SlideShare a Scribd company logo

Penetration Testing SAP Systems

Onapsis Inc.
Onapsis Inc.

Penetration Testing SAP Systems

Technology
1 of 38
Download to read offline
Penetration Testing SAP® Systems Mariano NuMariano Nuññez Di Croceez Di Croce mnunez@onapsis.commnunez@onapsis.com October 23, 2009
2Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Disclaimer This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
3Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Who is Onapsis? Specialized company focused in the Security of Business-critical Applications (SAP, Siebel, Oracle E-Business Suite, …). Core business areas: Development of security software. Security consultancy services. Trainings on business-critical systems security. Who am I? Director of Research and Development at Onapsis. Degree in Computer System Engineering. Originally devoted to Penetration Testing and Vulnerability Research. Discovered vulnerabilities in Microsoft, Oracle, SAP, IBM, … Speaker/Trainer at Black Hat, Sec-T, Hack.lu, DeepSec, Ekoparty, …
4Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Agenda Agenda Introduction. The need for Penetration Testing Business Applications. SAP Penetration Testing: Discovery phase. Exploration phase. Vulnerability Assessment phase. Exploitation / Risk illustration phase. Conclusions
5Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved IntroductionIntroduction Basic SAP concepts
6Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved What is SAP? Introduction SAP A.G is the leading provider of business management solutions. More than 140.000 SAP implementations around the globe. More than 89.000 customers in more than 120 countries. Third biggest independent software vendor (ISV). Provides different solutions for different kind of companies/industries and needs. Each solution implements a set of business processes that enable the company to fulfill its business needs. Solutions are based on modules, which are developed and run through the SAP NetWeaver platform.
7Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Landscapes, Systems and Instances Introduction Typical SAP Landspaces are composed of three systems: Development, Quality Assurance and Production. Each system is build upon one or more instances. Systems are identified by SAP System ID (SID). An instance is an administrative entity which groups related components of an SAP system, providing one or more services.
8Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Introduction Client (Mandant) Legally and organizationally independent unit in an SAP system (company group, business unit, corporation). Identified by a three-digit number. Default clients: 000, 001 and 066. Reports / Programs ABAP programs that receive user input and produce a report in the form of an interactive list. The RFC (Remote Function Call) Interface Used to call function modules on remote systems.
9Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved The need forThe need for Penetration TestingPenetration Testing Business ApplicationsBusiness Applications Everything is about risk.
10Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Lack of security from day 0… The need for Penetration Testing Business Applications SAP Implementations are long and complex projects. The company goal’s is to have the SAP system running by the deadline, no matter what. The SAP implementation-partner’s goal is to set the SAP system running by the deadline, no matter what. Applying a holistic approach to secure the systems is usually regarded as an unnecessary delay… Most SAP security settings are left by default Many default settings are not secure Many SAP systems out there are not secure +
11Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved From the trenches: Arguments & Mis-conceptions From the Chief Financial Officer (CFO): “SAP implementations are secure.” “Ok, just give everyone full access for three months…” “The risk is too low. Frauds just don’t happen.” “Our SAP systems were certified as SOX-compliant by a big4 auditing company. They are secure.” From the Chief Security Officer (CSO): “SAP implementations are secure.” “We have to secure the SAP system. We need to define strict roles and profiles and enforce Segregation of Duties.” “Only highly-skilled hackers can do that.” “The hacker needs to already have an account in the SAP system.” The need for Penetration Testing Business Applications
12Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved And now the facts… According to the FBI/CSI Computer Crime & Security Survey 2008, financial frauds caused by security incidents costed US companies an average of USD 463,100. SoD is necessary but it is NOT enough! There are many “unknown” threats that involve higher-level risks. More than 95% of the SAP implementations we have assessed, were prone to financial frauds derived from technical information security vulnerabilities. Many of those systems had been qualified as SOX / PCI DSS / ISO compliant by big-4 auditing companies!! The need for Penetration Testing Business Applications
13Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAPSAP PenetrationPenetration TestingTesting How to do it
14Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved sapyto First open-source SAP Penetration Testing Framework. Developed by Mariano Nuñez Di Croce. Support for activities in all phases of the pentest. Open-source (and free). Plugin based. Developed in Python and C. Version 0.93 released at Blackhat Europe 07. Command-line interface. The Open-source SAP Penetration Testing Framework
15Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Discovery PhaseDiscovery Phase Finding SAP targets
16Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Discovering SAP Systems and Applications Discovery Phase Available Options: Traffic sniffing. SAP portscanning. Checking SAPGUI configurations. SAP Systems use a “fixed” range of ports. Most ports follows the PREFIX + SYS. NUMBER format. Common ports: 32XX, 33XX, 36XX, 39XX, 3299, 81XX, …
17Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ExplorationExploration PhasePhase Getting as much information as possible
18Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Getting Information from SAP Application Servers Exploration Phase The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers. Can be called remotely (and anonymously) by default. Remote System Information: RFC Log Version: 011 Release Status of SAP System: 700 Kernel Release: 700 Operating System: Linux Database Host: sapl01 Central Database System: ORACLE Integer Format: Little Endian Dayligth Saving Time: Float Type Format: IEEE Hostame: sapl01 IP Address: 192.168.3.4 System ID: TL1 RFC Destination: sapl01_TL1_00
19Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Getting Information from SAP Application Servers The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers. Can be called remotely (and anonymously) by default. Remote System Information: RFC Log Version: 011 Release Status of SAP System: 700 Kernel Release: 700 Operating System: Linux Database Host: sapl01 Central Database System: ORACLE Integer Format: Little Endian Dayligth Saving Time: Float Type Format: IEEE Hostame: sapl01 IP Address: 192.168.3.4 System ID: TL1 RFC Destination: sapl01_TL1_00 Protection / Countermeasure Restrict connections to the Gateway at the network level. Protect against anonymous RFC calls For more information, refer to SAP Note 931252. Exploration Phase
20Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Discovering Available Clients There are some clients installed by default: 000, 001, 066. These clients are available in most SAP systems. After the installation, the administrator will install the *real* clients. It is possible to bruteforce the whole client-range to discover available ones. Exploration Phase
21Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved VulnerabilityVulnerability AssesmentAssesment PhasePhase Identifying security threats
22Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Default Users Vulnerability Assessment Phase There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles. ADMIN000, 001Communication UserSAPCPIC SUPPORT066User for the EarlyWatch Service EARLYWATCH 19920706000,001ABAP Dictionary super user DDIC 06071992 PASS 000,001, 066 new clients Super userSAP* PasswordClientsDescriptionUser ID
23Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Default Users There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles. ADMIN000, 001Communication UserSAPCPIC SUPPORT066User for the EarlyWatch Service EARLYWATCH 19920706000,001ABAP Dictionary super user DDIC 06071992 PASS 000,001, 066 new clients Super userSAP* PasswordClientsDescriptionUser ID Protection / Countermeasure Default users must be secured. SAP* should be deactivated. Use report RSUSR003 to check the status of default users. Vulnerability Assessment Phase
24Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP User Account Bruteforcing Usernames are up to 12 characters long. As part of the PenTest, you can try guessing/cracking user credentials. SensitiveInsensitiveCase 408Max. Length New Passwords (> 6.40)Old Passwords (≤ 6.40) WARNING! User locking is implemented! (usually, between 3-12 tries) Ops! In versions ≤ 6.20, lock counter is not incremented through RFC. Vulnerability Assessment Phase
25Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ExploitationExploitation // RiskRisk illustrationillustration PhasePhase Letting people understand the Real risk
26Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Showing that the risks are REAL Exploitation / Risk Illustration Phase It is easy for a security-aware officer to understand the risks by analyzing a vulnerability report. Anyway, dealing with false positives involves lot of effort (IT staff men- hours). Getting the CFO involved… Financial officers do not understand technical vulnerabilities. Show them the real risks! -> Live-demos, screenshots of post- exploitation activities, etc. It is the only way to get them involved and aware of the threats they are facing. They need to know the involved threats to manage risk efficiently!
27Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Remote sapyto shells and Beyond sapyto exploit plugins will generate shells/agents. For example, by abusing weak RFC interfaces, a remote shell can be spawned: Starting EXPLOIT plugins -------------------------- rfcexec(target#1-3) { Trying to connect... Creating new SHELL... SHELL created. } res: Ok Finishing sapyto execution - Fri Apr 1 22:37:42 2009 sapyto> shells sapyto/shells> show Shell ID: 0 [RFCEXECShell] Target information (#1): Host: sapl01 Connector: SAPRFC_EXT SAP Gateway Host: sapl01 … sapyto/shells> start 0 Starting shell #0 RFCEXECShell - Run commands & read files through rfcexec. The remote target OS is: Linux. sapyto/shells/0> run whoami Command was run successfully. tl1adm Exploitation / Risk Illustration Phase
28Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Remote sapyto shells and Beyond sapyto exploit plugins will generate shells/agents. For example, by abusing weak RFC interfaces, a remote shell can be spawned: Starting EXPLOIT plugins -------------------------- rfcexec(target#1-3) { Trying to connect... Creating new SHELL... SHELL created. } res: Ok Finishing sapyto execution - Fri Apr 1 22:37:42 2009 sapyto> shells sapyto/shells> show Shell ID: 0 [RFCEXECShell] Target information (#1): Host: sapl01 Connector: SAPRFC_EXT SAP Gateway Host: sapl01 … sapyto/shells> start 0 Starting shell #0 RFCEXECShell - Run commands & read files through rfcexec. The remote target OS is: Linux. sapyto/shells/0> run whoami Command was run successfully. tl1adm Protection / Countermeasure Starting of External RFC Servers is controlled through the file specified by the gw/sec_info profile parameter. This file should exist and restrict access to allowed systems to start specific programs in the Application Servers. The gw/reg_info file protects Registered Servers and should also be configured. For more information, refer to SAP Note 618516. Exploitation / Risk Illustration Phase
29Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Password Considerations & Cracking SAP has implemented different password hashing mechanisms. Passwords hashes are stored in table USR02 (BCODE, PASSCODE) and USH02. Code Version F + Code Version B (2 hashes)G Based on SHA1, 40 characters, Case Insensitive, UTF-8 F ReservedE Based on MD5, 8 characters, Uppercase, UTF-8D Not implementedC Based on MD5, 8 characters, Uppercase, ASCIIB ObsoleteA DescriptionCode Vers. On June 26 2008, a patch for John The Ripper for CODVN B and G was publicly released. Exploitation / Risk Illustration Phase
30Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Password Considerations & Cracking SAP has implemented different password hashing mechanisms. Passwords hashes are stored in table USR02 (BCODE, PASSCODE) and USH02. Code Version F + Code Version B (2 hashes)G Based on SHA1, 40 characters, Case Insensitive, UTF-8 F ReservedE Based on MD5, 8 characters, Uppercase, UTF-8D Not implementedC Based on MD5, 8 characters, Uppercase, ASCIIB ObsoleteA DescriptionCode Vers. On June 26 2008, a patch for John The Ripper for CODVN B and G was publicly released. Protection / Countermeasure Access to tables USR02 and USH02 should be protected. Password security should be enforced through profile configuration (login/* parameters). Table USR40 can be used to protect from trivial passwords. For more information, refer to SAP Note 1237762. Exploitation / Risk Illustration Phase
31Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Exploiting SAP/Oracle Authentication Mechanism Discovered by me in 2007. Discovered by Jochen Hein in 2002 (D’oh!) Target: Default SAP/Oracle installations. The SAP+Oracle Authentication Mechanism SAP connects to the database as the OPS$<SID>ADM (e.g: OPS$PRDADM) Retrieves encrypted username and password from table SAPUSER. Re-connects to the database, using the retrieved credentials. Exploitation / Risk Illustration Phase
32Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Exploiting SAP/Oracle Authentication Mechanism There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle “trusts” that the remote system has authenticated the user used for the SQL connection (!) The user is created as “indentified externally” in the Oracle database. Oracle recommendation: remote_os_authent = false SAP default and necessary configuration: remote_os_authent = true What do you need? Database host/port. SAP System ID. Oracle Instance ID ( = SAPSID?) Exploitation / Risk Illustration Phase
33Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Exploiting SAP/Oracle Authentication Mechanism There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle “trusts” that the remote system has authenticated the user used for the SQL connection (!) The user is created as “indentified externally” in the Oracle database. Oracle recommendation: remote_os_authent = false SAP default and necessary configuration: remote_os_authent = true What do you need? Database host/port. SAP System ID. Oracle Instance ID ( = SAPSID?) Protection / Countermeasure Restrict who can connect to the Oracle listener: tcp.validnode_checking = yes tcp.invited_nodes = (192.168.1.102, …) Exploitation / Risk Illustration Phase
34Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ConclusionsConclusionsWrapping up
35Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Conclusions Conclusions Weak SAP security drastically increases the probability of business frauds. SAP Implementations usually leave the system running, not secure. By default, many settings are not safe and are never changed. Segregation of Duties is absolutely necessary, but IT IS NOT ENOUGH! Many technical vulnerabilities allow remote attackers to take complete control of the business information (even without having an account in the system). Even experienced SAP Administrators face hard times when trying to harden technical security settings, as many of them are not clearly documented.
36Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Conclusions Conclusions The current state-of-the-art in the auditing of these systems is far from being mature. Many “compliant” systems are still prone to financial frauds caused by security incidents. An SAP Penetration Test will provide you with and objective knowledge of the current risk level of your core business platform, helping you optimize IT staff effort and decrease fraud risks. This kind of assessment must be done by highly qualified professionals.
37Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ¿¿QuestionsQuestions?? mnunez@onapsis.commnunez@onapsis.com
38Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ThankThank youyou!! www.onapsis.com

Recommended

Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Stephen de Vries
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
Razi Rais
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 

Recommended

Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
Stephen de Vries
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl
 
Microsoft Security Development Lifecycle
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development Lifecycle
Razi Rais
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
Marlabs
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
n|u - The Open Security Community
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
Marco Morana
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
Lionel Faleiro
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2
ShivamSharma909
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
Marcelo Martins
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
RSAArcher
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
ERPScan
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
ERPScan
 

More Related Content

What's hot

Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
 

What's hot (20)

Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
 
Vulnerability and Patch Management
Vulnerability and Patch ManagementVulnerability and Patch Management
Vulnerability and Patch Management
 
Cyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in DepthCyber Security Layers - Defense in Depth
Cyber Security Layers - Defense in Depth
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Supply Chain Attacks
Supply Chain AttacksSupply Chain Attacks
Supply Chain Attacks
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2CompTIA Security+ SY0-601 Domain 2
CompTIA Security+ SY0-601 Domain 2
 
Threat Modeling Everything
Threat Modeling EverythingThreat Modeling Everything
Threat Modeling Everything
 
Patch and Vulnerability Management
Patch and Vulnerability ManagementPatch and Vulnerability Management
Patch and Vulnerability Management
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Application security
Application securityApplication security
Application security
 
PPT-Security-for-Management.pptx
PPT-Security-for-Management.pptxPPT-Security-for-Management.pptx
PPT-Security-for-Management.pptx
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 

Viewers also liked

SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects Attacks
Onapsis Inc.
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information Exposed
Onapsis Inc.
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis Inc.
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMS
Onapsis Inc.
 
Asset management - Theme's in 2011 according to Capgemini cluster SAP EAM
Asset management - Theme's in 2011 according to Capgemini cluster SAP EAMAsset management - Theme's in 2011 according to Capgemini cluster SAP EAM
Asset management - Theme's in 2011 according to Capgemini cluster SAP EAM
Menno Barkmeijer
 

Viewers also liked (20)

Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)Practical SAP pentesting (B-Sides San Paulo)
Practical SAP pentesting (B-Sides San Paulo)
 
Attacking SAP users with sapsploit
Attacking SAP users with sapsploit Attacking SAP users with sapsploit
Attacking SAP users with sapsploit
 
Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)Practical SAP pentesting workshop (NullCon Goa)
Practical SAP pentesting workshop (NullCon Goa)
 
Sap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hatSap security – thinking with a hacker’s hat
Sap security – thinking with a hacker’s hat
 
SAP Business Objects Attacks
SAP Business Objects AttacksSAP Business Objects Attacks
SAP Business Objects Attacks
 
5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications5 real ways to destroy business by breaking SAP applications
5 real ways to destroy business by breaking SAP applications
 
Pen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information ExposedPen Testing SAP Critical Information Exposed
Pen Testing SAP Critical Information Exposed
 
Understanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security StrategyUnderstanding the “Why” in Enterprise Application Security Strategy
Understanding the “Why” in Enterprise Application Security Strategy
 
Cyber-attacks to SAP Systems
Cyber-attacks to SAP SystemsCyber-attacks to SAP Systems
Cyber-attacks to SAP Systems
 
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP ForensicsOnapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
Onapsis SAP Forensics: Detecting White-Collar Cyber Crime with SAP Forensics
 
Highway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMSHighway to Production Securing the SAP TMS
Highway to Production Securing the SAP TMS
 
Onapsis SAP Backdoors
Onapsis SAP BackdoorsOnapsis SAP Backdoors
Onapsis SAP Backdoors
 
Remedy Introduction
Remedy IntroductionRemedy Introduction
Remedy Introduction
 
Asset management - Theme's in 2011 according to Capgemini cluster SAP EAM
Asset management - Theme's in 2011 according to Capgemini cluster SAP EAMAsset management - Theme's in 2011 according to Capgemini cluster SAP EAM
Asset management - Theme's in 2011 according to Capgemini cluster SAP EAM
 
JOB POST: SAP SD FUNCTIONAL CONSULTANT - PRETORIA
JOB POST: SAP SD FUNCTIONAL CONSULTANT - PRETORIAJOB POST: SAP SD FUNCTIONAL CONSULTANT - PRETORIA
JOB POST: SAP SD FUNCTIONAL CONSULTANT - PRETORIA
 
Realtme sap scenarios and issues
Realtme sap scenarios and issuesRealtme sap scenarios and issues
Realtme sap scenarios and issues
 
Overview of Goods & Service tax
Overview of Goods & Service taxOverview of Goods & Service tax
Overview of Goods & Service tax
 
JOB POST: FI/ CO FUNCTIONAL CONSULTANT - PRETORIA
JOB POST: FI/ CO FUNCTIONAL CONSULTANT - PRETORIAJOB POST: FI/ CO FUNCTIONAL CONSULTANT - PRETORIA
JOB POST: FI/ CO FUNCTIONAL CONSULTANT - PRETORIA
 
SAP VC Online Training | SAP Variant Configuration Training Content
SAP VC Online Training | SAP Variant Configuration Training ContentSAP VC Online Training | SAP Variant Configuration Training Content
SAP VC Online Training | SAP Variant Configuration Training Content
 
JOB POST: SAP FI FUNCTIONAL CONSULTANT
JOB POST: SAP FI FUNCTIONAL CONSULTANTJOB POST: SAP FI FUNCTIONAL CONSULTANT
JOB POST: SAP FI FUNCTIONAL CONSULTANT
 

Similar to Penetration Testing SAP Systems

Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Onapsis Inc.
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
Onapsis Inc.
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
michelemanzotti
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
Onapsis Inc.
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
ERPScan
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
Onapsis Inc.
 
