add updates from contributions (#30)

Author: randomstr1ng

README.md

@@ -41,6 +41,7 @@ Contribution Process:
 - Marc Eisenhardt ([@etk39372](https://github.com/etk39372))
 - Frederik Weidemann ()
 - DaCodah ([@DaCodah](https://github.com/DaCodah))
+- Joris van de Vis ([@kloris](https://github.com/kloris))
 
 ## Supporters & Sponsors
 Thank you to all our supporters and sponsors for their help and support to allow us to continue our work on the project.

content/Getting_Started/supporter_and_contributors.md

@@ -10,6 +10,7 @@ weight: 4
 - Marc Eisenhardt ([@etk39372](https://github.com/etk39372))
 - Frederik Weidemann ()
 - DaCodah ([@DaCodah](https://github.com/DaCodah))
+- Joris van de Vis ([@kloris](https://github.com/kloris))
 
 # Supporters
 Thank you to all our supporters and sponsors for their help and support to allow us to continue our work on the project.

content/SAP_ABAP_Platform/known_attack_vectors/accessing_filesystem-read.md

@@ -15,6 +15,7 @@ This process can lead to access to sensitive files covering both business and se
   - `C13Z_FILE_DOWNLOAD_ASCII`
   - `C13Z_FILE_DOWNLOAD_BINARY`
 - OS Commands (Transaction SM49/SM69, custom code, ABAP code `CALL SYSTEM`, RFC Gateway vulnerability, Report `RSBDCOS0`, etc via `cat`,`ls`, `Get-FileContent`, ... commands)
+- ICM misconfiguration via parameter `icm/HTTP/file_access_<nr>` allows to create an alias from which you browse the entire filesystem via a URL. Authentication can be setup via profile parameter `icm/HTTP/auth_<nr>`.
 
 
 # Mitigation
@@ -23,5 +24,8 @@ This process can lead to access to sensitive files covering both business and se
 - Control and maintain `SPTH`
 - OS Commands: Requires different mitigation approach through authorization object for `S_LOG_COM` and `S_C_FUNCT`
 - Best practices for OS User Security from SAP
+- Setup authentication for ICM if needed (`icm/HTTP/auth_<nr>`)
 
 # References
+- [SAP Help docs for `icm/HTTP/auth_<nr>`](https://help.sap.com/docs/ABAP_PLATFORM_NEW/bd78479f4da741a59f5e2a418bd37908/483edf38c10272d2e10000000a42189c.html)
+- [SAP Help docs for `icm/HTTP/file_access_<nr>`](https://help.sap.com/docs/ABAP_PLATFORM_NEW/683d6a1797a34730a6e005d1e8de6f22/483e1b4e252f72d0e10000000a42189c.html)

content/SAP_ABAP_Platform/known_attack_vectors/os_command_execution.md

@@ -3,17 +3,19 @@ title: "OS Command execution"
 ---
 
 # Description
-There are various ways to execute os commands via ABAP. When OS commands are executed, `S_LOG_COM` or `S_C_FUNCT` is being checked, depending on the function used to execute OS commands. The execution itself is done through the ABAP kernel and using the OS level authorizations of the user `<SID>adm` or `SAPService<SID>` (Windows).
+There are various ways to execute os commands via ABAP. When OS commands are executed, `S_LOG_COM` or `S_C_FUNCT` is being checked in some of the below cases, depending on the function used to execute OS commands. The execution itself is done through the ABAP kernel and using the OS level authorizations of the user `<SID>adm` or `SAPService<SID>` (Windows).
 
 
 # Risk
-If an attacker can execute OS commands he elevates his privileges effective to `<SID>adm` or `SAPService<SID>` (Windows) on OS level. Depending on the OS command and technique used, the limitation may exists to restrict the access to single OS commands.
-If an attacker can execute arbitrary OS commands, then this leads to a full compromise of the system.
+If an attacker can execute arbitrary OS commands, then this leads to a full compromise of the system because of a.o. the implicit trust relation between the OS user and the Database. This effectively means you can go from the OS user to the Database without providing a password. In SAP Hana DB for example you can use the `hdbsql` executable on the OS with the `-U DEFAULT` flag to execute SQL queries (insert, update, select, etc) directly in the SAP Schema without having to provide any additonal authentication details.
 
 Examples:
-- Exfitrate private SSH keys
-- Overwrite SAP kernel binaries
+- Exfiltrate private SSH keys
+- Overwrite SAP kernel binaries or ACL files
 - Inject code into custom scripts
+- Extract the secure store
+- Via the DB trust relation extract password hashes, create SAP users with SAP_ALL directly in the DB
+- Delete log/trace files
 
 In certain cases user input filtering can be bypassed and in those cases the attack can lead to a full compromise of the system. If the execution is limited to a single command, then the business impact depends on the command or the allowed user input of e.g. the parameter.
 
