Hello and welcome. This is ERPwnage: Threat Simulation Against SAP, a talk being given to the Red Team Village at DEF CON 28. Unfortunately, with corona going around we can't really meet in person and talk through this, but let's try to make the best of it. Hopefully you can get something out of this talk on targeting SAP.

All right, so who am I? My name is Austin Mark. I'm a reformed Basis admin. A Basis admin is just the sysadmin of the SAP world, so they might do implementations, migrations, upgrades, stuff like that. I got out of that and went into full-time pen testing a number of years ago, and I've been employed at RSM. You've got my website, my Twitter and then my GitHub, and I go by the handle cryo, and I have for quite some time.

Cool, so what is this? This is Anthology. This is a talk being given to the Red Team Village; it's a lightning talk about SAP. Anthology is just a collection of talks that I'm giving this year and hopefully for years to come. This is just how I organize my talks and make sure things are easy to digest, and if you're interested in one topic, maybe you're interested in another.

So what is the goal? The goal of this talk is to provide red teams with enough knowledge to target SAP, and to strike a balance between the new and the practical: things that are tried and true and aren't going anywhere, but then also speak at least briefly to some of the new and exciting techniques or exploits that we're seeing today.

Why SAP? Because it's unnecessarily complex in my opinion, difficult to update, and business critical. Some of what we're going to talk about here can be applied to other ERPs, but we'll be focused on SAP.
They have allegedly well over a hundred and twenty thousand installations worldwide. Some of the techniques that we'll be presenting here can be applied to any ERP or anything you're attempting to target, so some of this is going to be kind of ERP-agnostic or target-agnostic, but really we're going to try to dive deep into SAP and focus mostly on that ERP. So the goal of this talk is to walk through some of those tried and true techniques, review some of those vulnerabilities, and give you a jumping-off point for attacking SAP.

All right, so on to the agenda. What are we going to cover? We're going to talk really quickly about what SAP is, how we get into SAP, what if we want to get out of SAP and maybe move laterally, and then what the impact of some of what we're doing is. As red teamers, maybe sometimes we just care about access, but we should be able to at least speak to what the impact is to the business and what we were able to get access to.

All right. So what is SAP? SAP is an ERP. It's a suite of enterprise tools for management. Enterprises have to store it all somewhere, and SAP wants to be that single point of truth. So if you can manipulate that single point of truth, the impact can be pretty substantial.

All right, and lastly, how do we get into SAP? There are a number of recent exploits that have been released, including 10KBLAZE, RECON, etc. These are going to take a while for a lot of businesses to patch. Many SAP systems don't go through the standard Patch Tuesday that you see with other back-end systems that support a business; they tend to wait for a support pack or something that will effectively patch all of this at once with minimal downtime. In the case of 10KBLAZE, they have regularly mis-patched, or applied what they believe to be a patch without adjusting their ACLs, and this vulnerability is unlikely to go away anytime soon. But we're red team here.
We really don't rely on poor patching practices to gain access and move laterally. Tried and true techniques such as session hijacking, credential harvesting and phishing haven't exactly gone by the wayside. Lastly, we'll talk a little bit about some of the impact of getting access into SAP, where it might help you elevate your privileges, crack bigger passwords, or even pivot into a new, exciting network.

Finding SAP: so where's the fun at? The SAP Router is something that we regularly find, because SAP requires it for support. If you're trying to get support from SAP, you have to have this router installed and exposed to the web. Also, we regularly find web services that are disclosing the exact landscape, OS, patch level and services running on the SAP internal infrastructure. And of course LinkedIn, right? We have third-party contractors all the time that are disclosing the exact client they're working for, what they implemented, what patch level they moved everything to, and support packs. Some of them are even kind enough to explain exactly what security systems have been implemented, as in the case of the consultant on the very bottom. It's kind of the same thing that you would do for any other type of red team or any other type of investigation, but there are some SAP-specific services and background information that you can use to further inform where you're going to target if you're trying to get into SAP.

