Skip to content

QuickTipp: € and SAP password sometimes don't mix

SAP Just a quick update after a long time of silence on this blog:
The usage of the Euro symbol "€" in passwords might lead to problems in SAP.

A User of the type system had a complex password with the "€" symbol as one of the special characters.
It was impossible to login via RFC with this user and password.
For testing-purposes, a simple password was set and it did work.

To find out where the problem might be, I left out two special characters and this time it worked.
To get to the botttom of the problem, only left out "€" and testes again - it worked.

Long story short:
If you habe trouble with a complex password in SAP, check if the "€" is part of the password.
This might be your problem.

(tested on Basis release 7.50)
Kategorien: SAP

Taking Screenshots with EyeWitness

This is a quasi-update to my old blogpost Fun with Fiori

I recently discovered a tool call EyeWitness by Christopher Truncer.
Most of you will already know it, but for those who don't, let me give you a short introduction:

EyeWitness lets you take screenshots from web pages, RDP Login Screens and VNC Servers that don't use passwords.
The tool can use lists of URLs that you create yourself and that you generated with other tools like nmap or nessus.
After the scan EyeWitness will generate a report that contains information about the page/service and a screenshot.
All in all it's way better and faster then the method I used in my Fiori blogpost.

Installation

To install EyeWitness on Kali, you have to clone the repo with the command
git clone https://github.com/ChrisTruncer/EyeWitness.git

then cd into the EyeWitness directory and run the setup script
cd EyeWitness
./setup/setup.sh


Now you should be able to start EyeWitness with the command ./EyeWitness.py

In my case I had to install phantomjs manually, as it was not found by EyeWitness after the setup.
When I tried to take screenshots with the option --headless I got the error "Error: You are missing your phantomjs binary!"

To get EyeWitness to run properly, I downloaded phantomjs manually
wget https://bitbucket.org/ariya/phantomjs/downloads/phantomjs-2.1.1-linux-i686.tar.bz2

and unpacked it
tar -xvf phantomjs-2.1.1-linux-i686.tar.bz2

then I copied the binary to the EyeWitness binary directory
cp phantomjs-2.1.1-linux-x86_64/bin/phantomjs /EyeWitness/bin


After that, change into the EyeWitness directory and run it.
./EyeWitness.py -f url.txt --headless

-f specifies the file with urls that you are using
--headless lets you run EyeWitness without a desktop-environment.

################################################################################
# EyeWitness #
################################################################################

Starting Web Requests (3 Hosts)
Attempting to screenshot https://SECRETURL.ch
Attempting to screenshot https://what.SECRETURL.ch
Attempting to screenshot https://mega.SECRFETURL.ch
Finished in 6.76950407028 seconds

[*] Done! Report written in the /EyeWitness/03092017_112728 folder!
Would you like to open the report now? [Y/n] n


In the directory you will find the html-Report as report.html, as well as the necessary files for the report:
ew.db
jquery-1.11.3.min.js
screens style.css
ghostdriver.log
report.html
source


Now that you have the report, you can open it in a browser.


A little side note:
I'm running kali as a docker container, so I was looking for a way to export the report from the container to my docker-server.
This can be done by exporting it with the following docker-command from the docker-server:
docker cp CONTAINER-ID:/PATH/FILE /TARGETDIRECTORY

in my case it was
docker cp kaliremote:/EyeWitness/03092017_112728 /transfer

SAPs afraid of no Ghost! Or is it?

SAP Summary
While using Firefox in combination with the Add-on Ghostery on Windows10 & Server 2012, it's possible to flood a SAP-System with new sessions.

While opening a expense-report form, the page does not load the PDF, but reloads constantly and creates a new login with every reload.
Valid credentials and authorizations to display the forms are necessary.
There is no direct mitigation for this behavior.

----------------------------------------------------------------------------

Browser plugins can have some interesting or even unwanted effects on websites.
They can help to protect your privacy, leak your data, stop malware, and much more.
And they can, in the right combination of Browser and Plugin, DoS SAP-Systems!

While doing my expenses, I wanted to print the expense-form from the WEBGUI (using a Webdynpro).
After pressing the show/print button SAP creates a pop-up to load the form as a PDF.

This usually worked without a problem, but apparently I did something different today.
Pressing the button opens a pop-up in a new browser tab, but instead of displaying the PDF, the page stays blank and reloads constantly.

As this was clearly not working and I had to finish my expenses, I closed the blank page and switched grudgingly to IE.
While logging-in in with IE, the system informed me that I was already logged-in...70 times!