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerInception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Onapsis Inc.
 
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Symmetry™
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
ERPScan
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
Tunde Ogunkoya
 
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
PeterSmetny1
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
Achim D. Brucker
 

Similar to Penetration Testing SAP Systems (20)

Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC) Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
Attacks to SAP Web Applications: Your crown jewels online (BlackHat DC)
 
Attacks Based on Security Configurations
Attacks Based on Security ConfigurationsAttacks Based on Security Configurations
Attacks Based on Security Configurations
 
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
Cyber-Attacks & SAP systems: Is Our Business-Critical Infrastructure Exposed?
 
SAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crimeSAP Forensics Detecting White Collar Cyber-crime
SAP Forensics Detecting White Collar Cyber-crime
 
SAP security made easy
SAP security made easySAP security made easy
SAP security made easy
 
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution ManagerInception of the SAP Platform's Brain: Attacks on SAP Solution Manager
Inception of the SAP Platform's Brain: Attacks on SAP Solution Manager
 
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
A Holistic View on SAP Security Why Securing Production Systems Is Not Enough
 
Incident Response and SAP Systems
Incident Response and SAP SystemsIncident Response and SAP Systems
Incident Response and SAP Systems
 
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP SystemsExploiting Critical Attack Vectors to Gain Control of SAP Systems
Exploiting Critical Attack Vectors to Gain Control of SAP Systems
 
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution ManagerInception of the SAP Platforms Brain: Attacks on SAP Solution Manager
Inception of the SAP Platforms Brain: Attacks on SAP Solution Manager
 
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™ Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
Secure HANA in the Cloud | Mitigating Internal & External Threats | Symmetry™
 
Sap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depthSap penetration testing_defense_in_depth
Sap penetration testing_defense_in_depth
 
OWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatnościOWASP TOP10 2017 - Nowa lista przebojów podatności
OWASP TOP10 2017 - Nowa lista przebojów podatności
 
Assess and monitor SAP security
Assess and monitor SAP securityAssess and monitor SAP security
Assess and monitor SAP security
 
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
DeltaGRiC_Consulting_SMAC_Digital Innovation Security Conference_Presentation...
 
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
Accelerate2022-Solving the SAP Security Gap through Application-aware Network...
 
Deploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large ScaleDeploying Static Application Security Testing on a Large Scale
Deploying Static Application Security Testing on a Large Scale
 
Delta g ric_consulting_presentation_erpscan_2015
Delta g ric_consulting_presentation_erpscan_2015Delta g ric_consulting_presentation_erpscan_2015
Delta g ric_consulting_presentation_erpscan_2015
 
SAP Single Sign-On 2.0 Overview
SAP Single Sign-On 2.0 OverviewSAP Single Sign-On 2.0 Overview
SAP Single Sign-On 2.0 Overview
 
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
Google Technical Webinar - Building Mashups with Google Apps and SAP, using S...
 

More from Onapsis Inc.

Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
Onapsis Inc.
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the Jewels
Onapsis Inc.
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory Platforms
Onapsis Inc.
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
Onapsis Inc.
 

More from Onapsis Inc. (7)

Preventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based DeploymentsPreventing Vulnerabilities in SAP HANA based Deployments
Preventing Vulnerabilities in SAP HANA based Deployments
 
Onapsis Security Platform: Detection and Response
Onapsis Security Platform: Detection and ResponseOnapsis Security Platform: Detection and Response
Onapsis Security Platform: Detection and Response
 
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe... Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
Your Crown Jewels Online: Further Attacks to SAP Web Applications (RSAConfe...
 
Unbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwardsUnbreakable oracle er_ps_siebel_jd_edwards
Unbreakable oracle er_ps_siebel_jd_edwards
 
How Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the JewelsHow Hackers can Open the Safe and Take the Jewels
How Hackers can Open the Safe and Take the Jewels
 
Blended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory PlatformsBlended Web and Database Attacks on Real Time In-memory Platforms
Blended Web and Database Attacks on Real Time In-memory Platforms
 
Dissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI FrameworksDissecting and Attacking RMI Frameworks
Dissecting and Attacking RMI Frameworks
 

Recently uploaded

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Penetration Testing SAP Systems

