Trolling Memory for Credit Cards in POS / PCI Environments | InfoSec Sans.EDU

In a recent penetration test, I was able to parlay a network oversight into access to a point-of-sale terminal. Given the discussions these days about memory-scraping POS malware, the next step for me was an obvious one: memory analysis.

My first step was to drive to the store I had compromised and purchase an item.

I’m not a memory analysis guru, but the memory capture and analysis was surprisingly easy. First, dump memory:

dumpit

Yup, it’s that simple, I had the dumpit executable locally by that point (more info here https://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216)

or, if you don’t have keyboard access (dumpit requires a physical “enter” key; I/O redirection won’t work for this):

win32dd /f memdump.img

(from the SANS Forensics Cheat Sheet at https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1_2.pdf )

Next, I’ll dig for my credit card number specifically:

strings memdump.img | grep [mycardnumbergoeshere] | wc -l

171

Yup, that’s 171 occurrences in memory, unencrypted. So far, we’re still PCI compliant: PCI 2.0 doesn’t mention cardholder data in memory, and 3.0 only mentions it in passing. The PCI standard mainly cares about data at rest, which to most auditors means “on disk or in a database”, or data in transit, which means on the wire, capturable by tcpdump or Wireshark. Anything in memory, no matter how much of a target it is in today’s malware landscape, has no bearing on PCI compliance.
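The grep above works because I knew my own card number. On a real engagement you usually don’t, so the scan below (an added example, not code from the original diary) generalises the idea: it walks a raw image for 13–19 digit runs, keeps only the ones that pass the Luhn check, counts occurrences and prints them masked. It also searches for UTF-16LE digit runs, which a default `strings` run (ASCII only, without `-e l`) silently skips on Windows POS software, and it reads the image in chunks with an overlap so that multi-GB dumps work and a number straddling a read boundary is neither missed nor counted twice. The `SAMPLE_DUMP` bytes are constructed here using the public Visa and Mastercard test numbers; they are not from any real terminal.

```python
"""Scan a raw memory image for Luhn-valid card-number candidates.

Added example, not code from the ISC diary. It generalises the diary's
`strings memdump.img | grep <known PAN> | wc -l` to the case where the
tester does not know a card number in advance.
"""
import io
import re
from collections import Counter
from typing import Iterator, Optional, Tuple

# 13-19 digit runs that are not part of a longer digit run.
ASCII_PAN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")
# The same run stored as UTF-16LE text (each digit followed by a NUL byte).
WIDE_PAN = re.compile(rb"(?<!\d\x00)((?:\d\x00){13,19})(?!\d\x00)")
# (regex, decoding, number of bytes the trailing lookahead needs to see)
PATTERNS = ((ASCII_PAN, "ascii", 1), (WIDE_PAN, "utf-16-le", 2))
MAX_MATCH = 19 * 2 + 2  # longest match in bytes, plus its lookahead


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most timestamps, serials and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form that keeps only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _candidates(buf: bytes) -> Iterator[Tuple[str, int, int]]:
    """Yield (digits, end_offset, lookahead_bytes) for every digit run in buf."""
    for rx, enc, la in PATTERNS:
        for m in rx.finditer(buf):
            yield m.group(1).decode(enc), m.end(), la


def scan_stream(f, chunk_size: int = 1 << 20, overlap: int = 64) -> Counter:
    """Count Luhn-valid digit runs in a (possibly multi-GB) image, chunk by chunk.

    Each chunk is prefixed with the last `overlap` bytes of the previous one.
    A match whose lookahead ran into the end of the buffer is re-examined in the
    next round; a match that was already fully decided inside the previous
    chunk is skipped, so nothing is counted twice.
    """
    if overlap < MAX_MATCH:
        raise ValueError("overlap must cover the longest possible match")
    hits: Counter = Counter()
    tail = b""
    while True:
        chunk = f.read(chunk_size)
        final = len(chunk) < chunk_size
        buf = tail + chunk
        for digits, end, la in _candidates(buf):
            if not final and end + la > len(buf):
                continue  # lookahead could not see past this chunk: defer
            if end + la <= len(tail):
                continue  # decided inside the previous chunk: already counted
            if luhn_ok(digits):
                hits[digits] += 1
        if final:
            return hits
        tail = buf[-overlap:]


def scan_bytes(data: bytes, chunk_size: Optional[int] = None) -> Counter:
    """Scan an in-memory buffer; a small chunk_size exercises the boundary logic."""
    return scan_stream(io.BytesIO(data), chunk_size or len(data) + 1)


def scan_file(path: str) -> Counter:
    with open(path, "rb") as f:
        return scan_stream(f)


# Constructed sample "memory" (not a real dump): the Visa and Mastercard public
# test numbers, one of them stored as UTF-16LE, plus digit runs that must be
# rejected (a Luhn failure and a 23-digit serial).
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Track2=;4111111111111111=2512101?\x00"
    + b"PAN=4111111111111111 AUTH=123456\x00"
    + b"4111111111111111\n"
    + b"not a card: 4111111111111112 (fails Luhn)\x00"
    + "CardNumber=5500000000000004".encode("utf-16-le") + b"\x00\x00"
    + b"serial 12345678901234567890123 (too long)\x00"
)

if __name__ == "__main__":
    for pan, n in scan_bytes(SAMPLE_DUMP).most_common():
        print(f"{mask_pan(pan)}  x{n}")
```

Point `scan_file()` at the `memdump.img` from the steps above to get a masked per-PAN count instead of a single total. The count for any one number can differ from the grep count, because `grep` also matches the digits when they sit inside a longer run or in a non-card field, while this scan only accepts runs that are delimited and Luhn-valid. If you do reuse the one-liner with a real number, quote it (`grep -c '4111...'`), since unquoted square brackets are interpreted by both the shell and grep.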

via InfoSec Handlers Diary Blog – Trolling Memory for Credit Cards in POS / PCI Environments.

