SAP Post-Exploitation - One script to 0wn 'em All
The topic here is this: post-exploitation for SAP systems, not at the application level but at the OS level.
Imagine a red-teamer gained access to a <sid>adm user ID, with SSH or RDP access. What's next?
Well, there's a lot he/she can do. <sid>adm has the rights to query the DB directly. <sid>adm can access the user keystore. <sid>adm typically has the rights to read PSE files and keytabs. <sid>adm typically can access /sapmnt/trans of other SIDs within the landscape. <sid>adm can also access profiles, DEFAULT.PFL, etc., and insert a command line backdoor that will restart each time the application starts.
Watch this space. I am developing that script. :)
=============================
SECTION 1: The Possible Probe Points
=============================
- Get the SID via /etc/passwd or net users or service query or current user
- Identify possible PSE file location
- identify any possible cert dumps to get p12 format
- identify DB and kernel version
- identify connectivity and userstore - R3trans or sqlplus or hdbsql or sqlcmd etc..
- generic scan for interesting files
- OSS ids, etc..
- grab instance profiles - DEFAULT, J*/D* and *SCS
- identify agent for backup solution - possible Administrator or root privilege at backup solution side..
- use hdblcm.. see the below footnotes
==========================
SECTION 2: Methods & Examples
==========================
Coming soon.
=================
SECTION 3: The script
=================
Coming soon.
=================
SECTION 4: Backdooring Methods
=================
1. Adding a persistent command via profile
2. Manually create a new instance with sapstart; generate a default pass to add a program cross-client
3. Direct database SAP_ALL assignment
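As an added defensive example (not the author's script, and not from any SAP tool), the check below parses an SAP instance profile and flags the Execute_NN / Start_Program_NN / Restart_Program_NN entries that sapstart runs on every instance start, which is exactly where the persistent command from the intro and from item 1 above would be planted. It assumes the standard $(VAR) profile syntax, a constructed sample profile, and an allowlist of kernel program names that is an assumption to tune per kernel release.

```python
import re
# Constructed sample modelled on a typical ABAP instance profile; Execute_03 is a planted non-kernel entry.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = S4H
INSTANCE_NAME = D00
DIR_INSTANCE = /usr/sap/$(SAPSYSTEMNAME)/$(INSTANCE_NAME)
DIR_EXECUTABLE = $(DIR_INSTANCE)/exe
DIR_CT_RUN = /sapmnt/$(SAPSYSTEMNAME)/exe/uc/linuxx86_64
_DW = dw.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)
Execute_00 = immediate $(DIR_CT_RUN)/sapcpe pf=$(_PF)
Execute_01 = local rm -f $(_DW)
Execute_02 = local ln -s -f $(DIR_EXECUTABLE)/disp+work $(_DW)
Start_Program_00 = local $(_DW) pf=$(_PF)
Execute_03 = local /tmp/.cache/update.sh
Restart_Program_01 = local $(DIR_EXECUTABLE)/sapwebdisp pf=$(_PF)
"""
START_KEY = re.compile(r"^(Execute|Start_Program|Restart_Program)_\d+$")
VAR_REF = re.compile(r"\$\((\w+)\)")
# Assumed allowlist of programs a stock profile launches (by basename); SYMLINK matches the dw.sap<SID>_<INST> links it creates.
EXPECTED = {"sapcpe", "rm", "ln", "disp+work", "sapwebdisp", "gwrd", "msg_server", "enserver"}
SYMLINK = re.compile(r"^\w+\.sap[A-Z0-9]{3}_[A-Z0-9]+$")

def parse_profile(text):
    """Return {param: value}; blank and '#' lines are skipped, later definitions win."""
    pairs = (l.partition("=") for l in map(str.strip, text.splitlines())
             if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def resolve(value, params, depth=0):
    """Expand $(VAR) references recursively; unknown variables stay literal."""
    expanded = VAR_REF.sub(lambda m: params.get(m.group(1), m.group(0)), value)
    if expanded == value or depth > 10:      # fixed point, or a reference loop
        return expanded
    return resolve(expanded, params, depth + 1)

def audit_profile(text):
    """Return [(param, resolved_command, reason)] for autostart entries a reviewer should look at."""
    params = parse_profile(text)
    roots = tuple(filter(None, (resolve(params.get(k, ""), params) for k in ("DIR_EXECUTABLE", "DIR_CT_RUN"))))
    findings = []
    for key in sorted(k for k in params if START_KEY.match(k)):
        cmd = resolve(params[key], params)
        tokens = cmd.split() or [""]         # an empty entry is flagged below as an unknown program
        program = tokens[1] if len(tokens) > 1 and tokens[0] in ("local", "immediate") else tokens[0]
        name = program.rsplit("/", 1)[-1]
        if name not in EXPECTED and not SYMLINK.match(name):
            findings.append((key, cmd, f"'{name}' is not a known kernel program"))
        elif "/" in program and not program.startswith(roots):
            findings.append((key, cmd, "kernel program launched from an unexpected directory"))
    return findings
```

Run it over the real START_/instance profiles under /sapmnt/<SID>/profile and diff the findings against a known-good baseline; the second rule catches a genuine kernel name dropped into a writable directory such as /tmp.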
======= IGNORE BEYOND THIS LINE ========
[root@ayam /]# /hana/shared/HDB/hdblcm/hdblcm -help
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_CTYPE = "UTF-8",
LANG = "en_GB.UTF-8"
are supported and installed on your system.
perl: warning: Falling back to a fallback locale ("en_GB.UTF-8").
SAP HANA Lifecycle Management (hdblcm)
Copyright © 2000-2017 by SAP SE
Help: hdblcm --help [--action=add_hosts|register_rename_system [--pass_through_help]
| --uninstall [--pass_through_help]]
| --list_systems | --version
Usage: hdblcm [--action[=add_hosts|register_rename_system]] [--batch] [--configfile=]
[--dump_configfile_template=] [--uninstall]
--action[=add_hosts|register_rename_system] Specifies the action to be performed [interactive, default value: 'exit']
--batch -b Runs the program in batch mode using default values for unspecified parameters
--configfile= Reads parameters from the specified configuration file (parameters in command line
take precedence)
--dump_configfile_template= Creates a configuration file with default values
--help -h Displays the help information
For extended help, use with the parameter '--action' or '--uninstall'
--list_systems -L Shows installed SAP HANA systems
--pass_through_help Adds special parameters of subprograms to the help information
--uninstall Uninstall system or components
--version -v Displays the version of hdblcm
The environment variable 'HDB_INSTALLER_TRACE_FILE=' enables the trace.
The environment variable 'HDBLCM_LOGDIR_COPY=' creates a copy of the log directory.
[root@ayam /]#
SAP HANA Database Installations:
DAA /usr/sap/DAA/SYS OTHERS
SMDA98
J2E /sapmnt/J2E OTHERS
J00
SCS01
S4H /sapmnt/S4H OTHERS
D00
ASCS01
SMA /sapmnt/SMA OTHERS
DVEBMGS00
ASCS01
SMJ /sapmnt/SMJ OTHERS
J02
SCS03
WD1 /sapmnt/WD1 OTHERS
W04
Already used instance numbers: 00 00 00 01 01 01 02 03 04 98
Next free instance number: 05
Also sample:
Waiting for stopped instance using: /usr/sap/HDB/SYS/exe/hdb/sapcontrol -prot NI_HTTP -nr 02 -function WaitforStopped 600 2
Starting instance using: /usr/sap/HDB/SYS/exe/hdb/sapcontrol -prot NI_HTTP -nr 02 -function StartWait 2700 2
More to-do:
E:\usr\sap\XXX\ASCS31\exe>attrib *.exe | more
A E:\usr\sap\XXX\ASCS31\exe\enqt.exe
A E:\usr\sap\XXX\ASCS31\exe\enrepserver.exe
A E:\usr\sap\XXX\ASCS31\exe\enserver.exe
A E:\usr\sap\XXX\ASCS31\exe\ensmon.exe
A E:\usr\sap\XXX\ASCS31\exe\esmon.exe
A E:\usr\sap\XXX\ASCS31\exe\gwmon.exe
A E:\usr\sap\XXX\ASCS31\exe\gwrd.exe
A E:\usr\sap\XXX\ASCS31\exe\krnlreg.exe
A E:\usr\sap\XXX\ASCS31\exe\ldappasswd.exe
A E:\usr\sap\XXX\ASCS31\exe\ldapreg.exe
A E:\usr\sap\XXX\ASCS31\exe\lgtst.exe
A E:\usr\sap\XXX\ASCS31\exe\msclients.exe
A E:\usr\sap\XXX\ASCS31\exe\msg_server.exe
A E:\usr\sap\XXX\ASCS31\exe\msmon.exe
A E:\usr\sap\XXX\ASCS31\exe\msprot.exe
A E:\usr\sap\XXX\ASCS31\exe\niping.exe
A E:\usr\sap\XXX\ASCS31\exe\ntscmgr.exe
A E:\usr\sap\XXX\ASCS31\exe\sapcar.exe
A E:\usr\sap\XXX\ASCS31\exe\sapccmsr.exe
A E:\usr\sap\XXX\ASCS31\exe\sapcontrol.exe
A E:\usr\sap\XXX\ASCS31\exe\sapcpe.exe
A E:\usr\sap\XXX\ASCS31\exe\sapgenpse.exe
A E:\usr\sap\XXX\ASCS31\exe\sapntchk.exe
A E:\usr\sap\XXX\ASCS31\exe\sapntkill.exe
A E:\usr\sap\XXX\ASCS31\exe\sapntwaitforhalt.exe
A E:\usr\sap\XXX\ASCS31\exe\sappfpar.exe
A E:\usr\sap\XXX\ASCS31\exe\saprouter.exe
A E:\usr\sap\XXX\ASCS31\exe\sapsrvkill.exe
A E:\usr\sap\XXX\ASCS31\exe\sapstack.exe
A E:\usr\sap\XXX\ASCS31\exe\sapstart.exe
A E:\usr\sap\XXX\ASCS31\exe\sapstartsrv.exe
A E:\usr\sap\XXX\ASCS31\exe\sapwebdisp.exe
A E:\usr\sap\XXX\ASCS31\exe\sldreg.exe
A E:\usr\sap\XXX\ASCS31\exe\startsap.exe
A E:\usr\sap\XXX\ASCS31\exe\stopsap.exe
A E:\usr\sap\XXX\ASCS31\exe\wdispmon.exe
x:\usr\sap\XXX\ASCS31\exe>
dest='hostname:8101' URL='/msgserver/text/logon?version=1.2
//alak