As a professional pentester, we have indeed faced security assessments that are entirely new to us. This means that we will need to document ourselves before, during and probably after the safety assessment has taken place.
Usually, if we search on the Internet we often find everything but actually if we look at how to make a pen test of an SAP environment or how to do a vulnerability analysis we find things outdated, old talks and above all little or no work methodology. The biggest problem we can find when we need to audit an SAP system, we must also take into account that the client may ask us for a security assessment of the architecture and therefore we must know that they make each of its components.
It is clear that if the client wants a review of the SAP WEB part, we may find it easy to configure Burp and start our pen test, however, if it is not a question of this type of security evaluation and we are required for something deeper then we need to Know some points before I will mention below.
If we look for information on how an SAP infrastructure works, we can find a thousand proprietary SAP documents that will drive us crazy. So let’s look at SAP is simple and for this, it is best to look at the Wiki where we get a brief description of what are the functions of this software so popular in banks and large organizations.
SAP Business Suite is a set of programs that allow companies to execute and optimize various aspects such as sales, finance, banking, purchasing, manufacturing, inventory and customer relations. It offers the possibility to carry out specific processes of the company or to create independent modules to work with other software of SAP or of other suppliers. SAP is based on an integrated technology platform called NetWeaver. The suite can support almost any vendor’s operating systems, databases, applications and hardware components.
Currently, it provides support for the following business areas:
- Product development
- Customer Service
- Human Resources
- Supply chain management
- Information technology management
Once we know to use this platform we can start analyzing its main components. These components that are implemented in NetWeaver Application Server (AS) can be installed on different platforms and different operating systems however the parts that interest us most as pen testers are the areas that have to do with configuration parameters, transactions, authorizations or Even the reporting area, however, we must review the following.
- Network Security
- Remote Function Calls (RFC)
- Web Services
- Central User Management
- Methods of transport
- System maintenance
- Patch Maintenance
- Logistics Services
In the same way, as in any other security assessment, we must follow the following phases:
- Phase of discovering SAP services in infrastructure
- Vulnerability assessment phase
- Exploration phase
Next, I will write a brief introduction about some concepts of SAP that we are interested in knowing and that we should know.
Instances and systems: SAP instance is known as a group of SAP components that provide us with one or more services.These systems are identified by SAP System ID or what is known as (SID). We must also know that the systems (instances) are parameterized through profiles.
Customer: Customers are independent in an SAP system and are identified by three digits. The default clients are 000,001 and 066.
Transaction: They are related to the sequences of dialogues that are maintained with the database the type of operations that are carried out. The codes that identify these transactions are varied but here are some examples (SE16, KF01, SU01, ..)
Authorizations: SAP provides the feasibility of configuring and assigning roles that will, in turn, contain the permissions we assign to you.
ABAP: ABAP is the type of high-level programming language that is used in SAP.
Reports or programs: BAR programs receive the data entered by the user, and they perform a report based on the form in an interactive way for the user.
Modules: There are different modules and functions that allow to be invoked remotely in SAP. The modules use Remote Function Call or what we know as RFC.
More Common Problems Detected in SAP Evaluation
The most common problems during a pen test have to do with the default configuration of SAP, and the administrators do not modify that. By default, many SAP settings are not secure, and we can take advantage of them to compromise the system altogether in certain scenarios.
The impact of an organization’s commitment to its SAP system is very high because this system usually stores confidential or sensitive information.
They actually hire us to detect failures in configurations, look for weaknesses in the infrastructure and thus increase the security of the systems based on our recommendations.
To carry out correctly our pen test we must have our arsenal ready for the pen test; this includes the following tools
- Tools for Rservices (rsh, rlogin, rexec)
- SQL client for multiple systems (Oracle, MSSQL)
- Tools for NFS and SMB
- Burp Suite
- Finally, Hydra-type brute force attack tools.
We must be cautious with the tools we use during the audit since we could cause a possible denial of service or even if we modify some value in SAP without understanding what its consequence may be an unfeasible system.
Phase of discovering SAP services in infrastructure
This phase is the most boring, but it is crucial to have a good result during the pen test. In this phase, we will have to detect and discover the services exposed by the infrastructure and belonging to SAP.
- Traffic analysis (We can configure Wireshark)
- Port Analysis
- Check the configuration from your SAPGUI client
The ports have a pre-defined format PRE + SYS.Number this means that the first two values indicate the service and the other two indicate the system
- Common ports are: 32xx, 33xx, 36xx, 39xx, 3299x81xx
Tools like Metasploit, Sapyco or Bizploit can be handy during this phase below a list of all Metasploit modules that are useful in this phase.
