All Your SAP P@$$w0RdZ Belong to Us
Date: August 2014
Publication: Passwords14 Las Vegas
Source 1: http://www.dsec.ru/upload/medialibrary/c3d/c3dedb60c7cca1d7a1f3e4b3aab41859.pdf
Nowadays, everyone knows about the great importance of SAP systems and the critical data processed by them. Large companies install SAP Security Notes regularly so as not to repeat the mistake of Nvidia. One bug is not enough anymore to get access to all corporate SAP systems. Pentesters frequently find themselves in a situation where the OS of an SAP server has been compromised successfully, but they have not got an access to the ERP system. In addition, it is rather common to have an unprivileged account, which give them access to the encrypted password, but not to the whole system. Sometimes they even try to break into other systems with help of the passwords, which users usually use in the systems they’ve already broken, but they can’t, because they need them to be decrypted first.
Where do we find the treasured password to access the financial transactions and revenues of NASDAQ monsters? Where and how does SAP store user passwords? Are all passwords stored as hashes, or can attackers find passwords in plaintext? This talk reviews the many places where SAP stores critical credentials, such as usernames and passwords, and, which is more interesting, the way it stores them. Methods of retrieving them will be described, and decryption utilities will be presented. SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, Database links, SAP HANA Storage, you name it – all varieties of SAP modules will be discussed in this talk.
PasswordResearch.com Note: Video of presentation available: https://www.youtube.com/watch?v=jWCSy0TbVRU Slides available at URL are associated with this presentation, but from a different conference.
Do you have additional information to contribute regarding this research paper? If so, please email email@example.com with the details.