PPT – Mo PowerPoint presentation | free to download

About This Presentation

Title:

Mo

Description:

Fancy MIS framework with template processes. Big basket for corporate eggs ... It's appaling stuff.' Enda Kenny, Fine Gael Leader. PPARs could've paid for: ... – PowerPoint PPT presentation

Number of Views:114

Avg rating:3.0/5.0

Slides: 84

Provided by: slo7

Category:

more less

Transcript and Presenter's Notes

Title: Mo

1
Mo Budget, Mo Problems

Steve Lord, Mandalorian

2
What is this talk about?

Large IT Projects
System Integrators
SAP

3
What is SAP?

Enterprise Resource Planning (SAP R/3)
CRM
EP
HR
FI/CO
BW
MM
PP

4
What is SAP/R3, really?

Business process re-implementation
Fancy MIS framework with template processes
Big basket for corporate eggs

5
Fundamentals of Large Projects

The bigger the budget, the harder the fall
Compound delays due to complex dependencies
Corners cut to meet deadlines
Functionality Vs. Security
Decision rarely based upon business case
When was the last time you signed off xxx
million?
Dont believe me?

6
Irish HSE PPARs and FISP Systems

PPARs (HR) and FISP (FI/CO)
Projected Combined Cost - 6.2mil
PPARs Cost when halted in 2005 - 80mil
FISP Cost when halted - 20.7mil
Revenues for Deloitte Touche - 34.5mil
Revenues for SAP Undisclosed (not part of DTs
fees)

7
PPARs

Its like a case study in how not to run a
project Its appaling stuff. Enda Kenny,
Fine Gael Leader
PPARs couldve paid for
A 600 bed Hospital
20 St. Patricks Day beers for Every Man, Woman
and Child in Ireland

8
HPs Internal Failure

iGSO
Launched in 2002
Consolidate 350 Digital, Compaq, HP, Tandem
systems
Expected finish date 2007

9
HP The Adaptive Enterprise that couldnt adapt

Total cost of Implementation failure
US400 mil (revenue)
US275 mil (operating profit)
3 Executives heads
Did I mention this was the total for Q3 2002?

10
How is SAP Implemented Internally?

Usually Poorly
Inadequate Skills/Experience
Poor/No Business Requirements Capture
Technology Driven Implementation
Poor Documentation
Usually very expensive (20mil)

11
How is SAP implemented by External Integrators?

Poorly
Front-loading Skills
Business Requirements Capture?
Partner-driven Implementation
Poor/No Documentation
Subject to contract wrangling
Can be extremely expensive (50mil)

12
Where does it all go wrong?

Lack of
Communication
Contingency
Requirements Capture/Analysis
Simplicity
Security

13
Where does Security come in?

At the end of a long queue
By the time it reaches us, it is
Non or semi-functional
Delayed
Costing the business
Securitys role is to
SUSO (Shut Up, Sign Off)

14
Show me the SUSO

You need to sign this off
If you dont
Youre blocking the business
Youre costing us money
Youre getting in the way of the project
If you do
Its your backside on the dotted line

15
End of Talk

Oh you want more?

16
This is the price, right?

Come on down!

17
This is the price, right?

Quiz Show
Prizes
Need Victims Volunteers

18
How it works

Question is asked
Potential answers are shown
You have to guess which one of the answers was an
actual response

19
This is the price, right?

Question 1

20
Why cant we use SSH?

A) It (PuTTY) isnt vendor supported
B) SFTP Doesnt support ASCII
C) We dont have a PKI
D) Key Management is too difficult
E) The TCO for OpenSSH is too high

21
Why cant we switch off RSH?

A) It requires a server rebuild
B) It requires extensive testing that would cost
millions
C) CowboyNeal
D) We use telnet, you insensitive clod!
E) We dont know what it would break

22
Why did the SI buy the tin prior to completing
the design stage?

A) Because the vendor rebate would be lower next
year
B) Because the client will have to write off the
hardware expenditure anyway
C) Because its easier to justify spending on one
round of big tin than two rounds of smaller tin
D) If the client has already paid a fortune up
front theyre less likely to pull the plug later

23
Why were all the consultants on the job South
African?

A) Because of S.As extensive investment in
enterprise technology training
B) Because all the experienced guys are from
Joburg
C) Because theyre cheaper than native employees
and have a lesser understanding of local
employment law

