SAPPIN' The Enterprise: Breaking What No One Else Pentests
This talk demonstrates how to exploit SAP systems by targeting weak password storage and insecure Remote Function Call (RFC) configurations. It details the process of cracking SAP BCODE and SHA-1 hashes, as well as leveraging RFCs to execute arbitrary code and create unauthorized administrative users. The presentation highlights the critical need for proper patch management and secure configuration of SAP NetWeaver environments. The speaker provides a practical demonstration of these techniques using custom Python scripts and the SAP GUI.
Exploiting SAP NetWeaver: From Hash Cracking to Remote Code Execution
TLDR: SAP environments are often treated as black boxes, but they are vulnerable to standard exploitation techniques like hash cracking and insecure Remote Function Call (RFC) configurations. This post details how to extract and crack SAP BCODE and SHA-1 hashes and demonstrates how to leverage misconfigured RFCs to achieve remote code execution. Security teams must prioritize patching CVE-2020-6287 and auditing RFC trust relationships to prevent unauthorized administrative access.
Enterprise resource planning software is the backbone of global commerce, yet it remains one of the most overlooked targets during penetration tests. Most researchers avoid SAP because of its perceived complexity and the proprietary nature of its ABAP language. This hesitation is a mistake. SAP systems are not impenetrable; they are simply poorly understood by the average attacker. When you strip away the corporate jargon, these systems are just databases and application servers that rely on standard authentication and communication protocols. If you can access the underlying tables or manipulate the function calls, you own the business logic.
Cracking SAP Password Hashes
Authentication failures are a primary concern in any environment, and SAP is no exception. The system stores user password hashes in the USR02 table. During a penetration test, if you gain read access to the database, you can dump these hashes and attempt to crack them offline.
SAP uses several hash formats, including the legacy BCODE and the more modern SHA-1 with random salt. The BCODE format is particularly weak because it only considers the first eight characters of a password. Even if a user sets a complex, twenty-character password, the system truncates it, making it trivial to crack with hashcat.
To extract these, you can use the SAP GUI to query the USR02 table directly. The hashes sit in the BCODE and PASSCODE fields of that table. The following command demonstrates how to initiate a crack against a BCODE hash file:
hashcat -m 7700 -a 0 sap_bcode.txt rockyou.txt
The -m 7700 flag specifies the SAP BCODE algorithm. Because BCODE is so computationally inexpensive, a standard wordlist attack will often yield results in seconds. If you encounter the newer SHA-1 hashes, you will need to account for the salt, but the principle remains the same. Never assume that an enterprise-grade system is using modern, salted password storage by default.
Weaponizing Remote Function Calls
Once you have valid credentials, the real fun begins with Remote Function Calls (RFCs). RFCs allow different SAP systems to communicate and invoke functions on each other. This mechanism is designed for business integration, but it is frequently misconfigured, allowing for unauthorized cross-system execution.
The security of an RFC depends on its "callback" configuration. In insecure modes, the system does not verify the identity of the calling system, effectively trusting any request that comes through the interface. If you have access to a development system with weak credentials, you can modify the code of an existing RFC function to include malicious logic.
For example, you can inject code into a standard ping function. When a production system calls this function, it will execute your modified code. This allows you to perform actions on the production system—such as creating a new administrative user—without ever needing direct credentials for the production environment. This is a classic case of Broken Access Control, where the trust relationship between systems is exploited to bypass authentication.
The Impact of CVE-2020-6287
If you are looking for low-hanging fruit, look no further than CVE-2020-6287. This vulnerability, often called "SAP RECON," allows an unauthenticated attacker to create an administrative user via a single, specially crafted HTTP request to the SAP NetWeaver Java portal.
The vulnerability exists because the portal fails to properly validate requests to the CTC web service. By sending an XML payload to the CTCWebService endpoint, you can trigger the creation of a new user with full privileges. The impact is total system compromise. During an engagement, you can verify this by checking if the endpoint returns a 200 OK status with a blank page, which indicates the service is active and potentially vulnerable.
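A defender-side check for the HTTP activity described above, added here as an example and not part of the original talk: it parses web server access-log lines (constructed for this example) and labels empty-body probes and POSTs to any CTCWebService path; the admin network range and the exact request paths are assumptions.

```python
# Added example (not from the talk): flag requests to the NetWeaver Java
# CTCWebService endpoint in a web server access log. The admin range and
# every log line below are constructed assumptions for this example.
import ipaddress
import re

# Common Log Format with the request line split into method, path, protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumption: only this network is expected to reach the CTC web service.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]

SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:09:14:02 +0000] "GET /CTCWebService/ HTTP/1.1" 200 0
198.51.100.7 - - [10/Mar/2024:09:14:09 +0000] "POST /CTCWebService/ HTTP/1.1" 200 412
10.20.3.4 - - [10/Mar/2024:09:30:11 +0000] "POST /CTCWebService/ HTTP/1.1" 200 388
203.0.113.9 - - [10/Mar/2024:09:31:00 +0000] "GET /irj/portal HTTP/1.1" 200 5120
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(ev):
    """Return an alert label for CTCWebService traffic, else None."""
    if "ctcwebservice" not in ev["path"].lower():
        return None
    src = ipaddress.ip_address(ev["ip"])
    internal = any(src in net for net in ADMIN_NETS)
    if ev["method"] == "POST":
        # A POSTed XML payload is how CVE-2020-6287 is triggered; from
        # outside the admin range this is the highest-priority alert.
        return "ctc_post_internal" if internal else "ctc_post_external"
    if ev["status"] == "200" and ev["size"] in ("0", "-"):
        # 200 with an empty body is the reachability check described above.
        return "ctc_probe"
    return "ctc_other"

def detect(log_text):
    """Return (label, ip, path) for each alert-worthy line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        label = classify(ev) if ev else None
        if label:
            alerts.append((label, ev["ip"], ev["path"]))
    return alerts
```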
Defensive Priorities
Defending these systems requires a shift in mindset. First, patch management is non-negotiable. The fact that CVE-2020-6287 is still being exploited years after its disclosure is a failure of basic security hygiene. Second, audit your RFC destinations. Use the SM59 transaction code in the SAP GUI to review all configured RFC connections. Ensure that "callback" checks are enabled and that trust relationships are restricted to known, authorized systems.
Finally, treat your SAP environment as a high-value target. If you are a pentester, stop ignoring the SAP landscape. If you are a defender, start monitoring the USR02 table for unauthorized changes and keep a close eye on your RFC configurations. The barrier to entry is lower than you think, and the potential for impact is higher than most other systems in your stack.
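The USR02 monitoring suggested above, together with the legacy BCODE weakness from the hash-cracking section, as one added example that is not part of the original talk: it audits an export of USR02 for accounts still carrying a BCODE hash and diffs two exports to surface accounts that appeared or whose hash changed. The column names BNAME/BCODE/PASSCODE, the CSV layout and every row are assumptions built for this example.

```python
# Added example (not from the talk): audit an export of the SAP USR02 table for
# legacy BCODE hashes and diff two exports to spot added accounts or changed
# hashes. Column names and every row below are constructed assumptions.
import csv
import io

# Constructed "yesterday" export: DDIC carries only a legacy BCODE hash,
# JSMITH only the salted SHA-1 PASSCODE, AUDIT1 both (downward compatibility).
BASELINE = """BNAME,BCODE,PASSCODE
DDIC,CONSTRUCTED_BCODE_1,
JSMITH,,CONSTRUCTED_PASSCODE_1
AUDIT1,CONSTRUCTED_BCODE_2,CONSTRUCTED_PASSCODE_2
"""
# Constructed "today" export: JSMITH's hash changed and a new account appeared.
CURRENT = """BNAME,BCODE,PASSCODE
DDIC,CONSTRUCTED_BCODE_1,
JSMITH,,CONSTRUCTED_PASSCODE_9
AUDIT1,CONSTRUCTED_BCODE_2,CONSTRUCTED_PASSCODE_2
NEWADMIN,,CONSTRUCTED_PASSCODE_5
"""

def load_snapshot(text):
    """Map user name -> row dict for one USR02 export."""
    return {row["BNAME"]: row for row in csv.DictReader(io.StringIO(text))}

def legacy_bcode_users(snapshot):
    """Accounts still storing a BCODE hash: only the first eight password
    characters count, so these fall first to hashcat -m 7700."""
    return sorted(u for u, r in snapshot.items() if r["BCODE"].strip())

def diff_snapshots(baseline, current):
    """Accounts added, removed, or with a changed hash between two exports;
    an unexpected new account is what an RFC- or RECON-style attack leaves."""
    def hashes(r):
        return (r["BCODE"].strip(), r["PASSCODE"].strip())
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed_hash": sorted(u for u in common
                               if hashes(baseline[u]) != hashes(current[u])),
    }

def audit(baseline_text, current_text):
    base, cur = load_snapshot(baseline_text), load_snapshot(current_text)
    report = diff_snapshots(base, cur)
    report["legacy_bcode"] = legacy_bcode_users(cur)
    return report
```

Run `audit` against a nightly export pair and alert on any non-empty "added" or "changed_hash" list that does not match an approved change.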