  • 1. Penetration Testing SAP® Systems Mariano NuMariano Nuññez Di Croceez Di Croce mnunez@onapsis.commnunez@onapsis.com October 23, 2009
  • 2. 2Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Disclaimer This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
  • 3. 3Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Who is Onapsis? Specialized company focused in the Security of Business-critical Applications (SAP, Siebel, Oracle E-Business Suite, …). Core business areas: Development of security software. Security consultancy services. Trainings on business-critical systems security. Who am I? Director of Research and Development at Onapsis. Degree in Computer System Engineering. Originally devoted to Penetration Testing and Vulnerability Research. Discovered vulnerabilities in Microsoft, Oracle, SAP, IBM, … Speaker/Trainer at Black Hat, Sec-T, Hack.lu, DeepSec, Ekoparty, …
  • 4. 4Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Agenda Agenda Introduction. The need for Penetration Testing Business Applications. SAP Penetration Testing: Discovery phase. Exploration phase. Vulnerability Assessment phase. Exploitation / Risk illustration phase. Conclusions
  • 5. 5Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved IntroductionIntroduction Basic SAP concepts
  • 6. 6Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved What is SAP? Introduction SAP A.G is the leading provider of business management solutions. More than 140.000 SAP implementations around the globe. More than 89.000 customers in more than 120 countries. Third biggest independent software vendor (ISV). Provides different solutions for different kind of companies/industries and needs. Each solution implements a set of business processes that enable the company to fulfill its business needs. Solutions are based on modules, which are developed and run through the SAP NetWeaver platform.
  • 7. 7Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Landscapes, Systems and Instances Introduction Typical SAP Landspaces are composed of three systems: Development, Quality Assurance and Production. Each system is build upon one or more instances. Systems are identified by SAP System ID (SID). An instance is an administrative entity which groups related components of an SAP system, providing one or more services.
  • 8. 8Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Introduction Client (Mandant) Legally and organizationally independent unit in an SAP system (company group, business unit, corporation). Identified by a three-digit number. Default clients: 000, 001 and 066. Reports / Programs ABAP programs that receive user input and produce a report in the form of an interactive list. The RFC (Remote Function Call) Interface Used to call function modules on remote systems.
  • 9. 9Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved The need forThe need for Penetration TestingPenetration Testing Business ApplicationsBusiness Applications Everything is about risk.
  • 10. 10Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Lack of security from day 0… The need for Penetration Testing Business Applications SAP Implementations are long and complex projects. The company goal’s is to have the SAP system running by the deadline, no matter what. The SAP implementation-partner’s goal is to set the SAP system running by the deadline, no matter what. Applying a holistic approach to secure the systems is usually regarded as an unnecessary delay… Most SAP security settings are left by default Many default settings are not secure Many SAP systems out there are not secure +
  • 11. 11Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved From the trenches: Arguments & Mis-conceptions From the Chief Financial Officer (CFO): “SAP implementations are secure.” “Ok, just give everyone full access for three months…” “The risk is too low. Frauds just don’t happen.” “Our SAP systems were certified as SOX-compliant by a big4 auditing company. They are secure.” From the Chief Security Officer (CSO): “SAP implementations are secure.” “We have to secure the SAP system. We need to define strict roles and profiles and enforce Segregation of Duties.” “Only highly-skilled hackers can do that.” “The hacker needs to already have an account in the SAP system.” The need for Penetration Testing Business Applications
  • 12. 12Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved And now the facts… According to the FBI/CSI Computer Crime & Security Survey 2008, financial frauds caused by security incidents costed US companies an average of USD 463,100. SoD is necessary but it is NOT enough! There are many “unknown” threats that involve higher-level risks. More than 95% of the SAP implementations we have assessed, were prone to financial frauds derived from technical information security vulnerabilities. Many of those systems had been qualified as SOX / PCI DSS / ISO compliant by big-4 auditing companies!! The need for Penetration Testing Business Applications
  • 13. 13Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAPSAP PenetrationPenetration TestingTesting How to do it
  • 14. 14Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved sapyto First open-source SAP Penetration Testing Framework. Developed by Mariano Nuñez Di Croce. Support for activities in all phases of the pentest. Open-source (and free). Plugin based. Developed in Python and C. Version 0.93 released at Blackhat Europe 07. Command-line interface. The Open-source SAP Penetration Testing Framework
  • 15. 15Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Discovery PhaseDiscovery Phase Finding SAP targets
