SAP Application Security Assessments - Part 1: Setting Up Your Testing Environment
"Can you take a look at the security for our new SAP application?"
Maybe you are already familiar with penetration testing Germany based enterprise software vendor SAP AG (System, Application and Products in Data Processing) and their infinitely customizable enterprise resource planning applications. If that is the case, then stop reading.
If you are still here, that means you have probably accepted, or had forced upon you, the task of assessing the security of an SAP application. This blog series will hopefully give you a decent idea of what tools are available and what to start looking for.
This series will assume you have Linux already installed. Many of the tools will also work in a Windows environment, but a few have additional functionality that is only available in Linux.
We'll start by installing some basic tools and then grab some of the more SAP specific offerings.
$ sudo apt-get install nmap
$ sudo apt-get install wireshark
$ sudo apt-get install libssh-dev $ sudo apt-get install libgtk2.0-dev $ wget -c http://www.thc.org/releases/hydra-7.2-src.tar.gz $ wget -c http://www.libssh.org/files/0.5/libssh-0.5.0.tar.gz $ tar -xvzf libssh-0.5.0.tar.gz $ cd libssh-0.5.0/ $ mkdir build $ cd build $ sudo apt-get install cmake $ cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=debug .. $ make $ sudo make install $ cd ../.. $ tar -xvzf hydra-7.1-src.tar.gz $ cd hydra-7.1-src $ ./configure $ make $ sudo make install $ cd hydra-gtk $ ./configure $ make $ sudo make install
SAP RFC SDK Library
This software is required for some of the later tools to operate properly. Another catch is that you must have valid credentials for the SAP Service Marketplace. Hopefully the team you are working with to assess this app can provide you with the SAP RFC SDK. If not, they are really setting you up to fail.
To download the SAP RFC SDK:
- Go to http://service.sap.com/swdc
- From the menu on the left, select "SAP Software Distribution Center > Download > Support Packages and Patches > Entry by Application Group > Additional Components"
- Select SAP RFC SDK 7.11 (Non-Unicode) for Linux/Windows
To install the SAP RFC SDK:
$ unzip rfcsdk.zip
Bizploit is a penetration testing tool developed by Onapsis. You can select whether you want to download the Linux or Windows version here. You do have to register on the site, but once that is complete they will send you a link to download Bizploit.
Once your download is complete run the following:
$ tar -xzf Onapsis-bizploit.tgz
Next, you will have to include the rfcsdk/lib folder in the LD_LIBRARY_PATH environment variable:
export LD_LIBRARY_PATH='<full path to>/rfcsdk/lib'
Next, you will need to install libstdc++5:
sudo apt-get install libstdc++5
Alright! That should be it. To confirm that everything was installed correctly and I did not lead you astray, try the following command:
We have run through this install before, back in the Android Application Security Assessments series. When it comes to Java, I like the official JDK from Oracle. OpenJDK is probably sufficient, if you feel so inclined.
Start by determining the currently available version of java:
$ apt-cache search jdk | grep sun
Next, download and install java:
$ apt-get install sun-java6-jdk sun-java6-jre
Confirm your install has completed successfully:
$ java -version
This step is optional, but for ease of use let's set the JAVA_HOME environment variable:
$ sudo nano /etc/environment
Add the following line:
Or whatever the path is to your Java folder. Don't forget to save your changes.
OK, ideally your client will be able to provide you with their version of the SAP GUI. Personally, I prefer this method, because it allows us to find out what version of the GUI they are running and if they are missing any patches.
If they won't/can't provide you with the SAP GUI, then you can obtain the latest version from http://www.sdn.sap.com/irj/sdn/sap-gui. Scroll down to the "Downloads" section and select the SAP GUI for Java from the "Installations" column. This is another instance where you will need authentication credentials.
Once you have a local copy of the JAR file, double-click it to start the install.
Select the installation Folder:
Now your testing environment is ready. In the next post we will take a look at the ports utilized by your SAP application.