
SAPPIN' The Enterprise: Breaking What No One Else Pentests

BSides London · 2025 · 17:24 · 64 views · Published 2026-03 · Watch on YouTube ↗

About this talk
Jonathan Pake introduces SAP security vulnerabilities and attack techniques targeting enterprise resource planning systems. The talk covers password cracking against SAP user tables, remote function call (RFC) exploitation for lateral movement between dev and production environments, and the critical CVE-2020 unauthenticated RCE vulnerability in SAP NetWeaver that allows creating admin users. With 60% of SAP systems running known vulnerabilities and a 210% rise in attacks, securing these business-critical systems has become urgent.
Transcript [en]

So, hi. Welcome to the painful world of SAP. You don't know what you've got yourselves into, but it's going to be painful. So I'm going to first discuss what it is, a brief overview of how it works, then we're going to dive into a couple of attacks and show you how you can attack those systems.

So what it is: basically no one knows. It's completely mysterious, but it's essentially a giant suite of tools that talk to each other. It runs a whole business. Different modules function as different parts, so you have accounting, payroll, HR, distribution; every part of a large enterprise will use this software. So some of the key points: it's highly customizable, so you can tailor it to any business; it has modules for pretty much everything you can imagine. It's responsible for 87% of all global commerce, so it pretty much runs the world. If it stops working, the business stops and probably the whole world stops as well. And one of the key parts is interconnectivity. All of the modules talk to each other and share that data, so it will constantly keep up to date across all the different parts of the business.

So just to show you an example of how you build it out. Modules are essentially just a part of the business. Imagine, for example, you started off selling flowers, like a small flower shop. You have your little business there, and then say it grew and you needed to keep track better rather than just writing it down in Notepad. You might install, for example, the accounting module to keep track, and then it grows further. You probably need HR, you need employees, so you would add that module in. You might need manufacturing for those flowers, so you would add that, and that would keep track of, you know, how they're growing, for example, and how many there are. And then distribution: you would add that module to keep track of shipments and that sort of thing. That's just an example of how you'd start building it and utilize those different modules.

So just to discuss some architecture. I'm not going to go into detail, just an overview, but it's essentially a three-tier model. You have the application layer at the top, which is your presentation. So this is like your thick client, or your browser, which is the more modern version, which is Fiori, so that you access in a browser. Then you have the application layer. This is where the engine code runs. It uses something called ABAP, which is SAP proprietary, and it allows you to make these different modules for your business and do very specific things, and that's where that runs. And then you've got the database layer, where all that data is stored. The most recent version is SAP HANA, and that's an in-memory database. It basically stores all that data in memory, in RAM, so it's quite resource intensive. You're probably not going to be able to run it at home, at least with current RAM prices.

So why should we care? Basically, money. It runs the world; it's responsible for all the money. But more specifically, when it goes down, the entire business is going to stop functioning. It's not going to work at all. So for attackers, it's obviously a gold mine. You have sensitive PII there from, you know, HR, payroll, that sort of stuff. You might have financial records, keeping track of mergers that haven't happened yet, investments, things like that. And you might also have trade secrets and intellectual property.

So some stats here. 60% of SAP systems in production are actually running with known vulnerabilities. This is taken from Onapsis, which you can see here. And from 2024 to 2025 there's actually been a 210% rise in SAP attacks, and that's probably going to increase next year as well. So we should probably start caring about SAP before the whole world burns down.

So moving on to the fun part, we're going to go into some SAP attacks. The first simple one I'm just going to talk about is a password attack, brute forcing. SAP stores these passwords in a database table called USR02, which is essentially a t-code; it's basically just a table, SAP's version of a table. So you're accessing this user table. It does have historical parts as well, so you might also find passwords in USH02 and the password history tables, but they're not as common. And a key thing is compatibility. There are many different hash versions, and you can store obviously the weakest ones or the strongest ones, but pretty much everyone also still stores the weak ones, which is obviously very bad. So the top-left image there, you can see that's actually a BCODE hash. That's MD5-based; it's very weak. The upside to that is it's very easy to crack, but the downside is it will only ever crack the first eight characters. So even if your password is longer than eight characters, it will only ever check the first eight. So if your password is longer than eight characters, you're never going to actually guess it. You've got the second one there, which is CODVN F, which is SHA-1. That's the most common one that's used. Now you also have SHA-1 with random salt. And then you have this G/I, which is all of them sort of mashed together. And you can see at the bottom there, those are the hashcat codes which you can use to crack these hashes.

So yeah, I will show you a demo of extracting those hashes and then cracking them, if it works. So you can log in there. You can execute this query, and you can see on the left these different values: you've got BCODE there, and then that one as well, and then that one. That's what's going to show when we execute this. And you can see the different users here. The first one, that BCODE, actually had all zeros. If it's all zeros, it means it's not being used. You can see here as well, that one's also not being used. But at the far end you'll see the most recent one, which is that SHA-1 there. So you can basically take those. This is showing cracking BCODE. This is just a bunch of test users; this is not from a test, so I can show this. And it cracks them very, very quickly. A lot of the passwords are the same and weak for the demo, but you can see it run there and they start to come through. So, very simple, what you're normally used to probably in a pen test, just to get your feet wet in attacking SAP before we start diving in further.

So moving on. That's probably what you're going to look like after this presentation. SAP RFC. RFC is a remote function call. This is basically a mechanism that lets one SAP system communicate with another and invoke functions on another. So you might use it, you know, to get the dev environment to contact prod, or prod to dev, and basically test that code. RFC has different security modes, so you have 0 to 3. 0 and 1 don't do this callback check, which is essentially checking that it's a verified system, not a system that you've spun up; it's like an allow list, essentially. And then you've got the callback check simulated, so it actually does a simulation; it doesn't actually run it. And then obviously you've got the most secure one where you're not allowed to do it, but no one really enables that one.

So with this you can create a malicious function. Say, for example, we have two SAP systems that can communicate: a dev system and a prod system. Let's say you also found a weak password like we just cracked, and on that dev system you might have admin access. That's common: you'll have a weak password and you'll basically own the entire dev system. On the production system there might be a function that will perform a simple ping. There is an RFC ping function built in, and you can use that. On here you can see this is a list of all these function calls that you can do, and at the bottom there you've got a callback example which I made, just for demo purposes. But yeah, if you have that access to that dev account, typically the dev account will be able to modify that code. So you'll be able to actually modify the ping, or the code that's actually doing the ping. You can see here this is the code editor. It doesn't really have anything in it right now, but we'll change that.

So basically, if you can modify that function code and add malicious stuff and get a prod system to talk to it, what will happen is it will actually execute that code, and then you can get it to call back to the prod system and it'll actually execute that code on the prod system. So for example, if you can make it add a malicious user and then get it to call back, it'll actually add the user on the prod system, not the dev system. So some examples. This is ABAP code; you don't need to understand it. Basically it's just adding a malicious user. You can see on lines four and five it's basically adding a hacker1 user and a password. So what will happen is you'll run the ping function, and then the ping function will go and grab this code, it'll execute this code, it will call back to the prod system, and actually add a user on the prod system. And the kicker for this is you don't need admin privileges or any account on the prod system. So if an admin goes in there and tries to do a ping and you've got this malicious function on the dev, you can basically own the prod environment, and I'll show a demo of that really quick.

So here you've got the host, and then you also have the stored credentials. You can see a user, and the password is stored so you can't actually see it, but it doesn't matter because we don't need any of that. You can see "executed" there; that's just a standard ping like you would normally see. And then you can go in and edit this function on the dev system on the right, and you can add your malicious ABAP code, or in this case I'm just adding it to make it wait 10 seconds. So once this executes, you can see the response is actually now 10 seconds on the prod server. So you would be able to then go in there and add your code. You could do whatever you can come up with in your mind, add that code there, and then you would actually execute it, and you would add a malicious user, an admin user, on the prod system and you could gain access that way and do terrible, terrible things. And I didn't actually execute this because this was a real system and I didn't want to break it, but just for demonstration purposes I modified the ping.

So the next one. SAP RECON was a massive vulnerability. This came out in 2020. It was essentially a critical flaw in SAP's Java NetWeaver systems. NetWeaver you access through the portal; it's like an administrative portal. You can obviously configure the system and do things through that portal. But yeah, this was unauthenticated RCE that basically allowed you to create admin users. It sounds difficult to exploit, but it's actually not. All it is is just one special HTTP request, and you can add an admin user, log in, and yeah, it's definitely fine. So this is the request here. It's basically just an XML request, and then you'll have a bit in the middle which is your payload, which is literally just your username and password, and then you send this off to a specific endpoint called, I think it's CTC web service bean; it doesn't matter, you know what it is. But basically if you can access that and get a 200 OK blank page, it means it's vulnerable. So any system in the wild, if you created that and got a blank page, you could run this, get an admin user and put in the... And you can see the payload there as well.

So just to show you how bad that is. On the left you've got the patched code and on the right you've got the unpatched code. In the patched code it now actually checks that you're part of the admin users and that you have those administrator permissions, and on the right that was just completely missing. So even large companies make terrible, terrible mistakes. And I can show that here as well. So this is a Python script. I'm going in here, I'm modifying the IP, and then that dash-a basically means to add an admin user. That's just part of that Python script that I wrote. So, modifying it. Yeah, here it is. So once it runs it will spit out this output, and you can see it's generating the payload, and it will eventually finish and you've got a new admin user, which you can then use to log into the portal and do whatever admin things you want. So it gives you the URL there as well with that endpoint. You can just go to that, log in here, and you can see that that user will work, if I decide to do it. There you go. And there you log in and you've got access to the admin portal and can do anything an admin can, completely from an unauthenticated perspective.

So yeah, I just wanted to show off those couple of attacks. So just to conclude: attacks on these apps, as I said before, are increasing, and it's going to increase again. So in this year we actually had a vodka company that went bankrupt because their SAP system got attacked and they couldn't get back in, and they actually filed for bankruptcy. And then JLR, they actually used an SAP zero day which came out about April to gain access, and we all know what happened with JLR. So these systems underpin everything, you know: finance, supply chain, HR, banks, customer ops, everything. So we want to keep it secure, and threat actors are obviously converging on these environments. With that increase, we're seeing not just pentesters attacking it but also threat actors, you know, things like North Korea and such like that. So it's a big deal and we should start securing these systems a little bit more. But yeah, congrats, you survived the SAP talk. I hope you understood it. And it seems like it's about time.
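The password section of the talk turns on one observation: USR02 can hold several hash generations for the same user, an all-zero column means that generation is not stored, and most systems still keep the weak ones next to the salted one. The audit below, added here and not code from the talk or from SAP, checks a USR02 export for exactly that. It assumes the real USR02 column names BNAME, CODVN, BCODE, PASSCODE and PWDSALTEDHASH, the `{x-issha, 1024}` prefix form of PWDSALTEDHASH, and the hashcat mode numbers 7700, 7800 and 10300 for CODVN B, F/G and H; the sample rows are constructed.

```python
"""Audit which SAP password-hash generations a USR02 export still stores.

Added example for the password-hash part of the talk; not the talk's code.
Column names are the real USR02 ones; every row below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable

# hashcat modes for the SAP hash generations (from the hashcat mode list, not the slide).
HASHCAT_MODE = {"B": 7700, "F/G": 7800, "H": 10300}

# PWDSALTEDHASH is written as "{<algorithm>, <iterations>}<base64 digest+salt>".
SALTED_RE = re.compile(r"^\{(?P<alg>[\w-]+),\s*(?P<iters>\d+)\}(?P<data>[A-Za-z0-9+/=]+)$")


@dataclass
class Finding:
    user: str
    codvn: str                                   # generation SAP uses for logon
    stored: list = field(default_factory=list)   # generations present in the row
    issues: list = field(default_factory=list)


def unused(value: str) -> bool:
    """SAP leaves a hash column empty or all zeros when that generation is not stored."""
    v = (value or "").strip()
    return v == "" or set(v) == {"0"}


def audit_row(row: dict) -> Finding:
    f = Finding(user=row["BNAME"], codvn=row.get("CODVN", ""))
    if not unused(row.get("BCODE")):
        f.stored.append("B")
        f.issues.append("BCODE stored: MD5-based CODVN B, case-folded, only the first 8 "
                        f"characters are hashed (hashcat -m {HASHCAT_MODE['B']})")
    if not unused(row.get("PASSCODE")):
        f.stored.append("F/G")
        f.issues.append(f"PASSCODE stored: unsalted SHA-1 CODVN F/G (hashcat -m {HASHCAT_MODE['F/G']})")
    salted = (row.get("PWDSALTEDHASH") or "").strip()
    if salted:
        m = SALTED_RE.match(salted)
        if m is None:
            f.issues.append("PWDSALTEDHASH present but not in the expected {alg, iters}data form")
        else:
            f.stored.append("H")   # iterated, salted SHA-1 (hashcat -m 10300)
            if int(m["iters"]) < 1024:
                f.issues.append(f"PWDSALTEDHASH uses only {m['iters']} iterations")
    if not f.stored:
        f.issues.append("no password hash stored at all")
    return f


def audit(rows: Iterable[dict]) -> list:
    return [audit_row(r) for r in rows]


def downward_compatible_users(findings: Iterable[Finding]) -> list:
    """Users that keep a weaker generation next to the salted one: the
    'everyone still stores the weak ones' case from the talk."""
    return [f.user for f in findings if "H" in f.stored and len(f.stored) > 1]


# Constructed sample export: hex and base64 values are made up, not real hashes.
SAMPLE_USR02 = [
    {"BNAME": "DDIC", "CODVN": "H", "BCODE": "9F1C0A4D2E7B6855", "PASSCODE": "3C" * 20,
     "PWDSALTEDHASH": "{x-issha, 1024}" + "Q" * 43 + "="},
    {"BNAME": "ALICE", "CODVN": "H", "BCODE": "0" * 16, "PASSCODE": "0" * 40,
     "PWDSALTEDHASH": "{x-issha, 1024}" + "R" * 43 + "="},
    {"BNAME": "BOB", "CODVN": "H", "BCODE": "0" * 16, "PASSCODE": "7A" * 20,
     "PWDSALTEDHASH": "{x-issha, 1024}" + "S" * 43 + "="},
    {"BNAME": "LEGACY", "CODVN": "B", "BCODE": "A1B2C3D4E5F60718", "PASSCODE": "0" * 40,
     "PWDSALTEDHASH": ""},
]

if __name__ == "__main__":
    results = audit(SAMPLE_USR02)
    for f in results:
        print(f"{f.user:8} logon={f.codvn} stored={f.stored}")
        for issue in f.issues:
            print("    -", issue)
    print("still carrying downward-compatible hashes:", downward_compatible_users(results))
```

A non-empty result from `downward_compatible_users` is the finding to act on: the profile parameter `login/password_downwards_compatibility` controls whether SAP keeps writing BCODE and PASSCODE, and setting it to 0 stops that for new passwords, but existing rows keep their old hashes until the user next changes their password, so the audit is worth re-running afterwards.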

Any questions?

Is that the CVE? Yeah. Yeah, that's been patched. Yeah, but still, most systems are still unpatched, and yeah, it's still quite vulnerable, and you can actually go on Shodan and search for that URL and you can see all these exposed SAP systems that are vulnerable to that CVE. So it's still a big problem today. Any more questions? There was one at the back there. Sorry.

So that's local. So that's a thick client, but you can do the same. It basically runs the same if you use the thick client, or the more modern version now is logging into a modernized web portal. But yeah. So you would log in and you'd have these different panels. You can click into the different modules and do whatever you need to do. It's just a different way of seeing it, but ultimately it functions the same at that application layer. So where that engine code gets executed, that's the same whether you access it in the browser or the thick client. There's no difference to running what... sorry.

It's honestly basically just patching it. Big enterprises need this software. It's a monopoly, so you can't really get rid of it. But yeah, honestly, it's just patching. People just need to patch it. You know, that CVE still exists and is still being exploited and they're not patching it. So yeah, patch management is the key thing here. No worries. Round of applause again, everyone.
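The RECON part of the talk and this last answer make the same point from two sides: a bare request to the configuration-wizard endpoint that comes back 200 means the system is exposed, and many still are. The detector below, added here and not code from the talk or from SAP, runs that rule over web-server access logs so a defender can see who is touching the endpoint and whether the server answered. It assumes the endpoint path is /CTCWebService/CTCWebServiceBean (the talk only says "CTC web service bean"), that the logs come from a reverse proxy in front of the Java portal in Apache/nginx combined format, and every log line is constructed.

```python
"""Flag access-log requests to the NetWeaver configuration-wizard endpoint.

Added example for the RECON section and the Q&A above; not the talk's code.
Endpoint path and log format are assumptions; all log lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed path prefix of the configuration-wizard web service, matched case-insensitively
# because the Java stack does not treat the path as case-sensitive in the talk's scenario.
CTC_PREFIX = "/ctcwebservice/"


@dataclass
class Alert:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str
    reason: str


def classify(method: str, path: str, status: int):
    """Return (severity, reason) for a request, or None if it is not of interest."""
    norm = path.split("?", 1)[0].lower()
    if not norm.startswith(CTC_PREFIX):
        return None
    if method == "POST" and status == 200:
        return ("critical",
                "POST to the configuration wizard answered 200: a RECON-style "
                "user-creation request was accepted without authentication")
    if status == 200:
        return ("high",
                "endpoint reachable without authentication; a 200 on a bare request "
                "is the talk's indicator of an unpatched system")
    return ("info", f"request to the endpoint answered {status}: blocked or endpoint absent")


def scan(log_text: str) -> list:
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                      # malformed line: skip, never crash the scan
        verdict = classify(m["method"], m["path"], int(m["status"]))
        if verdict is not None:
            alerts.append(Alert(m["ip"], m["ts"], m["method"], m["path"],
                                int(m["status"]), *verdict))
    return alerts


def sources_by_severity(alerts) -> dict:
    """Which source addresses produced which severity: the triage view."""
    out = {}
    for a in alerts:
        out.setdefault(a.severity, Counter())[a.ip] += 1
    return out


# Constructed sample log: addresses are documentation ranges, sizes and agents made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:10:02:44 +0000] "GET /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2026:10:02:45 +0000] "POST /CTCWebService/CTCWebServiceBean HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:10:05:01 +0000] "POST /ctcwebservice/ctcwebservicebean HTTP/1.1" 403 112 "-" "curl/8.4"
this line is not a valid log entry
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.ts} {a.ip} {a.method} {a.path} -> {a.status}: {a.reason}")
    print(sources_by_severity(found))
```

The `high` verdict is the one that matters for the patching point in the answer above: it fires on the probe alone, before any payload, so an unpatched portal shows up in the logs as soon as someone checks for the blank 200 page, and a 403 or 404 on the same path is the evidence that the endpoint has been patched or disabled.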