Hashdays Conference (29th Oct. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
SecZone 2011 - Cali, Colombia
(29th Nov. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
------
Note
------
This is a slightly updated version of my Hashdays 2011 talk.
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
9. “…the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers.”
10. Other people describe them as…
“…the world's leading repository of business critical information, SAP (which stands for "Security Ain't [our] Problem") delivers products and services that help attackers gain access to critical enterprise data.”
15. So Many Reasons
Vulnerabilities are a part of it!
Every system has its vulnerabilities
SAP installations often fall to the business
Not an operations problem
Financial data should be handled by the business
Security team never gets close to it!
16. “YOU CAN'T TEST THAT, IT'S BUSINESS CRITICAL!”
UNKNOWN PROJECT MANAGER
21. SAP MC Communications
Default port 5<instance>13/14
50013 HTTP
50014 HTTPS
Can use SSL
If it's configured
More on this later!
22. SAP MC Communications
Uses Basic auth for some functions
Yes... It's 2011
Yes... Companies still use Basic Auth
Most functions don't even use that!
30. Information is king
Version information
Sure, HTTP headers give that!
Nothing new here... mostly
Down to the patch-level
Can you say “targeted attack”
32. Version Information
msf auxiliary(sap_mgmt_con_version) > show options
Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS   172.16.15.128    yes       The target address range
   RPORT    50013            yes       The target port
   THREADS  1                yes       The number of threads
   URI      /                no        Path to the SAP MC
   VHOST                     no        HTTP server virtual host
34. Version Information
msf auxiliary(sap_mgmt_con_version) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
36. Information is king
Startup profile
Instance name
SAP System Name
SAP SID
SAP DB Schema
Paths
....
39. Information is king
Server / Instance Environment
Computername
Database Names
Database Type (Oracle, MaxDB, ...)
Full Server Environment Variable list!
Information overload
OMG why!
42. Information is king
SAP Log/Tracefiles
SAP Startup Logs
Error / Debug Logs
Developer Traces
Security Logs
SAP ABAP SysLog
SAP Startup Times
PIDs
Services + Status Info
44. Log/Trace Files
<SAPControl:ReadDeveloperTraceResponse>
<name>E:\usr\sap\NSP\DVEBMGS00\work\dev_w0</name>
<item>trc file: "dev_w0", trc level: 1, release: "720"</item>
<item>---------------------------------------------------</item>
<item>* ACTIVE TRACE LEVEL 1</item>
<item>M pid 3564</item>
<item>M DpSysAdmExtCreate: ABAP is active</item>
<item>M DpShMCreate: allocated sys_adm at 09A40048</item>
<item>M DpShMCreate: allocated wp_adm at 09A43020</item>
<item>M DpShMCreate: allocated tm_adm at 09A47E48</item>
…
45. ABAP Log File
<SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time>
<Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)
</Text><Severity>SAPControl-GREEN</Severity></item>
<item><Time>2011 10 14 15:06:12</Time>
<Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4;
Unicode Version 4.1
</Text><Severity>SAPControl-GREEN</Severity></item>
…
46. Information is king
Extracting data from logfiles
Logfiles include usernames
Scrape for usernames
Instant brute-force user list!
#winning!
Just an example of the data available
49. Information is king
Process Parameters
Output of the entire SAP configuration
Password Policies
Set up your brute-force just right ;)
Hash Types
Still supporting those old 8 char hashes?
Security Audit Log Enabled ?
rsau/enabled (default: 0)
Is anybody watching?
50. Process Parameters
msf auxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to matche (?i-mx:^login/password)
[SAP] Process Parameters
   Name                                    Value
   ------                                  ----------
   login/password_charset                  1
   login/password_downwards_compatibility  1
   login/password_hash_algorithm           encoding=RFC2307, algorithm=iSSHA-1, saltsize=96
   login/password_max_idle_productive      0
54. Information is king
Useful Process Parameters
rsau/enabled
login/password_downwards_compatibility
login/failed_user_auto_unlock
login/fails_to_user_lock
login/min_password_lng
login/password_charset
....
* Check out consolut.com for a great list
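As an added example (not code from the talk, nor from Metasploit), the following script turns the two-column "Name / Value" parameter listing shown on the process-parameter slides into a small whitebox audit of the settings listed above. The sample input is constructed, and the thresholds and the meaning of the rsau/login values are the editor's assumptions from public SAP documentation, not something the slides state.

```python
# Added example: whitebox audit of SAP profile parameters in the
# "Name  Value" layout of the getprocessparameter output on the slides.
# Value semantics and thresholds are assumptions (public SAP docs), not from the talk.
import re

# Constructed sample in the two-column layout; values are made up for illustration.
SAMPLE_PARAMETERS = """\
Name                                    Value
------                                  ----------
rsau/enabled                            0
login/min_password_lng                  6
login/fails_to_user_lock                5
login/failed_user_auto_unlock           1
login/password_downwards_compatibility  1
login/password_hash_algorithm           encoding=RFC2307, algorithm=iSSHA-1, saltsize=96
"""


def parse_parameters(text):
    """Turn the two-column table into a dict; a value may itself contain spaces."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Name") or line.startswith("---"):
            continue  # blank line or table header
        m = re.match(r"^(\S+)\s+(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
        else:
            params[line] = ""  # parameter present but no value printed
    return params


def _as_int(value, default):
    """Profile values are strings; fall back to the assumed default when unset/odd."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


# (parameter, weak(value) -> bool, finding text). Defaults passed to _as_int are the
# assumed SAP defaults, so an unreported parameter is judged as if it had its default.
CHECKS = [
    ("rsau/enabled",
     lambda v: _as_int(v, 0) == 0,
     "security audit log disabled: nobody is watching"),
    ("login/password_downwards_compatibility",
     lambda v: _as_int(v, 1) != 0,
     "downwards-compatible (old 8 char) password hashes still generated"),
    ("login/min_password_lng",
     lambda v: _as_int(v, 6) < 8,
     "minimum password length below 8 (assumed policy floor)"),
    ("login/fails_to_user_lock",
     lambda v: _as_int(v, 5) > 5,
     "more than 5 failed logons allowed before the user is locked (assumed policy)"),
    ("login/failed_user_auto_unlock",
     lambda v: _as_int(v, 1) == 1,
     "failed-logon locks are lifted automatically at midnight, so they only slow a brute force"),
    ("login/password_hash_algorithm",
     lambda v: "algorithm=" not in (v or ""),
     "no explicit hash algorithm configured; verify which code version is in use"),
]


def audit(params):
    """Return a list of (parameter, value, finding) for every weak setting."""
    findings = []
    for name, is_weak, message in CHECKS:
        value = params.get(name)  # None -> not reported, default applies
        if is_weak(value):
            findings.append((name, value if value is not None else "<default>", message))
    return findings


if __name__ == "__main__":
    for name, value, message in audit(parse_parameters(SAMPLE_PARAMETERS)):
        print(f"[!] {name} = {value}: {message}")
```

Feed it the parameter listing an administrator pulls from the system profile (or from the SOAP output above) to get the same checks an attacker would run, before they do.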
55. “I put a whitebox configuration audit in your blackbox penetration test, so you can whitebox SAP while you blackbox it!”
Quote by: Me, just now!
75. Getting in the middle
4 different options for SSL protection
Self Signed
Device Default (not an option for SAP)
Enterprise CA
You sign your own certs centrally
Externally signed
Diginotar to the rescue!
SAP also offers signing services
76. Getting in the middle
Impersonate SSL
There's a module for that ;)
Creates a fake cert
As close to the original as possible
Useful SE options
Expired yesterday
Add CN names for ease of use
84. Brute Force
msf auxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
msf auxiliary(sap_mgmt_con_brute_login) > run
[*] SAPSID set to 'NSP' - Setting default SAP wordlist
[*] Trying username:'sapservicensp' password:''
[-] [01/18] - failed to login as 'sapservicensp' password: ''
[*] Trying username:'sapservicensp' password:'sapserviceNSP'
[-] [02/18] - failed to login as 'sapadm' password: ''
[*] Trying username:'nspadm' password:''
…
85. OSExecute
auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
auxiliary(sap_..._osexec) > set USERNAME sapservicensp
auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
auxiliary(sap_..._osexec) > set CMD hostname
auxiliary(sap_..._osexec) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Command run as PID: 1240
Command output
--------------
WINXPSAP-TST
95. Fixing the issues
SAP Fix
SAP Note 1439348
Issue also discovered by Onapsis
No idea what it says!
SAP restricts ALL fix info to customers only
96. Next Steps
More Research
Finish the MITM module
Force Auth works now
JAVA Applet deployment not so much
Look at SAP SSL implementation
SSL is a punching bag right now
Sleep
98. Big Thanks
The REAL SAP Security Researchers
Onapsis
DSecRG
Raul Siles
CYBSEC
SAP PSRT
DirtySec (You know who you are!)
MacLemon for the PPT-fu
All the people who helped make this happen
Yeah… I said that! SAP is a perfect goal for attackers. All the company's crown jewels in one place!
In 2010 SAP released more than 900 fixes… SAP is a complex product, and complex products always have flaws. Research into coding flaws shows 15-50 bugs per 1000 lines of delivered code… not all are security related, but that's still a lot of bugs!
It's not ALL SAP's fault… complex configurations, user error, maintaining backwards compatibility… take your pick. In offering so much, SAP are their own worst enemy.
If security never see it, how can they secure it? More importantly, if they don't understand it, how can they ever hope to secure it!
Think about THAT logic for a second! I'm pretty sure every security professional has heard that at one point or another.
So what’s this SOAP thing then
Not a cleaning product! We'll be using it to scrub SAP clean, however.
I'm sure lots of you have heard of Web Services: simply XML over HTTP or HTTPS. Flexible (can run over SMTP...).
SO HOW DOES SOAP FIT INTO OUR SAP TOPIC
Yes it's a sad sad world! SAP MC uses a range of unauthenticated requests, but some of the more fun functions require username/password authentication.
Lots of cool data. Lots of cool functions. Lots of fun to be had!
There’s pages of this stuff… much too much for a slide… and much too much to make this stuff available for attackers!
dbms_type
The database interface recognizes the type of the database system by the environment variable dbms_type.
Possible values: ora, inf, db2, db4, db6, ada, mss
OLDER VERSIONS of SAP can include environment variables such as MSSQL_USER
Effect of password policies on keyspace reduction (openwall)
Different password compliance rules can reduce the overall keyspace considerably!
So I scanned a small country!
What do we have already?
- Full server environment
- Version info
- SAP SID
- Database info
- Valid SAP usernames
- Trace and debug logs
Wait... SSL will save us!
Yep.. It’s a feature remember? But we’ve already covered how we could get that
OSExecute is all well and good... Run a single command. Get the response..
Block it
Filter it
Restrict it to administrators
YES this means internally as well!