Hands-on Lab SAP security analysis Alexey Yudin Positive Technologies

Upload: positive-hack-days

Post on 02-Jun-2015


LABS

Service discovery. Get information. Remote password brute force.

Authentication data capture (RFC/DIAG). Authorization bypass. VBA+RFC.

Privileges analysis. Access to user password hashes. “Offline” password brute force.

Get data from another mandant. Access to OS files. Run OS commands.

SERVICE DISCOVERY

Tools

Nmap

RFCSDK/NWRFCSDK

Vbs/Python

SAP Frontend 7.20

Scenario

Scan ports

Get service information

Mandant discovery

Account brute force (RFC)

Account brute force (GUI)

Port scanning

Search for SAP systems: http://scn.sap.com/docs/DOC-17124

SAP
• SAP DIAG – 32xx (3200-3299) TCP
• SAP RFC – 33xx (3300-3399) TCP
• ICM HTTP – 80xx TCP
• Message Server HTTP – 81xx TCP
• HTTP – 5xxxx TCP

OS
• SSH/Telnet/Rlogin – 22/23/512-514

DBMS
• Oracle – 1521-1530
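The port ranges above are what a defender uses to inventory which SAP services a host exposes. The following is an added example (not part of the original lab and not a Positive Technologies tool): it parses scan output in the common "port/tcp open" shape, maps each port to the service from the slide and derives the two-digit SAP instance number that the port encodes, so an exposure report can be produced per instance. The scan lines are constructed; treating only 5NN00 ports as the "5xxxx" HTTP entry is an assumption made here.

```python
import re
from collections import defaultdict

# Constructed sample of TCP scan output for one host (not real scan data).
SAMPLE_SCAN = """\
22/tcp    open  ssh
1521/tcp  open  oracle
3200/tcp  open  sapgui-diag
3301/tcp  open  sap-rfc
8000/tcp  open  http
8101/tcp  open  http
50000/tcp open  http
"""

SCAN_LINE = re.compile(r"^\s*(\d+)/tcp\s+open\b")


def classify_port(port):
    """Map a port to (service, instance) using the ranges from the slides.

    For the SAP ranges the port encodes the two-digit instance number
    (32NN, 33NN, 80NN, 81NN).  For the "5xxxx" HTTP entry we assume the
    5NN00 shape and take NN as the instance.  instance is None for the
    OS/DBMS services; (None, None) means the port is in no listed range.
    """
    if 3200 <= port <= 3299:
        return "SAP DIAG", port - 3200
    if 3300 <= port <= 3399:
        return "SAP RFC", port - 3300
    if 8000 <= port <= 8099:
        return "ICM HTTP", port - 8000
    if 8100 <= port <= 8199:
        return "Message Server HTTP", port - 8100
    if 50000 <= port <= 59900 and port % 100 == 0:
        return "HTTP (5NN00)", (port - 50000) // 100
    if port in (22, 23) or 512 <= port <= 514:
        return "OS remote access (SSH/Telnet/Rlogin)", None
    if 1521 <= port <= 1530:
        return "Oracle DBMS", None
    return None, None


def sap_exposure(scan_text):
    """Group open SAP ports by instance number.

    Returns (instances, other): instances maps NN -> sorted (port, service)
    pairs; other lists the OS/DBMS ports found on the same host.
    """
    instances = defaultdict(list)
    other = []
    for line in scan_text.splitlines():
        m = SCAN_LINE.match(line)
        if not m:
            continue
        port = int(m.group(1))
        service, inst = classify_port(port)
        if service is None:
            continue  # not a port the slides associate with SAP, OS or DBMS
        (other if inst is None else instances[inst]).append((port, service))
    return {k: sorted(v) for k, v in instances.items()}, sorted(other)


def exposure_report(scan_text):
    """One summary line per SAP instance, then one per non-SAP port."""
    instances, other = sap_exposure(scan_text)
    lines = []
    for inst, ports in sorted(instances.items()):
        svc = ", ".join(f"{p} {s}" for p, s in ports)
        lines.append(f"SAP instance {inst:02d}: {svc}")
    for p, s in other:
        lines.append(f"non-SAP: {p} {s}")
    return lines


if __name__ == "__main__":
    print("\n".join(exposure_report(SAMPLE_SCAN)))
```

On the constructed sample this reports two instances (00 with DIAG, ICM HTTP and 5NN00 HTTP; 01 with RFC and Message Server HTTP) plus SSH and the Oracle listener; any of these reachable from an untrusted network is a finding to follow up.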

Automation. SAP RFCSDK.

SAP RFCSDK is a library for developing applications that communicate with an SAP system via the SAP RFC protocol.

It includes a utility for testing RFC calls, startrfc.exe.

It allows the system to be integrated with PHP, Perl, VB, C++ and Python.

StartRFC.exe

StartRFC.exe. Get information.

StartRFC.exe. Mandant discovery and password brute force.

Mandant discovery

Account brute force

Default accounts

SAP* - 06071992

SAP* - PASS

DDIC – 19920706

SAPCPIC – ADMIN

EARLYWATCH - SUPPORT

TMSADM – PASSWORD

SAPGUI Scripting

Scripting is enabled by default in SAP Frontend.

Knowledge of VBS is enough for password brute force.

Enable sapgui/user_scripting on the server side to allow SAP GUI automation.

You can use VBS/JScript.

SAPGUI Scripting. VBS

An example of how to brute-force passwords via DIAG

Use the function OpenConnectionByConnectionString

Add credentials to the appropriate fields with findById

Check the script results (error/no error)

Display the result

VBS example

Usage of Python

An example of how to get data from SAP structures

An example of how to get data from SAP tables

You need the RFC SDK, a C/C++ compiler and NWRFC for Python

Check the results (error/no error)

Display the results in the console or write them to a file

Python example

DATA CAPTURE

Tools

Wireshark

SAP DIAG plugin for Wireshark

Microsoft Excel + VBA

DIAG password capture

RFC data capture

Passwords are sent in encoded (obfuscated) form

Obfuscation algorithm – XOR

The key for password recovery

31 3e c3 60 e1 06 4e 3f 6b 48 c8 12 f5 fc 20 3c 89 61 2f f1 ef 2e af f3 bd ec 7e 25 b6 a0 71 83 a3 ea 7f ec 09 8a 40 21

RFC password capture

Usage of VBA

An example of how to get data from SAP structures

An example of how to get data from SAP tables

You need SAP GUI or its .ocx components to import (reference) them

Check the results (error/no error)

Show the results in Excel format

VBA example

PASSWORD BRUTE FORCE BY KNOWN HASH

Tools

SAP Frontend

Perl

John the Ripper. Community Enhanced

Privilege analysis

You find an account.

Try to log in.

If login is successful, analyze its privileges (first, run transactions SA38/SE38/SE16/SE17/ST04)

Check your rights and privileges via RSUSR002

RSUSR002

Collect password hashes

Tables with hashes: USR02,USH02,USRPWDHISTORY

How to get data:
• SE16/SE16N/SE17
• ST04/SQL Command Editor
• RFC
• Database level…
• OS level/get data from an OS file

Tools: SAPGUI, MIL Read Table, VBS, SQLplus ….

SE16

ST04.SQL Command Editor

Get data by running a program directly in SA38/SE38

Using the SE93 transaction

Open table TSTC and get the name of the program.

Choose fields for the results.

Run the program directly in SA38/SE38.


Get data from tables via SQ01/SQ02

Create a new InfoSet (on the table) with the SQ02 transaction

Run the SQ01 transaction and choose the created InfoSet.

Choose fields for the results.

Run the report and get the results.

SQ01/SQ02


Vulnerabilities in hash algorithms

CODVN A is an out-of-date algorithm developed by SAP: password length <=8, characters in UPPERCASE.

CODVN B is an out-of-date algorithm based on MD5: password length <=8, the remaining part of the password is discarded, all characters are converted to UPPERCASE, special characters are replaced by ^.

CODVN D is an out-of-date algorithm intended to improve algorithm B, especially password truncation and the handling of special characters.

CODVN E was developed to replace B and D and aimed to eliminate their problems. Versions from 4.6x to 6.x include it.

• SAP Note 874738 - New password hash calculation procedure (code version E)

CODVN F is now the most widely used hash algorithm. It is based on SHA1, password length is up to 40 characters, and strings are converted to UTF-8 before hashing, so almost any character can be used. Versions from 7.00 on include it.

CODVN G = B+F: first you can brute-force the 8-character part of the password via the B algorithm, then use this part to brute-force the full password via the G algorithm. Versions from 7.00 on include it.

CODVN H is the most secure hash algorithm: based on SHA1 with a variable salt length. Versions from 7.02 on include it.

CODVN I = B+F+H: the same problems as G

The rate of password brute force
• up to 700 000 passwords per second for CODVN B
• up to 300 000 passwords per second for CODVN G
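The practical consequence of the CODVN overview, together with the default-account list earlier in the lab, is an audit a defender can run on their own USR02 export: which users still carry a downward-compatible hash (BCODE or PASSCODE) next to, or instead of, the salted CODVN H hash, and which default accounts still exist. The following is an added example, not a tool from the lab or from Positive Technologies; the USR02 rows are constructed placeholders of the right shape, and the `{x-issha, 1024}` tag used for PWDSALTEDHASH is an assumption about the stored format.

```python
import csv
import io

# Default accounts named on the slides.  Each should exist only if needed,
# with its default password changed and, where possible, locked.
DEFAULT_ACCOUNTS = {"SAP*", "DDIC", "SAPCPIC", "EARLYWATCH", "TMSADM"}

# Code versions as described on the slides.  Only H stores a salted hash.
CODVN_INFO = {
    "A": "proprietary, <=8 chars, uppercased",
    "B": "MD5-based, <=8 chars, uppercased, specials replaced by ^",
    "D": "B variant with better special-character handling",
    "E": "replacement for B/D, 4.6x-6.x",
    "F": "unsalted SHA1, <=40 chars UTF-8, 7.00+",
    "G": "B and F stored together (8-char prefix attackable via B)",
    "H": "salted SHA1, variable salt length, 7.02+",
    "I": "B, F and H stored together (same weakness as G)",
}

# Constructed USR02 export (not real data).  Hash values are placeholders with
# the right shape: BCODE 16 hex chars, PASSCODE 40 hex chars, PWDSALTEDHASH a
# "{x-issha, 1024}<base64>" string (assumption about the exact tag).
SAMPLE_USR02 = """\
BNAME,CODVN,BCODE,PASSCODE,PWDSALTEDHASH
SAP*,B,0123456789ABCDEF,,
DDIC,G,0123456789ABCDEF,0123456789ABCDEF0123456789ABCDEF01234567,
ALICE,H,,,"{x-issha, 1024}U0FMVEVESEFTSFBMQUNFSE9MREVS"
BOB,I,FEDCBA9876543210,76543210FEDCBA9876543210FEDCBA9876543210,"{x-issha, 1024}U0FMVEVESEFTSFBMQUNFSE9MREVS"
CAROL,F,,ABCDEF0123456789ABCDEF0123456789ABCDEF01,
"""


def audit_usr02(csv_text):
    """Return findings as (user, severity, message) tuples, one per problem."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user, codvn = row["BNAME"], row["CODVN"]
        desc = CODVN_INFO.get(codvn, "unknown CODVN")
        if user in DEFAULT_ACCOUNTS:
            findings.append((user, "HIGH",
                             "default account present: check it is locked "
                             "and its default password changed"))
        if row["BCODE"]:
            # BCODE is the A/B/D/E-style hash: only 8 uppercased characters,
            # the fastest to attack (the slides quote ~700 000/s for CODVN B).
            findings.append((user, "HIGH",
                             f"CODVN {codvn} ({desc}): 8-char BCODE hash stored"))
        elif row["PASSCODE"]:
            # PASSCODE is the unsalted CODVN F hash.
            findings.append((user, "MEDIUM",
                             f"CODVN {codvn} ({desc}): unsalted PASSCODE hash stored"))
        elif not row["PWDSALTEDHASH"]:
            findings.append((user, "INFO", f"CODVN {codvn}: no password hash stored"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 5, 'MEDIUM': 1}."""
    counts = {}
    for _, sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_usr02(SAMPLE_USR02)
    for user, sev, msg in results:
        print(f"{sev:6} {user:12} {msg}")
    print(summarize(results))
```

On the constructed export, ALICE (CODVN H only) produces no finding, while SAP*, DDIC and BOB are flagged because a BCODE hash is still present even where a stronger hash exists; the remedy on a real system is to stop storing downward-compatible hashes (the SAP profile parameter login/password_downwards_compatibility controls this) and remove the ones already in USR02 and the history tables.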

John The Ripper. Community Enhanced

John the Ripper 1.7.9-jumbo-5 enables analysis of hash algorithms for SAP passwords of B and F types.

Password dictionaries: Openwall wordlists collection (the full version is a paid download)

You can parallelize tasks across several CPUs.

Testing of passwords

Download USR02 (fields BNAME/BCODE/PASSCODE)

Create files in the format username:username<padded with spaces to 40 bytes>$HASHCODE

Choose a dictionary or create your own

Run John the Ripper

Results of testing

ACCESS TO FILES AND OS COMMANDS

Directory listing

Run the AL11 transaction

Use SE37 to run a function module.

Use the CG3Y/CG3Z transactions.


Run OS commands

Run the SM51 transaction

Type grep in the transaction field

Type text like nnn” ? & <OS command> &

Run OS commands


Run the SM49/SM69 transaction.

Create your own start options.

Run with the necessary options.

You can save the results locally.

Run OS commands


Run the SA38 transaction

Load the RSBDCOS0 program

Type the OS command in the field

Check the results.

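Every path shown in this lab for reading hash tables, listing directories and running OS commands goes through a small set of transactions and reports (SE16/SE16N/SE17/SQ01/SQ02 on USR02, USH02 or USRPWDHISTORY; ST04; SE37; AL11 and CG3Y/CG3Z; SM49/SM69; RSBDCOS0 via SA38/SE38), which makes them a natural detection list for the blue team. The following is an added example, not part of the lab and not a Positive Technologies tool: it runs those rules over a constructed, simplified event stream (timestamp, user, transaction code, report, free-text detail). The event format is an assumption made for the example, not the SAP Security Audit Log layout, and the SM51 trick from the slides is not covered because it does not surface as a distinct transaction or report.

```python
import csv
import io

# Constructed event stream (not a real Security Audit Log).  'detail' holds the
# table name for table-browsing transactions and the argument text otherwise.
SAMPLE_EVENTS = """\
ts,user,tcode,report,detail
2015-06-02T10:00:01,ALICE,SE16,,MARA
2015-06-02T10:01:12,BOB,SE16,,USR02
2015-06-02T10:02:40,BOB,SQ02,,USR02
2015-06-02T10:03:05,CAROL,SM69,,FM_PLACEHOLDER_COMMAND
2015-06-02T10:04:30,DAVE,SA38,RSBDCOS0,uname -a
2015-06-02T10:05:00,DAVE,SE38,RSUSR002,
2015-06-02T10:05:20,EVE,AL11,,/usr/sap/trans
2015-06-02T10:05:50,EVE,CG3Y,,/usr/sap/trans/log/PLACEHOLDER
2015-06-02T10:06:10,FRANK,SE37,,FUNCTION_MODULE_PLACEHOLDER
2015-06-02T10:06:40,GRACE,ST04,,SQL command editor
"""

# Rule tables built from the transactions and tables named in the lab.
HASH_TABLES = {"USR02", "USH02", "USRPWDHISTORY"}
TABLE_BROWSERS = {"SE16", "SE16N", "SE17", "SQ01", "SQ02"}
OS_COMMAND_TCODES = {"SM49", "SM69"}
OS_COMMAND_REPORTS = {"RSBDCOS0"}
FILE_ACCESS_TCODES = {"AL11", "CG3Y", "CG3Z"}
FUNCTION_EXEC_TCODES = {"SE37"}
SQL_EDITOR_TCODES = {"ST04"}


def classify_event(ev):
    """Return the name of the rule an event matches, or None."""
    tcode, report, detail = ev["tcode"], ev["report"], ev["detail"]
    if tcode in OS_COMMAND_TCODES:
        return "os_command_via_external_commands"
    if report in OS_COMMAND_REPORTS:
        return "os_command_via_report"
    if tcode in TABLE_BROWSERS and detail.upper() in HASH_TABLES:
        return "password_hash_table_access"
    if tcode in FILE_ACCESS_TCODES:
        return "os_file_access"
    if tcode in FUNCTION_EXEC_TCODES:
        return "direct_function_module_execution"
    if tcode in SQL_EDITOR_TCODES:
        return "direct_sql_access"
    return None


def detect(csv_text):
    """Run the rules over the event stream; return (ts, user, rule) alerts."""
    alerts = []
    for ev in csv.DictReader(io.StringIO(csv_text)):
        rule = classify_event(ev)
        if rule:
            alerts.append((ev["ts"], ev["user"], rule))
    return alerts


def alerts_by_user(alerts):
    """Group rule names per user so one user hitting several rules stands out."""
    grouped = {}
    for _, user, rule in alerts:
        grouped.setdefault(user, []).append(rule)
    return grouped


if __name__ == "__main__":
    for ts, user, rule in detect(SAMPLE_EVENTS):
        print(ts, user, rule)
    print(alerts_by_user(detect(SAMPLE_EVENTS)))
```

On the constructed stream, ALICE reading MARA and DAVE running RSUSR002 produce nothing, while the other eight events each match exactly one rule; in a real deployment the same rule set would be fed from the Security Audit Log or table-access logging, and the transactions involved would normally be locked down by authorization rather than merely monitored.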

Thank you for your attention!

Alexey Yudin

[email protected]