positive-hack-days
LABS
Service discovery. Get information. Remote password brute force.
Authentication data capture (RFC/DIAG). Authorization bypass. VBA+RFC.
Privileges analysis. Access to user password hashes. “Offline” password brute force.
Get data from another client (mandant). Access to OS files. Run OS commands.
Scenario
Scan ports
Get service information
Client (mandant) discovery
Account brute force (RFC)
Account brute force (GUI)
Port scanning
Search for SAP systems: http://scn.sap.com/docs/DOC-17124
• SAP DIAG – 32xx TCP (3200-3299)
• SAP RFC – 33xx TCP (3300-3399)
• ICM HTTP – 80xx TCP
• Message Server HTTP – 81xx TCP
• HTTP – 5xxxx TCP
OS
• SSH/Telnet/Rlogin – 22/23/512-514
DBMS
• Oracle – 1521-1530
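An added example (not from the slides) in Python that turns a scan result into a per-instance SAP service inventory using the port families listed above and flags the logon/management services an exposure review should look at first; the hosts and ports in SAMPLE_SCAN are constructed, and reading the "5xxxx" HTTP range as 5NN00 is an assumption.

```python
# Added example, not from the slides: map scanned ports to SAP services/instances.
from typing import Dict, List, Optional, Tuple

# base port -> service; the SAP port is base + NN (two-digit instance number)
SAP_PORT_BASES = {3200: "SAP DIAG", 3300: "SAP RFC",
                  8000: "ICM HTTP", 8100: "Message Server HTTP"}
# Logon/management services that should not be reachable from untrusted networks.
RISKY = {"SAP DIAG", "SAP RFC", "Message Server HTTP"}

def classify_port(port: int) -> Optional[Tuple[str, int]]:
    """Return (service, instance number) for a port in an SAP range, else None."""
    for base, service in SAP_PORT_BASES.items():
        if base <= port <= base + 99:
            return service, port - base
    # "HTTP - 5xxxx" on the slide; assumption: the 5NN00 pattern for instance NN
    if 50000 <= port <= 59999 and port % 100 == 0:
        return "HTTP (5NN00)", (port - 50000) // 100
    return None

def inventory(open_ports: Dict[str, List[int]]) -> Dict[str, Dict[int, List[str]]]:
    """host -> instance number -> SAP services seen on that instance."""
    result: Dict[str, Dict[int, List[str]]] = {}
    for host, ports in open_ports.items():
        per_instance: Dict[int, List[str]] = {}
        for port in sorted(set(ports)):          # non-SAP ports (22, 1521...) are skipped
            hit = classify_port(port)
            if hit is not None:
                service, nn = hit
                per_instance.setdefault(nn, []).append(service)
        result[host] = per_instance
    return result

def risky_exposure(open_ports: Dict[str, List[int]]) -> List[Tuple[str, int, str]]:
    """(host, instance, service) triples for logon/management services in the scan."""
    return [(host, nn, svc)
            for host, inst in inventory(open_ports).items()
            for nn, services in sorted(inst.items())
            for svc in services if svc in RISKY]

# Constructed scan result; the hosts are not real.
SAMPLE_SCAN = {"10.0.0.5": [22, 1521, 3200, 3300, 8000, 8100, 50000],
               "10.0.0.6": [443, 3201, 3301]}

if __name__ == "__main__":
    for host, nn, svc in risky_exposure(SAMPLE_SCAN):
        print(f"{host}: instance {nn:02d} exposes {svc}")
```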
Automation. SAP RFCSDK.
SAP RFCSDK is a library for developing applications that communicate with an SAP system via the SAP RFC protocol.
It includes a utility for testing RFC, startrfc.exe.
It helps integrate the system with PHP, Perl, VB, C++, Python.
Default accounts
SAP* - 06071992
SAP* - PASS
DDIC – 19920706
SAPCPIC – ADMIN
EARLYWATCH - SUPPORT
TMSADM – PASSWORD
SAPGUI Scripting
By default, scripting is enabled in the SAP front end.
Knowledge of VBS is enough for password brute force.
Enable the sapgui/user_scripting profile parameter on the server side for SAP automation.
You can use VBS/JScript.
SAPGUI Scripting. VBS
An example of how to brute force passwords via DIAG
You can use the function OpenConnectionByConnectionString
Fill in the credential fields with findById
Check the script results (error/no error)
Display the result
Usage of Python
An example of how to get data from SAP structures
An example of how to get data from SAP tables
You need the RFC SDK, a C/C++ compiler and NWRFC for Python
Check the results (error/no error)
Display the results in the console or print them to a file
Password capture
Password capture with the DIAG protocol
• Wireshark plugin SAP DIAG Decompress (2011) (http://www.securitylab.ru/software/409481.php)
• SApCap (2011) (http://www.sensepost.com/labs/tools/poc/sapcap)
• Cain&Abel (2011) (http://oxid.it)
Password capture with the RFC protocol
• Attacking SAP by Mariano Nuñez Di Croce (https://www.blackhat.com/presentations/bh-europe-07/Nunez-Di-Croce/Presentation/bh-eu-07-nunez_di_croce-apr19.pdf)
RFC data capture
Passwords are sent in an obfuscated (encoded) form
Obfuscation algorithm – XOR with a fixed key
The key for password recovery:
31 3e c3 60 e1 06 4e 3f 6b 48 c8 12 f5 fc 20 3c 89 61 2f f1 ef 2e af f3 bd ec 7e 25 b6 a0 71 83 a3 ea 7f ec 09 8a 40 21
Usage of VBA
An example of how to get data from SAP structures
An example of how to get data from SAP tables
You need SAP GUI or the .ocx components for import
Check the results (error/no error)
Show the results in Excel format
Privilege analysis
You find an account.
Try to log in
If login is successful, analyze its privileges (first, try running transactions SA38/SE38/SE16/SE17/ST04)
Check your rights and privileges via RSUSR002
Collect password hashes
Tables with hashes: USR02,USH02,USRPWDHISTORY
How to get data:
• SE16/SE16N/SE17
• ST04/SQL Command Editor
• RFC
• Database level…
• OS level / get data from an OS file
Tools: SAPGUI, MIL Read Table, VBS, SQLplus ….
Get data by running a program directly (SA38/SE38)
Use transaction SE93
Open table TSTC and get the name of the program.
Choose fields for the results.
Run the program directly via SA38/SE38.
Get data from tables via SQ01/SQ02
Create new InfoSet (table) with SQ02 transaction
Run SQ01 transaction, choose the created dataset.
Choose fields for the results.
Run the report, get results.
Vulnerabilities in hash algorithms
CODVN A is an out-of-date algorithm developed by SAP: password length <= 8, all characters in UPPERCASE.
CODVN B is an out-of-date algorithm based on MD5: password length <= 8 (the remaining part of the password is discarded), all characters in UPPERCASE, special characters replaced by ^.
CODVN D is an out-of-date algorithm intended to improve on B, in particular the password reduction and the handling of special characters.
CODVN E was developed to replace B and D and to eliminate their problems. Versions 4.6x to 6.x include it.
• SAP Note 874738 - New password hash calculation procedure (code version E)
CODVN F is now the most widely used hash algorithm. It is based on SHA-1, password length is up to 40 characters, and strings are converted to UTF-8 before hashing, so almost any character can be used. Versions starting from 7.00 include it.
CODVN G = B+F: first you can brute force the 8-character part of the password via the B algorithm, and then use this part to brute force the full password via the G algorithm. Versions starting from 7.00 include it.
CODVN H is the most secure hash algorithm: based on SHA-1 with a salt of variable length. Versions starting from 7.02 include it.
CODVN I = B+F+H – the same problems as G.
The rate of password brute force
• up to 700 000 passwords per second for CODVN B
• up to 300 000 passwords per second for CODVN G
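An added example (not from the slides) that models the CODVN B password reduction described above and audits USR02-style rows for hashes that still carry the B/G/I weakness, so an administrator can see which accounts need a re-hash; the rows, the hash placeholders and the profile-parameter remediation mentioned in a comment are assumptions, not content of the slides.

```python
# Added example, not from the slides: audit USR02-style rows for downgrade-prone hashes.
from typing import Dict, List

LEGACY_CODVN = {"A", "B", "D", "E"}          # out-of-date algorithms per the slides
COMBINED_CODVN = {"G": "B+F", "I": "B+F+H"}   # keep a CODVN B hash next to a modern one

def codvn_b_input(password: str) -> str:
    """Model the reduction the slides describe for CODVN B: at most 8 characters,
    UPPERCASE, special characters replaced by '^' (ASCII-only in this model)."""
    reduced = password[:8].upper()
    return "".join(c if (c.isascii() and c.isalnum()) else "^" for c in reduced)

def audit_user(row: Dict[str, str]) -> List[str]:
    """Findings for one USR02-like row (BNAME, CODVN, BCODE, PASSCODE, PWDSALTEDHASH)."""
    findings = []
    codvn = row.get("CODVN", "")
    if codvn in LEGACY_CODVN:
        findings.append(f"legacy code version {codvn}")
    if codvn in COMBINED_CODVN:
        findings.append(f"code version {codvn} ({COMBINED_CODVN[codvn]}): "
                        "the 8-character B part can be attacked on its own")
    if row.get("BCODE"):
        # Remediation (SAP profile parameter, not on the slides):
        # login/password_downwards_compatibility = 0 stops storing BCODE.
        findings.append("BCODE present: 8-char UPPERCASE hash stored next to stronger ones")
    if not row.get("PWDSALTEDHASH"):
        findings.append("no PWDSALTEDHASH: password not stored with CODVN H")
    return findings

def audit(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """BNAME -> findings; an empty list means nothing to report."""
    return {row["BNAME"]: audit_user(row) for row in rows}

# Constructed sample rows; hash values are placeholders, not real hashes.
SAMPLE_USR02 = [
    {"BNAME": "DDIC", "CODVN": "B", "BCODE": "<B-HASH>", "PASSCODE": "", "PWDSALTEDHASH": ""},
    {"BNAME": "ALICE", "CODVN": "G", "BCODE": "<B-HASH>", "PASSCODE": "<F-HASH>", "PWDSALTEDHASH": ""},
    {"BNAME": "BOB", "CODVN": "H", "BCODE": "", "PASSCODE": "", "PWDSALTEDHASH": "<H-HASH>"},
]

if __name__ == "__main__":
    # Two different strong passwords collapse to the same CODVN B input.
    print(codvn_b_input("P@ssw0rd!2024"), codvn_b_input("p@SSW0RD-xyz"))
    for name, findings in audit(SAMPLE_USR02).items():
        print(name, findings or "ok")
```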
John The Ripper. Community Enhanced
John the Ripper 1.7.9-jumbo-5 supports SAP password hashes of code versions B and F.
Password dictionaries: Openwall wordlists collection (the full version is a paid download)
You can split the work across several CPUs.
Testing of passwords
Download USR02 (fields BNAME/BCODE/PASSCODE)
Create a file with one line per user in the format username:username<padded with spaces to 40 bytes>$HASHCODE
Choose a dictionary or create your own
Run John the Ripper
Directory listing
Run transaction AL11
Use SE37 to run a function module.
Use transaction CG3Y/CG3Z.
Run OS commands
Run SM51 transaction
Type grep in transaction field
Type text like nnn” ? & <OS command> &
Run OS commands
Run SM49/SM69 transaction.
Create your own start options.
Run with necessary options.
You can save the results locally.
Run OS commands
Run SA38 transaction
Load program RSBDCOS0
Type OS program in the field
Check the results.