What is SAP?
SAP, short for Systems, Applications and Products in Data Processing, is the enterprise software suite of the German company SAP SE, which develops business solutions. More than 41,600 customers in more than 120 countries use the SAP system.
SAP is used by enterprise companies and is normally deployed internally, reachable only from the corporate network.
Why is SAP penetration testing needed?
Penetration testing is normally done to make the system owner aware of the weaknesses of the system and of the impact a real attack would have on it.
When SAP is installed, the security configuration is often left at its defaults. Direct access to the database behind SAP compromises the whole SAP system, because the application's own authorization checks are bypassed. Many SAP users also transfer files to the system via FTP, which is insecure: FTP sends credentials and data in cleartext, so a weak password (or any password) can be captured by sniffing the traffic.
The tools used for the SAP pentest are listed below:
Steps in SAP Penetration Testing
In the discovery phase, the tester needs to find a few things: the SAP ports (port scanning), the SAP traffic (sniffing) and the SAP configuration.
Those familiar with SAP will know the "fixed range of ports" that SAP uses. Most SAP ports follow the pattern "prefix + system number": a fixed prefix followed by the two-digit instance number NN, so instance 00 has its dispatcher on 3200 and instance 01 on 3201. Scan the whole NN range (00 to 99), not just the port of one known instance.
Common ports are 32NN (dispatcher), 33NN (gateway), 36NN (message server), 39NN, 2399, 81NN and so on.
nmap -T3 -sV -p 3200-3299,3300-3399,3600-3699,3900-3999,8100-8199,2399 <ip address>
In the same phase, the tester can use Metasploit's SAP scanner modules (for example auxiliary/scanner/sap/sap_service_discovery) to fingerprint the SAP application servers and gather information about them.
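The "prefix + instance number" convention above is easy to turn into a small discovery helper. The following is an added example written for this post, not tooling from the original page or from SAP: it derives the per-instance ports, maps an observed port back to its service and instance number, and TCP-connect-checks them. The dispatcher, gateway and message server prefixes are SAP's documented ones; the 39NN and 81NN entries are carried over from the ranges listed above. To keep the example runnable offline it includes a constructed stand-in listener on localhost in place of a real SAP service.

```python
"""SAP port discovery helper: derive per-instance ports from the
prefix + instance-number convention and TCP-connect-check them.

Added example for this post, not code from the original page or from SAP.
"""
import socket

# service name -> prefix (base port); the real port is prefix + NN.
# Dispatcher, gateway and message server prefixes are SAP's documented ones;
# the 39NN and 81NN rows only mirror the ranges listed in the post.
SAP_PORT_PREFIXES = {
    "dispatcher (DIAG, SAP GUI)": 3200,
    "gateway (RFC)": 3300,
    "message server": 3600,
    "39NN range": 3900,
    "81NN range": 8100,
}


def sap_ports(instance: str) -> dict[str, int]:
    """Return {service: port} for a two-digit instance number such as "00"."""
    nn = int(instance)
    if not 0 <= nn <= 99:
        raise ValueError("SAP instance numbers run from 00 to 99")
    return {name: base + nn for name, base in SAP_PORT_PREFIXES.items()}


def instance_from_port(port: int):
    """Invert the convention: map an observed port back to (service, NN)."""
    for name, base in SAP_PORT_PREFIXES.items():
        if base <= port < base + 100:
            return name, port - base
    return None


def tcp_check(host: str, port: int, timeout: float = 0.5) -> bool:
    """Plain TCP connect check of one port (no banner grab, no SAP protocol)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports: dict[str, int]) -> dict[str, bool]:
    """Connect-check a {service: port} map and report which ports are open."""
    return {name: tcp_check(host, port) for name, port in ports.items()}


def scan_instance(host: str, instance: str) -> dict[str, bool]:
    """Check every derived port of one SAP instance on one host."""
    return scan_ports(host, sap_ports(instance))


def start_fake_service(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Constructed stand-in for a listening SAP service, bound to a free port
    on localhost so the example runs offline. Close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for nn in ("00", "01"):
        print(f"instance {nn}:", sap_ports(nn))
    print("port 3642 ->", instance_from_port(3642))
    srv, port = start_fake_service()
    print("fake service open?", scan_ports("127.0.0.1", {"fake": port}))
    srv.close()
    print("after close?", scan_ports("127.0.0.1", {"fake": port}))
```

Against a real host, looping scan_instance over "00" to "99" covers the same ranges as the nmap command above; nmap is faster, but the helper makes it explicit which instance a hit belongs to, which matters when a server runs several instances.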
The countermeasure for this is to restrict all connections to the SAP system at the network level.
The SAP administrators also need to restrict connections to the shared resources (database, file transfer, management interfaces) so that only SAP-related systems and users can reach them. This prevents other users from compromising the SAP system through those paths.
Vulnerability Assessment phase
Nowadays it is very easy for an outsider to find information about the default users: SAP ships with standard accounts (SAP*, DDIC, EARLYWATCH, SAPCPIC) whose default passwords are publicly documented, so an instance still using them can be logged into without any exploit.
My recommendation is that SAP administrators deactivate the SAP* user (and set login/no_automatic_user_sapstar = 1 so the system does not recreate it with its default password if the user master record is deleted) and change the default passwords of the other standard users.
SAP passwords should be long (SAP supports up to 40 characters; raise login/min_password_lng accordingly) and case-sensitive. Besides, a user should be locked after three failed login attempts (login/fails_to_user_lock).
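To make these recommendations checkable, here is an added example (not code from the original post or from SAP) that audits a set of user records against them and shows the failed-login lockout in action. The user records are constructed demo data with plaintext passwords only because it is a demo; MIN_PASSWORD_LENGTH is an assumed local policy value, while the default passwords are the ones documented for the standard SAP accounts in SAP's security guides.

```python
"""Audit SAP user records against the hardening points above and show the
three-strikes lockout. Added example, not code from the original post.
User records are constructed demo data; MIN_PASSWORD_LENGTH is an assumed
policy value.
"""
import hmac
from dataclasses import dataclass

# Standard SAP accounts and the default passwords documented for them in
# SAP's security guides; any of these still valid is a finding.
DEFAULT_CREDENTIALS = {
    "SAP*": {"06071992", "PASS"},
    "DDIC": {"19920706"},
    "EARLYWATCH": {"SUPPORT"},
    "SAPCPIC": {"ADMIN"},
    "TMSADM": {"PASSWORD"},
}
SAP_MAX_PASSWORD_LENGTH = 40   # what the system supports
MIN_PASSWORD_LENGTH = 12       # assumed policy value (login/min_password_lng)
MAX_FAILED_LOGINS = 3          # from the post (login/fails_to_user_lock)


@dataclass
class User:
    name: str
    password: str          # plaintext only because this is demo data
    active: bool = True
    failed_logins: int = 0
    locked: bool = False


def audit_user(u: User) -> list[str]:
    """Return the policy violations for one user record (empty list = clean)."""
    findings = []
    if u.name == "SAP*" and u.active:
        findings.append("SAP* is active: deactivate it and set login/no_automatic_user_sapstar = 1")
    # Older releases upper-cased passwords, so compare defaults case-insensitively.
    defaults = {p.upper() for p in DEFAULT_CREDENTIALS.get(u.name, set())}
    if u.password.upper() in defaults:
        findings.append(f"{u.name} still has its documented default password")
    if len(u.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"{u.name}: password shorter than {MIN_PASSWORD_LENGTH} characters")
    if len(u.password) > SAP_MAX_PASSWORD_LENGTH:
        findings.append(f"{u.name}: password longer than the {SAP_MAX_PASSWORD_LENGTH} characters SAP supports")
    has_upper = any(c.isupper() for c in u.password)
    has_lower = any(c.islower() for c in u.password)
    if not (has_upper and has_lower):
        findings.append(f"{u.name}: password does not use mixed case")
    return findings


def audit_users(users) -> dict[str, list[str]]:
    """Map each user name to its findings, omitting users with none."""
    return {u.name: f for u in users if (f := audit_user(u))}


def attempt_login(u: User, password: str) -> str:
    """Case-sensitive password check with lockout after MAX_FAILED_LOGINS."""
    if u.locked:
        return "locked"
    if not u.active:
        return "inactive"
    if hmac.compare_digest(password.encode(), u.password.encode()):
        u.failed_logins = 0
        return "ok"
    u.failed_logins += 1
    if u.failed_logins >= MAX_FAILED_LOGINS:
        u.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    # Constructed demo user table: one untouched default, one hardened admin.
    users = [User("SAP*", "06071992"), User("ZSECADM", "Correct-Horse-Battery-42")]
    for name, findings in audit_users(users).items():
        print(name, "->", findings)
    admin = users[1]
    for guess in ("correct-horse-battery-42", "wrong", "wrong", "wrong"):
        print(repr(guess), "->", attempt_login(admin, guess))
```

The case-insensitive default-password comparison is deliberate: before case-sensitive passwords were introduced, SAP stored passwords upper-cased, so an audit that only compared the exact documented spelling would miss an account whose default was set on an older release.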