Now this was getting interesting - I finished my expenses with IE and did some snooping around!

I was able to replicate this behavior again and again with Firefox.
For every reload of the tab in Firefox, a new user-login was generated and displayed in the transaction AL08.

After a minute, my sessions outnumbered all other session put together!

To get to the bottom of this problem, I played around with a combination of browsers and my installed Add-ons while monitoring the sessions in AL08.
I was able to replicate the behavior reliably, but only with Firefox and Ghostery.
Chrome and Ghostery worked fine.

Tested Versions:
Firefox (49.x)
Ghostery (7.x)
Windows: 10 and Server 2012R2
SAP: ERP 6.0 EHP6, NW7.0 EHP3, Kernel 722_EXT, Basis Release 731 SP18

While browsing the Service Marketplace, the SAP Community Network and other trusted sources, I could not find any further information about this issue.
Either this is something not know to many people, or my google-fu was weak when I searched for a reason.

Looking around in the SAP Community Network and SAP Service Marketplace I found no easy solution for this problem.
I checked the parameter rdisp/max_alt_modes and it was set to "6" - so this parameter has no effect on http-logins.



There seems to be no parameter that can limit the logins via http for a single user, only the total number of http logins.

I have not tested other transactions that display Pop-ups, but I suspect that they are susceptible for this behavior as well.
Kategorien: SAP

Fun with Fiori

SAP Please remember, that this post is for educational purposes only. Only try this on systems that you own, or where you have permission by the owner.

Today I will show you how you can scan for SAP Fiori Launchpads and how we can try to access the systems.

Fiori is a new user experience technology from SAP. To keep it short and to avoid buzzword-bingo: It's used to replace the SAPGUI with a Webapp.
If you want to know more about Fiori, have a look at this website from SAP:
http://go.sap.com/product/technology-platform/fiori.html

As these Fiori Apps (yes, they call them Apps now) are made for Browsers and have nice graphs, diagramms, lines etc.
many people will not only want to use them internally, but as well when they are on the go.

And as a lot of people who are in charge don't like VPNs, these systems will be exposed to the internet.
They should be behind a reverse proxy, like SAP strongly recommends it, but nonetheless reachable via the internet.

This should be of interest to security-teams and pen-testers as the bad guys will surely know about it.

Early on, many SAP-Partners will rely on SAP Best-Practice solutions, as they have many advantages (faster implementation etc.).
Like with all SAP-Systems, we can assume that instances running Fioris will be patched rather slowly,
so they will offer an attack-surface to the bad guys that they will surely check for default-credentials and vulnerabilities.

Now that the stage is set, let's have some fun:

Let's assume we are members of an internal security-team and have the task to test our shiny new S4-System over the internet.
As our DevOps guys are sneaky bastards (but only from time-to-time) we will want to check all of our public IPs for Fioris.

A simple way to check for Fioris is to manually check our public IPs for the right URLs.

Start your Browser, enter your public IPs and add the following strings:

/sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html
/sap/bc/ui5_ui5/ui2/ushell/shells/abap
/sap/bc/ui5_ui5/ui2/ushell/shells
/sap/bc/ui5_ui5/ui2/ushell
/sap/bc/ui5_ui5/ui2
/sap/bc/ui5_ui5

At least one of them should, depending on the configuration, lead to the Fiori Launchpad.

Here is an example with the not-so-public-IP 192.168.168.168:

https://192.168.168.168/sap/bc/ui5_ui5/ui2/ushell/shells/abap/


By default the login-page should be looking something like this:


So now we have confirmation that a Fiori-site is available via the internet.

Besides Fiori that could be other stuff that is published from this system, i.e. a standard-Webgui.
/sap/bc/gui/sap/its/webgui

With our example-IP it looks like this:
https://192.168.168.168/sap/bc/gui/sap/its/webgui

And Bingo!


Now that we can access the system, do the usual tests with default-credentials etc.

In case you can't find your default-credential cheat-sheet you can use this post as reference:

SAP* 06071992
SAP* PASS
DDIC 19920706
DDIC Welcome01
SAPCPIC ADMIN
EARLYWATCH SUPPORT
TMSADM PASSWORD
TMSADM ADMIN
TMSADM $1Pawd2&
ADMIN welcome
ADSUSER ch4ngeme
ADS_AGENT ch4ngeme
DEVELOPER ch4ngeme
J2EE_ADMIN ch4ngeme
SAPJSF ch4ngeme
SAPR3 SAP
CTB_ADMIN sap123
XMI_DEMO sap123
IDEADM admin
IDESADMIN ides
SMD_ADMIN init1234
SMD_BI_RFC init1234
SMD_RFC init1234
SOLMAN_ADMIN init1234
SOLMAN_BTC init1234
SAPSUPPORT init1234
CONTENTSERV init1234
SMD_AGT init1234
BPINST Welcome1


In case you wonder, this list is nearly identical with the wordlist from the metasploit-framework.
I added the users BPINST and IDESADMIN, as they were missing.

