RE: SAP Pen-Test

From: Marc Heuse (Marc.Heuse@nruns.com)
Date: Wed Nov 03 2004 - 18:36:12 EST


There is much for SAP R/3 Pentesting, however mostly known to the world of
sap admins...
SAP R/3 has had various remote vulnerabilities, e.g. in their RPC stuff.

But that's not the important stuff. With a normal user account, a lot of
things can be done, e.g. trying to access data in the database, executing
operating system commands ... all possible with a sapgui and sap r/3
features :-) and there is a LOT to test. I have a book in my desk about
auditing r/3 - it has got over 500 pages. go figure.

but start your search on the web, e.g. google for "sap r/3 audit", and you
will find some texts, many of them in German though. This might be a good
start: http://www.it-audit.de/html/ian_sp_sap_sp.html (maybe use babelfish
for translation :-)

And finally - for the old fashioned pentesters - there is hydra
(www.thc.org) which can brute force logins on sap r/3 via the network. You
need sap rfcsdk though, but that can be ordered for free from the sap
web site.

have fun :-)

Cheers,
Marc

====================================================================
Marc Heuse
n.runs GmbH
Mobile Phone: +49-160-98925941
Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10
====================================================================
 
-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Tuesday, 02. November 2004 14:12
To: tambler.20.tam@spamgourmet.com; pen-test@securityfocus.com
Subject: RE: SAP Pen-Test

Phenoelit has done some interesting research on this, including the release
of a few exploits for SAP ITS. I can't say I've seen very much else
covering SAP, however. You also might find it interesting to read the
chapter of "Stealing the Network: How to Own a Continent" that was written
by FX; in it, he describes a progressive (albeit extremely skilled) attack
against an SAP system.

> -----Original Message-----
> From: Sven Tambler [mailto:tambler.20.tam@spamgourmet.com]
> Sent: Friday, October 29, 2004 4:42 AM
> To: pen-test@securityfocus.com
> Subject: SAP Pen-Test
>
>
> Hello everyone,
>
> I want to test a SAP Enterprise Portal. Do you know a tool for
> pen-testing a SAP portal? Of course, there are a lot of tools and
> techniques for apache or IIS and you can use them in a similar way.
> Otherwise there are a lot of SAP originalities and specialities you have
> to keep in mind. I don't search for a tool like "nessus for SAP" - such
> a thing doesn't exist - but some advice or plug-ins could be very
> useful. Could you by any chance be able to help?
>
> Thanks - Sven
>
>
>


