In this digital era where security plays an important role in ensuring and giving confidence to companies and customers, Penetration Testing is an important part of the overall testing of a system. It becomes crucial if the business is dedicated to financial, e-commerce or any other sector where private information as credit card numbers play a central role in the system’s core process.
To achieve PCI certification and meet the standards, there are many useful tools that can help us. One of them is the French software PANBuster.
PANBuster is a really effective free tool available for Windows, Linux and IOS at http://www.xmco.fr/panbuster.html. You’ll be able to find vulnerability issues where the software security may be compromised in two really easy steps.
As we know, credit card numbers must never be stored without strong encryption and proper key management. The tool will identify clear-text PAN (Primary Account Number) with minimum false-positive detections.
Step 1: unzip PANBuster
Once you’ve unzipped PANBuster, look for an executable (.exe) file into the folder XMCO_PANBsuter-v1.0_Win32.
Step 2: execute PANBuster
Execute panbuster.exe selecting the location where you want to look for CC (Credit Card Numbers), then check the results.
As we can see in the second image, the tool is able to:
- Identify card brands (such as VISA, Mastercard, American Express, JCB, Discover or China Union.) in cache or files.
- Parse compressed files in memory (.ZIP, .GZ, .TGZ…).
- Detect PAN in MySQL datafile, MSSQL (backup files only), PostgreSQL, Oracle (Dump).
By accessing this information, you will be able to know if there are card numbers without encryption casted in the system or cache. This means that the software being analyzed allows to storage this data without meeting the standards of security required to protect the user.
As we can see, PANBuster is very effective. This tool has a low false-positives rate, so we can trust in the results. It’s a highly recommended tool, so when it comes the time of scanning phases on the penetration testing I would encourage you to give it a try.