After all this manual labor, you might be wondering if there are no possibilities to automate some of these test.

The metasploit-framework has some modules, that can help us to be more efficient.

First we will add the Fiori-URLs to metasploit in a standalone wordlist.
Create a file in the wordlist-directory of your metasploit-installation.
vim /usr/share/metasploit-framework/data/wordlists/sap_ui5.txt

Add the following lines

/sap/bc/ui5_ui5
/sap/bc/ui5_ui5/sap
/sap/bc/ui5_ui5/ui2/ushell
/sap/bc/ui5_ui5/ui2/ushell/shells
/sap/bc/ui5_ui5/ui2/ushell/shells/abap
/sap/bc/gui/sap/its/webgui

We can use this list with the sap_icm_urlscan module of metasploit.

If you want to scan the usual URLs as well, simply add the lines to the file sap_icm_paths.txt

Start metasploit and open the module
msfconsole
use auxiliary/scanner/sap/sap_icm_urlscan


set the IP or Hostname, the Port and the path to the file we just created.
If the system is using SSL configure the setting accordingly.
If its not using SSL WTF is it doing on the interwebs???

set RHOSTS myFiori.fiorilover.com
set RRPOT 443
set SSL true
set URLFILE /usr/share/metasploit-framework/data/wordlists/sap_ui5.txt


that should be enough for a scan.
run


You should know how to carry on from here... :-)

Have Fun!
Kategorien: SAP

Finding exposed SAP-Webservices

SAP UPDATE: I found a much quicker way to take the screenshots:
Taking Screenshots from a list of URLs with EyeWitness


ATTENTION: Only scan systems, if you have a mandate to do so! If you don't have permission, it might be at best impolite, at worst illegal to scan any systems!

Now that we have the disclaimer out of the way, let's start...

If you want to find out what Webservices a SAP-System exposes either internally or over the internet, there are a couple of ways to find out. In this post, I will show you two of them.

The slow way is via the SAP transaction SICF:
Execute SIFC, in the selection screen press F8 andf then choose your system in the menu.
You can now click through all the different services.
If the name is greyed out, the service is inactive.
You can enter the path of the server in your browser to have a look at the service.
For example, if you take the path sap/public/icf_info, you can open it by adding the hostname or ip of the system http://mysapsystem.local/sap/publicf_info

If you want to look at all services this way, it would take a long time...


Now for a quicker solution - metasploit to the rescue!

What we need:
Metasploit - obviously
Firefox
and the Firefox Add-On Grab-Them-All

Start metasploit as usual an open the module sap_icm_urlscan:

msf> use auxiliary/scanner/sap/sap_icm_urlscan
msf> set RHOSTS http://mysapsystem.local
(or whatever)
msf> run


Now you will get a long list with URLs that the module has tested.
At the end it will show you the path to a textfile containing the URLs.

There are many ways to generate Screenshots of the URLs we have found, but this is the one I prefer:
Open Firefox and install the Add-on Grab-Them-All https://addons.mozilla.org/de/firefox/addon/grab-them-all/

After a restart of Firefox, press ALT to open the menu and go to Extras -> Grab-Them-All
Press the Button "File with URLs to grab" and select the file that metasploit dumped in the filesystem.
Select as destination-folder for your screenshots and press Lets go!

A preview-window will open and show you the progress.

If a page requires credentials, you will get be prompted for it.

After the tool is finished, you will have some nice screenshots of all pages that were found.

There are other plugins, better ways and so on, but this is the way I used and it worked for me :-)
Kategorien: SAP

Getting rid of Flash

Windows You want to completely uninstall the "abomination unto nuggan" Adobe Flash from your shiny Windows 10 system?


I have some bad news for you: It's not possible to cleanly uninstall Adobe Flash from Windows - at least if you have Windows 8, 8.1 or 10.

Microsoft has bundled Flash with Internet Explorer since Windows 8 came out and in Windows 10 it's integrated in IE and Edge.

In both Browsers you can deactivate Flash but not uninstall it.

