Dmitry Gutsko. SAP Attack Methodology


Transcript

  • 1. SAP Attack Methodology. Dmitry Gutsko, Security expert, Positive Technologies. PHDays III
  • 2. Agenda
  • 3. SAP: Typical three-tier architecture
  • 4. SAP: Attack vectors
  • 5. Where to begin?
    ― Scan ports: 32xx, 33xx, 36xx
    ― Gather information about the system: find available clients; check for default passwords; identify a database server
    ― Tools: MaxPatrol (PenTest), sapyto, console bruter by PT
  • 6. Clients. SAP Application server: Client 000, Client 001, Client 066, Client 800
  • 7. Clients. SAP Application server: Client 000, Client 001, Client 066, Client 800
  • 8. Clients. SAP Application server: Client 000, Client 001, Client 066, Client 800
  • 9. Default passwords (user account: default password, statistics)
    ― SAP*: 06071992 (0%), PASS (25%)
    ― DDIC: 19920706 (0%)
    ― TMSADM: PASSWORD (25%), $1Pawd2& (12,5%)
    ― EARLYWATCH: SUPPORT (0%)
    ― SAPCPIC: ADMIN (25%)
  • 10. Default passwords (user account: default password, usage statistics)
    ― SAP*: 06071992 (0%), PASS (25%, сбер, Газ)
    ― DDIC: 19920706 (0%)
    ― TMSADM: PASSWORD (25%, Ом, сбер), $1Pawd2& (12,5%, Газ)
    ― EARLYWATCH: SUPPORT (0%)
    ― SAPCPIC: ADMIN (25%, Газ, сбер)
  • 11. Additional information (RFC_SYSTEM_INFO)
  • 12. Direct access to Oracle database
    ― Remote_OS_Authentication
      • User authentication by OS login
    ― SAPSR3 user password is stored in table OPS$<SID>ADM.SAPUSER
    ― Password could be recovered
  • 13. Direct access to Oracle database
    ― Remote_OS_Authentication mechanism
      • Authentication by the user's OS login name
    ― The SAPSR3 user password is stored in the table OPS$<SID>ADM.SAPUSER
    ― The password can be decrypted
  • 14. Password Hijacking via a Network
    ― Protocols: DIAG, RFC, HTTP
    ― Tools: Wireshark, SAP DIAG plugin for Wireshark, Cain&Abel, SapCap
  • 15. DIAG protocol
  • 16. RFC protocol
  • 17. Hacking Passwords
    ― Algorithms: A, B, D, E, F, G, H, I (CODVN field)
    ― Tables: USR02, USH02, USRPWDHISTORY
    ― Tools: John the Ripper
    ― Profile parameters: login/password_downwards_compatibility, login/password_charset
  • 18. Cryptographic algorithms (per CODVN: hash parameters; which of the BCODE, PASSCODE and PWDSALTEDHASH fields are populated)
    ― A: 8, upper, ASCII, username salt; BCODE
    ― B: MD5, 8, upper, ASCII, username salt; BCODE
    ― D: MD5, 8, upper, UTF-8, username salt; BCODE
    ― E: MD5, 8, upper, UTF-8, username salt; BCODE
    ― F: SHA1, 40, UTF-8, username salt; PASSCODE
    ― G: BCODE, PASSCODE
    ― H: SHA1, 40, UTF-8, random salt; PWDSALTEDHASH
    ― I: BCODE, PASSCODE, PWDSALTEDHASH
  • 19. USR02 table: BNAME, BCODE, PASSCODE fields
  • 20. John the Ripper
  • 21. Client Bypass
    ― Use transaction ST04
    ― Use transaction SM49/SM69
    ― Create your own ABAP program
  • 22. Transaction ST04
  • 23. Transaction ST04
  • 24. Transaction ST04
  • 25. Transaction SM49/SM69
  • 26. Transaction SM49/SM69
  • 27. ABAP program
    ― Source code:
    ― Report results:
  • 28. Access to other SAPs
    ― Decrypt authentication data of RFC connection (0-day)
      • RSECTAB, RFCDES tables
  • 29. Access to other SAPs
  • 30. Access to other SAPs
  • 31. Access to other SAPs
  • 32. Access to other SAPs. No data is shown by SE16
  • 33. Access to other SAPs
  • 34. Access to other SAPs
  • 35. Access to other SAPs
  • 36. Access to other SAPs
  • 37. Hiding the Evidence of High Privileges (profile SAP_ALL)
    ― Report RSUSR002 (transaction SUIM)
      • Use Reference User
      • Create a new profile ~ SAP_ALL: Profile1 + Profile2 + Profile3 ~ SAP_ALL
      • Create user ………… (0 day)
      • Change ABAP code of report RSUSR002
      • Update table UST04
  • 38. Reference User
  • 39. Reference User
  • 40. Reference User. No user TEST1
  • 41. Create a new profile
  • 42. Create a new profile
  • 43. Create a new profile. SAP_0 = SAP_ALL
  • 44. Create a new profile. No user TEST4
  • 45. User ………… (0 day)
    ― ABAP code of RSUSR002 report:
  • 46. User ………… (0 day)
    ― ABAP code of RSUSR002 report:
  • 47. User ………… (0 day)
    ― ABAP code of RSUSR002 report: No user …………
  • 48. Modification of RSUSR002 ABAP code
    ― Insert a new line: DELETE userlist WHERE bname = '<USERNAME>'
  • 49. Deletion of Profile Assignment from UST04 table. Assigning profile SAP_ALL:
  • 50. Deletion of Profile Assignment from UST04 table. Assigning profile SAP_ALL:
  • 51. Deletion of Profile Assignment from UST04 table. Assigning profile SAP_ALL: No user TEST0
  • 52. Deletion of Profile Assignment from UST04 table. Assigning profile SAP_ALL:
  • 53. Thank you for your attention! Dmitry Gutsko, dgutsko@ptsecurity.ru
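An added defender-side audit example, not code from the slides or from Positive Technologies, that turns the default-password table (slide 9) and the CODVN table (slide 18) into a check over a constructed USR02 export: it flags the well-known default accounts, rows that still carry the downwards-compatible BCODE/PASSCODE hashes that slides 17 to 20 show being cracked with John the Ripper, and rows whose populated hash fields do not match their CODVN. The Usr02Row type, the finding codes and the sample rows are assumptions made for the example.

```python
from dataclasses import dataclass

# Which USR02 hash fields each CODVN value populates, as listed on slide 18.
CODVN_FIELDS = {
    "A": {"BCODE"}, "B": {"BCODE"}, "D": {"BCODE"}, "E": {"BCODE"},
    "F": {"PASSCODE"}, "G": {"BCODE", "PASSCODE"},
    "H": {"PWDSALTEDHASH"}, "I": {"BCODE", "PASSCODE", "PWDSALTEDHASH"},
}
# Default accounts from the default-password table on slide 9.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "TMSADM", "EARLYWATCH", "SAPCPIC"}

@dataclass
class Usr02Row:
    """Subset of USR02 columns used by the audit (hypothetical helper type)."""
    mandt: str      # client
    bname: str      # user name
    codvn: str      # password hash code version
    bcode: str = ""
    passcode: str = ""
    pwdsaltedhash: str = ""

def audit_usr02(rows):
    """Return (client, user, finding-code) tuples; an empty list means nothing to report."""
    findings = []
    for r in rows:
        expected = CODVN_FIELDS.get(r.codvn)
        if expected is None:
            findings.append((r.mandt, r.bname, "UNKNOWN_CODVN"))
            continue
        populated = {name for name, value in (("BCODE", r.bcode), ("PASSCODE", r.passcode),
                                               ("PWDSALTEDHASH", r.pwdsaltedhash)) if value}
        if populated != expected:
            # e.g. CODVN H but an old BCODE still stored: a leftover downwards-compatible hash
            findings.append((r.mandt, r.bname, "FIELD_MISMATCH"))
        if populated & {"BCODE", "PASSCODE"}:
            # the upper-cased, username-salted hashes that login/password_downwards_compatibility keeps
            findings.append((r.mandt, r.bname, "LEGACY_HASH"))
        if r.bname in DEFAULT_ACCOUNTS:
            findings.append((r.mandt, r.bname, "DEFAULT_ACCOUNT"))
    return findings

# Constructed sample export; hash values are placeholders, not real hashes.
SAMPLE_ROWS = [
    Usr02Row("000", "SAP*", "H", pwdsaltedhash="placeholder-salted-hash"),
    Usr02Row("800", "TMSADM", "B", bcode="0123456789ABCDEF"),
    Usr02Row("800", "JDOE", "I", bcode="FEDCBA9876543210", passcode="A" * 40,
             pwdsaltedhash="placeholder-salted-hash"),
    Usr02Row("800", "ASMITH", "H", bcode="0011223344556677", pwdsaltedhash="placeholder-salted-hash"),
]
```

A finding for a default account only says the account exists in that client; whether its password was changed still has to be verified separately, since the export carries hashes, not passwords.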