2. • Company specialised in securing SAP systems and infrastructures
• SAP Security consulting
• Regular presenters on SAP Security in Security conferences
• Research: In worldwide top 5 for found SAP Security vulnerabilities
• Developer of Protect4S - Security Analyser for SAP™
• SAP Development Partner
• Our mission is to raise the security of mission-critical SAP platforms with
minimal impact on day-to-day business.
Joris van de Vis, Fred van de Langenberg, Robin Vleeschhouwer
ERP Security
4. Collective hack = Grouphack ≠ Grouphug
What are we going to do…
Hack a SAP system collectively
5. But wait…
Isn’t that illegal?
Yes (in many cases) it is. Hence the disclaimer:
Hacking is illegal and very naughty. This presentation is not aiming to stimulate or approve
hacking. This presentation is meant for academic and educational purposes only.
Find the Get-out-of-jail-free card here:
I herewith approve all participants of SitNL#16
to hack my SAP system on host XXX
Only on November 26 2016.
6. <TIP>During this presentation QR codes will be
shown to simplify calling long URLs.
You might want to consider installing an app
on your mobile phone called a QR code
scanner to prevent typing really long URLs.
</TIP>
Handy…
7. Anatomy of a hack…
We will go through some common steps of a hack / penetration test
Step 1 – Reconnaissance
Gathering of data about the target.
Step 2 – Scanning / enumeration
Scan the perimeter internally and externally for vulnerabilities.
Step 3 – Gain access
Use the gathered info retrieved from previous steps to gain access to the target.
Step 4 – Keep access / go further
To successfully perform an attack, access must be maintained over a certain period of time. Further
penetration of the target might also be needed to reach the target's crown jewels.
Step 5 – Delete tracks
Be cautious, don’t get noticed or caught. Make sure to delete your tracks, logs, tooling, created users, etc, etc.
8. Step 1: Reconnaissance
Step 1 - Reconnaissance
Try to gather as much information as possible on the business and way of working of the
target. Find information like how they operate, type of systems used, procedures, IP range,
domain names, mail servers, DNS, etc.
Tooling: social media (Facebook, LinkedIn), Google and, for example, Shodan and Censys
http://whois.domaintools.com/erp-sec.com
https://www.shodan.io/search?query=sap+netweaver
10. Step 2: Scanning
Step 2 – Scanning / enumeration
Scan the environment internally and externally to get a clear image of the target.
Scanning is done to find open ports and, behind them, hopefully vulnerable services.
Scanning is most often done on network level: think of port scans, scans for specific
services, firewall scans, scans to detect the Operating System version, etc.
Tooling: network scanning and other scanning tools like NMAP, responder.py, network
sniffing tools like Wireshark, keyloggers, etc. (really too many to name)
13. Step 3: Gaining access
Step 3 – Gaining access
Try to gain access to one or more systems using the information gathered before. From there,
extract valuable information or further penetrate the landscape.
Tooling: create your own, or use exploitation tools to exploit vulnerabilities via SQL
injection, XSS, CSRF, RCE, directory traversal, code injection, verb tampering, etc. Again,
too many to name. Use social engineering to hack the human.
http://<XXXXXXXX>:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls
http://XXXXXXXXXXXXXXX:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt
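From the defender's side, as an added example that is not part of the original slides: a small Python detector that flags requests to the CTC ConfigServlet path shown in the URLs above in HTTP access logs, rating calls that carry the EXECUTE_CMD/CMDLINE parameters as critical and any other call to the servlet as suspicious. The log lines, IP addresses and file name are constructed, and a common-log-style line format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format assumed); the IP
# addresses, timestamps and the "supergeheimen.txt" file name are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2016:10:01:02 +0100] "GET /irj/portal HTTP/1.1" 200 5123
10.0.0.9 - - [26/Nov/2016:10:01:05 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet HTTP/1.1" 200 40
10.0.0.9 - - [26/Nov/2016:10:01:07 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls HTTP/1.1" 200 812
10.0.0.9 - - [26/Nov/2016:10:01:09 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=c%6Fm.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt HTTP/1.1" 200 230
10.0.0.7 - - [26/Nov/2016:10:02:00 +0100] "GET /sap/bc/ping HTTP/1.1" 200 17
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+$')
CTC_SERVLET = "/ctc/servlet/com.sap.ctc.util.ConfigServlet"
CMD_MARKERS = ("EXECUTE_CMD", "CMDLINE=")


def parse_line(line):
    # Percent-decode the URL so encoded variants match like the plain form.
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["url"] = unquote(entry["url"])
    return entry


def classify(url):
    # 'critical' = ConfigServlet call carrying command-execution parameters,
    # 'suspicious' = any other request to the servlet, None = not of interest.
    path, _, query = url.partition("?")
    if path.lower() != CTC_SERVLET.lower():
        return None
    if any(marker in query.upper() for marker in CMD_MARKERS):
        return "critical"
    return "suspicious"


def detect(log_text):
    # Run the classifier over a whole log; findings are returned in log order.
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        level = classify(entry["url"])
        if level:
            findings.append({"src": entry["src"], "ts": entry["ts"], "level": level,
                             "status": entry["status"], "url": entry["url"]})
    return findings
```

Any hit on this servlet on a production system is worth an alert: the servlet should not be reachable at all once the relevant SAP fix has been applied, so a "suspicious" finding indicates probing and a "critical" one a command-execution attempt, and the 200 status shows whether it succeeded.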
15. Towards solutions
- There is no silver bullet solution
- SAP (Platform) security goes beyond team boundaries. Involve:
- SAP Basis team
- SAP Authorisations team
- Database team
- Operating system team
- Network team
- Involve management; this is not a purely technical matter
- Create a security process instead of a one-time project
- You might consider using tooling to support this process.