SAP security – thinking with a hacker’s hat


Mumbai - December 2011

Published in: Education, Technology
1 Comment
  • This presentation is using a combination of sapyto & metasploit.
SAP security – thinking with a hacker’s hat

  1. Presented by Anand Tanksali – CISSP, CEH
  2. SAP (Systems, Applications and Products)
     • Provides different solutions: CRM, ERP, PLM, SCM, GRC, Business One, ...
     • ERP solutions consist of modules such as:
       ◦ FI/CO (Finance and Controlling)
       ◦ SD (Sales and Distribution)
       ◦ HR (Human Resources)
       ◦ MM (Materials Management), etc.
     • The modules are integrated on the NetWeaver platform
     • SAP runs on multiple operating systems
  5. Instances & Systems
     • An instance is an administrative entity that groups related components providing one or more services
     • Systems are identified by a SAP System ID (SID)
     • Instances are parameterized in profile files
     • Client → Transaction → Authorization
       ◦ Default clients: 000, 001 and 066
       ◦ Transaction codes, e.g. SU01, SE16, FK01, PA20
       ◦ Authorizations: users are assigned roles/profiles, and those contain the authorizations
     • ABAP, reports/programs, function modules, RFC
  6. • The SAP_ALL profile = SAP god mode
     • Many other profiles can also make a user god
     • Each SAP system uses its own database
     • SAP processes run under the <sid>adm (Unix) or SAPService<SID> (Windows) OS accounts
     • Direct access to the database means the SAP system is compromised
     • Connections between systems are always based on trust
     • Many customer interfaces are implemented over FTP (cleartext, weak passwords)
  7. Why do you need SAP security?
     (cartoon speech bubbles: "Errr, what about security?" / "I don't care, SAP should be up and running by Tuesday" / "We have to take care of user passwords" / "Umm, what security? We have enough guards" / "No more excuses, SAP should be up on Tuesday")
  8. • What the CFO does not realize: weak security controls can result in business and financial loss and fraud
     • What the CSO does not realize: SAP security is much more than user roles, responsibilities and authorizations
  9. • SAP security configuration is usually left at the defaults
     • Many of the default configurations are not secure
     • Conclusion: out of the box, SAP systems are not secure
  10. sapyto
     • The first SAP penetration testing framework, developed by CYBSEC Labs
     • Provides support for platform discovery, investigation and exploitation
     • Current versions are available for Windows and Linux
  16. • SAP is designed to interact with external systems
     • Integrated, centralized information
     • Communicates with other systems over:
       ◦ ALE
       ◦ EDI
       ◦ HTTP
       ◦ RFC
       ◦ FTP
       ◦ XML, ...
  17. • In its early years SAP implemented IBM's CPI-C interface to communicate with other systems
     • CPI-C only allowed data transfer
     • Complex applications needed to call functions on other servers, which led to the SAP Remote Function Call (RFC) interface
     • RFC is the key component of SAP applications
  26. Vulnerabilities published by SAP
  27. • Administrators should change passwords at regular intervals
     • Ensure that no user has SAP_ALL access rights
     • Adhere to SAP security best practices
     • Disable automatic unlocking of locked users
     • Enforce a strong password policy
     • Restrict access to the database
  28. • RFC is the weakest link in SAP and must be secured
     • SAP administrators must apply patches and harden the servers
     • Network administrators should apply firewall rules that deny the ports not required for day-to-day operations
     • Network administrators should monitor logs regularly
     • Advanced attacks should be prevented through proper configuration and patch management
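The hardening points of slides 27 and 28 (disable auto-unlocking, enforce a password policy, secure RFC) map onto SAP profile parameters, which is where slide 5 says instance parameterization lives. The script below, an added example and not part of the presentation or of sapyto, audits the effective value of those parameters across DEFAULT.PFL and an instance profile. The parameter names are real SAP profile parameters; the "acceptable value" rules are this example's own baseline, the helper names (parse_profile, effective_parameters, audit) are invented for it, and the sample profile contents are constructed.

```python
"""Audit SAP profile parameters for the weak settings slides 27/28 warn about.

Added example, not from the presentation. Parameter names are real SAP
profile parameters; the baseline rules are this example's own choice; the
sample profiles are constructed.
"""
import re

# parameter -> (rule on the effective value, what a failing value means)
BASELINE = {
    "login/min_password_lng":          (lambda v: int(v) >= 8,       "minimum password length below 8"),
    "login/fails_to_user_lock":        (lambda v: 1 <= int(v) <= 5,  "too many failed logons before lock"),
    "login/failed_user_auto_unlock":   (lambda v: int(v) == 0,       "locked users are unlocked automatically at midnight"),
    "login/password_expiration_time":  (lambda v: 1 <= int(v) <= 90, "passwords never expire (0) or expire too late"),
    "login/no_automatic_user_sapstar": (lambda v: int(v) == 1,       "hard-coded SAP* emergency logon is possible"),
    "auth/rfc_authority_check":        (lambda v: int(v) >= 1,       "RFC calls bypass the S_RFC authorization check"),
    "gw/acl_mode":                     (lambda v: int(v) == 1,       "gateway accepts program registration/start from any host"),
}

# profile syntax: 'name = value', '#' starts a comment, whitespace around '=' is ignored
PARAM_LINE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Parse one profile file; a parameter set twice keeps the last assignment."""
    params = {}
    for raw in text.splitlines():
        match = PARAM_LINE.match(raw.split("#", 1)[0].rstrip())
        if match:
            params[match.group(1)] = match.group(2)
    return params


def effective_parameters(profiles):
    """Merge profiles in precedence order: DEFAULT.PFL first, the instance
    profile last, so an instance-level setting overrides the default."""
    merged = {}
    for text in profiles:
        merged.update(parse_profile(text))
    return merged


def audit(profiles):
    """Return (parameter, effective value, reason) for each baseline violation.
    A parameter absent from every profile is reported as well: the kernel
    default then applies, and that default depends on the release."""
    effective = effective_parameters(profiles)
    findings = []
    for name, (is_ok, reason) in BASELINE.items():
        if name not in effective:
            findings.append((name, "<not set>", reason + " (kernel default applies; check with RZ11)"))
            continue
        value = effective[name]
        try:
            ok = is_ok(value)
        except ValueError:          # e.g. an unresolved $(...) substitution
            ok = False
        if not ok:
            findings.append((name, value, reason))
    return findings


# Constructed sample profiles: DEFAULT.PFL plus a weak and a hardened instance profile.
SAMPLE_DEFAULT_PFL = """
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 6
login/password_expiration_time = 0
login/failed_user_auto_unlock = 1
login/no_automatic_user_sapstar = 0
"""

SAMPLE_INSTANCE_WEAK = """
# PRD_DVEBMGS00_sapprd (constructed sample, left at typical defaults)
SAPSYSTEM = 00
login/min_password_lng = 10     # overrides the 6 from DEFAULT.PFL
login/fails_to_user_lock = 5
auth/rfc_authority_check = 1
gw/acl_mode = 0
"""

SAMPLE_INSTANCE_HARDENED = """
# PRD_DVEBMGS00_sapprd (constructed sample, hardened)
SAPSYSTEM = 00
login/min_password_lng = 10
login/fails_to_user_lock = 5
login/failed_user_auto_unlock = 0
login/password_expiration_time = 90
login/no_automatic_user_sapstar = 1
auth/rfc_authority_check = 1
gw/acl_mode = 1
"""

if __name__ == "__main__":
    for instance in (SAMPLE_INSTANCE_WEAK, SAMPLE_INSTANCE_HARDENED):
        findings = audit([SAMPLE_DEFAULT_PFL, instance])
        print(f"{len(findings)} finding(s)")
        for name, value, reason in findings:
            print(f"  {name} = {value}: {reason}")
```

In a real assessment, feed it the contents of /usr/sap/<SID>/SYS/profile/DEFAULT.PFL and the instance profile in that order; parameters changed dynamically in RZ11 are not written to the files, so compare the result against report RSPARAM on the running system. The weak sample reproduces the slide's complaints (auto-unlock on, passwords never expire, SAP* emergency logon possible, gateway ACL mode off) while the hardened one passes every rule.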
  29. Thank you! Anand Tanksali, Email: