Hacking a SAP Database

Jochen Hein

$Id: ora-hack-en.xml,v 1.1 2002/05/06 16:48:56 jhein Exp $


1. How to hack an SAP system

Warning

Kids, don't do that at home. We are only using tools and techniques that have long been known...


1.1. Getting access with network means

We start with no knowledge of the system or the network (besides guessing that there is an R/3 system). Since most SAP customers use an Oracle database, the chances of finding such a system are high. Our tool of choice is a laptop with some network tools, an Oracle client, and the SAP kernel. We need network access, for example an unused port, a mini-hub, or a port connected to a printer. Then we start sniffing the network traffic.

SAP R/3 systems communicate on possibly many ports. The application server listens on a port from 3200 to 3299, the message server on a port in the range 3600 to 3699. The last two digits are called the system number. The port numbers can be changed, but chances are very high that the customer uses ports in these ranges. Have a look at the command line for tcpdump (Figure 1). There are other tools you can use as well.

tcpdump will show all connections to the application servers. The expression tcp[13] & 3 != 0 matches the TCP packets that have the SYN or FIN flag set, i.e. connection setup and teardown. The option -n displays only IP addresses, no names. We note the output (Figure 2; the output has been shortened).

We now know one or more SAP application servers and can start looking at them in more detail. The first defense against the sniffing attack is using a switch (most people do that by now). Nevertheless, there are attacks against switches that degrade them to hubs; after that, the sniffing attack is possible again.

We now choose an unused IP address for our laptop (or use DHCP). From now on we risk being detected, since we are using an active network setup. It might be helpful to sniff DNS packets to get the IP address of the DNS server.

We use SAPGUI to connect to the SAP system. The last line in the window is the status line, which tells us the System-ID. The System-ID is the same as the Oracle System-ID (if Oracle is used). If we have seen a connection to port 36nr (nr being the system number) we can use lgtst to get more information about the system.
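The reconnaissance above works because SAP services sit on predictable port ranges; the same fact lets the network owner notice a rogue host doing exactly this. The following Python script is an added example (not part of the original article) that parses tcpdump output of the kind the article refers to, records which hosts answer on dispatcher, gateway and message server ports, and raises an alert whenever a connection attempt to one of those ports comes from an address that is not on an allowlist of known SAPGUI workstations and application servers. The capture lines, the addresses and the allowlist are constructed for the example; the port-to-role mapping is the one stated in the text.

```python
import re
from collections import OrderedDict

# Constructed sample of `tcpdump -n 'tcp[13] & 3 != 0'` output (modern
# tcpdump line format); this is not a real capture from any site.
SAMPLE_CAPTURE = """\
16:48:56.000101 IP 10.1.1.21.41000 > 10.1.1.10.3200: Flags [S], seq 1, win 65535, length 0
16:48:56.000230 IP 10.1.1.10.3200 > 10.1.1.21.41000: Flags [S.], seq 2, ack 2, win 65535, length 0
16:48:57.104400 IP 10.1.1.22.41001 > 10.1.1.10.3600: Flags [S], seq 3, win 65535, length 0
16:48:58.220000 IP 10.1.1.21.41000 > 10.1.1.10.3200: Flags [F.], seq 9, ack 9, win 65535, length 0
16:49:01.500000 IP 10.1.1.200.50001 > 10.1.1.10.3200: Flags [S], seq 4, win 65535, length 0
16:49:01.600000 IP 10.1.1.200.50002 > 10.1.1.10.3300: Flags [S], seq 5, win 65535, length 0
16:49:02.000000 IP 10.1.1.21.41002 > 10.1.1.10.22: Flags [S], seq 6, win 65535, length 0
"""

# Constructed allowlist: hosts that are supposed to talk to the SAP ports
# (SAPGUI workstations and application servers). 10.1.1.200 is not on it.
KNOWN_CLIENTS = {"10.1.1.21", "10.1.1.22"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dip>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def classify_port(port):
    """Map a destination port to the SAP service named in the article.
    Returns (role, system number) or None for a non-SAP port."""
    if 3200 <= port <= 3299:
        return ("dispatcher", f"{port - 3200:02d}")
    if 3300 <= port <= 3399:
        return ("gateway", f"{port - 3300:02d}")
    if 3600 <= port <= 3699:
        return ("message server", f"{port - 3600:02d}")
    return None


def parse_line(line):
    """Pull timestamp, endpoints and TCP flags out of one tcpdump line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["sip"], "dst": m["dip"],
            "dport": int(m["dport"]), "flags": m["flags"]}


def audit_capture(capture, known_clients):
    """Return (listeners, alerts). The tcpdump filter passes SYN and FIN
    packets; only pure SYNs (flags exactly 'S') are counted, so the listener
    is always the side receiving the SYN, never the SYN/ACK sender."""
    listeners = OrderedDict()   # (host, port) -> (role, system number)
    alerts = []
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["flags"] != "S":
            continue
        svc = classify_port(pkt["dport"])
        if svc is None:
            continue
        listeners.setdefault((pkt["dst"], pkt["dport"]), svc)
        if pkt["src"] not in known_clients:
            alerts.append({"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"],
                           "dport": pkt["dport"], "role": svc[0]})
    return listeners, alerts


if __name__ == "__main__":
    found, bad = audit_capture(SAMPLE_CAPTURE, KNOWN_CLIENTS)
    for (host, port), (role, sysnr) in found.items():
        print(f"SAP {role} on {host}:{port} (system number {sysnr})")
    for a in bad:
        print(f"ALERT {a['ts']} unknown client {a['src']} -> "
              f"{a['dst']}:{a['dport']} ({a['role']})")
```

On the constructed capture the script identifies one host running a dispatcher, a gateway and a message server for system number 00, and raises two alerts for 10.1.1.200, the address an uninvited laptop would appear under. In practice the allowlist comes from the SAPGUI rollout and the application server inventory, and the same logic runs just as well over exported firewall or flow logs.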


1.2. Preparing the attack

We are now looking for the database server of the SAP system. A port scan of the SAP application server might reveal a message server and an Oracle port (Figure 4).

(1)
These are the ports of the SAP dispatcher (32xx), possibly gateway processes (33xx), and the message server (36xx).
(2)
Looking for an Oracle listener. Sometimes other ports are used as well...

A wild guess: we are facing an SAP system with database and central instance on one machine. We can verify that with sapinfo (Figure 5). sapinfo is part of the RFC SDK on the GUI CD.

If the SAP host has only one NIC we are done. Otherwise it might help to use lgtst or queries to the DNS server to guess the right IP address.

Starting from nothing we have gained the following knowledge:

This is all we need to know about the database, so we now launch our attack.


1.3. Getting access to the Oracle database

We craft a SQL*Net V2 configuration which will give us access to the database. We need the file sqlnet.ora (the default SAP file, see Figure 6) and a file called tnsnames.ora (Figure 7). The environment variable TNS_ADMIN contains the path to these files, but on our laptop we are free to use whatever we like anyway.

If the default passwords have not been changed we can use the SQL command connect sapr3/sap@SID in svrmgrl to connect to the database – thank you for playing. Otherwise we have to use the OPS$ access to get the SAPR3 password (Figure 8). So create a user sidadm and start playing...

(1)
We connect as the OPS$ user, no password needed.
(2)
Table SAPUSER contains the password and we are set.
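The OPS$ step works because the database trusts the operating-system user name the client presents. Whether a laptop with a freshly created sidadm account can use that depends on two settings on the database server: the instance parameter remote_os_authent (is OS authentication accepted from remote clients at all) and the sqlnet.ora parameters tcp.validnode_checking and tcp.invited_nodes (which hosts the listener accepts connections from). The Python audit below is an added example, not code from the article, that reads init<SID>.ora- and sqlnet.ora-style text and reports the resulting exposure, with the weak configuration beside a restricted one. The configuration fragments, the host addresses and the severity labels are constructed for the example and are not SAP's shipped files.

```python
# Constructed init<SID>.ora fragment: remote OS authentication switched on,
# so any client presenting OS user <sid>adm is accepted as OPS$<SID>ADM.
WEAK_INIT_ORA = """
db_name = C11
remote_os_authent = true
os_authent_prefix = "OPS$"
"""

# Constructed server-side sqlnet.ora with no node restriction at all.
WEAK_SQLNET_ORA = """
automatic_ipc = on
"""

# Constructed server-side sqlnet.ora that lets the listener accept TCP
# connections only from the listed application servers.
HARDENED_SQLNET_ORA = """
automatic_ipc = on
tcp.validnode_checking = yes
tcp.invited_nodes = (10.1.1.10, 10.1.1.11)
"""

# Constructed inventory of hosts that legitimately need OPS$ access.
APP_SERVERS = ["10.1.1.10", "10.1.1.11"]


def parse_ora(text):
    """Parse 'key = value' lines of an init<SID>.ora or sqlnet.ora file into a
    dict with lower-cased keys. '#' starts a comment; quotes around a value
    are stripped."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key.lower()] = value.strip('"').strip("'")
    return params


def node_list(value):
    """Turn '(10.1.1.10, 10.1.1.11)' into ['10.1.1.10', '10.1.1.11']."""
    return [n.strip() for n in value.strip("()").split(",") if n.strip()]


def audit_ops_exposure(init_ora, sqlnet_ora, app_servers):
    """Return a list of (severity, message) findings describing how far the
    OPS$ logon path is open to hosts other than the application servers."""
    inst = parse_ora(init_ora)
    net = parse_ora(sqlnet_ora)
    findings = []

    prefix = inst.get("os_authent_prefix", "OPS$")          # Oracle default
    remote_os = inst.get("remote_os_authent", "false").lower() == "true"
    validnode = net.get("tcp.validnode_checking", "no").lower() == "yes"
    invited = set(node_list(net.get("tcp.invited_nodes", "")))

    if remote_os:
        # Still a risk with node checking (a compromised app server can use
        # it), but without node checking every host on the network can.
        findings.append(("HIGH" if not validnode else "MEDIUM",
                         "remote_os_authent = true: any client that presents "
                         f"OS user <sid>adm is accepted as {prefix}<SID>ADM "
                         "without a password"))
    if not validnode:
        findings.append(("HIGH",
                         "tcp.validnode_checking is not 'yes': the listener "
                         "accepts connections from any host; restrict it to "
                         "the application servers with tcp.invited_nodes"))
    else:
        missing = set(app_servers) - invited
        if missing:
            findings.append(("MEDIUM",
                             "application servers missing from "
                             f"tcp.invited_nodes: {sorted(missing)}"))
    return findings


if __name__ == "__main__":
    for label, sqlnet in (("weak", WEAK_SQLNET_ORA), ("hardened", HARDENED_SQLNET_ORA)):
        print(f"--- {label} sqlnet.ora ---")
        for severity, msg in audit_ops_exposure(WEAK_INIT_ORA, sqlnet, APP_SERVERS):
            print(f"[{severity}] {msg}")
```

With the weak pair the audit reports two high findings: the instance honours remote OS authentication and the listener talks to anyone, which is exactly the combination the laptop attack needs. With the restricted sqlnet.ora the listener refuses the laptop outright, and only the medium finding about remote OS authentication remains, a reminder that the OPS$ trust still extends to every host on the invited list.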