Penetration Testing mailing list archives
RE: SAP Pen-Test
From: "Marc Heuse" <Marc.Heuse () nruns com>
Date: Thu, 4 Nov 2004 00:36:12 +0100
There is much for for SAP R/3 Pentesting, however mostly known to world of sap admins... SAP R/3 has had various remote vulnerabilities, e.g. in their RPC stuff. But thats not the important stuff. With a normal user account, a lot of things can be done, e.g. trying to access data in the database, executing operating system commands ... all possible with a sapgui and spa r/3 features :-) and there is a LOT to test. I have a book in my desk about auditing r/3 - it has got over 500 pages. go figure. but start your search on the web, e.g. google for "sap r/3 audit", and you will find some texts, many of them in german though. This might be a good start: http://www.it-audit.de/html/ian_sp_sap_sp.html (maybe use babelfish for translation :-) And finally - for the old fashioned pentesters - there is hydra (www.thc.org) which can brute force logins on sap r/3 via the network. You need sap sap rfcsdk though, but that can be ordered for free from the sap web site. have fun :-) Cheers, Marc ==================================================================== Marc Heuse n.runs GmbH Mobile Phone: +49-160-98925941 Key fingerprint = AE3F CDC0 8C7B 8797 BEAC 4BF8 EC8F E64B 0A84 EA10 ==================================================================== -----Original Message----- From: Rob Shein [mailto:shoten () starpower net] Sent: Tuesday, 02. November 2004 14:12 To: tambler.20.tam () spamgourmet com; pen-test () securityfocus com Subject: RE: SAP Pen-Test Phenoelit has done some interesting research on this, including the release of a few exploits for SAP ITS. I can't say I've seen very much else covering SAP, however. You also might find it interesting to read the chapter of "Stealing the Network: How to Own a Continent" that was written by FX; in it, he describes a progressive (albeit extremely skilled) attack against an SAP system.
-----Original Message----- From: Sven Tambler [mailto:tambler.20.tam () spamgourmet com] Sent: Friday, October 29, 2004 4:42 AM To: pen-test () securityfocus com Subject: SAP Pen-Test Hello everyone, I want to test a SAP Enterprise Portal. Do you know a tool for pen-testing a SAP portal? Of course, there are a lot of tools and techniques for apache or IIS and you can use them in a similar way. Otherwise there are a lot of SAP originalities and specialities you have to keep in mind. I don´t search for a tool like "nessus for SAP" - such a thing doesn´t exist - but some advices or plug-ins could be very useful. Could you by any chance be able to help? Thanks - Sven
Current thread:
- SAP Pen-Test Sven Tambler (Nov 01)
- RE: SAP Pen-Test Rob Shein (Nov 03)
- RE: SAP Pen-Test Marc Heuse (Nov 05)
- Re: SAP Pen-Test Nicolas Gregoire (Nov 03)
- Re: SAP Pen-Test Martin Eiszner (Nov 05)
- <Possible follow-ups>
- RE: SAP Pen-Test Todd Towles (Nov 03)
- RE: SAP Pen-Test Nicolas Gregoire (Nov 05)
- RE: SAP Pen-Test Rob Shein (Nov 03)