All right, so moving on to some common exploits. 10KBLAZE: I don't think this is going anywhere. 10KBLAZE is what I like to think of as the MS17-010 of the SAP world. It gives you full-blown RCE, you can find it pretty much anywhere, and the impact is typically severe. What's worse than MS17-010?
It's difficult and can be confusing for a business to patch. Great research and proof of concepts were published by Dmitri and Matthew for what was actually an older vulnerability. They got a lot of attention during the proof of concept and during the talk they gave at OPCDE. At the bottom of the screen, you've got a one-liner to dump hashes from the database. This is a fully anonymous, no-authentication-required command execution vulnerability within SAP that, without appropriate ACLs put in place, gets you code execution as <sid>adm. The <sid>adm user is effectively the SAP administrator, so you have full rights to add users and dump tables; you essentially have full control over the SAP system at that point.

All right, RECON: the new hotness. A few Onapsis researchers identified and disclosed CVE-2020-6287 and CVE-2020-6286. Both of these impact the SAP NetWeaver Java stack application servers. These servers are regularly exposed to the web, and that's a big part of why this is a concerning vulnerability. Proof of concepts were developed and released by Dmitri, the same individual who also released 10KBLAZE. This proof of concept was later built upon by zeroSteiner, and that proof of concept has since been merged into Metasploit. The PoC adds an administrative user that can then take full control of the SAP Java system. The vulnerability relies on an authentication bypass in the application configuration wizard. The fix is a little bit more straightforward than 10KBLAZE: you can simply patch, or disable the LM manager altogether, and if you do that you're relatively safe. The high risk of this is that while 10KBLAZE is typically only seen on internal networks and relies on a weakness in, say, the SAP Router ACL, this is something that's just directly exposed to the web, and it's gotten a lot of attention from bug bounty hunters who are going out and creating proof-of-concept admin users and disclosing them to companies. Probably a little risky for that
to be going on on some of your business-critical systems.

All right, so fast-tracking your career as a Basis admin. SAP vulns are fun, but there are plenty of ways to get initial access. We do red team stuff; we aren't here to be limited by a couple of vulns or patch management. If you have a target, or you want to have a target, Basis admins are probably one of the best targets for gaining substantial access into SAP. Basis is just a fancy word for SAP admin. Sometimes they have special admin access, sometimes special network access, but they definitely have the rights that we're after, and typically they're over-provisioned with roles like SAP_ALL, which is effectively domain administrator for SAP. One of my go-to, tried and true techniques is RDP hijacking a Basis session; it still works in most environments. Getting that level of access typically means that we're going to go down the AD pen testing road, and I don't want to talk too much about that here, but RDP hijacking is still super useful in environments, and not just for SAP, right? This is something that we've used plenty of times when we're trying to get access into another ERP that might be the target and we might not have the software that's required, even if we have credentials to log into those systems. If your access permissions and rights are my access permissions and rights, I'll get where I need to go at the end of the day. Regularly you'll find these Basis administrators in their own group inside of Active Directory; that should really narrow down who you're trying to target. And they regularly post contact information on an intranet, which should also give you a couple of directing points on where you can go find some of these users. We also have a couple of RDP hijacking demos here on the right that I've pulled off of DoublePulsar, just in case you're not familiar with RDP hijacking.
There is a Mimikatz module for it as well. I believe this works all the way up to Server 2016. Oh, we've got him hijacking a session, and he's got some sort of "I was here first". Really what you're doing is you're just stealing a session, and you're assuming the admin is still logged in doing his work. Even if the credentials are MFA or anything else, you have their session at that point. All right, cool.

All right, phishing SAP users. Phishing is still consistently and regularly one of our most successful paths for initial access. Excel macros continue to be useful, but if you have SAP GUI scripting enabled, which it almost always is in my experience, they work particularly well for phishing for initial access directly into SAP. SAP Excel macros aren't gonna have the common indicators of compromise that you would see when you're trying to phish to get a C2 directly into memory. Sure, there's a macro with an IPv4 or hostname pattern, and an OLE object is created, but that's not gonna trip AV or EDR on its own. At the bottom you can see VirusTotal looking at some very simple SAP macros that were created: nothing is going to pick up on this. Yes, you don't have the same type of shell access that you would have otherwise, but you could potentially use this with some sort of SAP payload that, when executed, runs in the context of the user that's executing it, if single sign-on is enabled. SAP GUI scripting is something that almost every business relies on. But if you're following along at home, you probably are noticing that you're still gonna need a hostname, a client number, maybe even a domain for sending this type of information on behalf of a user. You still have to know where the SAP systems are, which is not a huge problem. If you're trying to get hostnames, SAP Web Dispatcher is absolutely everywhere. It's regularly disclosing SAP hostnames, domain schema, services and patches.
I rarely see it require authentication at all, but if it does require authentication, typically if you go from /default.html to index.html it bypasses authentication entirely. It will disclose the hostname, services, OS version and patches, and in my experience very rarely requires auth at all. Yes, these services can be disabled, but you can also check at /sap/public/info. If you're able to grab the hostnames of some of these machines that you're trying to target, you can pre-create malicious SAP GUI scripts or VBA macros. There's just a quick screenshot of all of the SAP NetWeaver ICM services that are potentially disclosing this information out to the web, and I guarantee you there are plenty more.

