Dmitry Gutsko. SAP Attack Methodology
3 likes15,060 views
This document outlines methods for attacking SAP systems, including scanning for open ports, gathering information like available clients and default passwords, directly accessing the Oracle database, hijacking passwords over network protocols, cracking hashed passwords, bypassing client authentication, accessing other connected SAP systems, and hiding evidence of obtaining high privileges. The attacks range from reconnaissance like port scanning to exploiting default credentials to privilege escalation techniques like modifying reports and tables.
Dmitry Gutsko. SAP Attack Methodology
- 1. SAP Attack Methodology Dmitry Gutsko Security expert Positive Technologies PHDays III
- 2. Agenda
- 3. SAP: Typical three-tier architecture
- 6. Where to begin? β Scan ports β’ 32xx β’ 33xx β’ 36xx β Gather information about the system β’ Find available clients β’ Check for default passwords β’ Identify a database server β Tools: β’ MaxPatrol (PenTest) β’ sapyto β’ console bruter by PT
- 7. Clients SAP Application server Client 000 Client 001 Client 066 Client 800
- 8. Clients SAP Application server Client 000 Client 001 Client 066 Client 800
- 9. Clients SAP Application server Client 000 Client 001 Client 066 Client 800
- 10. Default passwords User account Default password Statistics SAP* 06071992 PASS 0% 25% DDIC 19920706 0% TMSADM PASSWORD $1Pawd2& 25% 12,5% EARLYWATCH SUPPORT 0% SAPCPIC ADMIN 25%
- 11. Default passwords User account Default password Π‘ΡΠ°ΡΠΈΡΡΠΈΠΊΠ° ΠΈΡΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°Π½ΠΈΡ SAP* 06071992 PASS 0% 25%(ΡΠ±Π΅Ρ,ΠΠ°Π· DDIC 19920706 0% TMSADM PASSWORD $1Pawd2& 25%(ΠΠΌ,ΡΠ±Π΅Ρ 12,5%(ΠΠ°Π· EARLYWATCH SUPPORT 0% SAPCPIC ADMIN 25%(ΠΠ°Π·, ΡΠ±Π΅Ρ
- 14. Direct access to Oracle database β Remote_OS_Authentication: β’ User authentication by OS login β SAPSR3 user password is stored in table OPS$<SID>ADM.SAPUSER β Password could be recovered
- 15. Direct access to Oracle database β ΠΠ΅Ρ Π°Π½ΠΈΠ·ΠΌ Remote_OS_Authentication β’ ΠΡΡΠ΅Π½ΡΠΈΡΠΈΠΊΠ°ΡΠΈΡ ΠΏΠΎ ΠΈΠΌΠ΅Π½ΠΈ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ Π² ΠΠ‘ β ΠΠ°ΡΠΎΠ»Ρ ΠΏΠΎΠ»ΡΠ·ΠΎΠ²Π°ΡΠ΅Π»Ρ SAPSR3 Ρ ΡΠ°Π½ΠΈΡΡΡ Π² ΡΠ°Π±Π»ΠΈΡΠ΅ OPS$<SID>ADM.SAPUSER β ΠΠ°ΡΠΎΠ»Ρ Π²ΠΎΠ·ΠΌΠΎΠΆΠ½ΠΎ ΡΠ°ΡΡΠΈΡΡΠΎΠ²Π°ΡΡ
- 17. Password Hijacking via a Network β Protocols: DIAG, RFC, HTTP β Tools: Wireshark, SAP DIAG plugin for Wireshark, Cain&Abel, SapCap
- 18. DIAG protocol
- 19. RFC protocol
- 21. Hacking Passwords β Algorithms: A, B, D, E, F, G, H, I (CODVN field) β Tables: USR02, USH02, USRPWDHISTORY β Tools: John the Ripper β Profile parameters: login/password_downwards_compatibility, login/password_charset
- 22. Cryptographic algorithms BCODE field PASSCODE field PWDSALTHEDHASH field A 8, upper, ASCII, username salt X B MD5, 8, upper, ASCII, username salt X D MD5, 8, upper, UTF-8, username salt X E MD5, 8 , upper, UTF-8, username salt X F SHA1, 40, UTF-8, username salt X G X X H SHA1,40, UTF-8, random salt X I X X X
- 23. USR02 table BNAME, BCODE, PASSCODE Fields
- 24. John the Ripper
- 26. Client Bypass β Use transaction ST04 β Use transaction SM49/SM69 β Create your own ABAP program
- 27. Transaction ST04
- 28. Transaction ST04
- 29. Transaction ST04
- 32. ABAP program β Source code: β Report results:
- 34. Access to other SAPs β Decrypt authentication data of RFC connection (0-day) β’ RSECTAB, RFCDES tables
- 35. Access to other SAPs
- 36. Access to other SAPs
- 37. Access to other SAPs
- 38. Access to other SAPs No data is shown by SE16
- 39. Access to other SAPs
- 40. Access to other SAPs
- 41. Access to other SAPs
- 42. Access to other SAPs
- 44. Hiding the Evidence of High Privileges (profile SAP_ALL) β Report RSUSR002 (transaction SUIM) β’ Use Reference User β’ Create a new profile ~ SAP_ALL, Profile1 + Profile2 + Profile3 ~ SAP_ALL β’ Create user β¦β¦β¦β¦ (0 day) β’ Change ABAP code of report RSUSR002 β’ Update table UST04
- 45. Reference User
- 46. Reference User
- 47. Reference User No user TEST1
- 48. Create a new profile
- 49. Create a new profile
- 50. Create a new profile SAP_0 = SAP_ALL
- 51. Create a new profile No user TEST4
- 52. User β¦β¦β¦β¦ (0 day) β ABAP code of RSUSR002 report:
- 53. User β¦β¦β¦β¦ (0 day) β ABAP code of RSUSR002 report:
- 54. User β¦β¦β¦β¦ (0 day) β ABAP code of RSUSR002 report: No user β¦β¦β¦β¦
- 55. Modification of RSUSR002 ABAP code β Insert a new string: DELETE userlist WHERE bname = β<USERNAME>β
- 56. Deletion of Profile Assignment from UST04 table Assignig profile SAP_ALL:
- 57. Deletion of Profile Assignment from UST04 table Assignig profile SAP_ALL:
- 58. Deletion of Profile Assignment from UST04 table Assignig profile SAP_ALL: No user TEST0
- 59. Deletion of Profile Assignment from UST04 table Assignig profile SAP_ALL:
- 60. Thank you for your attention! Dmitry Gutsko dgutsko@ptsecurity.ru