There are How-to's out there that show ways to do it, but they might leave you with some minor issues like Windows Updates that won't work and so on.
I tried it in my tiny lab-environment and ended up reverting to a earlier snapshot - so don't do it!

Here is how to get rid of flash as far as possible/advisable:
Download the Flash-Uninstaller from Adobe https://helpx.adobe.com/de/flash-player/kb/uninstall-flash-player-windows.html#mainDownloadtheAdobeFlashPlayeruninstaller
Close all browsers and run the uninstaller.

This should remove Adobe Flash from all browsers - where it is possible.

In IE go to Settings -> Manage Add-Ons -> locate Shockwave Flash Object and disable it.

In Edge go to Settings -> View Advanced Settings and set the slider at the "Use Adobe Flash Player" setting to off.

So now that we have uninstalled Flash where it is possible and disabled it where it's not removable.

Now you can surf the internet without flash - even in IE and Edge.

Just one small question: Why the F are you surfing with IE or Edge while you could use a real Browser? :-)

@Microsoft: Would you guys be so kind to fix this shit?

WHOIS

root@kali:/ whois Kai Siers
root@kali:/ ++?????++ Out of Cheese Error. Redo From Start
root@kali:/ whois Siers Kai
root@kali:/ +++Divide By Cucumber Error. Please Reinstall Universe And Reboot +++
root@kali:/


















Bizsploit on Linux

Installing Bizsploit on Windows is really easy, but on Linux you have to do more than just klick install :-).
Here is my little guide how I got it working:

The Linux-Version requires the SAP RFC Librarys which you can get via the SAP Service Marketplace.
In the new Launchpad, simply search for SAP RFC SDK 7.11 or directly for RFC_13-20004597.SAR
Choose your OS and download the file.

If you don’t have an S-User you will need to find someone who does and is willing to download the file for you.
Don’t use any "alternative" Source (if you find any) as you don’t want to start pentesting form a potential compromised envoirenment.

To unpack the file, you will need sapcar, which you can download from Service Marketplace as well.
If you need a workaround, you can try using 7zip to unpack the file, but I’m not 100% sure it’s working.

So after downloading the file, copy it to your pentesting-system and extract it with sapcar:
./sapcar -xvf RFC_13-20004597.SAR


make a new directory
mkdir /usr/sap


copy the extracted files including the directory structure to the /usr/sap directory with
cp -avr rfcsdk/ /usr/sap


Now we have to export the library path, so that bizsploit can find it
export LD_LIBRARY_PATH='/usr/sap/rfcsdk/lib'


Now for some dependencies that we have to meet:

Make sure you have the gcc compiler on-board
apt-get install build-essential


Install the libstdc++5 Library
apt-get install libstdc++5


Install python-dev
apt-get install python-dev


Install python-gobject
apt-get install python-gobject



Now you can download bizploit from onapsis
https://www.onapsis.com/research/free-solutions

You will have to provide an email-address, as they will send you the download-link.
And yeah, they might call you - at least they did call me :-).

After downloading the file, unpack it unipz and cd into the extracted directory.
Here you have to compile bizploit against the RFC library.

If you copied the rfcsdk-folder to /usr/sap you can simply run
python setup.py build


If your directory-structure is different, please refer to the INSTALL-file in the bizploit folder.

Now we can install bizploit with
python setup.py install


After the installation has finished, you will have to change some file permissions, at least I had to:
chmod 770 bizsploit


You should now be able to start bizploit by calling
./bizploit


If any of the steps fail, verify that you installed all prerequisites for bizploit!

Docker - Basics just for me

As a base for my pentesting activities I created a preconfigured docker-droplet with digitalocean.

I installed the Kali-Linux docker image:
https://www.kali.org/news/official-kali-linux-docker-images/

then installed metasploit:
http://johan.cc/2015/04/07/kali-linux-and-metasploit-docker/

-----------------

And now let's get to the nitty gritty:

List the docker-containers:
docker ps -a

start a docker container:
docker start CONTAINER

to use the docker container:
docker attach CONTAINER

to exit the docker container:
exit

to stop the docker container:
docker stop CONTAINER


In the Kali-Container:
start Postgres:
service postgresql start

start metasploit:
msfconsole

at the end, stop postgres:
service stop postgresql

and exit the container:
exit


Tips and Tricks:
rename a container:
docker rename CONTAINER-ID NewName


I will keep this post up-to-date as I find out new stuff!

You have to start somewhere...

I suspect nobody will ever read this Blog, so I will keep the introduction short.
My aim with this blog is to create a kind of knowledge-base for myself that is not existing in a walled garden.
Maybe somebody might even find this stuff helpful...