All right, so let's talk about grabbing some plaintext credentials. If you can get shell access on an SAP user's system, those same SAP GUI scripts we just discussed are also worth hunting for. Regularly they'll have hard-coded credentials, and there might be some fun backdooring or persistence opportunities for those scripts. If single sign-on is not enabled, SAP uses what's called SNC for encryption. If you have shell access and you're able to find yourself in a man-in-the-middle type of position, you can use an SAP Wireshark dissector plug-in that will quickly look through and parse out passwords directly from SAP pcaps. There's actually a Wireshark filter that does exactly that. Shout out to those guys who wrote this fantastic plug-in; I've used it somewhat regularly if I can find a way to man-in-the-middle the traffic between an SAP system and the user systems.

A little bit of background on the user types that you might be able to collect. You may get access to dialog or non-dialog users. A dialog user will allow you to just log in to SAP; you can kind of think of it the same way you would an Active Directory domain user account. And then, similar to an Active Directory service user account, you have non-dialog users.
Those are users that cannot directly log in to SAP; instead they will execute RFCs or ABAP code externally, and they can't log directly into the system. So if you do have access to a non-dialog user, you may still be able to take advantage of some of the elevated rights that you have in that context. To kind of show that and prove that out, I wrote RFCpwn. I'm sure there are other tools that do the same thing, but this was the tool that I pulled together. You can see on the right-hand side an Impacket-style enumeration and exploitation tool. We have the IP, the client, a user and a password that we were able to gain access to, and we're going to copy that user's rights into a dialog user called SAP priv user. The script runs, collects those user privs and moves them over to a brand new user. We can also run the dump flag, and that will give us all of the SHA hashes for an SAP system. So this is just a very quick proof of concept. I plan to make some updates to this tool here soon; feel free to follow it. I plan to post something here in the coming weeks, but really this tool is designed to demonstrate the impact of compromising service accounts. Cool.

So let's talk about cracking those hashes. BCODE is best code. There are three types of hashes you'll typically see as part of testing SAP systems. There are also SAP secure credential store hashes, but we're not going to really talk about that; those are better covered by other talks. What I'm really most excited to see is backward compatibility enabled for logons, which will mean that there's BCODE hashes. BCODE hashes will force every character to be uppercase, and it will truncate the password to eight characters. You might actually have a password that's much longer, but if you can crack the first eight with BCODE and then maybe the last seven with a Hashcat mask attack for a 15-character password,
you can start cracking out very, very long admin passwords that would be difficult to crack otherwise. There's a lot of ways to gather those hashes: via different table-reading ABAPs, or even just accessing the USR02 table in SAP and exporting a CSV. On the bottom you can see some of the Hashcat codes to crack these passwords. In the back you can see a simple mask attack that executed almost immediately, where we were attempting to crack out a BCODE hash using just an uppercase, eight-character password; it cracked out with "password". And then on the right-hand side, you can kind of see what it would look like to pull these out of USR02. There are also scripts that will pull these exact same tables, and if you're trying to grab similar hashes you can do that inside of RFCpwn as well. But BCODE is the best code; that is definitely what I'm looking for, and I regularly see it because it is required for supporting older kernel versions of SAP. I think anything before 7.0, you have to be supporting BCODE.

