SAP hands on lab_en


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

SAP hands on lab_en

  1. 1. Hands-on LabSAP security analysis Alexey Yudin Positive Technologies
  2. 2. LABS Service discovery. Get information. Remote password brute force. Authentication data capture (RFC/DIAG). Authorization bypass. VBA+RFC. Privileges analysis. Access to user password hashes. “Offline” password brute force. Get data from another mandant. Access to OS files. Run OS commands.
  4. 4. Tools Nmap RFCSDK/NWRFCSDK Vbs/Python SAP Frontend 7.20
  5. 5. Scenario Scan ports Get service information Mandant discovery Account brute force (RFC) Account brute force (GUI)
  6. 6. Port scanning Search for SAP systems • SAP DIAG - 32xx-3299 TCP • SAP RFC - 33xx-3399 TCP • ICM HTTP - 80xx TCP • Message Server HTTP -81xx • HTTP – 5xxxx OS • SSH/Telnet/Rlogin – 22/23/512-514 DBMS • Oracle 1521-1530
  7. 7. Automation. SAP RFCSDK. SAP RFCSDK is a library used for application development that communicate with a SAP system via SAP RFC protocol. It includes a utility for testing RFC - Startrfc.exe. It helps to integrate the system with PHP, Perl, VB, С++, Python.
  8. 8. StartRFC.exe
  9. 9. StartRFC.exe. Get information.
  10. 10. StartRFC.exe. Mandant discovery and password bruteforce. Mandant discovery Account brute force
  11. 11. Default accounts SAP* - 06071992 SAP* - PASS DDIC – 19920706 SAPCPIC – ADMIN EARLYWATCH - SUPPORT TMSADM – PASSWORD
  12. 12. SAPGUI Scripting By default, scripting enabled in SAP Frontend. Knowledge of VBS is enough for password brute force. Enable sapgui_userscripting on server side for SAP automation. You can use VBS/JScript.
  13. 13. SAPGUI Scripting. VBS An example how to brute force passwords via DIAG You can use function OpenConnectionByConnectionString Add credentials to appropriate fields - findById Check script results (error/no error) Display the result
  14. 14. VBS example
  15. 15. Usage of Python An example how to get data from SAP structures An example how to get data from SAP tables You need RFC SDK, С/C++ compiler, NWRFC for Python Check the results (error/no error) Display the results in console or print to a file
  16. 16. Python example
  17. 17. DATA CAPTURE
  18. 18. Tools Wireshark SAP DIAG plugin for Wireshark Microsoft Excel + VBA
  19. 19. Password capture Password capture with DIAG protocol • Wireshark plugin SAP DIAG Decompress (2011) ( • SApCap (2011) ( • Cain&Abel (2011) ( Password capture with RFC protocol • Attacking SAP by Mariano Nuñez Di Croce ( 07/Nunez-Di-Croce/Presentation/bh-eu-07- nunez_di_croce-apr19.pdf)
  20. 20. DIAG password capture
  21. 21. RFC data capture Passwords are sent in encoding form Obfuscation algorithm – XOR The key for password recovery 31 3e c3 60 e1 06 4e 3f 6b 48 c8 12 f5 fc 20 3c 89 61 2f f1 ef 2e af f3 bd ec 7e 25 b6 a0 71 83 a3 ea 7f ec 09 8a 40 21
  22. 22. RFC password capture
  23. 23. Usage of VBA An example how to get data from SAP structures An example how to get data from SAP tables You need SAP GUI or.ocx components for import Check the results (error/no error) Show the results in Excel format
  24. 24. VBA example
  26. 26. Tools SAP Frontend Perl John the Ripper. Сommunity Enhanced
  27. 27. Privilege analysis You find an account. Try to log in If login is successful, analyze its privileges (at the first time, run transaction SA38/SE38/SE16/SE17/ST04) Check your rights and privileges via RSUSR002
  28. 28. RSUSR002
  29. 29. Collect password hashes Tables with hashes: USR02,USH02,USRPWDHISTORY How to get data: • SE16/SE16N/SE17 • ST04/SQL Command Editor • RFC • Database Level… • OS Level/get data from a OS file Tools: SAPGUI, MIL Read Table, VBS, SQLplus ….
  30. 30. SE16
  31. 31. ST04.SQL Command Editor
  32. 32. Get data using program run directly SA38/SE38 Using SE93 transaction Open table STSC and get name of program. Choose fields for the results. SA38/SE38 run the program directly.
  33. 33. ST04.SQL Command Editor
  34. 34. ST04.SQL Command Editor
  35. 35. Get data from tables via SQ01/SQ02 Create new InfoSet (table) with SQ02 transaction Run SQ01 transaction, choose the created dataset. Choose fields for the results. Run the report, get results.
  36. 36. SQ01/SQ02
  37. 37. SQ01/SQ02
  38. 38. SQ01/SQ02
  39. 39. SQ01/SQ02
  40. 40. SQ01/SQ02
  41. 41. SQ01/SQ02
  42. 42. Vulnerabilities in hash algorithms CODVN A is an out-of-date algorithm developed by SAP – password length <=8, characters in UPPERCASE CODVN B is an out-of-date algorithm based on MD5, password length <=8, remaining part of passwords is discarded, all characters are in UPPERCASE, special characters are replaced by ^
  43. 43. Vulnerabilities in hash algorithms CODVN D is an out-of-date algorithm aimed to improve B algorithm: especially password reduction and the usage of special characters. CODVN E was developed to replace passwords B and D and aimed to eliminated their problems. Versions from 4.6x to 6.x include it. • SAP Note 874738 - New password hash calculation procedure (code version E)
  44. 44. Vulnerabilities in hash algorithms CODVN F is now the most widely used hash algorithm based on SHA1, password length is up to 40 characters, strings are converted into UTF-8 before hashing, therefore you can use almost any character. Versions starting 7.00 include it.
  45. 45. Vulnerabilities in hash algorithms CODVN G = B+F – firstly you can brute force a part of password of 8 characters long via B algorithm, and then use this part to brute force the password via G algorithm. Versions starting 7.00 include it.
  46. 46. Vulnerabilities in hash algorithms CODVN H is the most secure hash algorithm based on SHA1 with variable salt length. Versions starting 7.02 include it. CODVN I = B+F+H – the same problems G The rate of password brute force • up to 700 000 passwords per second for CODVN B • up to 300 000 passwords per second for CODVN G
  47. 47. John The Ripper. Community Enhanced John the Ripper 1.7.9-jumbo-5 enables analysis of hash algorithms for SAP passwords of B and F types. Password dictionaries Openwall wordlists collection full version - paid download You can parallel tasks among several CPUs.
  48. 48. Testing of passwords Download USR02 (fields BNAME/BCODE/PASSCODE) Create files in username:username<spaces to 40 bytes>$HASHCODE format Choose a dictionary or create your own Run john the ripper
  49. 49. Results of testing
  51. 51. Directory Listing. Run AL11 transaction Using SE37 for running functional module. Using CG3Y/CG3Z transaction.
  52. 52. Directory Listing
  53. 53. Directory Listing
  54. 54. Directory Listing
  55. 55. Directory Listing
  56. 56. Run OS commands Run SM51 transaction Type grep in transaction field Type text like nnn” ? & <OS command> &
  57. 57. Run OS commands
  58. 58. Run OS commands
  59. 59. Run OS commands
  60. 60. Run OS commands Run SM49/SM69 transaction. Create your own start options. Run with necessary options. You can save the results locally.
  61. 61. Run OS commands
  62. 62. Run OS commands
  63. 63. Run OS commands
  64. 64. Run OS commands Run SA38 transaction Load RSBDCOS0 program Type OS program in the field Check the results.
  65. 65. Run OS commands
  66. 66. Run OS commands
  67. 67. Thank you for yourattention!Alexey