SAP PENETRATION TESTING

SAPPENETRATIONTESTINGSAPPENETRATIONTESTINGSAPPENETRATIONTESTINGSAPPENETRATIONTESTING©2009CybsecS.A.-AllRightsReservedAbstractPenetrationTestinghasbecomeanindustry-proveneffectivemethodologytoanalyzethesecuritylevelofinformationsystemsplatforms.However,duetothelackofpracticalknowledge,fearofservicedisruptionandabsenceofpropertools,SAPsystemshavealwaysbeenexcludedfromthiskindofassessments.AsimplementingSAPinacompanyissuchacomplexandlongprocess,securitysettingsareoftenpostponedorunattended.Moreover,manyofthesesettingshaveunsafevaluesbydefault.ThecombinationofthistwofactsresultsinmanyinsecureSAPplatforms,exposedtohighriskthreats.Thispublicationdescribestheuseofsapyto,anSAPPenetrationTestingFramework,whichassistssecurityprofessionalsinassessingthesecurityoftheirSAPplatforms.sapytowillhelpthemdetectexistingvulnerabilitiesandincreasetheoverallsecurityleveloftheimplementation,protectingthecompany’scriticalbusinessinformation.April16,2009withsapyto(v1.00)ACYBSEC-LabsPublicationbyMarianoNuñezDiCroce1SAPPENETRATIONTESTINGwithsapyto(v1.00)TableofContents1.Introduction.......................................................................................................22.MethodologyandGoals....................................................................................23.SettinguptheAssessmentPlatform.................................................................34.sapyto:TheSAPPenetrationTestingFramework............................................44.1.Installation..................................................................................................44.1.1.TheSAPRFCLibrary..........................................................................44.1.2.InstallationonLinuxsystems...........................................................54.1.3.InstallationonWindowssystems.....................................................74.2.Architecture................................................................................................84.2.1.ConnectorsandTargets..................................................................84.2.2.Plugins.............................................................................................94.2.3.Shells...............................................................................................94.2.4.sapytoAgents.................................................................................104.2.5.Tools..............................................................................................104.3.Usingsapyto.............................................................................................104.3.1.TheConsoleInterface....................................................................104.3.2.TheGraphicalUserInterface.........................................................144.4.PluginsDetailed.......................................................................................144.4.1.DiscoveryPlugins..........................................................................144.4.2.AuditPlugins..................................................................................164.4.3.ExploitPlugins...............................................................................194.5.ShellsDetailed.........................................................................................224.6.sapytoAgentsDetailed..............................................................................234.7.ToolsDetailed..........................................................................................235.Conclusions....................................................................................................246.References......................................................................................................242SAPPENETRATIONTESTINGwithsapyto(v1.00)1.IntroductionForyears,whenauditorsandsecurityprofessionalsreferredto“SAPsecurity”,theyweremostlymeaning“securityoftheSAPAuthorizationsubsystem–roles&profiles”.Thiskindofanalysisinmainlyfocusedinanalyzingusers’authorizations,withthepurposeofdetectingandshrinkingwideandincompatibleprivilegesthatcouldresultinbusinessfrauds.ThiskindofassessmentiscompulsoryformanycompaniesbecauseofregulationslikeSarbanes-Oxley(SOX),amongothers.WhiletheauthorizationandSegregationofDuties(SoD)reviewsareimportant,sofarthesecuritycommunityhasbeenoverlookinganequallysignificantareaintheSAPsecuritymatter:thetechnicalsecurity,or“greyarea”.Thisareainvolvesallthetechnicalaspectsandcomponentsthatserveasthebaseframeworkforrunningthebusinessmodulesandiscriticalforthesecurityoftheplatform:abreachinmanyofthesecomponentswouldalsoresultintheabilityofcarryingoutbusinessfrauds,eventhoughtheauthorizationsystemisabsolutelylockeddown.Therefore,inordertodevelopacompleteassessment,securityprofessionalsneedtofullyunderstandandanalyzethesethreats.Penetrationtestinghasbecomeanindustry-provenmethodologytoeffectivelyanalyzethesecuritylevelofcompanies’informationsystems.Thiskindofassessmentprovidesauniqueperspectiveoverthecurrentsecuritystateofth