
SAP Application Security Assessments - Part 1: Setting Up Your Testing Environment

Created: 02 Apr 2012 • Updated: 25 Apr 2012
By Christopher.Emerson

"Can you take a look at the security for our new SAP application?"

     - Client

"Sure..."

     - You

Maybe you are already familiar with penetration testing the infinitely customizable enterprise resource planning applications of SAP AG (Systems, Applications and Products in Data Processing), the Germany-based enterprise software vendor. If that is the case, then stop reading.

If you are still here, that means you have probably accepted, or had forced upon you, the task of assessing the security of an SAP application. This blog series will hopefully give you a decent idea of what tools are available and what to start looking for.

Testing Environment

This series will assume you have Linux already installed. Many of the tools will also work in a Windows environment, but a few have additional functionality that is only available in Linux.

We'll start by installing some basic tools and then grab some of the more SAP specific offerings.

Nmap

$ sudo apt-get install nmap

Wireshark

$ sudo apt-get install wireshark

Hydra

$ sudo apt-get install libssh-dev
$ sudo apt-get install libgtk2.0-dev

$ wget -c http://www.thc.org/releases/hydra-7.2-src.tar.gz
$ wget -c http://www.libssh.org/files/0.5/libssh-0.5.0.tar.gz

$ tar -xvzf libssh-0.5.0.tar.gz
$ cd libssh-0.5.0/

$ mkdir build
$ cd build

$ sudo apt-get install cmake

$ cmake -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=debug ..
$ make
$ sudo make install
$ cd ../..

$ tar -xvzf hydra-7.2-src.tar.gz
$ cd hydra-7.2-src
$ ./configure
$ make
$ sudo make install

$ cd hydra-gtk
$ ./configure
$ make
$ sudo make install

SAP RFC SDK Library

This software is required for some of the later tools to operate properly. Another catch is that you must have valid credentials for the SAP Service Marketplace. Hopefully the team you are working with to assess this app can provide you with the SAP RFC SDK. If not, they are really setting you up to fail.

To download the SAP RFC SDK:

  1. Go to http://service.sap.com/swdc
  2. From the menu on the left, select "SAP Software Distribution Center > Download > Support Packages and Patches > Entry by Application Group > Additional Components"
  3. Select SAP RFC SDK 7.11 (Non-Unicode) for Linux/Windows

To install the SAP RFC SDK:

$ unzip rfcsdk.zip

Bizploit

Bizploit is a penetration testing tool developed by Onapsis. You can select whether you want to download the Linux or Windows version from the Onapsis website. You do have to register on the site, but once that is complete they will send you a link to download Bizploit.

Once your download is complete run the following:

$ tar -xzf Onapsis-bizploit.tgz

Next, you will have to include the rfcsdk/lib folder in the LD_LIBRARY_PATH environment variable:

export LD_LIBRARY_PATH="<full path to>/rfcsdk/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"

Next, you will need to install libstdc++5:

sudo apt-get install libstdc++5

Alright! That should be it. To confirm that everything was installed correctly and that I did not lead you astray, try the following command:

./bizploit -c

Java

We have run through this install before, back in the Android Application Security Assessments series. When it comes to Java, I like the official JDK from Oracle. OpenJDK is probably sufficient, if you feel so inclined.

Start by determining the currently available version of Java:

$ apt-cache search jdk | grep sun

Next, download and install Java:

$ sudo apt-get install sun-java6-jdk sun-java6-jre

Confirm your install has completed successfully:

$ java -version

This step is optional, but for ease of use let's set the JAVA_HOME environment variable:

$ sudo nano /etc/environment

Add the following line, substituting the path to your own Java folder if it differs:

JAVA_HOME="/usr/lib/jvm/java-6-sun-1.6.0.26"

Don't forget to save your changes.

SAP GUI

OK, ideally your client will be able to provide you with their version of the SAP GUI. Personally, I prefer this method, because it allows us to find out what version of the GUI they are running and if they are missing any patches.

If they won't/can't provide you with the SAP GUI, then you can obtain the latest version from http://www.sdn.sap.com/irj/sdn/sap-gui. Scroll down to the "Downloads" section and select the SAP GUI for Java from the "Installations" column. This is another instance where you will need authentication credentials.

Once you have a local copy of the JAR file, double-click it to start the install.

Click Next, select the installation folder, and click OK.
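Before moving on, it is worth checking that the pieces installed above actually line up. The following POSIX shell preflight script is an added example, not part of the original post or of any of the tools it mentions; the tool names, the rfcsdk/lib path and the JAVA_HOME and libstdc++5 checks are taken from the steps in this post, and the script does not invoke Bizploit itself.

```shell
#!/bin/sh
# Preflight check for the SAP testing environment set up in this post.
# Added example (not from the original post). Assumes the tools and
# variables named above: nmap, wireshark, hydra, java on PATH,
# LD_LIBRARY_PATH including rfcsdk/lib, JAVA_HOME set, libstdc++5 present.

# Print the names of the given tools that are not on PATH, one per line.
missing_tools() {
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
}

# Return 0 if the colon-separated list $1 has a directory ending in $2.
path_has_dir() {
    _list="$1"; _suffix="$2"
    old_ifs="$IFS"; IFS=:
    for _dir in $_list; do
        case "$_dir" in
            *"$_suffix") IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# Run every check from the post; prints one line per problem, returns the count.
preflight() {
    problems=0
    for t in $(missing_tools nmap wireshark hydra java); do
        echo "missing tool: $t"; problems=$((problems + 1))
    done
    if ! path_has_dir "${LD_LIBRARY_PATH:-}" "rfcsdk/lib"; then
        echo "LD_LIBRARY_PATH does not include the rfcsdk/lib folder"; problems=$((problems + 1))
    fi
    if [ -z "${JAVA_HOME:-}" ] || [ ! -x "$JAVA_HOME/bin/java" ]; then
        echo "JAVA_HOME is unset or does not point at a JDK"; problems=$((problems + 1))
    fi
    # Bizploit needs libstdc++5; look for it in the dynamic linker cache.
    if ! ldconfig -p 2>/dev/null | grep -q 'libstdc++.so.5'; then
        echo "libstdc++5 not found in the dynamic linker cache"; problems=$((problems + 1))
    fi
    return "$problems"
}

preflight && echo "environment looks complete" || echo "fix the problems listed above"
```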

Now your testing environment is ready. In the next post we will take a look at the ports utilized by your SAP application.
