SAP ERP

  1. Useful SAP System Administration Transactions
    1. http://www.erpgreat.com/basis/useful-sap-system-administration-transactions.htm
  2. Transactional RFC that can be used for remote code execution on SAP servers
    1. http://m.stechies.com/transactional-rfc/
  3. How to Hack SAP
    1. http://www.xpandion.com/Articles/how-to-hack-sap.html
  4. Editing data directly in the database using &SAP_EDIT, which can allow gaining SAP_ALL by editing authorization table data
    1. https://sapmentalnotes.wordpress.com/2008/10/26/edit-sap-tables/
    2. http://it.toolbox.com/blogs/sap-on-db2/a-few-sap-ecc-hacks-34484
    3. http://rahulursportal.blogspot.co.il/2009/10/do-not-hack-your-sap-system.html
  5. Hacking SAP BusinessObjects
    1. http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf
  6. Spectacular hacks and workarounds from out there “in the wild”
    1. http://scn.sap.com/thread/1908514
  7. Blog with SAP basis tutorials
    1. http://sapbasisdurgaprasad.blogspot.co.il/p/about-me.html
  8. SAP security slides. Slides 28-29 explain pass-the-hash in SAP RFC calls
    1. https://www.troopers.de/wp-content/uploads/2012/10/TROOPERS10_Some_notes_on_SAP_security_Alexander_Polyakov.pdf
  9. Attacking SAP clients:
    1. http://conference.hackinthebox.org/hitbsecconf2010kul/materials/D1T1%20-%20Alexander%20Polyakov%20-%20Attacking%20SAP%20Users%20with%20sapsploit.pdf
  10. SAP metasploit modules:
    1. https://labs.mwrinfosecurity.com/blog/2012/04/27/mwr-sap-metasploit-modules/
  11. Sniffing sap-gui passwords:
    1. http://www.daniel-berlin.de/security/sap-sec/sniffing-sap-gui-passwords/
  12. SapCap – SAP GUI protocol sniffer / decompressor
    1. https://github.com/sensepost/SapCap
  13. The script is a small PoC that is able to parse pcap files containing SAP GUI (DIAG) traffic and extract any SAP credentials found
    1. https://labs.mwrinfosecurity.com/tools/sap-decom/
  14. SAP environment defense system:
    1. https://www.onapsis.com/products/onapsis-security-platform
  15. SAP Penetration Testing Using Metasploit (including SAP SMB Relay Attacks)
    1. http://information.rapid7.com/rs/rapid7/images/SAP%20Penetration%20Testing%20Using%20Metasploit%20Final.pdf
  16. sapyto is the first SAP Penetration Testing Framework
    1. http://www.cybsec.com/EN/research/sapyto.php
  17. ESNC Pentest Suite – SAP security scanner updated with latest exploits
    1. https://www.esnc.de/esnc-sap-security-audit-software/esnc-security-suite-sap-security-scanner.html#SAP-Penetration-Testing
  18. Attacking using bizploit:
    1. https://www.trustwave.com/Resources/SpiderLabs-Blog/Abusing-SAP-Servers/
  19. Download bizploit:
    1. https://www.onapsis.com/research/free-solutions
    2. https://github.com/davehardy20/SAP-Stuff
  20. Good comment on how to analyze sap security:
    1. https://www.reddit.com/r/AskNetsec/comments/2u2efr/penetration_testing_on_sapsystems_what_are_the/
    2. “Ex SAP-BC/NetWeaver consultant gone infosec here :) I know a thing or two…
      “Hacking SAP” is usually a matter of financial fraud rather than strict infosec. Like /u/thatstevelord said, SAP is a horrendously specific beast. However, in the end it’s still all just 1’s and 0’s, eh? So, yeah, SAP can be exploited, but it may take years to fully understand the architecture. That having been said, here’s a few pointers:
      *Each SAP instance (or SID) is composed of three layers (database, application and presentation), each landscape usually consists of four instances: dev, test, QA and production. Each of the layers can be exploited to some extent, but most effect can be gained by attacking the database. As for the choice in instance: go for the QA system – you don’t want to fsck up your customer’s primary business processes.
      *Each SAP instance is divided into clients. Each one has a user SAP, the application’s equivalent of “root”. Upon initial creation, this user SAP gets a default password: “060719992”. You’d be surprised if you knew how often these passwords aren’t changed in test or dev environments!
      *Try to get access to the shell of any server using username <SID>adm. Bruteforcing can help.
      *Try to get access to the database with user “sap<SID>”, “ora<sid>” or “db2<sid>”, depending on the DB used. Once you’re in, delete all records containing username sap* from table usr02. This will allow you to log in to the application using step 2.
      *If they still use the old-fashioned ABAP-stack, use one of the many vulnerabilities in SAPgui. This is a crappy bugfest of a frontend, with many exploits. Google is your friend!
      *Privilege-escalation from within SAP is a bitch, but it can be done. Gain access to transaction PFCG on a dev system, create a role and use STMS to transport the new role to a second system.
      *SAP often uses the IBM Java environment. Supposedly, there are some nice exploits you can abuse over there. If the Sun/Oracle JVM is used; I know of no vulnerabilities in that landscape, but there are bound to be some.
      *Figure out what modules the customer is using. Some of the more exotic IS (Industry Specific) modules are very buggy indeed. You’ll need industry knowledge for leveraging your exploits or demonstrating a proof-of-concept, though!
      *Think “data”. SAP-instances often communicate with other systems (BI, ESS, yada-yada) and these interfaces can be attacked. It should be possible to spoof XML-messages from a BI-system and get a remote dump of the database, for instance. Hard work, but again: it can be done.”
  21. SAP ERP Central Component Security Guide
    1. http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30adcac6-7a55-2a10-9fa9-a61d947f6ec9?QuickLink=index&overridelayout=true
  22. ERP security-related companies:
    1. http://erpscan.com/
    2. http://www.erp-sec.com/
  23. ERP Security. Myths, Problems, Solutions
    1. http://dsecrg.com/files/pub/pdf/ERP%20Security.%20Myths,%20Problems,%20Solutions.pdf
  24. Lecture from blackhat 2009 about SAP penetration testing
    1. http://www.securitytube.net/video/262
    2. http://www.blackhat.com/presentations/bh-europe-09/DiCroce/BlackHat-Europe-2009-DiCroce-CYBSEC-Publication-SAP-Penetration-Testing-slides.pdf
  25. SAP session fixation attacks and protection from blackhat 2011
    1. https://media.blackhat.com/bh-eu-11/Raul_Siles/BlackHat_EU_2011_Siles_SAP_Session-WP.pdf
  26. TCode search – useful to find interesting transactions
    1. http://www.tcodesearch.com/tcodes/search?q=web