SAP CTF Pentest : From Outside To Company Salaries Tampering (closed) presented at deepsec 2017

by Yvan Genuer,

Summary : SAP is no longer an unknown black box for the security community and SAP products appear more and more often in audit requests. This training is focused on SAP Netweaver. Because we can't cover seriously all SAP software in two days, we decided to work on the most frequent vulnerabilities we faced during our pentests. We'll provide different SAP Systems with different configuration issues in 'realistic' environment, and also a pre-configured attacker VM with all tools required to perform training activities. Few slides, lots of practice, that's the leitmotiv of this course. SAP knowledge is not required.
General knowledge on pentesting. SAP knowledges is NOT required.
Target audience:
Pentesters or security professional. Anyone interested to learn about SAP Security
Requirements / Material to bring by attendees:
A laptop capable of running virtual machine, with 10G free disk space and 1GB Ram for VM.
Similar works:
This course is an improved version of the training done during the Hack In Paris 2017 Conference. I've created two 'easy' SAP challenges for the free security platform ‘root-me’:
These challenges are not the same than the ones in this course.
Detailed presentation material will be provided to attendees at the start of course.
Please find the course outline below:
Day 1
Introduction to the world of SAP
SAP in numbers
SAP Netweaver ABAP?
Global technical concept
Technical component
SAP as user
Introduction to SAP Security
Latest changes in SAP Security
The SAP security parts
SAP Security Notes
Attack surface
Training infrastructure
Overview and warning
Hands-on : Tools, installation, setup
SAP cheatsheets for pentesters
What is SAProuter?
How SAProuters work
SAProuter vulnerabilities
Hands-on : Discover internal SAP, discover SAP port, forward port Remediation
Overview & How to
Hands-on : Moving around SAP Gui
SAP Gui information gathering
SAP Gui shortcut vulnerability
Hands-on : Retreive information, crack user password
Lastest vulnerabilities found
SAP Netweaver ABAP
SAP authorization
Password and default accounts
Hands-on : Find default account and password of target
SAP Message Server
Hands-on : Playing with Message Server
Hands-on : Playing with ICM
Hands-on : Playing with MMC
SAP RFC Gateway
Hands-on : RCE through SAP Gateway
Day 2
SAP Secure Store
ABAP Secure Storage
Hands-on : Decrypt ABAP Secure Storage
Secure Storage in File System
Hands-on : Decrypt SSFS
Database level security
Focusing on Oracle
Oracle OPS$ attack
Hands-on : Retrieve SAP database schema password
SAP Horizontal movement
Concept in SAP
RFC hardcoded credential
Hands-on : Get access to trusted SAP system with diaglog user
Hands-on : Get access to trusted SAP system with no-diaglog user
Pivot with SAP RFC Gateway
RCE to trusted RFC SAP system
SAP Vertical movement
Concept in SAP
Hands-on : SAP to OS
Hands-on : OS to database
Hands-on : SAP to database
Hands-on : Database to SAP
ABAP Code vulnerability (Overview)
ABAP Minimum basis
ABAP injection
Hands-on : Exploit abap injection
OS Command injection
Hands-on : Exploit OS injection
Native SQL Injection
Hands-on : Exploit SQLiAuthorization bypass
Hands-on : Bypass authorization example
Directory traversal
Hands-on : Exploit directory traversalCross client access
Hands-on : Cross client access example
Understand SAP OSS Security Patch
Hands-on : From SAP Security Patch to bind shell
5 Categories for 20+ tasks
Hands-on : CTF time !
Conclusion & Questions