  • 16. 16Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Discovering SAP Systems and Applications Discovery Phase Available Options: Traffic sniffing. SAP portscanning. Checking SAPGUI configurations. SAP Systems use a “fixed” range of ports. Most ports follows the PREFIX + SYS. NUMBER format. Common ports: 32XX, 33XX, 36XX, 39XX, 3299, 81XX, …
  • 17. 17Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ExplorationExploration PhasePhase Getting as much information as possible
  • 18. 18Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Getting Information from SAP Application Servers Exploration Phase The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers. Can be called remotely (and anonymously) by default. Remote System Information: RFC Log Version: 011 Release Status of SAP System: 700 Kernel Release: 700 Operating System: Linux Database Host: sapl01 Central Database System: ORACLE Integer Format: Little Endian Dayligth Saving Time: Float Type Format: IEEE Hostame: sapl01 IP Address: 192.168.3.4 System ID: TL1 RFC Destination: sapl01_TL1_00
  • 19. 19Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Getting Information from SAP Application Servers The RFC_SYSTEM_INFO function module returns information about remote SAP Application Servers. Can be called remotely (and anonymously) by default. Remote System Information: RFC Log Version: 011 Release Status of SAP System: 700 Kernel Release: 700 Operating System: Linux Database Host: sapl01 Central Database System: ORACLE Integer Format: Little Endian Dayligth Saving Time: Float Type Format: IEEE Hostame: sapl01 IP Address: 192.168.3.4 System ID: TL1 RFC Destination: sapl01_TL1_00 Protection / Countermeasure Restrict connections to the Gateway at the network level. Protect against anonymous RFC calls For more information, refer to SAP Note 931252. Exploration Phase
  • 20. 20Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Discovering Available Clients There are some clients installed by default: 000, 001, 066. These clients are available in most SAP systems. After the installation, the administrator will install the *real* clients. It is possible to bruteforce the whole client-range to discover available ones. Exploration Phase
  • 21. 21Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved VulnerabilityVulnerability AssesmentAssesment PhasePhase Identifying security threats
  • 22. 22Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Default Users Vulnerability Assessment Phase There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles. ADMIN000, 001Communication UserSAPCPIC SUPPORT066User for the EarlyWatch Service EARLYWATCH 19920706000,001ABAP Dictionary super user DDIC 06071992 PASS 000,001, 066 new clients Super userSAP* PasswordClientsDescriptionUser ID
  • 23. 23Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Default Users There is public information regarding the existence of default SAP user accounts. Many of these accounts are configured with high privileged profiles. ADMIN000, 001Communication UserSAPCPIC SUPPORT066User for the EarlyWatch Service EARLYWATCH 19920706000,001ABAP Dictionary super user DDIC 06071992 PASS 000,001, 066 new clients Super userSAP* PasswordClientsDescriptionUser ID Protection / Countermeasure Default users must be secured. SAP* should be deactivated. Use report RSUSR003 to check the status of default users. Vulnerability Assessment Phase
  • 24. 24Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP User Account Bruteforcing Usernames are up to 12 characters long. As part of the PenTest, you can try guessing/cracking user credentials. SensitiveInsensitiveCase 408Max. Length New Passwords (> 6.40)Old Passwords (≤ 6.40) WARNING! User locking is implemented! (usually, between 3-12 tries) Ops! In versions ≤ 6.20, lock counter is not incremented through RFC. Vulnerability Assessment Phase
  • 25. 25Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ExploitationExploitation // RiskRisk illustrationillustration PhasePhase Letting people understand the Real risk
  • 26. 26Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Showing that the risks are REAL Exploitation / Risk Illustration Phase It is easy for a security-aware officer to understand the risks by analyzing a vulnerability report. Anyway, dealing with false positives involves lot of effort (IT staff men- hours). Getting the CFO involved… Financial officers do not understand technical vulnerabilities. Show them the real risks! -> Live-demos, screenshots of post- exploitation activities, etc. It is the only way to get them involved and aware of the threats they are facing. They need to know the involved threats to manage risk efficiently!
  • 27. 27Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Remote sapyto shells and Beyond sapyto exploit plugins will generate shells/agents. For example, by abusing weak RFC interfaces, a remote shell can be spawned: Starting EXPLOIT plugins -------------------------- rfcexec(target#1-3) { Trying to connect... Creating new SHELL... SHELL created. } res: Ok Finishing sapyto execution - Fri Apr 1 22:37:42 2009 sapyto> shells sapyto/shells> show Shell ID: 0 [RFCEXECShell] Target information (#1): Host: sapl01 Connector: SAPRFC_EXT SAP Gateway Host: sapl01 … sapyto/shells> start 0 Starting shell #0 RFCEXECShell - Run commands & read files through rfcexec. The remote target OS is: Linux. sapyto/shells/0> run whoami Command was run successfully. tl1adm Exploitation / Risk Illustration Phase
