Sometimes, having obtained access to SAP, a security analyst has no idea what to do next or how to demonstrate the possible consequences of the detected vulnerabilities.
We've obtained access to the company's internal network. How can we find SAP applications? The most interesting services are:
- SAP DIAG – 32xx-3299 TCP;
- SAP RFC – 33xx-3399 TCP;
- ICM HTTP – 80xx TCP;
- Message Server HTTP – 81xx;
- HTTP – 5xxxx.
Run Nmap and analyze the scan results.
Brute force is a common method of obtaining access. The list of default accounts (user and password):
- SAP* — 06071992;
- SAP* — PASS;
- DDIC — 19920706;
- SAPCPIC — ADMIN;
- EARLYWATCH — SUPPORT;
- TMSADM — PASSWORD.
A library for developing applications that work with SAP via the SAP RFC protocol will be used as the instrument. The library contains Startrfc.exe, a utility for RFC testing. Try to connect to the detected system using the default accounts.
If you've managed to guess the password of the SAP* user, then you only need to connect to the system through SAPGUI (start saplogon.exe), and SAP is in your hands.
If brute-forcing the default users has failed, it is still possible to try passwords derived from the company's employee list (obtained from AD, telephone directories, etc.).
Authentication credential hijacking
If brute-forcing the authentication credentials has failed, there is still a chance to hijack them. Utilities such as the following can be used to capture passwords carried by the DIAG protocol:
- SAP DIAG Decompress plug-in for Wireshark;
Moreover, RFC can be used for hijacking as well. Mariano Nunez Di Croce described the RFC protocol vulnerabilities and SAP access methods in his presentation "Attacking the Giants: Exploiting SAP Internals".
Obtained access analysis
If we know the authentication credentials of a dialog user, we only need to install the SAP GUI client and use it to try to access the system. If access succeeds, analyze the privileges.
There is an HR management module in the system, which gives us the opportunity to access employees' data.
If the account has limited rights, it is worth trying to escalate privileges.
One way to do so is to obtain password hashes. Tables containing password hashes: USR02, USH02, USRPWDHISTORY. Methods of obtaining the data:
- transactions SE16, SE16N, SE17, which provide access to the SAP tables;
- transaction ST04/SQL Command Editor;
- RFC protocol;
- database level;
- obtaining data from the OS file.
Use SAPGUI, MIL Read Table, VBS, and SQLplus as instruments. If we know user authentication credentials, we can connect to SAP and obtain password hashes by reading the USR02 table with transaction SE16 (if we have access to it).
John the Ripper 1.7.9-jumbo-5 can be used to brute-force the hash values, as it implements the password hash generation algorithms of SAP systems (types B and F). You'll also need password dictionaries (for example, the Openwall Wordlists Collection Full Version dictionary is available for paid download).
Alternatively, you can use automated SAP security analysis tools, which allow obtaining user passwords.
SAP HCM security
The SAP HCM system has several peculiarities that often make it vulnerable.
First of all, all data is stored in infotypes. Infotypes are data structures stored in particular tables. The most important infotypes are:
- 0000 — actions (employment, leaving the enterprise, organizational reassignment);
- 0002 — personal data;
- 0008 — basic pay;
- 0009 — bank details.
The next SAP HCM peculiarity is authorization settings. General authorizations and structural authorizations may intersect. Non-obvious configuration very often results in common users being granted too much authority.
And finally, SAP HCM has a special authorization object, P_PERNR, which allows configuring an employee's access to his or her own HR data. Experience has shown that this object is often configured in a way that lets users edit their own data.
Data access in SAP HCM
SAP gives you several ways to access HR data. First of all, using the HR transactions:
- PA20, PRMS — Display HR Master Data;
- PA30, PRMD — Maintain HR Master Data;
- PA40, PA42 — Personnel Actions;
- PA61 — Maintain Time Data.
Start transaction PA30, select infotype 0008 and learn the salary of the employee you are interested in. Or increase the salary amount. Substitute the bank account with transaction PA30 and infotype 0009.
Access to HR tables
One more method of accessing HR information is to read table contents. We are interested in the following transactions:
- SE16, SE16N, SE17 — General Table Display;
- SM30, SM31 — Call View Maintenance;
- SE11 — ABAP Dictionary.
We need tables whose names start with PA (they contain employees' data):
- PA0000 — employment, leaving the enterprise, organizational reassignment;
- PA0002 — personal data;
- PA0008 — basic pay;
- PA0009 — bank details.
Starting ABAP programs
SAP grants rights to run transactions, and each transaction calls an ABAP program. Therefore, if a user has rights to transaction SA38, he or she can launch the required program directly, bypassing the authorization check of the transaction it belongs to.
Here is a list of programs that can be used to collect information about employees:
- RPPSTM00 — HR Master Data Sheet;
- RPLMIT00 — Employee List;
- RPLEHSU0 — Employee History Report;
- RPLNHRU0 — New Hire Reporting.
Use transaction SE93 to get the names of the programs used to launch other transactions.
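The HR transactions, PA* tables, P_PERNR object and SA38 program-launch path described in the sections above are exactly what an authorization review should look for. The following is an added example, not code from the original article: it audits a constructed role-assignment export for those access paths. The transaction, table, program and P_PERNR names come from the article; the "user;kind;value" export format, the user names and the "PSIGN:AUTHC:INFTY" encoding of P_PERNR values are assumptions.

```python
# Added example (not the article's code): audit a constructed role export for
# the SAP HCM access paths described above. Transaction, table, program and
# P_PERNR names are from the article; the export format is an assumption.
HR_TABLES = {"PA0000", "PA0002", "PA0008", "PA0009"}          # PA* infotype tables
TABLE_TCODES = {"SE16", "SE16N", "SE17", "SM30", "SM31"}       # generic table access
HR_MAINTAIN_TCODES = {"PA30", "PRMD", "PA40", "PA42", "PA61"}  # change HR master data
HR_REPORTS = {"RPPSTM00", "RPLMIT00", "RPLEHSU0", "RPLNHRU0"}  # employee data reports
PAY_BANK_INFOTYPES = {"0008", "0009", "*"}                     # basic pay, bank details

def parse_export(lines):
    """Group 'user;kind;value' grants per user; a p_pernr value is 'PSIGN:AUTHC:INFTY'."""
    users = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, kind, value = (f.strip() for f in line.split(";", 2))
        grants = users.setdefault(user, {"tcode": set(), "table": set(),
                                         "program": set(), "p_pernr": set()})
        grants[kind].add(value.upper())
    return users

def audit_user(grants):
    """Return sorted finding codes for one user's grants."""
    findings = set()
    tc = grants["tcode"]
    if tc & HR_MAINTAIN_TCODES:
        findings.add("HR_MASTER_DATA_MAINTAIN")   # PA30 etc. can alter pay/bank data
    if tc & TABLE_TCODES and grants["table"] & HR_TABLES:
        findings.add("HR_TABLE_ACCESS")           # PA* tables readable via SE16/SM30
    if "SA38" in tc and (not grants["program"] or grants["program"] & HR_REPORTS):
        findings.add("HR_REPORT_VIA_SA38")        # program launch bypasses tcode checks
    for entry in grants["p_pernr"]:
        psign, authc, infty = entry.split(":")    # include flag, access level, infotype
        if psign == "I" and authc in {"W", "*"} and infty in PAY_BANK_INFOTYPES:
            findings.add("P_PERNR_SELF_EDIT")     # user may edit own 0008/0009 records
    return sorted(findings)

def audit(lines):
    per_user = {u: audit_user(g) for u, g in parse_export(lines).items()}
    return {u: f for u, f in per_user.items() if f}   # users with findings only

SAMPLE_EXPORT = """\
# constructed sample, not real data
HRCLERK;tcode;SE16
HRCLERK;table;PA0008
PAYROLL;p_pernr;I:W:0008
DEV01;tcode;SA38
AUDITOR;p_pernr;I:R:*
""".splitlines()
```

Running audit(SAMPLE_EXPORT) flags HRCLERK (PA0008 readable through SE16), PAYROLL (may write its own basic pay) and DEV01 (SA38 without a program restriction), while the read-only AUDITOR entry produces no finding.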
We have considered an attack on the SAP system and the possibility not only of obtaining information about employees but also of gaining financial benefit.
What can be recommended to increase the SAP protection level?
First of all, pay attention to Basis security. Regularly installing SAP Notes will allow avoiding the majority of threats. Second, do not neglect standards and best practices, especially in configuring SAP Basis or SAP HCM (SAP, DSAG, ANAO). Third, it is necessary to create audit procedures and carry them out regularly. And finally, do not forget about the SAP environment. The SAP system does not exist in a vacuum: its security also depends on the security of the operating system it runs on and of the DBMS where the data is stored.