Dmitry Gutsko. SAP Attack Methodology


  1. SAP Attack Methodology
     Dmitry Gutsko
     Security expert
     Positive Technologies
     PHDays III
  2. Agenda
  3. SAP: Typical three-tier architecture
  4. SAP: Attack vectors
  5. Where to begin?
     ― Scan ports
       • 32xx
       • 33xx
       • 36xx
     ― Gather information about the system
       • Find available clients
       • Check for default passwords
       • Identify a database server
     ― Tools:
       • MaxPatrol (PenTest)
       • sapyto
       • console bruter by PT
  6. Clients
     SAP Application server: Client 000, Client 001, Client 066, Client 800
  7. Clients
     SAP Application server: Client 000, Client 001, Client 066, Client 800
  8. Clients
     SAP Application server: Client 000, Client 001, Client 066, Client 800
  9. Default passwords

     User account   Default password   Statistics
     SAP*           06071992           0%
     SAP*           PASS               25%
     DDIC           19920706           0%
     TMSADM         PASSWORD           25%
     TMSADM         $1Pawd2&           12,5%
     EARLYWATCH     SUPPORT            0%
     SAPCPIC        ADMIN              25%
  10. Default passwords

     User account   Default password   Usage statistics
     SAP*           06071992           0%
     SAP*           PASS               25% (сбер, Газ)
     DDIC           19920706           0%
     TMSADM         PASSWORD           25% (Ом, сбер)
     TMSADM         $1Pawd2&           12,5% (Газ)
     EARLYWATCH     SUPPORT            0%
     SAPCPIC        ADMIN              25% (Газ, сбер)
  11. Additional information (RFC_SYSTEM_INFO)
  12. Direct access to Oracle database
     ― Remote_OS_Authentication:
       • User authentication by OS login
     ― SAPSR3 user password is stored in table OPS$<SID>ADM.SAPUSER
     ― Password could be recovered
  13. Direct access to Oracle database
     ― Remote_OS_Authentication mechanism
       • Authentication by OS user name
     ― The SAPSR3 user password is stored in table OPS$<SID>ADM.SAPUSER
     ― The password can be decrypted
  14. Password Hijacking via a Network
     ― Protocols: DIAG, RFC, HTTP
     ― Tools: Wireshark, SAP DIAG plugin for Wireshark, Cain&Abel, SapCap
  15. DIAG protocol
  16. RFC protocol
  17. Hacking Passwords
     ― Algorithms: A, B, D, E, F, G, H, I (CODVN field)
     ― Tables: USR02, USH02, USRPWDHISTORY
     ― Tools: John the Ripper
     ― Profile parameters: login/password_downwards_compatibility, login/password_charset
  18. Cryptographic algorithms

     CODVN  Algorithm / format                    BCODE field  PASSCODE field  PWDSALTEDHASH field
     A      8, upper, ASCII, username salt        X
     B      MD5, 8, upper, ASCII, username salt   X
     D      MD5, 8, upper, UTF-8, username salt   X
     E      MD5, 8, upper, UTF-8, username salt   X
     F      SHA1, 40, UTF-8, username salt                     X
     G                                            X            X
     H      SHA1, 40, UTF-8, random salt                                       X
     I                                            X            X               X
  19. USR02 table
     BNAME, BCODE, PASSCODE fields
  20. John the Ripper
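Slides 17 to 20 describe which USR02 fields each password code version (CODVN) fills and which of them are the downward-compatible hashes that offline cracking targets. The defender's counterpart is an audit of a USR02 export that flags every account still carrying a BCODE or PASSCODE hash, rows whose fields disagree with their CODVN, and a profile parameter that keeps generating the legacy hashes. The script below is an added example written for this page, not code from the presentation: the CODVN-to-field mapping follows slide 18, the sample rows are constructed with placeholder strings instead of real hashes, and the reading of `login/password_downwards_compatibility` = 0 as "do not generate downward-compatible hashes" is an assumption to be checked against your kernel's documentation.

```python
"""Audit password hash code versions (CODVN) in an export of SAP table USR02.

Added example, not code from the presentation. The CODVN-to-field mapping
follows slide 18; the sample rows at the bottom are constructed and the hash
strings in them are placeholders, not real hashes.
"""
from __future__ import annotations

from dataclasses import dataclass

# Which hash fields each code version populates (slide 18).
CODVN_FIELDS = {
    "A": {"BCODE"},
    "B": {"BCODE"},
    "D": {"BCODE"},
    "E": {"BCODE"},
    "F": {"PASSCODE"},
    "G": {"BCODE", "PASSCODE"},
    "H": {"PWDSALTEDHASH"},
    "I": {"BCODE", "PASSCODE", "PWDSALTEDHASH"},
}
# The downward-compatible fields: username salt, uppercased / truncated input
# (slide 18); these are the hashes slide 17 lists as cracking targets.
LEGACY_FIELDS = {"BCODE", "PASSCODE"}


@dataclass
class Usr02Row:
    bname: str
    codvn: str
    bcode: str = ""
    passcode: str = ""
    pwdsaltedhash: str = ""


def _present(value: str) -> bool:
    """Treat an empty or all-zero field as an unused slot."""
    v = value.strip()
    return bool(v) and set(v) != {"0"}


def audit_row(row: Usr02Row) -> list[str]:
    """Findings for one USR02 row; an empty list means nothing to report."""
    version = row.codvn.strip().upper()
    expected = CODVN_FIELDS.get(version)
    if expected is None:
        return [f"unknown CODVN {row.codvn!r}"]
    populated = {
        name
        for name, value in (("BCODE", row.bcode), ("PASSCODE", row.passcode),
                            ("PWDSALTEDHASH", row.pwdsaltedhash))
        if _present(value)
    }
    findings = [f"{name} populated: downward-compatible hash (CODVN {version})"
                for name in sorted(populated & LEGACY_FIELDS)]
    if "PWDSALTEDHASH" not in populated:
        findings.append("no PWDSALTEDHASH: only legacy hashes protect this account")
    # Fields that disagree with the CODVN (a leftover BCODE after migration,
    # or a hand-edited record) deserve a look as well.
    if populated != expected:
        findings.append(f"fields {sorted(populated)} do not match CODVN {version} "
                        f"(expected {sorted(expected)})")
    return findings


def users_with_legacy_hash(rows: list[Usr02Row]) -> list[str]:
    """Users for whom BCODE or PASSCODE still holds a hash."""
    return sorted(r.bname for r in rows
                  if any("downward-compatible" in f for f in audit_row(r)))


def audit(rows: list[Usr02Row], downwards_compat: str) -> dict:
    """Audit all rows plus login/password_downwards_compatibility.

    Assumption (not stated on the slides): "0" is the value at which the
    system stops generating the downward-compatible hashes; any other value
    keeps BCODE/PASSCODE alive no matter how strong the salted hash is.
    """
    report: dict = {"users": {}, "parameters": []}
    for row in rows:
        findings = audit_row(row)
        if findings:
            report["users"][row.bname] = findings
    if downwards_compat.strip() != "0":
        report["parameters"].append(
            f"login/password_downwards_compatibility = {downwards_compat}: "
            "legacy hashes are still being generated")
    return report


# Constructed sample data: placeholder strings, not real hashes.
SAMPLE_ROWS = [
    Usr02Row("ADMIN", "B", bcode="5A1B2C3D4E5F6A7B"),
    Usr02Row("DEV1", "G", bcode="0F1E2D3C4B5A6978", passcode="A" * 40),
    Usr02Row("SEC", "H", bcode="0" * 16, passcode="0" * 40,
             pwdsaltedhash="SALTEDHASH-PLACEHOLDER"),
    Usr02Row("MIG", "I", bcode="1122334455667788", passcode="B" * 40,
             pwdsaltedhash="SALTEDHASH-PLACEHOLDER"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_ROWS, "1")
    for user, findings in report["users"].items():
        print(user, *findings, sep="\n  - ")
    for p in report["parameters"]:
        print("parameter:", p)
```

Run against a real export, the interesting output is the CODVN I rows: the account already has the random-salt hash, yet the legacy fields are still populated, so the stronger hash buys nothing until the downward-compatible ones are cleared and the parameter is set accordingly.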
  21. Client Bypass
     ― Use transaction ST04
     ― Use transaction SM49/SM69
     ― Create your own ABAP program
  22. Transaction ST04
  23. Transaction ST04
  24. Transaction ST04
  25. Transaction SM49/SM69
  26. Transaction SM49/SM69
  27. ABAP program
     ― Source code:
     ― Report results:
  28. Access to other SAPs
     ― Decrypt authentication data of RFC connection (0-day)
       • RSECTAB, RFCDES tables
  29. Access to other SAPs
  30. Access to other SAPs
  31. Access to other SAPs
  32. Access to other SAPs
     No data is shown by SE16
  33. Access to other SAPs
  34. Access to other SAPs
  35. Access to other SAPs
  36. Access to other SAPs
  37. Hiding the Evidence of High Privileges (profile SAP_ALL)
     ― Report RSUSR002 (transaction SUIM)
       • Use Reference User
       • Create a new profile ~ SAP_ALL, Profile1 + Profile2 + Profile3 ~ SAP_ALL
       • Create user ………… (0 day)
       • Change ABAP code of report RSUSR002
       • Update table UST04
  38. Reference User
  39. Reference User
  40. Reference User
     No user TEST1
  41. Create a new profile
  42. Create a new profile
  43. Create a new profile
     SAP_0 = SAP_ALL
  44. Create a new profile
     No user TEST4
  45. User ………… (0 day)
     ― ABAP code of RSUSR002 report:
  46. User ………… (0 day)
     ― ABAP code of RSUSR002 report:
  47. User ………… (0 day)
     ― ABAP code of RSUSR002 report:
     No user …………
  48. Modification of RSUSR002 ABAP code
     ― Insert a new line:
       DELETE userlist WHERE bname = '<USERNAME>'
  49. Deletion of Profile Assignment from UST04 table
     Assigning profile SAP_ALL:
  50. Deletion of Profile Assignment from UST04 table
     Assigning profile SAP_ALL:
  51. Deletion of Profile Assignment from UST04 table
     Assigning profile SAP_ALL:
     No user TEST0
  52. Deletion of Profile Assignment from UST04 table
     Assigning profile SAP_ALL:
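Slides 37 to 52 show several ways in which a user holding SAP_ALL can be kept out of the RSUSR002 report: inheriting it from a reference user, holding an equivalent profile under another name (SAP_0 = SAP_ALL), holding a set of partial profiles whose sum equals SAP_ALL, or altering the report code itself. The common lesson for a defender is not to trust the report and instead compute effective authorizations from the assignment data. The script below is an added example written for this page, not code from the presentation. It takes UST04 rows as (BNAME, PROFILE) pairs, a user-to-reference-user mapping (the slides do not name its source table, so it is assumed to be exported separately), and a profile-to-authorization mapping that is assumed to have been resolved from each profile's authorization list beforehand; all three inputs are constructed here, and the tiny SAP_ALL stands in for the real profile so the covering check can be followed by hand.

```python
"""Compute who effectively holds SAP_ALL from the assignment data itself,
instead of trusting the output of report RSUSR002.

Added example, not from the presentation. All inputs below are constructed:
  - UST04 rows as (BNAME, PROFILE) pairs (the table named on slide 49);
  - a user -> reference-user mapping (assumed exported separately; the
    slides do not name its table);
  - a profile -> set of authorization names mapping (assumed resolved from
    each profile's authorization list before this check runs).
"""
from __future__ import annotations


def direct_profiles(user: str, ust04: list[tuple[str, str]]) -> set[str]:
    """Profiles assigned to the user in UST04 itself."""
    return {profile for bname, profile in ust04 if bname == user}


def effective_profiles(user, ust04, refuser, _seen=None):
    """Direct profiles plus everything inherited via the reference-user chain.

    The chain is followed transitively; a cycle is cut instead of recursed into.
    """
    seen = set() if _seen is None else _seen
    if user in seen:
        return set()
    seen.add(user)
    profiles = direct_profiles(user, ust04)
    ref = refuser.get(user)
    if ref:
        profiles |= effective_profiles(ref, ust04, refuser, seen)
    return profiles


def effective_authorizations(user, ust04, refuser, profile_auths):
    """Union of the authorizations of every effective profile."""
    auths = set()
    for profile in effective_profiles(user, ust04, refuser):
        auths |= profile_auths.get(profile, set())
    return auths


def find_hidden_sap_all(ust04, refuser, profile_auths):
    """Users whose effective authorizations cover SAP_ALL although UST04
    holds no SAP_ALL row for them (the case the report would not show).

    Covers the reference-user, equivalent-profile and profile-sum cases
    from slide 37. Returns {user: {"profiles": [...], "reference_user": ...}}.
    """
    sap_all = profile_auths["SAP_ALL"]
    candidates = {bname for bname, _ in ust04} | set(refuser)
    hidden = {}
    for user in sorted(candidates):
        if "SAP_ALL" in direct_profiles(user, ust04):
            continue  # assigned openly; nothing is hidden here
        if sap_all <= effective_authorizations(user, ust04, refuser, profile_auths):
            hidden[user] = {
                "profiles": sorted(effective_profiles(user, ust04, refuser)),
                "reference_user": refuser.get(user),
            }
    return hidden


# Constructed sample data. Five authorization names stand in for the full
# SAP_ALL profile so that the covering check can be followed by hand.
PROFILE_AUTHS = {
    "SAP_ALL": {"S_TCODE", "S_TABU_DIS", "S_RFC", "S_USER_GRP", "S_DEVELOP"},
    "SAP_0": {"S_TCODE", "S_TABU_DIS", "S_RFC", "S_USER_GRP", "S_DEVELOP"},  # slide 43
    "Z_PART1": {"S_TCODE", "S_TABU_DIS"},
    "Z_PART2": {"S_RFC", "S_USER_GRP"},
    "Z_PART3": {"S_DEVELOP"},
    "Z_DISPLAY": {"S_TCODE"},
}
UST04 = [
    ("ADMIN", "SAP_ALL"),   # visible in the report
    ("REFADM", "SAP_ALL"),  # used only as a reference user
    ("TEST4", "SAP_0"),     # equivalent profile under another name
    ("TEST2", "Z_PART1"),   # three partial profiles summing to SAP_ALL
    ("TEST2", "Z_PART2"),
    ("TEST2", "Z_PART3"),
    ("READER", "Z_DISPLAY"),
]
REFUSER = {"TEST1": "REFADM"}  # TEST1 has no UST04 row of its own

if __name__ == "__main__":
    for user, info in find_hidden_sap_all(UST04, REFUSER, PROFILE_AUTHS).items():
        print(user, info)
```

Because the check reads the tables rather than the report, a modified RSUSR002 (slide 48) cannot influence it; the remaining blind spot is data removed from UST04 itself (slides 49 to 52), which is why the table exports used here should be taken from the database layer and compared against a previous snapshot.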
  53. Thank you for your attention!
     Dmitry Gutsko
     dgutsko@ptsecurity.ru