  • 28. 28Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Remote sapyto shells and Beyond sapyto exploit plugins will generate shells/agents. For example, by abusing weak RFC interfaces, a remote shell can be spawned: Starting EXPLOIT plugins -------------------------- rfcexec(target#1-3) { Trying to connect... Creating new SHELL... SHELL created. } res: Ok Finishing sapyto execution - Fri Apr 1 22:37:42 2009 sapyto> shells sapyto/shells> show Shell ID: 0 [RFCEXECShell] Target information (#1): Host: sapl01 Connector: SAPRFC_EXT SAP Gateway Host: sapl01 … sapyto/shells> start 0 Starting shell #0 RFCEXECShell - Run commands & read files through rfcexec. The remote target OS is: Linux. sapyto/shells/0> run whoami Command was run successfully. tl1adm Protection / Countermeasure Starting of External RFC Servers is controlled through the file specified by the gw/sec_info profile parameter. This file should exist and restrict access to allowed systems to start specific programs in the Application Servers. The gw/reg_info file protects Registered Servers and should also be configured. For more information, refer to SAP Note 618516. Exploitation / Risk Illustration Phase
  • 29. 29Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Password Considerations & Cracking SAP has implemented different password hashing mechanisms. Passwords hashes are stored in table USR02 (BCODE, PASSCODE) and USH02. Code Version F + Code Version B (2 hashes)G Based on SHA1, 40 characters, Case Insensitive, UTF-8 F ReservedE Based on MD5, 8 characters, Uppercase, UTF-8D Not implementedC Based on MD5, 8 characters, Uppercase, ASCIIB ObsoleteA DescriptionCode Vers. On June 26 2008, a patch for John The Ripper for CODVN B and G was publicly released. Exploitation / Risk Illustration Phase
  • 30. 30Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved SAP Password Considerations & Cracking SAP has implemented different password hashing mechanisms. Passwords hashes are stored in table USR02 (BCODE, PASSCODE) and USH02. Code Version F + Code Version B (2 hashes)G Based on SHA1, 40 characters, Case Insensitive, UTF-8 F ReservedE Based on MD5, 8 characters, Uppercase, UTF-8D Not implementedC Based on MD5, 8 characters, Uppercase, ASCIIB ObsoleteA DescriptionCode Vers. On June 26 2008, a patch for John The Ripper for CODVN B and G was publicly released. Protection / Countermeasure Access to tables USR02 and USH02 should be protected. Password security should be enforced through profile configuration (login/* parameters). Table USR40 can be used to protect from trivial passwords. For more information, refer to SAP Note 1237762. Exploitation / Risk Illustration Phase
  • 31. 31Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Exploiting SAP/Oracle Authentication Mechanism Discovered by me in 2007. Discovered by Jochen Hein in 2002 (D’oh!) Target: Default SAP/Oracle installations. The SAP+Oracle Authentication Mechanism SAP connects to the database as the OPS$<SID>ADM (e.g: OPS$PRDADM) Retrieves encrypted username and password from table SAPUSER. Re-connects to the database, using the retrieved credentials. Exploitation / Risk Illustration Phase
  • 32. 32Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Exploiting SAP/Oracle Authentication Mechanism There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle “trusts” that the remote system has authenticated the user used for the SQL connection (!) The user is created as “indentified externally” in the Oracle database. Oracle recommendation: remote_os_authent = false SAP default and necessary configuration: remote_os_authent = true What do you need? Database host/port. SAP System ID. Oracle Instance ID ( = SAPSID?) Exploitation / Risk Illustration Phase
  • 33. 33Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Exploiting SAP/Oracle Authentication Mechanism There is a special Oracle configuration parameter named REMOTE_OS_AUTHENT. If set to TRUE, Oracle “trusts” that the remote system has authenticated the user used for the SQL connection (!) The user is created as “indentified externally” in the Oracle database. Oracle recommendation: remote_os_authent = false SAP default and necessary configuration: remote_os_authent = true What do you need? Database host/port. SAP System ID. Oracle Instance ID ( = SAPSID?) Protection / Countermeasure Restrict who can connect to the Oracle listener: tcp.validnode_checking = yes tcp.invited_nodes = (192.168.1.102, …) Exploitation / Risk Illustration Phase
  • 34. 34Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ConclusionsConclusionsWrapping up
  • 35. 35Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Conclusions Conclusions Weak SAP security drastically increases the probability of business frauds. SAP Implementations usually leave the system running, not secure. By default, many settings are not safe and are never changed. Segregation of Duties is absolutely necessary, but IT IS NOT ENOUGH! Many technical vulnerabilities allow remote attackers to take complete control of the business information (even without having an account in the system). Even experienced SAP Administrators face hard times when trying to harden technical security settings, as many of them are not clearly documented.
  • 36. 36Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved Conclusions Conclusions The current state-of-the-art in the auditing of these systems is far from being mature. Many “compliant” systems are still prone to financial frauds caused by security incidents. An SAP Penetration Test will provide you with and objective knowledge of the current risk level of your core business platform, helping you optimize IT staff effort and decrease fraud risks. This kind of assessment must be done by highly qualified professionals.
  • 37. 37Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ¿¿QuestionsQuestions?? mnunez@onapsis.commnunez@onapsis.com
  • 38. 38Penetration Testing SAP Systems www.onapsis.com – © Onapsis S.R.L. 2009 – All rights reserved ThankThank youyou!! www.onapsis.com