Centurix/Pantastic
Scan a computer for the existence of Credit Card PANs. This script contains configurations to ignore IINs, major identifiers, specific card numbers, file types and deprecated issuers.
The script will analyse and identify card numbers from 12 to 19 digits in length across many different types of industries. Cards will be identified by their IIN and Luhn check compliance. Cards will be detected as single numbers or even as multiple groups of digits. Various options are included to assist in the identification of false positives.
All options listed below can be used within configuration files. For example:
python ./pantastic.py --config_file=ignore_uatp.ini
Or to override a value in a configuration file, specify the value on the command line.
python ./pantastic.py --config_file=ignore_uatp.ini --dir=/
This version has been updated to support Python 3. Due to the conversion, some of the old 2.x standard libraries have been replaced. This project now uses PDM as its dependency manager.
You will also need Python 3.9+ to run this.
Once PDM is installed, to install dependencies you can issue the command:
pdm install
This will attempt to install the required dependencies for this project.
PLEASE NOTE THAT THE PYTHON 3.x CONVERSION GETS THE PROJECT INTO A WORKING STATE AND IS NOT A COMPLETE RE-WRITE OF THE APPLICATION.
Download or clone this into a folder somewhere. Include it in your path if you like. Then:
python ./pantastic.py --dir=/ --ignore_paths=ignore_paths.txt --ignore_file_extensions=ignore_extensions.txt --verbose=True
This will scan the root of a PC, ignoring common file extensions and common Linux paths which don't really store data and then send the results to the screen.
python ./pantastic.py [--config_file=file] [--log_file=file] [--log_level=level] [--ignore_cards=list file] [--ignore_iins=list file] [--ignore_industries=list file] [--include_deprecated] [--minimum_digits=integer] [--maximum_digits=integer] [--cards_per_file=integer] [--ignore_file_extensions=list file] [--unmask_card_number] [--max_group_count=integer] [--max_group_distance=integer] [--output=file] [--verbose] --dir=location or --file=file
--config_file [filename] A config file to use during operation. Files are in INI file format and the options are identical to the command line option names. Default is ./pantastic.ini
--log_file [filename] Write all operations to this file. Default is ./app.log
--log_level [level] Specify the level of logging to perform. Levels are debug, info, warning, error, critical. Default is info
--ignore_cards [filename] A file containing a list of card numbers to ignore. Default is not to ignore any cards.
--ignore_iins [filename] A file containing a list of ISO/IEC 7812 Issuer Identification Numbers (IIN) to ignore. The IIN is between 1 and 6 digits. Examples of IINs:
- 4 - Visa
- 51 - MasterCard
- 34 - American Express
- 1 - UATP
- 6011 - Discover Card
The central list of IINs is not publicly available, but a list of updated IINs is available at https://en.wikipedia.org/wiki/Payment_card_number
--ignore_industries [filename] A file containing a list of major industry identifiers to ignore. This list contains just single digits from the start of each card number. These numbers are:
- 0 - ISO/TC 68 and other industry assignments
- 1 - Airlines
- 2 - Airlines, financial and other future industry assignments
- 3 - Travel and entertainment
- 4 - Banking and financial
- 5 - Banking and financial
- 6 - Merchandising and banking/financial
- 7 - Petroleum and other future industry assignments
- 8 - Healthcare, telecommunications and other future industry assignments
- 9 - For assignment by national standards bodies
--include_deprecated [boolean] Include known deprecated card IIN issuers.
--ignore_paths [filename] A file containing a list of paths to ignore. Default is to scan all paths recursively.
--minimum_digits [integer] Only find cards with this minimum number of digits or larger. Default 12
--maximum_digits [integer] Only find cards up to this maximum number of digits in length. Default 19
--cards_per_file [integer] Stop processing a file once this number of cards have been found. Zero will find all card numbers in each file. Default 0
--ignore_file_extensions [filename] A file containing a list of file extensions to ignore. Each extension must be listed including the leading period (.), for example .dll, .exe, .ttf
--unmask_card_number [boolean] Show the full card number. By default the central account number portion of the card number is masked with 'X'. Default False
--max_group_count [integer] Specify the maximum number of digit groups to find within each file. Sometimes when cards are stored, they are stored in their groupings, like this 4 group card number:
1234-5678-9012-3456
Some card types use more or less groupings. Specifying zero includes any number of groupings per card. Default 0
--max_group_distance [integer] Specify the maximum string distance between the first character of the first card group and the first character of the last card group. If cards appear in a file, the groupings are commonly quite close together, with probably a maximum of 1 character between each group. Sometimes groups are stored in fields within databases, adding more space in the file between each group. Specifying zero will set the group distance to the length of the number plus 5. Default 0
--output [filename] Send the found cards to this file in a CSV format containing the filename, issuer and card number obeying the --unmask_card_number option above.
--verbose [boolean] Set to true to include more detail about the current scan status. Defaults to True
--dir [directory] A directory to scan. Either --dir or --file must be specified otherwise a scan will not occur.
--file [filename] A file to scan. Either --dir or --file must be specified otherwise a scan will not occur.
Create these two files
uatp.ini
[default]
dir=/home
ignore_industries=ignore_uatp.txt
ignore_uatp.txt
1
Then run
python ./pantastic.py --config_file=uatp.ini
Two exclusion files are included in the project
- ignore_paths.txt
- ignore_extensions.txt
These files contain common exclusions on a Redhat type distribution of Linux. To use these files, create a file called pantastic.ini and fill it with the following.
[default]
dir=/
ignore_paths=ignore_paths.txt
ignore_file_extensions=ignore_extensions.txt
Then just run
python ./pantastic.py
And it'll run a PAN scan.
This is a very organic project and needs considerable tidying up. It does comply with PEP8, but it's not particularly 'Pythonic'. It's a bit hacky in parts as it required quick additions for certain situations, like supporting UTF-16.
It's not the fastest scan in the world, but it is thorough. As they say:
"Make it work, then make it fast"
By default this is a very greedy script and will pick up a lot of valid 'cards'. Although these can technically be called false positives, they are cards that comply with the two simple checks of passing Luhn and containing a valid IIN.
I suggest running the script in its default state to start with and then working through why so many card numbers are being picked up. For example, UATP cards are so broad in specification that any Luhn compliant number beginning with 1 and complying to the UATP card length will return a positive result. If you are sure that you will never see a UATP card in your organisation, then add the IIN or major industry number to the list of exclusions and run the script again.
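The two checks and the effect of an industry exclusion, as an added example (not Pantastic's own code). It assumes a simplified candidate pattern with at most one space or hyphen between digits, filters on the major industry digit only rather than a full IIN table, and assumes a first-six/last-four masking layout; the sample text is constructed.

```python
import re

# Constructed sample text; the numbers are test values, not real cards.
SAMPLE = (
    "order=991 card: 4111-1111-1111-1111 exp 12/30\n"
    "ticket ref 1000000000000008 issued\n"
    "serial 4111111111111112 (fails Luhn)\n"
)

# 12 to 19 digits, optionally split into groups by a single space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){11,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Mask the middle of the number with X (assumed layout: keep 6 + 4)."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scan(text: str, ignore_industries=frozenset()):
    """Return (major industry digit, masked number) for each Luhn-valid hit."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if digits[0] in ignore_industries or not luhn_ok(digits):
            continue
        hits.append((digits[0], mask(digits)))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE))          # the "ticket ref" number passes Luhn and starts with 1
    print(scan(SAMPLE, {"1"}))   # excluding industry 1 drops it
```

The second line of the sample is an arbitrary reference number that happens to pass Luhn and start with 1, which is the kind of hit an industry exclusion removes.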
Currently, this script does not deal with compressed files. It may in the future, probably for the common .zip and .rar files. Currently it skips over files with the following extensions:
- .gz
- .zip
- .rar
- .7z
- .bzip
- .bz2
This was developed with Python V2, I suspect there's a little bit of work to get it into V3.
The requirements are fairly straightforward, mostly standard Python stuff. There shouldn't be any other fancy requirements.
This has only been tested in Linux environments. Very interested to see if this works fine in Windows or on OSX. Haven't made any provisions with the exception of always using os.path.join() for file paths. Come to think of it, I use mmap to read the data, and I think a couple of the options are different in Windows. YMMV.
Add a max file size check
Actually do some testing in Windows and OSX
Add more logging for stuff other than info()
Add some kind of progress feedback that you can turn on/off for when you run the script manually.
Add output options for XML, JSON, HTML etc. Currently only does CSV.
Actually start on compressed file support. http://stackoverflow.com/questions/5127921/can-mmap-and-gzip-collaborate
Provide PIP and other types of installs