2. SAP Attack Methodology
Dmitry Gutsko
Security expert
Positive Technologies
PHDays III

3. Agenda

4. SAP: Typical three-tier architecture

5. SAP: Attack vectors

7. Where to begin?
― Scan ports
• 32xx
• 33xx
• 36xx
― Gather information about the system
• Find available clients
• Check for default passwords
• Identify a database server
― Tools:
• MaxPatrol (PenTest)
• sapyto
• console bruter by PT

8. Clients
SAP Application server
Client 000 Client 001 Client 066 Client 800

9. Clients
SAP Application server
Client 000 Client 001 Client 066 Client 800

10. Clients
SAP Application server
Client 000 Client 001 Client 066 Client 800

11. Default passwords
User account Default
password
Statistics
SAP* 06071992
PASS
0%
25%
DDIC 19920706 0%
TMSADM PASSWORD
$1Pawd2&
25%
12,5%
EARLYWATCH SUPPORT 0%
SAPCPIC ADMIN 25%

12. Default passwords
User account Default
password
Статистика использования
SAP* 06071992
PASS
0%
25%(сбер,Газ
DDIC 19920706 0%
TMSADM PASSWORD
$1Pawd2&
25%(Ом,сбер
12,5%(Газ
EARLYWATCH SUPPORT 0%
SAPCPIC ADMIN 25%(Газ, сбер

13. Additional information
(RFC_SYSTEM_INFO)

15. Direct access to Oracle
database
― Remote_OS_Authentication:
• User authentication by OS login
― SAPSR3 user password is stored in table
OPS$<SID>ADM.SAPUSER
― Password could be recovered

16. Direct access to Oracle
database
― Механизм Remote_OS_Authentication
• Аутентификация по имени пользователя в ОС
― Пароль пользователя SAPSR3 хранится в таблице
OPS$<SID>ADM.SAPUSER
― Пароль возможно расшифровать

18. Password Hijacking via
a Network
― Protocols: DIAG, RFC, HTTP
― Tools: Wireshark, SAP DIAG
plugin for Wireshark,
Cain&Abel, SapCap

19. DIAG protocol

20. RFC protocol

22. Hacking Passwords
― Algorithms: A, B, D, E, F, G, H, I (CODVN field)
― Tables: USR02, USH02, USRPWDHISTORY
― Tools: John the Ripper
― Profile parameters:
login/password_downwards_compatibility,
login/password_charset

23. Cryptographic algorithms
BCODE
field
PASSCODE
field
PWDSALTHEDHASH
field
A 8, upper, ASCII, username salt X
B MD5, 8, upper, ASCII, username salt X
D MD5, 8, upper, UTF-8, username
salt
X
E MD5, 8 , upper, UTF-8, username
salt
X
F SHA1, 40, UTF-8, username salt X
G X X
H SHA1,40, UTF-8, random salt X
I X X X

24. USR02 table
BNAME, BCODE, PASSCODE Fields

25. John the Ripper

27. Client Bypass
― Use transaction ST04
― Use transaction SM49/SM69
― Create your own ABAP program

28. Transaction ST04

29. Transaction ST04

30. Transaction ST04

31. Transaction SM49/SM69

32. Transaction SM49/SM69

33. ABAP program
― Source code:
― Report results:

35. Access to other SAPs
― Decrypt authentication data of RFC connection (0-day)
• RSECTAB, RFCDES tables

36. Access to other SAPs

37. Access to other SAPs

38. Access to other SAPs

39. Access to other SAPs
No data is shown by SE16

40. Access to other SAPs

41. Access to other SAPs

42. Access to other SAPs

43. Access to other SAPs

45. Hiding the Evidence of High Privileges
(profile SAP_ALL)
― Report RSUSR002 (transaction SUIM)
• Use Reference User
• Create a new profile ~ SAP_ALL,
Profile1 + Profile2 + Profile3 ~ SAP_ALL
• Create user ………… (0 day)
• Change ABAP code of report RSUSR002
• Update table UST04

46. Reference User

47. Reference User

48. Reference User
No user TEST1

49. Create a new profile

50. Create a new profile

51. Create a new profile
SAP_0 = SAP_ALL

52. Create a new profile
No user TEST4

53. User ………… (0 day)
― ABAP code of RSUSR002 report:

54. User ………… (0 day)
― ABAP code of RSUSR002 report:

55. User ………… (0 day)
― ABAP code of RSUSR002 report:
No user …………

56. Modification of RSUSR002 ABAP code
― Insert a new string:
DELETE userlist WHERE bname = ‘<USERNAME>’

57. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:

58. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:

59. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:
No user TEST0

60. Deletion of Profile Assignment from
UST04 table
Assignig profile SAP_ALL:

61. Thank you for your attention!
Dmitry Gutsko
dgutsko@ptsecurity.ru