract.

So your friend's uncle's company mentioned it, and you discussed a price of $18,000, but did he actually sign a contract with you? And that contract says that you can not only, as you put it, look at the security of the system, but also get full credit card numbers?

If the uncle or the owner of the company did that, they would be in big legal trouble and lose their business. So I doubt that is the case. And if you are a professional pen tester, you should have told him that you would under no circumstances do that. Hell, if for no other reason than you would never get paid if his company folded.

If you simply want to remove the asterisks from a MySQL table, maybe you should ask the same exact question using the same exact words in a MySQL Support Forum.

Topic closed.

Don
CISSP, MCSE, CSTA, Security+ SME