24
Why are these not risks?

A) Because its not live yet
B) Because you need an account to access the
systems
C) Because youd need to have an RSH client and a
copy of finger to access the systems
D) Because youd need to have an FTP client to
gain access to an unshadowed /etc/passwd
E) Because there are plenty of other ways in
F) Because youre holding the project up so just
sign off or therell be trouble

25
Well done!

The good news is
People got prizes
The bad news is
Were all losers in the end

26
Breaking SAP

Send in the clowns

27
SAP Structure

Infrastructure Issues
Front-End Application
Business Logic
Business Processes
Database Skullduggery

28
Infrastructure Issues

Let me paint you a picture

29
What does an SAP deployment look like?
30
What does an SAP deployment look like?
31
Points of interest

There is no standard deployment
There should be Firewalls involved
If there are, Any-Any rules may be used
Sometimes the File Server(s) are shared between
dev, test and live too
Sometimes the App Server(s) are shared between
dev, test and live too

32
How (not) to conduct an SAP Pentest

Nmap
Amap
Nikto
Nessus
Metasploit

33
How to conduct an SAP Pentest

Nmap (-sS and sU only, no sV or A and watch
timings)
Manual confirmation of services with standard
client tools
RSH, Finger, Net View, Showmount, FTP
No active exploitation
Password guessing possible, but not automated

34
SAP Systems are

Unpatched
Unhardened
Unmaintained (caveat security)
Unmanaged (caveat security)

35
Once youve got local access

Useful tools
R3Trans
TP
SQL Trusts
OSQL E
SQLPLUS / as sysdba
MySQL u root, mysqld_safe

36
R3Trans

Uses SAPs abstracted SQL model (T-SQL)
Uses control files to perform actions upon
databases
R3Trans d v
Test database connection

37
R3Trans Control File

EXPORT
FILE/tmp/.export/
CLIENT000
SELECT FROM USR02
Start with
R3Trans /tmp/control
Dont forget to check trans.log

38
Where to look

/usr/sap/trans
/usr/sap/ltSIDgt
/home/ltSIDgtadm
There is no reason for these directories to be
world writeable!
Most should be 700, 770 or 775

39
From the trenches

We use RSH to copy files around the environment.
RSH has a feature call .rhosts which enables us
to restrict access to specific users or hosts

40
Front-End Issues

Busting down the door citing section 404

41
What front-end?

SAP has many
SAPGUI
WebGUI/NetWeaver/ITS/EP
SAPRFC
For the sake of time we will focus on SAPGUI
These issues do apply elsewhere though

42
SAPGUI
43
SAPGUI

See the box up next to the green tick?
Use /? to start debugging
Type in a transaction code (T-Code) to start a
transaction

44
SAP Transactions of Note

SU01 User Authorization
SU02 User Profile Administration
RZ04 Maintain SAP Instances
SECR Audit Information System
SE11 Data Dictionary
SE38 ABAP Editor
SE61 R/3 Documentation
SM21 System Log
SM31 Table Maintenance
SM51 List of Targets SAP Servers
SU24 Disable Authorization Checks
SM49 Execute Operating System Commands
SU12 Delete All Users
PE51 HR Form Editor (HR)
P013 Maintain Positions (HR)
P001 Maintain Jobs (HR)

45
SAP Transactions of Note

AL08 Users Logged On
AL11 Display SAP Directories
OS01 LAN Check with Ping
OS03 Local OS Parameter changes
OS04 Local System Configuration
OSO5 Remote System Configuration
OSS1 SAPs Online Service System
PFCG Profile Generator
RZ01 Job Scheduling Monitor
RZ20 CCMS Monitoring
RZ21 Customize CCMS Monitor
SA38 ABAP/4 Reporting
SCC0 Client Copy
SE01 Transport and Correction System
SE13 Maintain Technical Settings (Tables)
SUIM Repository Information System

46
You cant access those!

I can access them (or equivalents) if
restrictions are based on
Easy Access Menu Items
Transactions only
Custom-tables (e.g a ZUSERS table of allowed
users)
Restrictions need to be implemented at the
Authorization level
So what else is there?

