
What's@Stake

Christopher.Emerson | 12 Apr 2012 | 2 comments

Looks like we have wrapped up our initial series on SAP penetration testing. Hopefully you will now be able to take what you have seen here, expand on it, and share your knowledge with everyone else. Before we head out though, here are a few other resources and tools that you may find interesting.

 

Additional tools for your arsenal:

SAP Code Inspector is a tool for checking repository objects regarding performance,...

Christopher.Emerson | 12 Apr 2012 | 0 comments

With the footprinting and enumeration complete, we can move on to configuring Bizploit and trying out some of the built-in exploits!

Bizploit plugins are assigned to three categories: vulnerabilities (vulnassess), discovery and output. It is usually useful to take a quick peek at which plugins are available:

bizploit/targets> back

bizploit> plugins

bizploit/plugins> list

 

The output category only comes with one plugin, "console". In a previous version of the application (called sapyto), there was a plugin to output the results to a file. That is no longer available with bizploit. Hopefully you ran the "script" command before you started bizploit. Otherwise, copying and pasting is your friend.

Anyway, you shouldn't have to change the...

Christopher.Emerson | 12 Apr 2012 | 0 comments

Since we have already port scanned our target, we can move on to some more SAP-specific reconnaissance.

SAP applications are a slightly different beast than most of us are used to. If they weren't, then you wouldn't be here. We can always run Nessus and Metasploit against the server (and you should).  Fortunately for us, someone else has blazed a trail and left behind a nice little path called Bizploit.

Bizploiting (a verb I just created but am certain will become part of the lexicon) involves the following:

  1. Start the Bizploit tool
  2. Configure the myriad of options
  3. Profit!

OK, so maybe it isn't quite that easy, so let's take a more granular approach. Within your test environment, open up a terminal and navigate to your bizploit...

Christopher.Emerson | 11 Apr 2012 | 0 comments

You are probably already familiar with Nmap and port scanning in general. I won't waste too much of your time walking through the ins and outs of Nmap, but we will take a look at some of the specific ports of interest for SAP applications.

First off, we need to run Nmap. I personally like to check all ports, as you never know what you will find.

$ nmap -vvv -A -oA <output filename> -p 1-65535 <target ip address>

Obviously, your results will vary from assessment to assessment. A full list of the ports used by SAP applications can be found at http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c280b?QuickLink=index&overridelayout=true....

Christopher.Emerson | 02 Apr 2012 | 0 comments

"Can you take a look at the security for our new SAP application?"

     - Client

"Sure..."

     - You

Maybe you are already familiar with penetration testing Germany-based enterprise software vendor SAP AG (System, Application and Products in Data Processing) and their infinitely customizable enterprise resource planning applications. If that is the case, then stop reading.

If you are still here, that means you have probably accepted, or had forced upon you, the task of assessing the security of an SAP application. This blog series will hopefully give you a decent idea of what tools are available and what to start looking for.

Testing Environment

This series will assume you have Linux already installed. Many of the tools will also work in a Windows environment, but a few have additional functionality that is only available in Linux.

We'll start by...

Christopher.Emerson | 31 Jan 2012 | 1 comment

We have come to the end of this series and you should now have an idea of how to start your own Android Application Security Assessment and even reverse engineer your app to source code.  Before we go, here are a few other mumblings that you may find useful. 

Additional tools for your arsenal:

Android Debug Bridge (ADB) is a command line client application that allows you to communicate with the emulator (or a connected Android device).  This came with the Android SDK and you already used this to install an...

Christopher.Emerson | 24 Jan 2012 | 2 comments

There are times in security engagements when having an application’s source code can make your life infinitely easier.  Fortunately, there are publicly available tools to make this a painless process.

If you are looking for how to install apps into your environment, take a look here, or check here for a list of all the previous entries in this series.

 

Convert The Android Application Package File (.apk) File To A Java Archive (.jar)

Remember that copy of the .apk file that our project team gave us (or that we downloaded from the Marketplace)?  You are going to need that.

The Android .apk file is essentially a compressed file, containing the manifest file, certificates, resources, assets and the program code, compiled in the Dalvik Executable (.dex) format.

Converting your target .apk file into a .jar file is pretty simple.

...

Christopher.Emerson | 17 Jan 2012 | 0 comments

If you were using your Android device for testing, this could be as simple as visiting the Marketplace, searching for your app and pressing Install.  But we already went through the effort of setting up our testing environment, and the Android emulator cannot download apps directly, so we are going to have to jump through a few hoops to get your target application installed.

 

Obtain The Android Application Package File (.apk)

In most situations, you should simply ask your project contact “Hey, can you please send me the .apk file?”  Do not forget to say please!

If, for whatever reason, that is not an option for you, all hope is not lost.

  1. Download the target application from the marketplace to your physical Android...

Christopher.Emerson | 10 Jan 2012 | 1 comment

You now should have a working test environment with all of the primary assessment tools.  Time to create our Android Virtual Device (AVD) and connect it via proxy!

Create an AVD

To start, you will want to run the android file (located in the ‘tools/’ directory).  This will launch the Android SDK and AVD Manager.

  • Linux: $ ./android
  • Windows: C:\>android

Click on ‘Virtual Devices’ (if it is not already selected) in the menu on the left.

On the far right, press the “New” button.

Fill in the data for your new AVD (...

Christopher.Emerson | 03 Jan 2012 | 1 comment

Last time we took a look at setting up our environment for Windows users.  Now let’s take a look at the setup for Ubuntu Linux users.

Java

If you need help installing Ubuntu, there are many useful sites to walk you through the process.  Once your OS is ready, you will need to install Java.  I personally prefer the official JDK from Oracle and I will show you how to install that.  If you choose to use OpenJDK, let me know how that goes for you.

Start by determining what the currently available version of Java is:

        $ apt-cache search jdk | grep sun

Next, download and install Java via apt-get:

        $ apt-get install sun-java6-jdk sun-java6-jre

Confirm your install has...