Re: Saprouter audit

From: Jan van Rensburg (jan.van.rensburg@epiuse.com)
Date: Wed Sep 13 2006 - 03:21:54 EDT

• Next message: ankur jindal: "RE: Fwd: Re: tools to scan source code"
• Previous message: Stefano Zanero: "Re: tools to scan source code"
• In reply to: prashant.gawade@paladion.net: "Saprouter audit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi Prashant,

Saprouter is closed source software for a closed spec protocol.
Therefor pentesting will take some manual labour. Depending on how
much time you want to put into this, you could do some reverse
engineering and try the usual suspects - buffer overflows etc.

This might be a useful starting point:
http://www.ccc.de/congress/2004/fahrplan/event/26.de.html

Quote from the site: "Most hackers perceive SAP R/3 installations as
enormous data graves with limited hack value because of its immense
size and doubtful design. However, there are usually lots of company
relevant data. As it is good and common practise, the more valuable
the data, the less it is protected."

Considering how crucial SAP can be to businesses who own it, the
security community would probably do their clients a huge service by
really getting to grips with SAP.

Regards,
Jan

On 12 Sep 2006, at 8:06 AM, prashant.gawade@paladion.net wrote:

> Hi all
>
>
>
> During penetration testing I found port 3299 is open on the
> serve.Research shows me that this port is open on saprouter.
>
> To give more information about saprouter
>
> It provides additional level of security to sap servers.We can set
> rules like normal cisco router on saprouter.It act like proxy for
> people connecting to the sap servers.
>
>
>
> I am looking for information like
>
> Penetration testing on sap router
>
> Things we can test on port 3299
>
>
>
> Prashant Gawade
>
> Information Security Consultant
>
> Paladion Networks
>
> Navi Mumbai
>
> India
>
>
> ----------------------------------------------------------------------
> --
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ----------------------------------------------------------------------
> --

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: ankur jindal: "RE: Fwd: Re: tools to scan source code"
• Previous message: Stefano Zanero: "Re: tools to scan source code"
• In reply to: prashant.gawade@paladion.net: "Saprouter audit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:56 EDT