SAP CTF Pentest : From Outside To Company Salaries Tampering (closed)

Presented at DeepSec 2017 „Science First!“, Unknown date/time (Unknown duration)

SAP is no longer an unknown black box for the security community, and SAP products appear more and more often in audit requests. This training is focused on SAP Netweaver. Because we can't seriously cover all SAP software in two days, we decided to work on the most frequent vulnerabilities we faced during our pentests. We'll provide different SAP systems with different configuration issues in a 'realistic' environment, and also a pre-configured attacker VM with all tools required to perform the training activities. Few slides, lots of practice: that's the leitmotiv of this course. SAP knowledge is not required.

Prerequisites: General knowledge of pentesting. SAP knowledge is NOT required.

Target audience: Pentesters or security professionals. Anyone interested in learning about SAP security.

Requirements / Material to bring by attendees: A laptop capable of running a virtual machine, with 10G free disk space and 1GB RAM for the VM.

Similar works: This course is an improved version of the training done during the Hack In Paris 2017 Conference. I've created two 'easy' SAP challenges for the free security platform 'root-me':

  • https://www.root-me.org/en/Challenges/Realist/SAP-Pentest-007
  • https://www.root-me.org/en/Challenges/Realist/SAP-Pentest-000

These challenges are not the same as the ones in this course.

Agenda: Detailed presentation material will be provided to attendees at the start of the course. Please find the course outline below:

Day 1

Introduction
  • Introduction to the world of SAP
      SAP?
      SAP in numbers
      SAP Netweaver ABAP?
      Global technical concept
      Technical component
      SAP as user
  • Introduction to SAP Security
      Latest changes in SAP Security
      The SAP security parts
      SAP Security Notes
      Attack surface
      Risks

Training infrastructure
  • Overview and warning
  • Kali-SAP
      Hands-on: Tools, installation, setup
  • SAP cheatsheets for pentesters

SAProuter
  • What is SAProuter?
  • How SAProuters work
  • SAProuter vulnerabilities
      Hands-on: Discover internal SAP, discover SAP port, forward port
  • Remediation

SAP Gui
  • Overview & How to
      Hands-on: Moving around SAP Gui
  • SAP Gui information gathering
  • SAP Gui shortcut vulnerability
      Hands-on: Retrieve information, crack user password
  • Latest vulnerabilities found
  • Remediation

SAP Netweaver ABAP
  • Overview
  • SAP authorization
  • Password and default accounts
      Hands-on: Find default account and password of target
  • SAP Message Server
      Hands-on: Playing with Message Server
  • SAP ICM
      Hands-on: Playing with ICM
  • SAP MMC
      Hands-on: Playing with MMC
  • SAP RFC Gateway
      Hands-on: RCE through SAP Gateway
  • Remediation

Day 2

SAP Secure Store
  • Overview
  • ABAP Secure Storage
      Hands-on: Decrypt ABAP Secure Storage
  • Secure Storage in File System
      Hands-on: Decrypt SSFS
  • Remediation

Database level security
  • Overview
  • Focusing on Oracle
  • Oracle OPS$ attack
      Hands-on: Retrieve SAP database schema password
  • Remediation

SAP Horizontal movement
  • Concept in SAP
  • RFC hardcoded credential
      Hands-on: Get access to trusted SAP system with dialog user
      Hands-on: Get access to trusted SAP system with no-dialog user
  • Pivot with SAP RFC Gateway
      RCE to trusted RFC SAP system
  • Remediation

SAP Vertical movement
  • Concept in SAP
      Hands-on: SAP to OS
      Hands-on: OS to database
      Hands-on: SAP to database
      Hands-on: Database to SAP
  • Remediation

ABAP Code vulnerability (Overview)
  • Introduction
  • ABAP Minimum basis
  • ABAP injection
      Hands-on: Exploit ABAP injection
  • OS Command injection
      Hands-on: Exploit OS injection
  • Native SQL Injection
      Hands-on: Exploit SQLi
  • Authorization bypass
      Hands-on: Bypass authorization example
  • Directory traversal
      Hands-on: Exploit directory traversal
  • Cross client access
      Hands-on: Cross client access example
  • Understand SAP OSS Security Patch
      Hands-on: From SAP Security Patch to bind shell
  • Remediation

CTF
  • 5 Categories for 20+ tasks
      Hands-on: CTF time!

Correction

References

Conclusion & Questions

Presenters:

  • Yvan Genuer - Devoteam
    Yvan has nearly 15 years of experience in SAP. He started out as an SAP basis administrator for various well-known French companies. For the past 5 years, he has focused on SAP Security and is now the head of SAP assessment and pentesting in the Devoteam security team. Although a very discreet person, he has received official acknowledgements from SAP AG for vulnerabilities he has reported. Furthermore, he is a longtime member of the Grehack conference organization committee and has conducted an SAP pentest workshop at Clusir 2017, as well as a full training at Hack In Paris 2017.
