SAP PENETRATION TESTING

pfchina
8 ℃
2016-04-09

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

SAPPENETRATIONTESTINGSAPPENETRATIONTESTINGSAPPENETRATIONTESTINGSAPPENETRATIONTESTING©2009CybsecS.A.-AllRightsReservedAbstractPenetrationTestinghasbecomeanindustry-proveneffectivemethodologytoanalyzethesecuritylevelofinformationsystemsplatforms.However,duetothelackofpracticalknowledge,fearofservicedisruptionandabsenceofpropertools,SAPsystemshavealwaysbeenexcludedfromthiskindofassessments.AsimplementingSAPinacompanyissuchacomplexandlongprocess,securitysettingsareoftenpostponedorunattended.Moreover,manyofthesesettingshaveunsafevaluesbydefault.ThecombinationofthistwofactsresultsinmanyinsecureSAPplatforms,exposedtohighriskthreats.Thispublicationdescribestheuseofsapyto,anSAPPenetrationTestingFramework,whichassistssecurityprofessionalsinassessingthesecurityoftheirSAPplatforms.sapytowillhelpthemdetectexistingvulnerabilitiesandincreasetheoverallsecurityleveloftheimplementation,protectingthecompany’scriticalbusinessinformation.April16,2009withsapyto(v1.00)ACYBSEC-LabsPublicationbyMarianoNuñezDiCroce1SAPPENETRATIONTESTINGwithsapyto(v1.00)TableofContents1.Introduction.......................................................................................................22.MethodologyandGoals....................................................................................23.SettinguptheAssessmentPlatform.................................................................34.sapyto:TheSAPPenetrationTestingFramework............................................44.1.Installation..................................................................................................44.1.1.TheSAPRFCLibrary..........................................................................44.1.2.InstallationonLinuxsystems...........................................................54.1.3.InstallationonWindowssystems.....................................................74.2.Architecture................................................................................................84.2.1.ConnectorsandTargets..................................................................84.2.2.Plugins.............................................................................................94.2.3.Shells...............................................................................................94.2.4.sapytoAgents.................................................................................104.2.5.Tools..............................................................................................104.3.Usingsapyto.............................................................................................104.3.1.TheConsoleInterface....................................................................104.3.2.TheGraphicalUserInterface.........................................................144.4.PluginsDetailed.......................................................................................144.4.1.DiscoveryPlugins..........................................................................144.4.2.AuditPlugins..................................................................................164.4.3.ExploitPlugins...............................................................................194.5.ShellsDetailed.........................................................................................224.6.sapytoAgentsDetailed..............................................................................234.7.ToolsDetailed..........................................................................................235.Conclusions....................................................................................................246.References......................................................................................................242SAPPENETRATIONTESTINGwithsapyto(v1.00)1.IntroductionForyears,whenauditorsandsecurityprofessionalsreferredto“SAPsecurity”,theyweremostlymeaning“securityoftheSAPAuthorizationsubsystem–roles&profiles”.Thiskindofanalysisinmainlyfocusedinanalyzingusers’authorizations,withthepurposeofdetectingandshrinkingwideandincompatibleprivilegesthatcouldresultinbusinessfrauds.ThiskindofassessmentiscompulsoryformanycompaniesbecauseofregulationslikeSarbanes-Oxley(SOX),amongothers.WhiletheauthorizationandSegregationofDuties(SoD)reviewsareimportant,sofarthesecuritycommunityhasbeenoverlookinganequallysignificantareaintheSAPsecuritymatter:thetechnicalsecurity,or“greyarea”.Thisareainvolvesallthetechnicalaspectsandcomponentsthatserveasthebaseframeworkforrunningthebusinessmodulesandiscriticalforthesecurityoftheplatform:abreachinmanyofthesecomponentswouldalsoresultintheabilityofcarryingoutbusinessfrauds,eventhoughtheauthorizationsystemisabsolutelylockeddown.Therefore,inordertodevelopacompleteassessment,securityprofessionalsneedtofullyunderstandandanalyzethesethreats.Penetrationtestinghasbecomeanindustry-provenmethodologytoeffectivelyanalyzethesecuritylevelofcompanies’informationsystems.Thiskindofassessmentprovidesauniqueperspectiveoverthecurrentsecuritystateofth