47
Reports

RPCIFU01 Display File
RPCIFU03 Download Unix File
RPCIFU04 Upload Unix File
RPR_ABAP_SOURCE_SCAN Search ABAP for a string
)
RSBDCOS0 Execute OS Command
RSPARAM Check System Parameters
RSORAREL Get the Oracle System Release

48
Tables

Accessible through
SE16 (Maintain Tables)
SE17 (Display Tables)
SA38 (Execute ABAP)
SE38 (ABAP Editor)
Customizations (ZZ_TABLE_ADMIN etc.)
Will Be Covered Later

49
Job Scheduler

Cant get OS access?
Use SM36 or SM36WIZ Instead
Specify Immediate Start
External Program as Step

50
Custom Transaction fun

Input Validation
Selection Criteria Expansion
Path specification (../../, // etc)
Shell Escapes ( /bin/ls, /bin/ls etc)
SQL Injection
Export/Import file fun and games
Bypass Authorization Checks

51
From the trenches

As discussed in the meeting on ltredactedgt with
ltredactedgt, weve agreed that there is no further
action required. I appreciate that you are on
holiday at the moment, but we will take your
expected non-response in advance as agreement
upon the matter.

52
Database Skullduggery

Here be Dragons

53
Database Stuff

The Database contains all the data.
The Database is accessed by SAP users through the
SAP system.
The SAP database is not subject to the same
controls as SAP itself.
WARNING DO NOT MODIFY THE DATABASE WITHOUT
PERMISSION SIGNED IN BLOOD (not yours)

54
Getting In

Patch Weaknesses
Brute Force
Roundhouse Kicks
Default Accounts

55
Speaking of Default Accounts

Default Accounts (with Oracle Hashes)
DDIC/199220706 (4F9FFB093F909574)
SAP/SAPR3 (BEAA1036A464F9F0)
SAP/6071992 (B1344DC1B5F3D903)
SAPR3/SAP (58872B4319A76363)
EARLYWATCH/SUPPORT (8AA1C62E08C76445)

56
Note about Schemas

lt610 has SAPR3 as Schema Owner
gt610 uses SAP as Schema Owner

57
Database Queries of Note

Select MANDT,BNAME,BCODE,USTYP,CLASS from
ltSAPDBgt..USR02
SELECT FROM UST04
SELECT FROM TSTCT WHERE SPRSL E
SELECT FROM DBCON
exec master.dbo.xp_cmdshell 'cmd.exe /c net view

58
Common Values in the DB

ACTVT Activity Code
USTYP User Type
MANDT Client Number
BUKRS Company Code
BEGRU Authorization

59
USTYP values

USTYP specifies the type of user (used in USR02)
A Dialog (interactive user)
C Communications (CPIC)
D System (BDC)
S Service
L Reference
People often dont change passwords on CPIC users
as theyre not sure what breaks

60
Tables to look at

BKPF Accounting Header (FI)
BSEG Accounting Document Segment (FI)
CEPC Profit Master Data
EKKO PO Header
RSEG Incoming Invoice
RBKP Invoice Receipts
KNA1 Customer Master Records
LFA1 Vendor Master Records
PNP Personnel Data (HR Only)
CSKS Cost Centre Master (HR)
T569V Payroll Control Records (HR)

61
Subverting Business Logic

Its not a lie, we just didnt tell you that

62
How SAP Controls Access

Local logon details in USR02
Profile details in UST04, USR04 etc.
Authorizations Profiles

63
Custom SAP Code and Access Control

ABAPs and Auths 101
Authorization checks
AUTHORITY-CHECK OBJECT ltobjectgt
If the authority check statement isnt there, it
is assumed that you can go ahead!

64
SAP Authorization Concept
65
Common Authorization Snafus

Pyramid Structure Approach
Overly Restrictive Approach
Use Standard SAP Profiles Approach
Transactions/Menu only Approach
Objects only Approach

66
So what happens when things go wrong?
67
When things go wrong

Too much access
Too little access
Disgruntled Employees and no audit trail
Enron style fun

68
Business Process Hacking

Where you too can be like Neo

69
Business Process Hacking

When your business processes are correctly
aligned all is good.
When they arent
And its even worse when its legislation

70
BPH Vs. Social Engineering

From the Canadian charter of rights and freedoms
20. (1) Any member of the public in Canada has
the right to communicate with, and to receive
available services from, any head or central
office of an institution of the Parliament or
government of Canada in English or French, and
has the same right with respect to any other
office of any such institution where
a) there is a significant demand for
communications with and services from that office
in such language or
b) due to the nature of the office, it is
reasonable that communications with and services
from that office be available in both English and
French.
Is this charter open to abuse?