Abstract: Nowadays, everyone knows about the great importance of SAP systems and the critical
data processed by them. Large companies install SAP Security Notes regularly so as
not to repeat the mistake of Nvidia. One bug is not enough anymore to get access to
all corporate SAP systems. Pentesters frequently find themselves in a situation where
the OS of an SAP server has been compromised successfully, but they do not have
access to the ERP system. In addition, it is rather common to have an unprivileged
account, which gives them access to the encrypted password, but not to the whole
system. Sometimes they even try to break into other systems with the help of the
passwords that users usually reuse from the systems they've already broken into, but they
can't, because they need them to be decrypted first. Where do we find the treasured
password to access the financial transactions and revenues of NASDAQ monsters?
Where and how does SAP store user passwords? Are all passwords stored as hashes,
or can attackers find passwords in plaintext?
This talk reviews the many places where SAP stores critical credentials, such as
usernames and passwords, and, which is more interesting, the way it stores them.
Methods of retrieving them will be described, and decryption utilities will be presented.
SAP GUI shortcuts, RFC connections, SAP Security Storage, logs, traces, database
links, SAP HANA storage, you name it: all varieties of SAP modules will be
discussed in this talk.

Bio: Dmitry Chastuhin
Head of the SAP Pentesting team at ERPScan. He works on SAP security, particularly on web applications and Java systems. He has multiple official acknowledgements from SAP for the vulnerabilities he found. Dmitriy is also a Web 2.0 and social network security geek who found several critical bugs in Google, Vkontakte, and Yandex. He has been a speaker at BlackHat, HITB, ZeroNights, Brucon and Deepsec.
Alex Polyakov
The father of the ERPScan Security Scanner for SAP and organizer of the ZeroNights deep-technical security conference. His expertise covers the security of enterprise business-critical software such as ERP, CRM, SRM, banking and processing software. He is the manager of EAS-SEC.org and a well-known security expert on the enterprise applications of vendors such as SAP and Oracle, who has published a significant number of the vulnerabilities found in these vendors' applications, with acknowledgements from SAP. He is the author of multiple whitepapers and surveys devoted to information security research in SAP, such as "SAP Security in figures". Alexander has been invited to speak and train at international conferences such as BlackHat, RSA, HITB and 35 others around the globe, as well as at internal workshops for SAP and Fortune 500 companies.
Copyright 2020, IronGeek