Dmitry Gutsko. SAP Attack Methodology
    Presentation Transcript

    • SAP Attack Methodology. Dmitry Gutsko, Security expert, Positive Technologies. PHDays III
    • Agenda
    • SAP: Typical three-tier architecture
    • SAP: Attack vectors
    • Where to begin?
      ― Scan ports
        • 32xx (dispatcher, DIAG/SAP GUI)
        • 33xx (gateway, RFC)
        • 36xx (message server)
      ― Gather information about the system
        • Find available clients
        • Check for default passwords
        • Identify the database server
      ― Tools:
        • MaxPatrol (PenTest)
        • sapyto
        • console bruter by PT
    • Clients
      ― SAP Application server: Client 000, Client 001, Client 066 (delivered by SAP) and the customer client, here Client 800
    • Default passwords
      User account   Default password   Usage statistics
      SAP*           06071992           0%
      SAP*           PASS               25% (сбер, Газ)
      DDIC           19920706           0%
      TMSADM         PASSWORD           25% (Ом, сбер)
      TMSADM         $1Pawd2&           12.5% (Газ)
      EARLYWATCH     SUPPORT            0%
      SAPCPIC        ADMIN              25% (Газ, сбер)
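The two reconnaissance slides above (port scan, client and default-password checks) as a small added script; this is not code from the talk or from the tools it names. It parses a constructed `nmap -oG` line, attributes the open 32NN/33NN/36NN ports to SAP instance numbers, and builds the (client, user, password) matrix from the default-password table. The function names, the sample host 192.0.2.10 and the port/service labels are my own.

```python
"""Added example: SAP recon helpers (not from the talk)."""
import re

# Port bases of the three services the slide says to scan for; NN = instance number.
PORT_BASES = {3200: "dispatcher (DIAG)", 3300: "gateway (RFC)", 3600: "message server"}

# Default accounts and passwords from the "Default passwords" slide.
DEFAULT_CREDS = [
    ("SAP*", "06071992"), ("SAP*", "PASS"),
    ("DDIC", "19920706"),
    ("TMSADM", "PASSWORD"), ("TMSADM", "$1Pawd2&"),
    ("EARLYWATCH", "SUPPORT"),
    ("SAPCPIC", "ADMIN"),
]

# Constructed sample: one host line in `nmap -oG` (grepable) format, not a real scan.
SAMPLE_NMAP_OG = (
    "Host: 192.0.2.10 ()\tPorts: 3201/open/tcp//sapv1///, "
    "3301/open/tcp//sapgateway///, 3601/open/tcp//sap-msg///, "
    "3299/open/tcp//saprouter///, 8001/open/tcp//http-alt///\tIgnored State: closed (995)"
)


def open_ports(og_line):
    """Parse one grepable nmap line into (host, [open TCP ports])."""
    host = re.search(r"Host:\s+(\S+)", og_line).group(1)
    ports = [int(m.group(1)) for m in re.finditer(r"(\d+)/open/tcp", og_line)]
    return host, ports


def sap_instances(ports):
    """Map instance number -> list of SAP services seen on its ports.

    An open port 32NN, 33NN or 36NN is attributed to instance NN.  3299 is the
    SAProuter port, not the dispatcher of an instance 99, so it is excluded.
    """
    found = {}
    for port in sorted(ports):
        base, nn = port - port % 100, port % 100
        if base in PORT_BASES and port != 3299:
            found.setdefault(nn, []).append(PORT_BASES[base])
    return found


def credential_matrix(clients, creds=DEFAULT_CREDS):
    """All (client, user, password) triples to try, one logon attempt each.

    Clients 000, 001 and 066 are delivered by SAP; customer clients (800 on the
    slides) have to be discovered, e.g. by trying logons with other client numbers.
    """
    return [(client, user, pw) for client in clients for user, pw in creds]


if __name__ == "__main__":
    host, ports = open_ports(SAMPLE_NMAP_OG)
    print(host, sap_instances(ports))
    for triple in credential_matrix(["000", "001", "066", "800"]):
        print(triple)
```

Feed the matrix to whatever DIAG/RFC logon tool you use one attempt at a time: SAP locks an account after a small number of failed logons (profile parameter login/fails_to_user_lock), so a blind brute force against SAP* or DDIC mostly produces locked accounts and a log entry, not access.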
    • Additional information (RFC_SYSTEM_INFO): the RFC function RFC_SYSTEM_INFO returns host name, system ID, database host, operating system and kernel release of the target
    • Direct access to the Oracle database
      ― Remote_OS_Authentication: the database trusts the operating-system user name presented by the client
      ― The password of the SAPSR3 user is stored in table OPS$<SID>ADM.SAPUSER
      ― The password can be recovered (decrypted)
    • Password hijacking via the network
      ― Protocols: DIAG, RFC, HTTP
      ― Tools: Wireshark, SAP DIAG plugin for Wireshark, Cain & Abel, SapCap
      ― DIAG and RFC traffic is compressed but not encrypted unless SNC is configured (HTTP unless TLS is used), so a sniffer on the path recovers logon data after decompression
    • DIAG protocol
    • RFC protocol
    • Hacking passwords
      ― Algorithms: A, B, D, E, F, G, H, I (CODVN field of USR02)
      ― Tables: USR02, USH02 (change history of USR02), USRPWDHISTORY (password history; old hashes are often of a weaker CODVN)
      ― Tools: John the Ripper
      ― Profile parameters: login/password_downwards_compatibility, login/password_charset
    • Cryptographic algorithms
      CODVN   Hash, max. length, case, charset, salt               Stored in field
      A       8 chars, upper-cased, ASCII, user name as salt        BCODE
      B       MD5, 8 chars, upper-cased, ASCII, user name as salt   BCODE
      D       MD5, 8 chars, upper-cased, UTF-8, user name as salt   BCODE
      E       MD5, 8 chars, upper-cased, UTF-8, user name as salt   BCODE
      F       SHA-1, 40 chars, UTF-8, user name as salt             PASSCODE
      G       both B and F                                          BCODE, PASSCODE
      H       SHA-1, 40 chars, UTF-8, random salt                   PWDSALTEDHASH
      I       B, F and H                                            BCODE, PASSCODE, PWDSALTEDHASH
    • USR02 table: BNAME, BCODE, PASSCODE fields
    • John the Ripper
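The hash-table and John the Ripper slides together, as an added example that is not part of the talk: a converter that turns a USR02 extract into John input, always picking the weakest hash a row still carries (BCODE before PASSCODE before PWDSALTEDHASH), because login/password_downwards_compatibility can leave the 8-character upper-cased BCODE next to a modern salted hash. The sample rows are constructed and the hash values are placeholders; the John format names sapb, sapg and saph are the real ones, the function names and the CSV layout are mine.

```python
"""Added example: route USR02 hashes to John the Ripper formats by CODVN (not from the talk)."""
import csv
import io

# Constructed USR02 extract. Hash values are placeholders of the right shape, not real hashes.
USR02_CSV = """MANDT,BNAME,CODVN,BCODE,PASSCODE,PWDSALTEDHASH
800,ALICE,B,0123456789ABCDEF,,
800,BOB,F,,0123456789ABCDEF0123456789ABCDEF01234567,
800,CAROL,H,,,"{x-issha, 1024}bm90LWEtcmVhbC1oYXNo"
800,DAVE,I,FEDCBA9876543210,76543210FEDCBA9876543210FEDCBA9876543210,"{x-issha, 1024}c3RpbGwtbm90LXJlYWw="
800,ERIN,A,0011223344556677,,
"""

# Hash columns in order of preference (weakest first) and the John format that cracks them.
# CODVN A (the pre-MD5 scheme) has no John format; such rows are reported, not cracked.
FORMATS = [("BCODE", "sapb"), ("PASSCODE", "sapg"), ("PWDSALTEDHASH", "saph")]


def john_line(row):
    """Return (john_format, input_line) for the weakest hash present in a USR02 row, or None."""
    user = row["BNAME"].upper()
    if row["CODVN"] == "A":
        return None
    for field, fmt in FORMATS:
        value = (row[field] or "").strip()
        if value:
            # sapB/sapG hashes are salted with the user name, so John wants "USER$HASH";
            # a saph hash carries its random salt inside the base64 blob.
            ciphertext = value if fmt == "saph" else f"{user}${value}"
            return fmt, f"{user}:{ciphertext}"
    return None


def build_john_inputs(csv_text):
    """Split a USR02 extract into one list of John lines per format, plus the users skipped."""
    out = {fmt: [] for _, fmt in FORMATS}
    skipped = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = john_line(row)
        if result is None:
            skipped.append(row["BNAME"])
        else:
            out[result[0]].append(result[1])
    return out, skipped


def downwards_compatible_users(csv_text):
    """Users with CODVN G or I that still carry a BCODE next to the newer hash: this is what
    login/password_downwards_compatibility buys an attacker, an 8-character MD5 target."""
    return [row["BNAME"] for row in csv.DictReader(io.StringIO(csv_text))
            if row["CODVN"] in ("G", "I") and (row["BCODE"] or "").strip()]


if __name__ == "__main__":
    inputs, skipped = build_john_inputs(USR02_CSV)
    for fmt, lines in inputs.items():
        print(f"# john --format={fmt} {fmt}.txt")
        print("\n".join(lines))
    print("skipped (no cracker for CODVN A):", skipped)
    print("downwards-compatible hashes kept for:", downwards_compatible_users(USR02_CSV))
```

Write each list to its own file and run `john --format=sapb`, `--format=sapg` or `--format=saph` on it. Remember that BCODE is computed from the password upper-cased and truncated to 8 characters, so a wordlist in upper case and a mask of 8 characters cover that keyspace; the same password recovered from BCODE is then usually the full-length one for PASSCODE/PWDSALTEDHASH up to case.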
    • Client bypass (reading other clients' data from the client you are logged on to)
      ― Use transaction ST04 (DBA Cockpit; its SQL command editor runs native SQL with no client filter)
      ― Use transaction SM49/SM69 (define and execute external operating-system commands)
      ― Create your own ABAP program (native SQL, or Open SQL with CLIENT SPECIFIED)
    • Transaction ST04
    • Transaction SM49/SM69
    • ABAP program
      ― Source code:
      ― Report results:
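The client-bypass slides make one point: the client (MANDT) is a column, not a boundary, and it is only enforced by the Open SQL layer. The added example below, which is not from the talk, simulates that with sqlite3: the same constructed USR02 table queried the way ABAP Open SQL queries it (with the implicit `WHERE mandt = sy-mandt`) and the way the ST04 SQL editor, a direct database logon or `CLIENT SPECIFIED` query it. Table rows, hashes and function names are mine.

```python
"""Added example: client filter vs. native SQL, simulated in sqlite3 (not from the talk)."""
import sqlite3

# Constructed USR02 rows for four clients. Hashes are placeholders, not real.
USR02_ROWS = [
    ("000", "SAP*", "B", "0000000000000000"),
    ("001", "DDIC", "B", "1111111111111111"),
    ("066", "EARLYWATCH", "B", "6666666666666666"),
    ("800", "ALICE", "H", "8888888888888888"),
]


def make_db():
    """In-memory stand-in for the SAP schema with only the columns the demo needs."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USR02 (MANDT TEXT, BNAME TEXT, CODVN TEXT, BCODE TEXT)")
    con.executemany("INSERT INTO USR02 VALUES (?, ?, ?, ?)", USR02_ROWS)
    return con


def open_sql_select(con, client):
    """What ABAP Open SQL returns for 'SELECT mandt bname FROM usr02':
    the kernel appends 'WHERE mandt = sy-mandt' to every client-dependent table."""
    return con.execute(
        "SELECT MANDT, BNAME FROM USR02 WHERE MANDT = ? ORDER BY MANDT", (client,)
    ).fetchall()


def native_sql_select(con):
    """What the ST04 SQL editor, a direct database logon, or ABAP with
    'CLIENT SPECIFIED' sees: the whole table, every client's logon data."""
    return con.execute("SELECT MANDT, BNAME FROM USR02 ORDER BY MANDT").fetchall()


def foreign_clients(con, client):
    """Clients other than the logon client that hold user master data."""
    rows = con.execute(
        "SELECT DISTINCT MANDT FROM USR02 WHERE MANDT <> ? ORDER BY MANDT", (client,)
    ).fetchall()
    return [mandt for (mandt,) in rows]


if __name__ == "__main__":
    db = make_db()
    print("Open SQL from client 800:", open_sql_select(db, "800"))
    print("Native SQL:", native_sql_select(db))
    print("Other clients with users:", foreign_clients(db, "800"))
```

The practical consequence for defenders is that authorizations on SE16/SM30 (S_TABU_DIS, S_TABU_CLI) do nothing against ST04's SQL editor, SM49/SM69 OS commands or a developer key: restrict those transactions and the OS/database accounts behind them, and treat every client's USR02 as compromised once any one client yields native SQL.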
    • Access to other SAP systems
      ― Decrypt the authentication data of RFC destinations (0-day)
        • Tables RSECTAB (secure storage) and RFCDES (RFC destinations)
      ― No data is shown by SE16 for this table
    • Hiding the evidence of high privileges (profile SAP_ALL)
      ― Report RSUSR002 (transaction SUIM), the usual way to list users with SAP_ALL, can be evaded by:
        • Using a reference user
        • Creating a new profile ~ SAP_ALL: Profile1 + Profile2 + Profile3 ~ SAP_ALL
        • Creating user ………… (0-day)
        • Changing the ABAP code of report RSUSR002
        • Updating table UST04
    • Reference user: RSUSR002 finds no user TEST1
    • Create a new profile: SAP_0 = SAP_ALL; RSUSR002 finds no user TEST4
    • User ………… (0-day)
      ― ABAP code of the RSUSR002 report: no user …………
    • Modification of the RSUSR002 ABAP code
      ― Insert a new line: DELETE userlist WHERE bname = '<USERNAME>'
    • Deletion of the profile assignment from table UST04
      ― Assigning profile SAP_ALL, then deleting the row from UST04: RSUSR002 finds no user TEST0
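The first two evasions (reference user, profile split into SAP_0 = Profile1 + Profile2 + Profile3) work because the check looks for the profile name SAP_ALL. The added audit below, which is not part of the talk, compares authorizations instead of names: it expands composite profiles and follows reference users, then flags every user whose effective authorization set covers SAP_ALL's. Table names follow SAP (UST04 user-profile assignment, UST10C composite profiles, UST10S single profiles, USREFUS reference users) but all rows are constructed, with three authorization objects standing in for the full SAP_ALL; dictionary and function names are mine.

```python
"""Added example: find effective SAP_ALL through reference users and composites (not from the talk)."""
from typing import Dict, Set, Tuple

Auth = Tuple[str, str]  # (authorization object, authorization name)

# Constructed rows. Real SAP_ALL carries an '&_SAP_ALL' authorization for every object;
# three objects are enough to show the logic.
UST10S: Dict[str, Set[Auth]] = {                 # single profile -> authorizations
    "SAP_ALL": {("S_TCODE", "&_SAP_ALL"), ("S_USER_GRP", "&_SAP_ALL"), ("S_TABU_DIS", "&_SAP_ALL")},
    "Z_P1": {("S_TCODE", "&_SAP_ALL")},
    "Z_P2": {("S_USER_GRP", "&_SAP_ALL")},
    "Z_P3": {("S_TABU_DIS", "&_SAP_ALL")},
    "Z_READ": {("S_TABU_DIS", "Z_DISPLAY")},
}
UST10C: Dict[str, Set[str]] = {"SAP_0": {"Z_P1", "Z_P2", "Z_P3"}}   # composite -> sub-profiles
UST04: Dict[str, Set[str]] = {                   # user -> directly assigned profiles
    "ADMIN": {"SAP_ALL"},
    "TEST1": set(),            # nothing assigned directly ...
    "TEST4": {"SAP_0"},        # Profile1 + Profile2 + Profile3 ~ SAP_ALL
    "AUDITOR": {"Z_READ"},
}
USREFUS: Dict[str, str] = {"TEST1": "ADMIN"}     # ... but TEST1 inherits ADMIN's authorizations


def expand_profile(profile: str, seen=None) -> Set[Auth]:
    """Authorizations of a profile, recursing through composite profiles."""
    seen = set() if seen is None else seen
    if profile in seen:                          # guard against cyclic composites
        return set()
    seen.add(profile)
    auths = set(UST10S.get(profile, ()))
    for sub in UST10C.get(profile, ()):
        auths |= expand_profile(sub, seen)
    return auths


def effective_auths(user: str, seen=None) -> Set[Auth]:
    """Authorizations a user actually gets: own profiles plus the reference user's."""
    seen = set() if seen is None else seen
    if user in seen:                             # guard against reference-user loops
        return set()
    seen.add(user)
    auths: Set[Auth] = set()
    for profile in UST04.get(user, ()):
        auths |= expand_profile(profile)
    ref = USREFUS.get(user)
    if ref:
        auths |= effective_auths(ref, seen)
    return auths


def sap_all_by_profile_name():
    """The check the slides evade: who has a profile literally named SAP_ALL in UST04."""
    return sorted(u for u, profiles in UST04.items() if "SAP_ALL" in profiles)


def sap_all_effective():
    """Who ends up with every authorization SAP_ALL grants, however it was assigned."""
    target = expand_profile("SAP_ALL")
    return sorted(u for u in UST04 if effective_auths(u) >= target)


if __name__ == "__main__":
    print("by profile name:", sap_all_by_profile_name())
    print("effective:      ", sap_all_effective())
```

Run it against tables extracted with native SQL, not through a report on the system itself: the last two evasions on the slides (a patched RSUSR002, a deleted UST04 row) defeat any check that trusts the report or only the assignment table, so compare the result with what users actually hold at logon (transaction SU56 shows the user buffer) and diff the RSUSR002 source against the delivered version.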
    • Thank you for your attention! Dmitry Gutsko, dgutsko@ptsecurity.ru