- Auxiliary / scanner / sap / sap_router_info_request
- Auxiliary / scanner / sap / sap_router_portscanner
- Auxiliary / scanner / sap / sap_service_discovery
- Auxiliary / scanner / sap / sap_icm_urlscan
- Auxiliary / scanner / sap / sap_rfc_client_enum
- Auxiliary / scanner / sap / sap_soap_rfc_ping
- Auxiliary / scanner / sap / sap_soap_rfc_system_info
- Auxiliary / scanner / sap / sap_icf_public_info
- Auxiliary / scanner / sap / sap_soap_th_saprel_disclosure
- Auxiliary / scanner / sap / sap_soap_rfc_read_table
- Auxiliary / scanner / sap / sap_rfc_read_table
- Auxiliary / scanner / sap / sap_rfc_usr02
Brute force attacks:
- Auxiliary / scanner / sap / sap_web_gui_brute_login
- Auxiliary / scanner / sap / sap_soap_rfc_brute_login
- Auxiliary / scanner / sap / sap_rfc_brute_login
Attacks to execute commands in Windows or Linux
- Auxiliary / scanner / sap / sap_rfc_dbmcli_sxpg_call_system_command_exec
- Auxiliary / scanner / sap / sap_rfc_dbmcli_sxpg_command_exec
- Auxiliary / scanner / sap / sap_rfc_sxpg_call_system
- Auxiliary / scanner / sap / sap_rfc_sxpg_command_exec
- Auxiliary / scanner / sap / sap_rfc_abap_install_and_run
- Auxiliary / scanner / sap / sap_rfc_system
- Exploit / multi / sap / sap_rfc_abap_install_and_run
- Exploit / multi / sap / sap_rfc_sxpg_command_exec
- Exploit / multi / sap / sap_rfc_sxpg_call_system
- Auxiliary / scanner / sap / sap_soap_rfc_sxpg_call_system_exec
- Auxiliary / scanner / sap / sap_soap_rfc_sxpg_command_exec
- Auxiliary / scanner / sap / sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
- Auxiliary / scanner / sap / sap_soap_rfc_dbmcli_sxpg_command_exec
- Exploit / multi / sap / sap_soap_rfc_sxpg_call_system_exec
- Exploit / multi / sap / sap_soap_rfc_sxpg_command_exec
- Exploit / multi / sap / sap_mgmt_con_osexec_payload
Remote attacks via SMB Relay.
- Auxiliary / scanner / sap / sap_soap_rfc_eps_get_directory_listing
- Auxiliary / dos / sap / sap_soap_rfc_eps_delete_file
- Auxiliary / scanner / sap / sap_soap_rfc_pfl_check_os_file_existence
- Auxiliary / scanner / sap / sap_soap_rfc_rzl_read_dir
- Auxiliary / scanner / sap / sap_smb_relay
Modules for creating users in SAP
- Auxiliary / scanner / sap / sap_soap_bapi_user_create1
- Auxiliary / scanner / sap / sap_soap_rfc_susr_rfc_user_interface
- Auxiliary / scanner / sap / sap_ctc_verb_tampering_user_mgmt
Modules for interacting with the administration console via SOAP
- Auxiliary / scanner / sap / sap_mgmt_con_abaplog
- Auxiliary / scanner / sap / sap_mgmt_con_brute_login
- Auxiliary / scanner / sap / sap_mgmt_con_extractusers
- Auxiliary / scanner / sap / sap_mgmt_con_getaccesspoints
- Auxiliary / scanner / sap / sap_mgmt_con_getenv
- Auxiliary / scanner / sap / sap_mgmt_con_getlogfiles
- Auxiliary / scanner / sap / sap_mgmt_con_getprocesslist
- Auxiliary / scanner / sap / sap_mgmt_con_getprocessparameter
- Auxiliary / scanner / sap / sap_mgmt_con_instanceproperties
- Auxiliary / scanner / sap / sap_mgmt_con_listlogfiles
- Auxiliary / scanner / sap / sap_mgmt_con_startprofile
- Auxiliary / scanner / sap / sap_mgmt_con_version
Vulnerability assessment phase
Now that we should already have all the information of the system that we are auditing I must also comment that some of the modules or tools that I have named before also serve for the exploitation phase.
The ports of the service known as the dispatcher and the port of the web console must be analyzed with determination. The dispatcher service is where the SAP client is connected by default so we would gain direct access to the system if we gain access as an administrator with default credentials. Here are some of the default SAP credentials.
- SAP * – 06071992
- SAP * – PASS
- DDIC – 19920706
- SAPCPIC – ADMIN
- EARLYWATCH – SUPPORT
- TMSADM – PASSWORD
- TMSADM – ADMIN
Software outdated or out of support
Finding outdated SAP modules or out-of-support clients are the most common cases within the SAP security assessment. This is usually because the end user does not update the customer and the production modules often contain sensitive information and need to be accessible at all times. These are the most common causes for which the SAP system is not usually updated, and therefore we can take advantage of it.
This is a big problem for the organization because some of the known vulnerabilities are public and therefore give a great advantage to the attacker who will have more chances of success in the case of attack.
Third Party Software
We must not forget that SAP is installed in many systems and that these must also be attacked and violated (as long as it is within the scope). It does not do us any good to have all SAP updated if the systems are vulnerable, in one way or another we would gain access to the data and therefore the systems should be audited according to the benchmark CIS guide.