6. Where to begin?
― Scan ports
• 32xx
• 33xx
• 36xx
― Gather information about the system
• Find available clients
• Check for default passwords
• Identify a database server
― Tools:
• MaxPatrol (PenTest)
• sapyto
• console bruter by PT
14. Direct access to Oracle
database
― Remote_OS_Authentication:
• User authentication by OS login
― SAPSR3 user password is stored in table
OPS$<SID>ADM.SAPUSER
― Password could be recovered
15. Direct access to Oracle
database
― Механизм Remote_OS_Authentication
• Аутентификация по имени пользователя в ОС
― Пароль пользователя SAPSR3 хранится в таблице
OPS$<SID>ADM.SAPUSER
― Пароль возможно расшифровать
16.
17. Password Hijacking via
a Network
― Protocols: DIAG, RFC, HTTP
― Tools: Wireshark, SAP DIAG
plugin for Wireshark,
Cain&Abel, SapCap
21. Hacking Passwords
― Algorithms: A, B, D, E, F, G, H, I (CODVN field)
― Tables: USR02, USH02, USRPWDHISTORY
― Tools: John the Ripper
― Profile parameters:
login/password_downwards_compatibility,
login/password_charset
22. Cryptographic algorithms
BCODE
field
PASSCODE
field
PWDSALTHEDHASH
field
A 8, upper, ASCII, username salt X
B MD5, 8, upper, ASCII, username salt X
D MD5, 8, upper, UTF-8, username
salt
X
E MD5, 8 , upper, UTF-8, username
salt
X
F SHA1, 40, UTF-8, username salt X
G X X
H SHA1,40, UTF-8, random salt X
I X X X