Impressum

Administratives

Dies ist eine private Homepage von:
Kai Siers, Loomattstrasse 42D, 8143 Stallikon, Schweiz


 


Haftungsausschluss


Der Autor übernimmt keinerlei Gewähr hinsichtlich der inhaltlichen Richtigkeit, Genauigkeit, Aktualität, Zuverlässigkeit und Vollständigkeit der Informationen.


Haftungsansprüche gegen den Autor wegen Schäden materieller oder immaterieller Art, welche aus dem Zugriff oder der Nutzung bzw. Nichtnutzung der veröffentlichten Informationen, durch Missbrauch der Verbindung oder durch technische Störungen entstanden sind, werden ausgeschlossen.


Alle Angebote sind unverbindlich. Der Autor behält es sich ausdrücklich vor, Teile der Seiten oder das gesamte Angebot ohne gesonderte Ankündigung zu verändern, zu ergänzen, zu löschen oder die Veröffentlichung zeitweise oder endgültig einzustellen.


 


Haftung für Links


Verweise und Links auf Webseiten Dritter liegen ausserhalb unseres Verantwortungsbereichs Es wird jegliche Verantwortung für solche Webseiten abgelehnt. Der Zugriff und die Nutzung solcher Webseiten erfolgen auf eigene Gefahr des Nutzers oder der Nutzerin.


 


Urheberrechte


Die Urheber- und alle anderen Rechte an Inhalten, Bildern, Fotos oder anderen Dateien auf der Website gehören ausschliesslich oder den speziell genannten Rechtsinhabern. Für die Reproduktion jeglicher Elemente ist die schriftliche Zustimmung der Urheberrechtsträger im Voraus einzuholen.


 



Datenschutzerklärung

Administratives

Datenschutzerklärung


Verantwortliche Stelle im Sinne der Datenschutzgesetze ist:


Kai Siers, Loomattstrasse 42D, 8143 Stallikon, Schweiz


Löschung bzw. Sperrung der Daten


Wir halten uns an die Grundsätze der Datenvermeidung und Datensparsamkeit. Wir speichern Ihre personenbezogenen Daten daher nur so lange, wie dies zur Erreichung der hier genannten Zwecke erforderlich ist oder wie es die vom Gesetzgeber vorgesehenen vielfältigen Speicherfristen vorsehen. Nach Fortfall des jeweiligen Zweckes bzw. Ablauf dieser Fristen werden die entsprechenden Daten routinemäßig und entsprechend den gesetzlichen Vorschriften gesperrt oder gelöscht.


Ihre Rechte auf Auskunft, Berichtigung, Sperre, Löschung und Widerspruch


Sie haben das Recht, jederzeit Auskunft über Ihre bei uns gespeicherten personenbezogenen Daten zu erhalten. Ebenso haben Sie das Recht auf Berichtigung, Sperrung oder, abgesehen von der vorgeschriebenen Datenspeicherung zur Geschäftsabwicklung, Löschung Ihrer personenbezogenen Daten. Bitte wenden Sie sich dazu an unseren Datenschutzbeauftragten. Die Kontaktdaten finden Sie ganz unten.


Damit eine Sperre von Daten jederzeit berücksichtigt werden kann, müssen diese Daten zu Kontrollzwecken in einer Sperrdatei vorgehalten werden. Sie können auch die Löschung der Daten verlangen, soweit keine gesetzliche Archivierungsverpflichtung besteht. Soweit eine solche Verpflichtung besteht, sperren wir Ihre Daten auf Wunsch.


Sie können Änderungen oder den Widerruf einer Einwilligung durch entsprechende Mitteilung an uns mit Wirkung für die Zukunft vornehmen.


Änderung unserer Datenschutzbestimmungen


Wir behalten uns vor, diese Datenschutzerklärung gelegentlich anzupassen, damit sie stets den aktuellen rechtlichen Anforderungen entspricht oder um Änderungen unserer Leistungen in der Datenschutzerklärung umzusetzen, z. B. bei der Einführung neuer Services. Für Ihren erneuten Besuch gilt dann die neue Datenschutzerklärung.


Fragen an den Datenschutzbeauftragten


Wenn Sie Fragen zum Datenschutz haben, schreiben Sie uns bitte eine E-Mail oder wenden Sie sich direkt an unseren Datenschutzbeauftragten:


info@itsec.siers.ch


Die Datenschutzerklärung wurde mit dem Datenschutzerklärungs-Generator der activeMind AG erstellt.