SAP Application Security Assessments - Part 1: Setting Up Your Testing Environment
"Can you take a look at the security for our new SAP application?"
- Client
"Sure..."
- You
Maybe you are already familiar with penetration testing the products of SAP AG (Systems, Applications and Products in Data Processing), the Germany-based enterprise software vendor, and its endlessly customizable enterprise resource planning applications. If that is the case, then stop reading.
If you are still here, that means you have probably accepted, or had forced upon you, the task of assessing the security of an SAP application. This blog series will hopefully give you a decent idea of what tools are available and what to start looking for.
Testing Environment
This series assumes you already have Linux installed. Many of the tools also work on Windows, but a few have functionality that is only available on Linux.
We'll start by installing some basic tools and then grab some of the more SAP specific offerings.
Nmap
$ sudo apt-get install nmap
Wireshark
$ sudo apt-get install wireshark
Hydra
Hydra is built from source here, together with libssh 0.5.0, so that its SSH module works. The archive you download and the one you unpack must be the same release (7.2 below):
$ sudo apt-get install libssh-dev
$ sudo apt-get install libgtk2.0-dev
$ sudo apt-get install cmake
$ wget -c http://www.thc.org/releases/hydra-7.2-src.tar.gz
$ wget -c http://www.libssh.org/files/0.5/libssh-0.5.0.tar.gz
$ tar -xvzf libssh-0.5.0.tar.gz
$ cd libssh-0.5.0/
$ mkdir build
$ cd build
$ cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=debug ..
$ make
$ sudo make install
$ cd ../..
$ tar -xvzf hydra-7.2-src.tar.gz
$ cd hydra-7.2-src
$ ./configure
$ make
$ sudo make install
$ cd hydra-gtk
$ ./configure
$ make
$ sudo make install
SAP RFC SDK Library
Some of the later tools (Bizploit among them) need this library to speak RFC to the target, so they will not run without it. The catch is that it is only available from the SAP Service Marketplace, which requires valid credentials. Hopefully the team you are working with to assess this app can provide you with the SAP RFC SDK. If not, they are really setting you up to fail.
To download the SAP RFC SDK:
- Go to http://service.sap.com/swdc
- From the menu on the left, select "SAP Software Distribution Center > Download > Support Packages and Patches > Entry by Application Group > Additional Components"
- Select SAP RFC SDK 7.11 (Non-Unicode) for Linux/Windows
To install the SAP RFC SDK, unpack it somewhere permanent; its lib/ directory has to be on the library path later, so do not leave it in a temporary download folder:
$ unzip rfcsdk.zip
Bizploit
Bizploit is an SAP penetration testing framework developed by Onapsis, available in Linux and Windows versions from the Onapsis site. You do have to register on the site, but once that is complete they will send you a link to download Bizploit.
Once your download is complete run the following:
$ tar -xzf Onapsis-bizploit.tgz
Next, add the rfcsdk/lib folder to the LD_LIBRARY_PATH environment variable. Append to the existing value rather than overwrite it, and guard against an empty element: the dynamic loader treats an empty entry (for example a trailing colon left behind when the variable was unset) as the current directory, which means any .so planted in whatever directory you happen to be in could be loaded. Put the line in your shell profile if you want it to survive a new shell:
export LD_LIBRARY_PATH="<full path to>/rfcsdk/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
Next, you will need to install libstdc++5:
sudo apt-get install libstdc++5
Alright! That should be it. To confirm that everything was installed correctly and I did not lead you astray, try the following command:
./bizploit -c
Java
We have run through this install before, back in the Android Application Security Assessments series. When it comes to Java, I like the official JDK from Oracle. OpenJDK is probably sufficient, if you feel so inclined.
Start by determining the currently available version of java:
$ apt-cache search jdk | grep sun
Next, download and install java:
$ sudo apt-get install sun-java6-jdk sun-java6-jre
Confirm your install has completed successfully:
$ java -version
This step is optional, but for ease of use let's set the JAVA_HOME environment variable system-wide (it takes effect on your next login):
$ sudo nano /etc/environment
Add the following line:
JAVA_HOME="/usr/lib/jvm/java-6-sun-1.6.0.26"
Or whatever the path to your Java folder actually is; ls /usr/lib/jvm will show what got installed. Don't forget to save your changes.
SAP GUI
OK, ideally your client will be able to provide you with their version of the SAP GUI. Personally, I prefer this method, because it tells you which version of the GUI they are running and whether it is missing any patches.
If they cannot or will not provide you with the SAP GUI, then you can obtain the latest version from http://www.sdn.sap.com/irj/sdn/sap-gui. Scroll down to the "Downloads" section and select the SAP GUI for Java from the "Installations" column. This is another instance where you will need authentication credentials.
Once you have a local copy of the JAR file, double-click it (or launch it with java -jar on a box without a desktop) to start the install, then:
- Click Next
- Select the installation folder
- Click OK
Now your testing environment is ready. In the next post we will take a look at the ports utilized by your SAP application.
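As a last check before the next post, here is an added preflight script that walks the setup above and reports what is still missing: the four command-line tools the post installs, the rfcsdk/lib entry in LD_LIBRARY_PATH (including the empty-entry trap), the presence of shared objects in the SDK directory, libstdc++5 as seen by the loader, and the Java version. It is example code written for this page, not part of the original post or of any of the tools it describes. The default SDK location ($HOME/rfcsdk/lib) is an assumption; override it with the RFCSDK_LIB variable to match wherever you unpacked the zip.

```sh
#!/bin/sh
# preflight.sh - sanity check for the SAP assessment toolkit set up above.
# Added example, not part of the original post or of any tool it installs.
# Assumption: RFCSDK_LIB is the unpacked rfcsdk/lib directory. The post
# writes it as '<full path to>/rfcsdk/lib', so set it for your layout, e.g.
#   RFCSDK_LIB=/opt/rfcsdk/lib sh preflight.sh
RFCSDK_LIB="${RFCSDK_LIB:-$HOME/rfcsdk/lib}"   # default location is an assumption

# Print, one per line, the tools from the argument list that are not on PATH.
# Returns 0 when every tool was found, 1 otherwise.
missing_tools() {
    rc=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if directory $2 is one of the colon-separated entries of $1
# (an LD_LIBRARY_PATH value). Exact entry match, so /opt/rfcsdk/lib does
# not count as containing /opt/rfcsdk.
path_has_entry() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 if a non-empty $1 has an empty entry (leading, trailing or
# doubled colon). The loader treats an empty entry as the current directory,
# so a planted .so in whatever directory you are in could get loaded.
path_has_empty_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Return 0 if $1 is a directory holding at least one shared object.
has_shared_objects() {
    [ -d "$1" ] || return 1
    for f in "$1"/*.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Return 0 if the 'java -version' banner in $1 names a 1.6 (Java 6) runtime,
# which is what the post installs with sun-java6-jdk.
is_java6() {
    case "$1" in
        *'"1.6.'*) return 0 ;;
        *)         return 1 ;;
    esac
}

main() {
    status=0
    if ! missing=$(missing_tools nmap wireshark hydra java); then
        echo "missing tools: $(echo "$missing" | tr '\n' ' ')"
        status=1
    fi
    if ! path_has_entry "${LD_LIBRARY_PATH:-}" "$RFCSDK_LIB"; then
        echo "LD_LIBRARY_PATH does not contain $RFCSDK_LIB"
        status=1
    fi
    if path_has_empty_entry "${LD_LIBRARY_PATH:-}"; then
        echo "LD_LIBRARY_PATH has an empty entry (current directory is searched)"
        status=1
    fi
    if ! has_shared_objects "$RFCSDK_LIB"; then
        echo "no shared objects under $RFCSDK_LIB (is the SDK unpacked there?)"
        status=1
    fi
    # libstdc++5 is what the post installs for Bizploit; ldconfig -p lists
    # the libraries the loader currently knows about.
    if ! ldconfig -p 2>/dev/null | grep -q 'libstdc++\.so\.5'; then
        echo "libstdc++.so.5 not known to ldconfig (sudo apt-get install libstdc++5)"
        status=1
    fi
    if command -v java >/dev/null 2>&1; then
        banner=$(java -version 2>&1 | head -n 1)
        is_java6 "$banner" || echo "note: java is not a 1.6 runtime: $banner"
    fi
    return $status
}

if main "$@"; then
    echo "preflight: OK"
else
    echo "preflight: FAIL, see the messages above"
fi
```

Run it from the same shell in which you exported LD_LIBRARY_PATH, since the check reads that variable from its own environment; an "OK" here means the tools, the SDK library path and libstdc++5 are all where Bizploit expects them.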