Penetration Testing mailing list archives

Re: Pen-Testing SAP


From: Jon Kibler <Jon.Kibler () aset com>
Date: Sat, 03 Jan 2009 05:34:51 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

yelukati mahendra wrote:
> Hi,
>
> Lemme wish the members of this list a "Happy New Year" for 2009.
>
> I was wondering about the security of packaged solutions like SAP, Siebel & PeopleSoft with regards to pentesting them.
> Are there any specific tests for these packages, apart from the generic set of pentests which we do on normal web
> applications?
>
> Please let me know if there is any information in line with the above request.
>
> Cheers
> Mahendra.


Hi,

I don't remember the specifics, but at one time, SAP installed with
several default users and well known default passwords.

Also, some of the ERP packages require certain administrative logins to
be present -- often with well known passwords required -- to be able to
run the software update functions. At least one of the packages also
required a default DB administrative user/password to be able to update
the database schema.

If I was looking into hacking an ERP package, that is where I would start.

Jon K.
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAklfP0sACgkQUVxQRc85QlMZHgCfYUArExCDRQbF6sLPIVzNrlom
/dEAn3tb0mpxoBb7NE1wCVQTXEGFVl4y
=+EYA
-----END PGP SIGNATURE-----
