1. SAP Attack Methodology
Dmitry Gutsko
Security expert
Positive Technologies
PHDays III

2. Agenda

3. SAP: Typical three-tier architecture

4. SAP: Attack vectors

6. Where to begin?
― Scan ports
• 32xx
• 33xx
• 36xx
― Gather information about the system
• Find available clients
• Check for default passwords
• Identify a database server
― Tools:
• MaxPatrol (PenTest)
• sapyto
• console bruter by PT

7. Clients
SAP Application server
Client 000 Client 001 Client 066 Client 800

8. Clients
SAP Application server
Client 000 Client 001 Client 066 Client 800

9. Clients
SAP Application server
Client 000 Client 001 Client 066 Client 800

10. Default passwords
User account Default
password
Statistics
SAP* 06071992
PASS
0%
25%
DDIC 19920706 0%
TMSADM PASSWORD
$1Pawd2&
25%
12,5%
EARLYWATCH SUPPORT 0%
SAPCPIC ADMIN 25%

11. Default passwords
User account Default
password
Статистика использования
SAP* 06071992
PASS
0%
25%(сбер,Газ
DDIC 19920706 0%
TMSADM PASSWORD
$1Pawd2&
25%(Ом,сбер
12,5%(Газ
EARLYWATCH SUPPORT 0%
SAPCPIC ADMIN 25%(Газ, сбер

12. Additional information
(RFC_SYSTEM_INFO)

14. Direct access to Oracle
database
― Remote_OS_Authentication:
• User authentication by OS login
― SAPSR3 user password is stored in table
OPS$<SID>ADM.SAPUSER
― Password could be recovered

15. Direct access to Oracle
database
― Механизм Remote_OS_Authentication
• Аутентификация по имени пользователя в ОС
― Пароль пользователя SAPSR3 хранится в таблице
OPS$<SID>ADM.SAPUSER
― Пароль возможно расшифровать

17. Password Hijacking via
a Network
― Protocols: DIAG, RFC, HTTP
― Tools: Wireshark, SAP DIAG
plugin for Wireshark,
Cain&Abel, SapCap

18. DIAG protocol

19. RFC protocol

21. Hacking Passwords
― Algorithms: A, B, D, E, F, G, H, I (CODVN field)
― Tables: USR02, USH02, USRPWDHISTORY
― Tools: John the Ripper
― Profile parameters:
login/password_downwards_compatibility,
login/password_charset

22. Cryptographic algorithms
BCODE
field
PASSCODE
field
PWDSALTHEDHASH
field
A 8, upper, ASCII, username salt X
B MD5, 8, upper, ASCII, username salt X
D MD5, 8, upper, UTF-8, username
salt
X
E MD5, 8 , upper, UTF-8, username
salt
X
F SHA1, 40, UTF-8, username salt X
G X X
H SHA1,40, UTF-8, random salt X
I X X X

23. USR02 table
BNAME, BCODE, PASSCODE Fields

24. John the Ripper

26. Client Bypass
― Use transaction ST04
― Use transaction SM49/SM69
― Create your own ABAP program

27. Transaction ST04

28. Transaction ST04

29. Transaction ST04

30. Transaction SM49/SM69

31. Transaction SM49/SM69

32. ABAP program
― Source code:
― Report results:

34. Access to other SAPs
― Decrypt authentication data of RFC connection (0-day)
• RSECTAB, RFCDES tables

35. Access to other SAPs

36. Access to other SAPs

37. Access to other SAPs

38. Access to other SAPs
No data is shown by SE16

39. Access to other SAPs

40. Access to other SAPs

41. Access to other SAPs

42. Access to other SAPs

44. Hiding the Evidence of High Privileges
(profile SAP_ALL)
― Report RSUSR002 (transaction SUIM)
• Use Reference User
• Create a new profile ~ SAP_ALL,
Profile1 + Profile2 + Profile3 ~ SAP_ALL
• Create user ………… (0 day)
• Change ABAP code of report RSUSR002
• Update table UST04

45. Reference User

46. Reference User

47. Reference User
No user TEST1

48. Create a new profile

49. Create a new profile

50. Create a new profile
SAP_0 = SAP_ALL

51. Create a new profile
No user TEST4

52. User ………… (0 day)
― ABAP code of RSUSR002 report:

53. User ………… (0 day)
― ABAP code of RSUSR002 report:

54. User ………… (0 day)
― ABAP code of RSUSR002 report:
No user …………

55. Modification of RSUSR002 ABAP code
― Insert a new string:
DELETE userlist WHERE bname = ‘<USERNAME>’

56. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:

57. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:

58. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:
No user TEST0

59. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:

60. Thank you for your attention!
Dmitry Gutsko
dgutsko@ptsecurity.ru