RE: SAP Pen-Test
From: Nicolas Gregoire (ngregoire_at_exaprobe.com)
Date: 11/04/04
- Previous message: sonoro: "Re: Vigilante security Scanner"
- In reply to: Todd Towles: "RE: SAP Pen-Test"
To: pen-test@securityfocus.com
Date: Thu, 04 Nov 2004 08:17:39 +0100
> Hydra (parallized login hacker) from THC uses some SAP R/3 stuff.
> Anyone ever use test it?
I think that the code used in Hydra is derived from mine, so I can
speak about it: Yes, it works fine!
In order to use Hydra against SAP servers, you will first need
'saprfc.h' and 'librfc.a' from the SAP SDK (freely available at [1]) to
compile hydra with SAP R/3 support (check the 'configure' file).
Once you've a working SAP-enabled hydra, you can use it to search for
valid login/passwd combos *without* account locking [2]. But a decent
way to do it is to begin with administrative/default accounts as listed
in [3].
However, there's a small bug in hydra: a check for the client ID (aka
"mandant" in SAP language) being between 0 and 99 is done; it should be
0-999. Probably a confusion with the sysnr (TCP port = 3200+sysnr).
[1] : http://www50.sap.com/linux/eval/index.asp
[2] : http://securitytracker.com/alerts/2003/Mar/1006223.html
[3] : http://www.hoelzner.de/security/sap_default_passwords.php
Regards,
--
Nicolas Gregoire ----- Information Systems Security Consultant
ngregoire@exaprobe.com ------[ ExaProbe ]------ http://www.exaprobe.com/
PGP KeyID:CA61B44F FingerPrint:1CC647FF1A55664BA2D2AFDACA6A21DACA61B44F
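The range mix-up described in the message, shown as an added example that is not part of the original post and is not Hydra's code: a strict validator for the two SAP connection parameters, with the 0-99 client check next to the corrected 0-999 one. All function names are hypothetical, and writing the client as three zero-padded digits is an assumption based on SAP's usual notation.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#define SAP_PORT_BASE 3200 /* from the post: TCP port = 3200 + sysnr */

/* Strictly parse an unsigned decimal string; returns the value, or -1 if
 * it is not purely numeric, overflows, or exceeds hi. */
static long parse_range(const char *s, long hi)
{
    char *end;
    long v;
    if (s == NULL || *s < '0' || *s > '9') /* rejects sign, space, empty */
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    return (errno == 0 && *end == '\0' && v <= hi) ? v : -1;
}

/* The check as the post describes it: client wrongly capped at 99. */
int client_ok_buggy(const char *s)
{
    return parse_range(s, 99) >= 0;
}

/* Corrected check: client 0-999, normalised to three digits ("066"). */
int sap_client(const char *s, char out[4])
{
    long v = parse_range(s, 999);
    if (v < 0)
        return -1;
    out[0] = (char)('0' + v / 100);
    out[1] = (char)('0' + (v / 10) % 10);
    out[2] = (char)('0' + v % 10);
    out[3] = '\0';
    return 0;
}

/* System number 0-99 mapped to its TCP port; -1 if invalid. */
int sap_port(const char *sysnr)
{
    long v = parse_range(sysnr, 99);
    return v < 0 ? -1 : SAP_PORT_BASE + (int)v;
}

int main(void)
{
    char c[4];
    if (sap_client("800", c) == 0)
        printf("client %s, sysnr 01 -> port %d\n", c, sap_port("01"));
    return 0;
}
```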