Just a short note to mark the occasion: approximately six weeks after the website launch, my videos have ticked over one thousand views! There’s plenty of content brewing, so look out for more updates over the next few weeks.
If you’re looking to capture SAP passwords by sniffing your network, then the simplest and easiest way has to be Cain and Abel. Cain and Abel is a fantastic tool which I’ve been using for many years, and I was very pleasantly surprised to see that the latest version, 4.9.43, supports capturing and decompressing the SAP DIAG protocol.
For a demo of how to capture SAP passwords using Cain and Abel see my video below.
To prevent SAP passwords from being sniffed, SAP recommends using SNC (Secure Network Communications) to provide end-to-end encryption, but I have to admit I’ve not yet seen a company with this implemented. A good alternative is to encrypt everything on your network with IPsec.
If you’re looking for a more in depth network capture of the SAP DIAG protocol then see my Wireshark Posting on the same topic.
SAP GUI communicates using the SAP DIAG protocol, which is normally compressed, so plain old network sniffing shows nothing readable; that is exactly where the Wireshark plugin comes into play.
If you want to experiment with what can be captured without compression, set the system environment variable TDW_NOCOMPRESS to 1.
For a demo of how to capture SAP passwords using Wireshark see my video below.
If you’re looking for an even easier way to capture SAP User passwords see my Cain and Abel posting on the same topic.
SAP Setup
In transaction SICF, activate the following services:
Create your function modules in SE80 / SE37; don’t forget these must be remote-enabled.
Optionally, create a service user.
From within transaction SOAMANAGER:
Business Administration – Web Service Administration.
Find your web service and choose the Overview tab. Get the WSDL URL from the link “Open WSDL document for selected binding”. Optionally, you can also set up authentication here.
PHP Setup
Most installations have SOAP compiled in or enabled by default.
You can double-check this with the function phpinfo().
A video of a couple of examples of the kinds of things you can do when you link PHP to SAP using SOAP. PHP and SAP is a winning combination: it’s lightweight, fast, and enables rapid development of web-based solutions like this.
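As an added example (not code from the original post), here is a minimal PHP script that checks the SOAP extension is loaded and calls a web service published through SOAMANAGER. The host, WSDL path, service-user credentials, the operation name ZGetMaterial and its parameter name Matnr are all placeholders; `__getFunctions()` shows what the real WSDL exposes.

```php
<?php
// Added example: calling an SAP web service (a remote-enabled function module
// published via SOAMANAGER) from PHP with the built-in SoapClient.
// The WSDL URL, credentials, operation name and parameter name are placeholders.
declare(strict_types=1);

// 1. The same check phpinfo() gives you, done in code: is ext/soap loaded?
if (!extension_loaded('soap')) {
    fwrite(STDERR, "ext/soap is not loaded; enable it in php.ini before continuing\n");
    exit(1);
}

// 2. WSDL URL copied from SOAMANAGER -> Overview -> "Open WSDL document for
//    selected binding". Placeholder value; replace with your own.
$wsdlUrl = 'https://sap-host.example.invalid/PLACEHOLDER_WSDL_PATH';

// 3. Service-user credentials come from the environment, never from the source file.
$user = getenv('SAP_SVC_USER') ?: '';
$pass = getenv('SAP_SVC_PASSWORD') ?: '';
if ($user === '' || $pass === '') {
    fwrite(STDERR, "set SAP_SVC_USER and SAP_SVC_PASSWORD in the environment\n");
    exit(1);
}

$options = [
    'login'          => $user,            // HTTP basic authentication, as configured in SOAMANAGER
    'password'       => $pass,
    'exceptions'     => true,             // errors surface as SoapFault instead of silent nulls
    'trace'          => false,            // true only while debugging: traces hold the full request/response XML
    'cache_wsdl'     => WSDL_CACHE_NONE,  // always fetch the current WSDL while developing
    'stream_context' => stream_context_create([
        'ssl' => ['verify_peer' => true, 'verify_peer_name' => true], // keep TLS certificate checks on
    ]),
];

try {
    $client = new SoapClient($wsdlUrl, $options);

    // 4. List what the WSDL actually exposes before guessing operation names.
    foreach ($client->__getFunctions() as $signature) {
        echo $signature, PHP_EOL;
    }

    // 5. Call the operation. 'ZGetMaterial' and 'Matnr' are hypothetical names.
    $result = $client->__soapCall('ZGetMaterial', [['Matnr' => '000000000000000001']]);
    print_r($result);
} catch (SoapFault $e) {
    fwrite(STDERR, 'SOAP call failed: ' . $e->getMessage() . PHP_EOL);
    exit(1);
}
```

The service user’s password travels in the HTTP Authorization header on every call, so only use an https WSDL and endpoint; over plain http it is just as easy to sniff as the DIAG passwords in the posts above.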
Following an interesting conversation at the SAP User Group Conference about a lost password for SAP MaxDB I embarked on what I expected to be a quick bit of investigation. I searched the SAP Support Portal along with the SDN and was amazed I couldn’t find a reset procedure.
MaxDB Password Reset Procedure – Video Walkthrough
Ideally take a backup first, and if you’re able to bring the database down before editing, all the better; failing that, a reboot immediately afterwards seems to keep things happy. I have seen an error once or twice when first changing the password, but retrying the command has always cleared things up.
MaxDB 7.6 Password Reset
Find the target user in the upc file and overwrite the hash with zeros. Save and reboot.
Setting the control user’s password to ‘password’
MaxDB 7.7 Password Reset
Find the target user in the upc file and paste in the hash of a known password (the sample below sets it to ‘password’). Save and reboot.
Sample hashes:
password = 358883B07AA93121891B4A932433115FB3DC1CC00B5027D8
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8
Setting the dbm user’s password to ‘newpassword’
MaxDB 7.8 Password Reset
Find the target user in the upc file and paste in both password hashes as shown, which sets it to ‘password’. Save and reboot.
sap = D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8 04188B272DD84C48BA488F55E5B9012916D651F522CEEF0D29DC
Setting the dbm user’s password to ‘newpassword’, first with the older version of dbmcli found in the Database Manager tool and then with the current version; this keeps everything in a happy, consistent state.
Step 1: I fired up the excellent Process Monitor from Sysinternals (now Microsoft-owned), opened the Database Manager tool and reset my user’s password. I then reviewed all the events that had just happened, initially looking at which files had been read from, to gain clues as to how the change-password operation might work, and later at which files had been written to, hoping to see where the password might be saved.
Step 2: Analysis of the sdb.upc file showed my users in plain text. I could be on to something interesting.
Step 3: After taking a backup of the upc file, I changed the password once more and compared the two files. I could clearly see the only change made; this must be an encrypted version of the password.
Step 4: Now I was interested in seeing whether the password was salted, perhaps with a user name, hostname or some other secret. Comparing the password hashes across different servers, different versions and different database names showed no difference at all. Handy… for us.
A quick check proves I can simply copy and paste hashes between password files to reset them. I tried setting the password hash to all zeros, which works nicely but only for version 7.6, as later versions generate an error.
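The flip side of step 4 is that a defender can use the same property: because the stored hash does not depend on server, version or database name, the hash of ‘password’ is the same everywhere, so a upc file can be searched for hashes of known weak passwords. The script below is an added example, not part of the original post. The hash values are the ones quoted above; whether the file stores them as hex text or as raw bytes is an assumption, so both forms are searched, and the offline sample blob is constructed for the demo.

```php
<?php
// Added example (not from the post): scan a MaxDB .upc file for the hashes of
// well-known passwords. Hash values are those quoted in the post. Whether the
// file holds them as hex text or raw bytes is an assumption, so both are searched.
declare(strict_types=1);

const KNOWN_WEAK_HASHES = [
    'password'              => '358883B07AA93121891B4A932433115FB3DC1CC00B5027D8',
    'sap'                   => 'D8835545B45CD7401D82B49D2433115FB3DC1CC00B5027D8',
    'sap (7.8 second hash)' => '04188B272DD84C48BA488F55E5B9012916D651F522CEEF0D29DC',
];

// Hex text of an all-zero 7.6 hash. Only the text form is searched: 24 raw zero
// bytes would match ordinary padding and drown real hits in noise.
const ZERO_HASH_HEX = '000000000000000000000000000000000000000000000000';

/** All offsets of $needle in $haystack, case-insensitive when $ci is set. */
function findAll(string $haystack, string $needle, string $label, string $form, bool $ci): array
{
    $out = [];
    $offset = 0;
    while (true) {
        $pos = $ci ? stripos($haystack, $needle, $offset) : strpos($haystack, $needle, $offset);
        if ($pos === false) {
            break;
        }
        $out[] = [$label, $pos, $form];
        $offset = $pos + 1;
    }
    return $out;
}

/**
 * Find every occurrence of a known-weak hash in $data.
 * Returns a list of [label, byte offset, 'hex' or 'raw'], sorted by offset.
 */
function findWeakHashes(string $data): array
{
    $hits = [];
    foreach (KNOWN_WEAK_HASHES as $label => $hex) {
        $hits = array_merge($hits, findAll($data, $hex, $label, 'hex', true));
        $hits = array_merge($hits, findAll($data, hex2bin($hex), $label, 'raw', false));
    }
    $hits = array_merge($hits, findAll($data, ZERO_HASH_HEX, 'all-zero (7.6 blanked)', 'hex', false));
    usort($hits, fn(array $a, array $b): int => $a[1] <=> $b[1]);
    return $hits;
}

// Usage: php scan_upc.php /PATH/TO/sdb.upc
// Without an argument a constructed upc-like blob is scanned, so the script runs offline.
if (isset($argv[1])) {
    $data = file_get_contents($argv[1]);
    if ($data === false) {
        fwrite(STDERR, "cannot read {$argv[1]}\n");
        exit(1);
    }
} else {
    $data = "control\0" . hex2bin(KNOWN_WEAK_HASHES['password'])   // raw-byte form
          . "\0dbm\0"   . KNOWN_WEAK_HASHES['sap'] . "\0";         // hex-text form
}

$hits = findWeakHashes($data);
if ($hits === []) {
    echo "no known-weak hashes found\n";
}
foreach ($hits as [$label, $pos, $form]) {
    printf("offset %6d (%s): hash of '%s'\n", $pos, $form, $label);
}
```

Since editing the upc file is the reset vector, it is worth pairing this with a checksum or file-integrity check on the upc file itself, so that a hash swap shows up even when the new hash is not on the known-weak list.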
If you’re reading this then the chances are you have at least a mild interest in IT security. I’ve been competing in the UK Cyber Security Challenge this year and I urge you to get involved. So far it’s been a fantastic experience and has really sparked my interest in this area. This year there has been a variety of paths, from secure network design to penetration testing (or hacking) and forensics. There have been theory and hands-on challenges; for example, you’ve had the opportunity to try out your skills against the clock to hack into as many servers as possible to gain root and administrator access. If a more considered approach is more your thing, then the Linux forensic investigation competition was brilliant and my personal favourite: here you had to identify 24 different compromises, work out how they were pulled off and how you could defend against them. I’ve seen some really clever, cunning exploits and learnt a ‘stack’ of new tricks.
The top man James Lyne from Sophos explains more
As this is my blog it’s just about ok to blow my own trumpet with my results so far…
Those that have known me for some time know that wherever possible I like to get my catch phrase in “Bartlett Remains unimpressed”.
This is where it all began… Computing December 1999
Page 3 – Business Sites Open to Abuse
INTERNET service provider Global Internet has admitted that it left user names and passwords for 200 business web sites in an easily accessible file – but has no plans to warn its customers, writes Steve Ranger. The file could be downloaded by any of Global Internet’s customers whose sites were hosted on the same machine. The file was protected by simple encryption, which could easily be broken by tools available on the Internet, said Matt Bartlett, who found the file. ‘Anyone who’s used Linux or Unix usually knows this sort of thing, especially those involved in administration tasks,’ said Bartlett, an IT technician at Global Internet customer Wilts Wholesale Electrical. ‘Now we know about it, we’ll change our passwords. But what about the other companies?’ Peter Venmore, a director at Global Internet, blamed human error and said: ‘We have a dozen of these servers and they are set up correctly.’ Warning customers to change their passwords is ‘not necessarily required’, he said, because ordinary users will be unable to decrypt the file. He admitted, however: ‘If you want to throw a dictionary programme at it and the passwords are in plain text then you would be able to get access.’ Global Internet is continuing its investigation, but Bartlett remains unimpressed. ‘All this is basic security, there is nothing clever involved,’ he said.
What clever devious way did I get hold of this password file?
A video is worth 10,000 words but basically this is the process I followed.
Hand-typed the hex shown on the webpage into a file.
Uploaded the file to Linux and ran the ‘file’ command to give me a clue.
The ‘ndisasm’ command parses the file as assembly. It is assembly.
Used the IDA disassembler together with the Bochs x86 emulator to step through the code. There is a check routine that points to the fact that we are missing data.
Analysis of the original image shows a hidden comment within the raw content. It looks base64-encoded, as the string consists entirely of printable characters and ends with ‘==’. Converted it to hex using an online tool and pasted it back into the original file.
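The two conversions in that walkthrough, typed hex to bytes and a base64-looking comment back to hex, are easy to script so the online tool is not needed. The following is an added example, not code from the original post; the typed hex and the fake image content with its hidden comment are constructed for the demo.

```php
<?php
// Added example (not from the post): (a) hand-typed hex text -> bytes, and
// (b) spot a base64-looking string inside raw content and turn it into hex so
// the bytes can be appended to the file. All sample inputs are constructed.
declare(strict_types=1);

/** Hex text as typed by hand (spaces and newlines allowed) -> binary string. */
function hexTextToBytes(string $hexText): string
{
    $clean = preg_replace('/[^0-9A-Fa-f]/', '', $hexText);
    if (strlen($clean) % 2 !== 0) {
        throw new InvalidArgumentException('odd number of hex digits: a character was probably mistyped or dropped');
    }
    return hex2bin($clean);
}

/** The heuristic from the post: only base64 alphabet characters, '=' padding at the end, length a multiple of 4. */
function looksLikeBase64(string $s): bool
{
    $s = trim($s);
    return strlen($s) >= 4
        && strlen($s) % 4 === 0
        && preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $s) === 1;
}

/** Strict base64 decode, then hex so the bytes can be pasted into the hex dump. */
function base64ToHex(string $s): string
{
    $bytes = base64_decode(trim($s), true);   // strict mode rejects anything outside the alphabet
    if ($bytes === false) {
        throw new InvalidArgumentException('not valid base64');
    }
    return bin2hex($bytes);
}

/** Pull every base64-looking run of 8+ characters out of arbitrary binary content, e.g. an image file. */
function extractBase64Candidates(string $raw): array
{
    preg_match_all('#[A-Za-z0-9+/]{8,}={0,2}#', $raw, $m);
    return array_values(array_filter($m[0], 'looksLikeBase64'));
}

// Constructed demo input: a few typed bytes, and an "image" carrying a hidden comment.
$typedHex  = "4d5a 90 00\n03 00";
$bytes     = hexTextToBytes($typedHex);                       // "MZ\x90\x00\x03\x00"
$fakeImage = "\xFF\xD8\xFF\xFE" . "hidden: bWlzc2luZw==" . "\xFF\xD9";

foreach (extractBase64Candidates($fakeImage) as $candidate) {
    $hex = base64ToHex($candidate);                           // "6d697373696e67", i.e. 'missing'
    echo "found {$candidate} -> {$hex}\n";
    $bytes .= hex2bin($hex);                                  // "paste back into the original file"
}
echo 'patched file is now ' . strlen($bytes) . " bytes\n";
```

The extractor only finds printable ASCII runs, which is all the heuristic in the post relies on; a comment stored in a format-specific chunk (a JPEG COM segment, a PNG text chunk) would still be caught as long as its text is base64.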