@@ -29,6 +31,19 @@ In certain cases user input filtering can be bypassed and in those cases the att
 - Custom Code/ Third Party Code (ABAP `CALL 'SYSTEM'`)
 - Vulnerable Components (e.g. SAP RFC Gateway)
 - Schedule Background Jobs as user `DDIC`
+- Instance profile (executed upon (re)starting SAP): `Execute_XX = <your_command_to_execute_here>` (XX = number like 01)
+- SAP Kernel call from ABAP coding:
+```abap
+CALL 'ThWpInfo' ID 'OPCODE' FIELD (Linux only)
+		REPORT ZTEST.
+		DATA OPCODEXEC TYPE X VALUE 9.
+		CALL 'ThWpInfo' ID 'OPCODE' FIELD OPCODEXEC
+		ID 'SERVER' FIELD ''
+		ID 'PROG'   FIELD 'mkdir '
+		ID 'ARGC'   FIELD 1
+		ID 'ARG1'   FIELD '/tmp/blablabla'.
+		WAIT UP TO '0.9' SECONDS.
+```
 
 # Mitigation
 - Requires different mitigation approach through authorization object for `S_LOG_COM` and `S_C_FUNCT`

content/SAP_ABAP_Platform/known_attack_vectors/password_hashes.md

@@ -13,12 +13,15 @@ These Tables are:
 - VUSER001
 - VUSR02_PWD
 - USR_TOTP
+- EDIDC (Idocs from CUA)
 
 There are various ways to access the content of those tables with the consequence of disclosing the hashes. SAP development implemented different hash algorithms throughout the years. The below list shows a breif overview of the used algorithms, starting from the weakest first:
 
--BCODE           -> outdated an highly insecure
--PASSCODE        -> outdated and insecure
--PWDSALTEDHASH   -> currently recommended version
+Algorithm | comment
+----------|---------
+BCODE | outdated an highly insecure
+PASSCODE | outdated and insecure
+PWDSALTEDHASH | currently recommended version
 
 A detailed explanation is available [here](https://www.daniel-berlin.de/security/sap-sec/password-hash-algorithms/).
 
@@ -29,9 +32,15 @@ Older SAP password hash algorithms (such as those based on weak cryptographic fu
 
 # Options
 - Extraction of hashes using Transaction (SE16, SE16N, DBA_COCKPIT, etc)
-- Extraction of hashes via OS Command (special case, access underlying database and tables mentioned above (SQL-Query with Select statement) -> should refer to HDBSQL / SQL-Access OS Command <Option>
-- Cracking hashes (Hashcat, John the Ripper)
-
+- Extraction of hashes via OS Command (special case, access underlying database and tables mentioned above (SQL-Query with Select statement) ([more information here](/SAP_ABAP_Platform/known_attack_vectors/os_command_execution/#))
+- Cracking hashes (e.g. with Hashcat, John the Ripper)
+  - Supported hashtypes from Hashcat (by 26th September 2025): 
+    - SAP CODVN B (BCODE)
+    - SAP CODVN B (BCODE) from RFC_READ_TABLE
+    - SAP CODVN F/G (PASSCODE)
+    - SAP CODVN F/G (PASSCODE) from RFC_READ_TABLE
+    - SAP CODVN H (PWDSALTEDHASH) iSSHA-1
+    - SAP CODVN H (PWDSALTEDHASH) isSHA512
 
 # Mitigation
 - Use at least PWDSALTEDHASH for all your current hashes
@@ -52,3 +61,6 @@ Older SAP password hash algorithms (such as those based on weak cryptographic fu
 - [In depth analysis - Password Hash Algorithms](https://www.daniel-berlin.de/security/sap-sec/password-hash-algorithms/)
 - [Report ZCLEANUP_PASSWORD_HASH_VALUESX - Remove weak password hash values](https://community.sap.com/t5/application-development-and-automation-blog-posts/report-zcleanup-password-hash-valuesx-remove-weak-password-hash-values/ba-p/13525553)
 - [Protect read access to password hash value tables](https://me.sap.com/notes/1484692/)
+- [SAP IDOC Hash Harvester](https://github.com/kloris)
+- [Hashcat pasword bruteforcer](https://hashcat.net/hashcat/)
+- [John the Ripper](https://www.openwall.com/john/)