
Thank you. Hello everyone, can you hear me okay? I see that you are returning, we're almost there, we're going to be starting right now. Okay, well, first of all thank you for being here and thank you to the organization for accepting this talk. Today we're going to talk about attacking and defending SAP systems. We're going to give a brief introduction to this type of system from the red team and from the blue team point of view, we're going to see some of the attacks, we're going to see some countermeasures and even a little bit of monitoring, what strategies we can take to actually monitor and understand what is going on. If you don't know, because you have never played with this type of system, and you might be wondering what this SAP thing is: no biggie, it's just the main financial system in the world, and we're going to be talking about that. As I said before, this is going to be just a really, really brief introduction. If we wanted to talk about SAP we could be here for months; SAP is so big and has so many components, cloud interfaces, etc., that we would be here for months, but hey, at least you get an overview.

So this is a slide that we always put and no one reads, but it's very important. Pretty much it says that we don't want to override any of the rights that SAP has on its own brand, that's it.

Okay, so I work for a company that specializes in SAP cyber security. The company has some software, but apart from that I do a lot of the services, especially the SAP penetration testing, and it's through that experience that I'm going to be sharing today the common attack patterns, how attackers are normally targeting this type of financial system, and what your chances are to defend against those attacks. Sometimes it's easy, sometimes, well, you will see in a few. Again, my name is Jordan Santarsieri, I am the founder of the company, and I started as probably many of you here, as a general penetration tester. Well, I was specializing at the time on the banking industry, that's why I got pivoted to SAP, but I was attacking pretty much everything: switches, application servers, web apps, etc. At some point, as I was already doing some banking stuff, I started to get some traction on SAP, like, hey, why are all these little banking interfaces going to this gigantic system, what is going on? So that's how I got my expertise. I started to check, review and analyze SAP systems back in 2008, and since then I have worked with many, many big organizations, a lot of military institutions, the biggest [inaudible] on the planet and tons and tons of Fortune 500 companies. We're going to see later on why SAP is so closely related with these important companies. Today I have the privilege to speak here for you, [inaudible], but I'm also an often speaker and trainer at Black Hat, OWASP, [inaudible], Insomni'hack, CODE BLUE, Ekoparty, [inaudible], etc.

So, enough about me, let's see what we have for today. I have split this presentation in four. We're going to see an introduction to SAP, and we're going to see the financial implications of SAP. It's very important that we spend these slides to give the intro, because otherwise you might not understand once we get to the point where we're going to see the attacks in real time. I'm actually virtualizing an SAP system right now on my machine, a reduced version for obvious reasons, and because I'm crazy and I like to take risks I have several live demos that I'm going to be showing to you, if time allows us. So yes, in chapter three we get fully technical really fast, and finally we close up with some of the conclusions, okay, and the Q&A of course.

Chapter one. For those of you that have never seen an SAP system before, you might be wondering, okay, what is SAP?
well sip is actually an acronym it stands for systems applications and products in data processing so of course no wonder why people chose say sip it's shorter it's easier it's catchy so I don't know if you knew about the history of sip but back in the 72 a little bit earlier there were a couple of Engineers working for IBM they were working on an Erp for IBM Erp stands for enterprise resource planning software uh to give you a super over simplification an Earp software aims to provide solutions to all the different parts of a company Logistics HR uh perform payments man goods management Etc so they were working on this Erp system for IBM and out of the blue pun
intended uh IBM says you know what the project gets cancelled and these guys look at each other and say hey wait we do have something good between our hands there is nothing similar on the market why don't we split up and create our own company maybe we can develop our own Erp system and let me tell you guys this was one of the most successful business decisions on the history of model software look at these numbers sib right now has more than 105,000 employees worldwide and two days ago they even announced that they're going to be over hiring like surpassing the expectations uh pretty much in India they're going to be hiring and hiring more people there are in
155 countries if you look I think in the UN the the number of countries that the UN recognizes right now is around 222 well those guys they are working in 157 countries they're huge and most importantly they say that they have more than 480,000 customers worldwide and when they do the count they do like pretty much no matter if the customer has something like really small or if they only have a cloud component Etc who as long as you're paying for something as a related you're counted as a customer so in types of solutions how many SAP systems are out there and what are the main difference I'm going to give you again once again a super
oversimplification just to give you an idea of what they are out there and what information holds because again this could be like a gigantic map if we wanted to expand but for Simplicity sake I have divided this in three Enterprise Solutions supporting Solutions and the new ones the cloud Solutions Enterprise solutions to for you to understand it very easily is where people log to work very simple uh where if you need to request for vacations you log into an Enterprise solution if you are going to be processing what is the payment of the employees it's going to be an Enterprise solution if you want to do intelligence of the information that you have Enterprise Solutions the vast majority
right now in the market the vast majority of the Enterprise Solutions are still on Prem but this an active effort of sip to migrate those system 100% to the cloud I don't think they're going to be able to do it I think we're going to leave in what is called a hybrid environment a little bit on Prem a little bit in the cloud think about it there are a lot of pii information that you cannot just put directly in the cloud so if you only have if you if the company that you're working with only has one sap system and only one they will have what is called the sap Erp or s for Hana depending the version that
you're dealing with if the company's processing credit cards they're going to be there if the company is um paying vendors the money the bank accounts all the reference of the vendors the teens ER iband everything is going to be on the Earp then you have a couple others the the vi is where people uh utilize to do business intelligence uh for example customer has bought a pair of shoes like five years ago maybe time to keep sending emails uh offering new shoes well all that information is done in bi quarter information like knowing if compan is doing well like publicly trade company is doing well or not how they determine that with information on the vi and CRM for example is another
example of an Enterprise solution and is very important especially here in Europe because of the law um they centralize and correlate every single inter action of the people of the customers with the companies so it's very important to be protected because if we leak personal identify information that is going to be on the CRM guess what Mr gdpr will come knocking at your door then we have supporting Solutions this one's super simple the supporting Solutions the main goal is to provide support to the Enterprise Solutions here where you're normally going to be seeing uh are technical users to log in you you won't see the vast majority of the company Lo into this um for example you
have the GRC I'm pretty sure most of you will know what government risk and compliance it is right now to give you an example to make sure that if a user can create a purchase order that user should not be able to approve that purchase order for obvious reasons right fraud um we have mobile CL connect or Etc and finally as I told you before the newest and the greatest uh sap offering we have the cloud Solutions here it changes a lot it changes a lot in terms of the architecture the protocols that we're going to use Etc uh maybe if you are aware of sap you might hear about sap btp business technology platform
that will be the go to point for sap in the future AIG pretty much it will be an IDP if you want to combine this with single signon for some of the solutions and CPI that is is a really fancy way to call a middle world that is in the cloud pretty much you will accept request from all different uh SAP systems and it will centralize it and send it to your ompr network or to other club components that's like a gross generalization so very basic component um Concepts that you need to know before we can get technical here uh the first one is the concept of sap landscape a landscape and you will see it a lot in
the documentation is pretty much a logical division created by sip if someone tells you hey how your Erp landscape looks like that person will be asking you to describe the development system the QA system and the production system the minimum expression and sap here the manset for the vast majority is three Dev QA and production but it's up to the company to decide how many tiers they want to have to the left side you might have a Sandbox and it's totally fine um between between QA and production you might have uat and it's totally fine that is up to you of course the more you are the more you have to administer and the mod you have to
secure okay and each one of the systems is going to be identified what is called a seed uh three characters or three digits name that we're going to assign to the esap systems and that name cannot be repeated across the landscape so this is how the sap system looks like again an oversimplification for the sake of time uh of an sap how it looks like right and we're going to be talking mainly about the framework depending on the documentation and the version that you're dealing with you might find that that framework is being referred as netweaver or now with the new push thatb is doing they are referring as S4 or S4 Han Etc so so the
framework is definitely the most uh important piece of technology that Sab has to offer because its job is very important the framework that sits here on the application layer is on charge to regulate how the sap system is going to operate with the operating system how it's going to connect an interface and how the Sip system is going to connect to the database and we're going to see very soon that there are a lot of trust relationships that we can abuse if we have the right permissions now the framework is service oriented and we have two type of framework we have aab is the most important one and if you need to remember something for it is that it's
where the money is uh here you have the credit cards the payments ions Etc the important stuff is the ABAB and mainly is utilized as a backend and you also have another one that is Java base that sap is not so slowly deprecating it but still you might find it in tons and tons and tons of companies it's mainly used for um extranets or to provide some web applications but again it's not being used anymore these net Weavers like a and Java will have its own set of services some services are share some others are not and each one of those services will have an specific Port so moving forward AP part of that aart of having one system we had the
concept of application servers look at this diagram look at production suppose that at the beginning we created a company we bought sap and we had to provide support for I don't know to give you an exaggeration 10 users perfect um when you do the hardware spec you don't do it for 10 you do it for 20 right well the business goes well a couple years pass and you no longer need to support 10 users now you need to support a thousand what do you do you throw everything away and you start from scratch no sap tells you hey why don't you add an addition application server and you do uh load balancing so that is
pretty much what is an application server is it's another entity that is part of the sap system um the only caveat is that each one of the instance each one of the application servers we have an instance number that you Define at installation time it goes from0 to 99 so in theory you might have up to 100 um instances out there okay and then there are uh some other differentiations each application server might have its own set of services because you can split it it's a little bit more complicated but just remember that each application might have services and that's it something that we're going to be seeing a lot especially when we try to fix some
of the stuff is the concept of profile parameters pretty much a profile parameter dictates how sap works is it's a configuration in sap and you have more than 2,000 profile parameters it's just one way to configure this IP and you you already have 2,000 ways to do it here it's pretty much everything from like the path of the logs the the amount of ramp that you want to give to the virtual machines to for example some security related like minimum passort length right every single one of those configurations can be done through a profile parameter but there is a caveat and this is a consequence of dragging technology from the '90s the kernel that this ipus is a little bit old and
therefore is monolithic what does it mean or what is the real impact well if I want to change the vast majority of the profit parameters there are a few that are different but if you want to change 95% of the profile parameters you need to restart the sap system for the changes to take effect and for those of you that don't know much about sap you might be well it's it's not a big deal uh I have my workstation with Windows and from time to time you ask me to to reboot or I have my Linux box and when I need a new kernel I do need to reboot it yeah fine but those are consumer things
this thing manages a lot of money and you can use it to sell stuff you can use it to pay taxes to interface with banks this thing needs to be 24/7 so it's not that you will be able to restart the sap system whatever you want it in general you have Windows of opportunities that are very well designed uh the ones that they restart more often they give you one per quarter and some customers only give you one per year so when you need to restart a system just to change for a minimum pass L that is a problem so here on the bottom you see how is the syntax of a profer parameter is quite simple like a key value you get
the key on this case deore audit and you get the value that pretty much is a path where you're going to be storing the locks chapter two what are the financial implications we know a little bit okay what sap is why is so important in the financial world look at this number 85% of the Fortune 500 companies for those of you that don't know Fortune 500 are pretty much the richest companies that are there in the world the richest and the biggest and 85% of those use sip any product of sip in general most of them they do have the Erp but to each their own and this is a claim that sap uh offers that they say that their
customers generate 80% of the total Global Commerce Revenue that is out there this of course is legal activities uh of course it doesn't have into account illegal activities I don't know how they were able to reach that number I'm 87% but it's is what they claim so what you are finding inside this kind of systems everything I'm going to say everything everything uh chances are that if your organization don't have an Scala well the most important system in your organization is going to be an sip you have employee salaries that you can easily modify if you hack into it uh you have payment to service providers credit cards bank accounts very important you have financial performance
reports uh it happened to me uh on a pentest that I was like hacking inside the sap system gigantic automakers um I was able to get the financial results before they make those financial results public for an attacker perspective that is crazy and it's an opportunity to gain a lot of money uh if the company did well you just go to the stock market that buy shares if the company did it uh poorly you choose go andure the company uh that's why it's so important from the T point of view to to enter or try to check these kind of systems and a part of that and this changes from country to Country this thing is directly connected to Banks uh
this thing allows you to perform business and financial transaction pay providers right away it's not like Swift that you have like a pre control Etc no here it just goes and depending on the country this thing also needs to be connected 24/7 to tax agencies every time that you sell something you need to declare on real time the sell to the different tax agencies again this depends on each one of the countries this and in combination with like the security organizations claiming that there are a lot of attacks a lot of cyber tax and there are a lot of money that is being lost to sap you might be wondering okay so why someone will
attack my sap system it runs business critical applications stores very very sensitive information the organizations highly depend on it and in simple words it's where the money is if if the attack is financially motivated and the company has an sap system well it's a no-brainer and because of that and here I want to do a disclaimer especially for those of you that are pentesters or do consult thing um it's very important to translate the vulnerabilities what do I mean uh if if you go to an organization and you ask okay who owns the workstations who owns the switches uh who owns I know the VIP funds they will tell well that would be the IT director
well if you ask who owns the sap system and again this depends on the organizations it will not be IT director it will be the CFO the Chief Financial Officer so if you go with a vulnerability and say hey you you know what I was able to get an rce and because this rce and a shell a payload that I have and the Shell Code I was able to get a shell and with that shell get into the system that person will look at you and what you're speaking Japanese or what but if you say hey you know what I was able to without credentials get inside your sap system inside the database and because of that
and I now have access to the credit cards that message changes a lot it immediately gets understood that there is a problem and that the organization needs to take needs to go a little bit further to actually mitigate and fix that problem it's very important that you articulate the message correctly and it's very important that you understand the business a little bit more when you present the results otherwise no one will understand you and things will still left uh and patch and broken so everything that we're going to see here we're going to divide in three like espinach sabotage and fraud espinach to be simple and to give you some examples it's I think um what information of one
company could be valuable for another like especially if you need to create like manufacturing stuff uh formulas Etc um sabotage these things sip is very often also connected to the line of production and if the sap system goes down you lose the tracking and you might need to throw away some of the production it happens to to us when we were working with a customer um that pretty much manufactur yours in order for them to be able to guarantee that the validity of the yur that they're not spoiled they needed to be running with Sab 247 if not they need to throw away the entire production and finally fraud the most most common one I
have seen it all here like people creating true employees getting true salaries Etc it's very common it's the most common type of attack that you see in sip okay so you got introduction you survived introduction very well um now we're going to start getting tnal now we're going to start seeing some of the attacks particular we're going to focus on one component again it's impossible to show you everything in just 45 minutes but we're going to use one of the most common attacks components in sap and one component that was created and is still extremely relevant today it was created in 1992 very old still very usful so we're going to be talking about the esap
gway the gway is a component that is in avab and Java and as many things in sip it will handle a proprietary protocol it's called sepic RPC it's actually a multi-level protocol um there is no much documentation about this only if you have like really good reverse engineer skills or if you are an sap employee more or less you know how it works there are a few rappers that makes your life easier even though now sap is deprecating those uh but still only if you do reverse engineer more or less you know how this thing works what is the main goal of this Gateway pretty much share messages you can share it from one sap system to another or an Sab system
and external interfaces by default the Gateway as I told you before it will run in its own service its own uh Port is 33xx what do you do I mean with XX remember the instance number that each one of the instances will have a number right well is here is is the same if I want to reach the Gateway on instance Z I hit the port 330 and if I want to hit the instance 01 I hit the P 3301 normally you will not expect to see the gway exposed to the internet but again I have seen it all shown to I you still find them very very easily so the gway might or might not
require credentials because it's a free country I do what you want yes it's very permissive and on top of that and with many many things in sip uh by default the communication is unencrypted and it's not easy at all to encrypt that communication it's not as like I put a certificate there and everyone is happy we can go home oh no it's a mini project in the newest newest versions of sap they do offer uh encryption by default but again it's self sign you you need to redo the whole process so it's a little bit tricky so what happens if the sap Gateway is unprotected as it is in many versions by default well a remote and
unauthenticated attacker just by having network connectivity will be able to start or register programs they're called RVC external programs those programs come some programs come pre-register in sip but you can upload your own that is up to you one of those programs and the program that we are going to exploit and a program thatp uses a lot and when I say a lot is like a lot is called sap xpg the sap xpg will allow the sap system to H execute task operating system commands at the operating system level and it's going to do that with a system H sorry with a user that is called cadm the CDM is the Sap's operating system administrator so
if you gain access to this if you are able to exploit the Gateway you already have access to all the resources on the file system that belongs to the sap system and it's exactly what we're going to do if the cods of the light allow us so pretty much I have prepared an exploit I'm not going to give you the the details of this one because you can easily create a worm and sap is going to kill me um but you will see how easy it is to actually get common execution here you will see that IP that I'm hitting uh it says Local Host is because I'm doing some mhic with the nothing as everything
is cramped on on my PC but it's a live sap system that I have brought for you you just need to hit the port and pass the command just like that directly if the Gateway is unprotected Blom you get directly common execution and it's not just like it's you you can do pretty much whatever you want you you can do an ID to see the the Privileges that you have you can do like this pretty much you can do everything that they see ADM user can you can shut down this AP system right here you can delete the Kel perform a the of service everything remotely you just need network
connectivity so before we move forward how do we fix stuff okay if you're lucky enough and you don't need external interfaces to speak with your gateway you're in luck is just a Prof parameter very simple you just switch the Gateway ACL mode this profile parameter to one and you restart the sap system otherwise the changes will not take effect and once you do that only the application servers will be able to connect to the Gateway if you cannot have that because you have a legacy interface that you need to deal with well uh welcome to the magical War of the ACL files as a lot of things in sip is an access control list where you will need to Define like what
user from what IP to what sap host and to what program putting the ACL together it's itself is relatively straightforward is not complicating having the information to put the ACL in place like understanding what is passing through your gateway is different you might be thinking well Jordan from the blue teer point of view the execution the government execution was really straightforward so it should be really simple to detect these kind of things well yes and no uh unfortunately especially on the aab stack most of the audit Trails most of the security the a Trails do not come enable so you need to go one by one remember all those services that I was telling you before
you need to go one by one to each one of those services and activate the audit Trail and once you have that audit Trail you can do it with this profit parameter then yes the logs are going to be processed there is no uh there are not two logs in sap that they are similar and here they went wild every single service will have its own syntax own logs some of them will be really easy to purse as you see here the Gateway some others as the main a the trail no they're not even plain Texs uh some are binary so good luck interesting that in in splank so at this point what do we
have we have operating system commands but we want to do more well remember backa that was telling you that there is a trust relationship always always the application servers will maintain a trust relationship with the database what does it mean it means that if I have access to this CDM I will be able to execute arbitrary queries as the user that is running the sap system without providing any passwords just the the command and we're going to see it for this example uh the system that I have here for you today is running an Oracle database so we're going to see that we're going to be using the SQL plus client I'm pretty sure many of you
if you have work with Oracle interpass you have deal with the SQL plus you can go right now to oracle.com and download a copy there is no magic here it's just a regular client there is a problem here the way that we are using to execute queries is exactly the same thing that sap uses for the normal operatory so it is extremely and when I say extremely it's like extremely difficult as a forensic investigator or as a sock person uh to identify or to make the differentiation between a real attack and a normal execution unless the the attacker is a script Kitty and went wild truncating or deleting a lot of stuff it's very unlikely that you will be able
to to to tell apart normal operation versus these kind of things uh versus an attack so what we can find in the data is 95% of the stuff thatp handles is in the database so credit cards um salary bonus vacations purchase orders we will be able to modify them all if you have database access we also have password hashes and we're going to see some examples and I'm going to be describing for you the the command so you guys can see it pretty much we're do the same that we do last time we tag the host we tag the Gateway on the given port and look at this we invoke the SQL plus binary not one
that you have here in your local machine if not the one that is on the sap system and we say hey I want to elevate our privileges we want to use this uh trust relationship so whatever we are going to execute please do us a favor and execute it as cdba and then you pass the query the the query you previously create you do an echo select all from you leave it on the Sab system and then you execute it once you have that that's it it goes directly to the database without asking you credentials because again you are abusing the trust relationship that sap already is maintaining with the database so you have all the users and
you have two hashes we're going to be talking why there are two
hashes so we have now now access to the operating system we have now access to the database we want to get to the application right we want to use in the application so what do we do well uh someone that is not very skillful or couldn't care less about the system as we can execute the queries we do an insert into da da and create a new user for us that is not neat and that is definitely not for a a good professional what we're going to do as we have access to the hashes we're going to use those hashes and we're going to crack them so we can log the sap system and here comes
the funny part depending on the version of your sap system uh you might have up to three different hashes for the same user and using up to four algorithms It's s bit complex uh long story short is for Don compatibility Aller SAP systems they only know how to create older hashes newer SAP systems will able to create and support all of them the first one and the most vulnerable is called B code and hear this is md5 base md5 it's up to eight characters long no matter if you put like a gigantic hash whatever you put there sap is going to truncate it in eight case insensitive uh some of you if you have experiencing with cracking the you're
already enjoying this it's non Unicode and it does have a salt good at least the the hash is salt but the hush is using the salt the username so yeah you canot do a rainbow table for pretty much everyone but you can Target whatever usit you want then you have a newer one passcode is s ha1 base so at least now your passwords can be up to eight car long they K sensitive now we are duplicating the Char set very good and it's even unical so from the cracking point of view it will take many many more hints in order to actually crack the passwords they share a a fency with a V Cod they do use a salt but the salt
is the username still not the best and then we have the newest ones that called PW salted hash where we have two possibilities uh we can do a salted s A1 with 20 uh 10 24 iterations how does it work you get the password you hash it once and then you apply uh 1,23 more hashing you do that to make the hash more expensive the more expensive it is to generate the longer it will take for an attacker to crack it and then you have the newest the greatest uh algorithm that only the newp system can support that is assaulted s ha but this time 522 bits uh the other one was 128 15,000 iterations you hash you hash
you hash, you hash, 15,000 times the same password, and a salt size that is really big. These ones take years and years to crack. So what do we do here? Well, we're going to take advantage here. As we saw some of the hashes, I'm going to be showing to you that we're going to use John the Ripper, you know, this open source tool, to actually crack the hashes. But there is a caveat: the format is a little bit particular. Look at this: it is the username, double dot, the salt (but remember the salt was the username), and from the double dot here comes the different part: from the double dot to the dollar sign, that is obligatory, it has to be 40 spaces. If you don't do 40 spaces exactly, John the Ripper will not recognize the hash. So once you have that, you pretty much go to John, run, you invoke John the Ripper. For most of the hashes John is smart enough, it will recognize that these are hashes from SAP; you just pass the hash. As we are targeting BCODE, you saw that it's just like that, the password is up to eight characters long, so it's really easy to crack. The higher you go in terms of the hash, well, it takes more and more, obviously. So pretty much you have the user Jordan with the password super SEC. So you go to SAP, you connect, so you do Jordan, and that's it: as the password was valid and this is my first logon, SAP is saying "hey, okay, it worked, would you like to change your initial password?" So
good. Once again, what can we do to actually make things better? Well, if you are lucky enough that your organization or your customer is running the newest versions of the SAP system, good: what you can do is to disable downwards compatibility. You just change the profile parameter and put it to zero, and you can always force SAP to use the latest and greatest hash algorithm. And on top of that, because all the old hashes will remain, you need to run a specific program in order to clean up the vulnerable hashes. If you are not lucky enough and you need to support all the SAP systems, you are stuck with it; there is nothing you can do to actually migrate to the newest hashes, simply because the older SAP system will not understand the new hashing, and that's it, you are stuck forever until you can actually migrate those SAP systems. So we got operating system commands, we got access to the database, we're able to crack the hash, we got application-level access. What else can we do? Well, the most important security mechanism that SAP has, for both ABAP and Java, is called Secure Storage. We're going to see only the one for ABAP because it's the most important. Pretty much, the secure storage is a file system container that is encrypted, nothing out of the ordinary, and what we can find there, oh, a lot of
stuff: usernames, host, port, passwords for the database, PINs for containers that will contain public and private keys for certificates or whatever you are using, encryption keys for what is called destinations, for moving from one system to another, master passwords, the passwords of the most powerful users. A lot of very important secrets are stored here. In all this file system container you will find one or two files. The first one, the one that you will always find, ends in dot do. Pretty much, as I said before, it's a file that is encrypted in Triple DES, and it's not like generic Triple DES: SAP always likes to have something generic, modify it, and release it. There is always a twist with the encryption. And also you might or might not have a .key file. If you don't have a .key file, which is the default, you are encrypted with a default and hardcoded key; pretty much everyone in the world has that key. If you're lucky enough that your administrator installed it correctly, you will find a custom encryption key that will be in this key file. I don't have a lot of time to explain how it works, so I'm going to summarize it a lot. Pretty much, at the beginning, at the left side, you have the file that is completely encrypted, and SAP does a first round of decryption and it partially decrypts a part of the structure. Then it uses the information that was partially decrypted to generate another key, and to do yet another round to decrypt the whole thing. And I'm going to show you, first I'm going to show you the program that I have created for you. This is just a Python script; as you can see, it is Triple DES, I'm using PES, and if you go up you have some hardcoded keys that you might or might not use in case you want to open it yourself. Pretty much, that's it. Oh, if you know a little bit of reverse engineering and you are able to, for example, debug an operator, you will be able to see and you will be able to get the information. And first I want to show you here that the files are not empty: they're completely encrypted. You don't see the password, you just see random strings that SAP uses as eye-catchers, and then the custom encryption key. So we take this, we have the algorithm, we know how to decrypt it, boom, look at this: you have the full connection to the database, the port, you have the SID, the name of the database, the user, and the password, immediately. If there were more secrets you would also get them; for this example it
was just the database connection. Okay, so what can we do here? Pretty much we run a program, SECSTORE, to secure the secure storage: we have to enforce a custom encryption key, and if you have a secure storage that is vulnerable you have to re-encrypt it with the new key. So we have full access to pretty much everything, but what is missing? Well, a backdoor. Pretty much, as an attacker you want to create something that will allow you to connect back and actually, without effort, jump right into the SAP system. What we're going to do: remember that we saw that there were a lot of hashes for a user, and that is weird, why should a user have so many hashes? Well, it's because of this downwards compatibility: as we are not sure, as SAP we're not sure what system we're going to be talking to, SAP has to generate all of them, and depending on how it is configured you might say only accept the new ones, or only accept the old ones, or accept everything. Well, as an attacker, we're going to configure it in four, and we're going to force it to accept everything. This is how it will look regularly: if you create a user Jordan with a "super secure 1224" password, SAP will generate it, but as the BCODE is only eight characters long it's going to truncate it. As an attacker, the only thing that you do is an update to one of the fields, to the row, and that's it. You, as an attacker, will be able to log in with Jordan and password evil pass, and the legitimate user Jordan will be able to connect with "super secure 124". And this, I'm closing up, is one of my main beefs with the new regulations of NIST, where they tell you that you should only rotate passwords if you suspect that the passwords were compromised. I wish you the best of luck trying to determine that someone is backdooring your SAP system like this. So if you follow that NIST recommendation, this thing will stay there forever until the user decides that he or she wants to change the password. So we need to be very, very mindful of this kind of recommendations. So to close up, again, SAP is super complex; it's quite a complex discipline, it's very hard to talk about it in only 45 minutes. For the red teamers, there are a lot of entry points here; we just saw one, there are thousands and thousands of entry points that you can exploit. For the blue teamers, your hope is to try to prevent an attacker from setting foot on the system. If an attacker gets one foot in there, it's extremely, extremely difficult to detect and to stop that. Prevent, prevent, prevent: implementing the patches is extremely important, all the ACLs, activate the audit trails and do all this, and pentest regularly. It's your only hope. Thank you so much for your time and your patience, and now if you have questions please let me know.
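The following is an added example, not code from the talk or from SAP, that models the mechanism the speaker describes at the end: a user record that carries both a legacy, downward-compatible hash and a modern iterated salted hash, a login check driven by a compatibility setting (standing in for the profile parameter the talk says you "put to zero"), and the clean-up step that removes the old hashes. The hash functions are deliberately simplified stand-ins (constructed here, not SAP's real BCODE or PWDSALTEDHASH algorithms) that only reproduce the properties the talk names: the legacy one truncates to eight characters, is case-insensitive and is salted with the username; the modern one uses a random salt and a configurable iteration count. The names `UserRecord`, `login`, `cleanup_legacy_hashes` and the password values are all made up for this example.

```python
"""Toy model of a multi-hash password record and the downward-compatibility backdoor.

Added example; the hash schemes below are constructed stand-ins, not SAP's algorithms.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def legacy_hash(username: str, password: str) -> str:
    """Stand-in for the old BCODE-style hash: password truncated to 8 characters,
    case-insensitive, salted only with the username (constructed, not SAP's algorithm)."""
    weak = password[:8].upper()
    return hashlib.md5((username.upper() + weak).encode("latin-1", "replace")).hexdigest()


def modern_hash(password: str, salt: bytes, iterations: int) -> str:
    """Stand-in for the iterated salted hash: hash once, then re-hash the result
    (iterations - 1) more times. Random salt, full password, case-sensitive.
    Output format (constructed): '{iter,N}<salt hex>$<digest hex>'."""
    pw = password.encode("utf-8")
    digest = hashlib.sha512(salt + pw).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha512(digest + salt + pw).digest()
    return f"{{iter,{iterations}}}{salt.hex()}${digest.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute the modern hash from the stored salt/iteration count and compare."""
    header, rest = stored.split("}", 1)
    iterations = int(header.split(",")[1])
    salt_hex, _ = rest.split("$", 1)
    candidate = modern_hash(password, bytes.fromhex(salt_hex), iterations)
    return secrets.compare_digest(candidate, stored)


@dataclass
class UserRecord:
    username: str
    legacy: Optional[str]   # legacy hash, kept only for downward compatibility
    modern: str             # modern iterated salted hash


def create_user(username: str, password: str, iterations: int = 1024) -> UserRecord:
    """Like the talk says: a newer system generates every hash variant for the user."""
    return UserRecord(username,
                      legacy_hash(username, password),
                      modern_hash(password, secrets.token_bytes(16), iterations))


def login(record: UserRecord, password: str, downwards_compatibility: int) -> bool:
    """downwards_compatibility mirrors the profile parameter from the talk:
    0 = only the modern hash is accepted; any higher value also accepts the legacy hash."""
    if verify_modern(password, record.modern):
        return True
    if downwards_compatibility > 0 and record.legacy is not None:
        return secrets.compare_digest(legacy_hash(record.username, password), record.legacy)
    return False


def cleanup_legacy_hashes(records: list) -> int:
    """The clean-up step: drop the legacy hashes so nothing old remains. Returns the count removed."""
    removed = 0
    for r in records:
        if r.legacy is not None:
            r.legacy = None
            removed += 1
    return removed


def demo() -> dict:
    """Walk through the backdoor and the two mitigations; returns the outcome of each login."""
    jordan = create_user("JORDAN", "SuperSecure1224")
    # Attacker with database write access overwrites only the legacy column (constructed).
    jordan.legacy = legacy_hash("JORDAN", "evilpass")
    results = {
        "victim_still_works": login(jordan, "SuperSecure1224", 5),
        "backdoor_with_compat": login(jordan, "evilpass", 5),
        # truncation + case-insensitivity: a longer, differently cased guess also matches
        "backdoor_truncation_variant": login(jordan, "EVILPASSWORD123", 5),
        "backdoor_compat_off": login(jordan, "evilpass", 0),
    }
    cleanup_legacy_hashes([jordan])
    results["backdoor_after_cleanup"] = login(jordan, "evilpass", 5)
    results["victim_after_cleanup"] = login(jordan, "SuperSecure1224", 5)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

Running `demo()` shows why the talk pairs the two steps: setting the compatibility parameter to zero alone stops the planted legacy hash from being usable, but the tampered row is still there and would work again the moment someone relaxes the setting, so the clean-up program that removes the old hashes is what actually closes the door. It also shows why the NIST-style "rotate only on suspicion" advice does not help here: the victim's real password keeps working throughout, so nothing looks wrong from the user's side.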