Penetration Testing mailing list archives
Re: Pen-Testing SAP
From: Jon Kibler <Jon.Kibler () aset com>
Date: Sat, 03 Jan 2009 05:34:51 -0500
yelukati mahendra wrote:
Hi,

Lemme wish the members of this list a "Happy New Year" for 2009. I was wondering about the security of packaged solutions like SAP, Siebel & PeopleSoft with regard to pentesting them. Are there any specific tests for these packages, apart from the generic set of pentests which we do on normal web applications? Please let me know if there is any information in line with the above request.

Cheers
Mahendra.
Hi,

I don't remember the specifics, but at one time, SAP installed with several default users and well-known default passwords. Also, some of the ERP packages require certain administrative logins to be present -- often with well-known passwords required -- to be able to run the software update functions. At least one of the packages also required a default DB administrative user/password to be able to update the database schema.

If I was looking into hacking an ERP package, that is where I would start.

Jon K.
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253