All right, code execution. Everybody loves code execution. So we have hashes and we have access into SAP, but everybody wants shells. If you're new to SAP, SAP comes with this handy T-code called SE38, and there's a transaction that you can run called RSBDCOS0. You run that report, it will give you a very basic shell, and you can cat out the password file and run some very standard commands. But if you want to go above and beyond, and you want to define your own commands and run pretty much anything you want, SM69 is the way you want to go. That is another T-code within SAP. It's a little finicky to get a reverse shell or a netcat-out shell; a simple fix that works for me is to curl over a one-liner named-pipe reverse shell, and after pulling that over you can execute it as a custom transaction. This is a very loud attack, right?
You're gonna show up as a brand new program type within this table, but if you're looking for a shell, this may be a way to gain access. So we've got a quick video of kind of what that looks like on the right-hand side. You have a transaction that I've created here; I'm just executing the script that I just curled into the standard directory. I'm not listening yet, so we ran it once not listening; come back up, run it again, and we've got a shell. All right.

And lastly, we're going to talk a little bit about fuzzing SAP, just some things that I've seen work. Radamsa has been very, very successful in fuzzing SAP in the past. You can see a few ERPScan security researchers who found vulnerabilities using it back in 2016 and 2017. Using that same framework, I like to use Cisco Mutiny, which leverages part of Radamsa and automates a lot of the process of extracting potential fuzzers, creating the fuzzer, and then being able to run fuzz cases, all based off of just some pcaps you can pull out of Wireshark. And then you can of course use that Wireshark dissector that we talked about and begin to understand what exactly is being fuzzed, how it's being fuzzed, and dive deeper into the binary. And to that end, one of the things that I've been finding kind of interesting, and I haven't seen a ton of success with it yet but I'm really excited about, is this vulnfanatic plug-in for Binary Ninja that will go out, look for sources and sinks, and start highlighting parts of the code inside of the control flow graph, and maybe show you where a potential buffer overflow from a memcpy or a scanf could be happening within the binary itself. So on the right-hand side, you've got the HANA database index server and some potential buffer overflows up at the top that vulnfanatic believes it has identified. And then lastly, I'm just gonna release an old PoC that I had for a crash inside of the HANA database server that affected every version up until last August. So if you haven't patched since this time last year, consider patching. But hopefully somebody can find it useful, or at least kick some tires for somebody.

So those of you with a red teaming background or pen testing background have definitely touched Impacket or a tool that's built off of Impacket. Similar, but for SAP, is pysap. It's a library for crafting SAP network packets, built off of Scapy. Martin maintains this; he does a fantastic job. He has a ton of example scripts. Strongly, strongly recommended for trying to craft SAP fuzzers. The HDB auth module is something that recently got pushed out; I'm super excited to try that out on my own. One of my favorites, and you can see it on the right-hand side, is this ms_dump_param example module that will tell you some of the potentially sensitive settings that may or may not be enabled. If you look at the right-hand side, some of those have exclamation points, and if we look down toward the bottom, we can see login/password_downwards_compatibility is set to zero. Now, that would be a good thing, but bear in mind this is just the operating config, not necessarily the running config. So even if it's a zero here, there's a potential that downwards compatibility is enabled in something like RZ11. We won't get into too much of the nuances here; just because it's marked there as downward compatibility disabled doesn't mean it's actually disabled in the running system. And if that is disabled you might not get BCODE hashes, but maybe you will get BCODE hashes, because somebody's gone and made that adjustment in the running config and somebody's logged in or changed their password with that enabled. Further, there's a ton of different protocols that this supports. If you're gonna do any sort of packet crafting, this is a strongly recommended tool for fuzzers or for SAP research, and I use a lot of these tools in my pen testing, in addition to some of the standard modules you see inside of something like... Cool.

All right, so what did we cover?
Newfangled SAP vulns, how to target SAP users and which SAP users I would personally target, gathering cleartext credentials, code execution as non-dialog users, fuzzing SAP as a target, and the pysap library. Some shout outs to some fantastic researchers, friends, people that I look for additional research from. These are all fantastic SAP researchers; I strongly recommend following each and every one of them. And then on the right-hand side you have my Twitter and Discord. Feel free to reach out based on this talk, ask questions; I'd love to hear from you and collab on some stuff. SAP is definitely an area of growing interest over the last couple of years, and I think it'll continue to be. And with that, we can turn it over for Q&A. I will be in the chat, so feel free to drop me questions there. This is pre-recorded just a little bit beforehand, so it's still very fresh, but drop me questions and I'll be sure to get back to you quickly in the Red Team Village Discord channel. And thank you for coming.