SAP Penetration Testing MasterClass

What is SAP?

SAP also known as Systems, Application and Products in Data Processing owned by German company that have devoted to the business solutions development. More than 41,600 customers in more than 120 countries have used the SAP system.

The SAP been used by Enterprise Company and is normally internal to the company.

Why need SAP penetration testing?

Normally penetration testing is been done to help the user to aware of the weakness of the system and the impact of the real attack into the system.

When installing the SAP, security configuration will be left as default. Direct access to the database in the SAP will totally compromise the SAP system. Mostly the SAP user will configure the system via FTP which can be insecure due to a weak password (this is because of FTP normally use cleartext)

Pentesting SAP from Rapid7 WhiteBoard (Source:


Tools that use for the SAP pentest will be list down as below:

  • NMAP
  • Nessus
  • Burpsuite
  • Hydra

Step on SAP Penetration Testing

Discovery Phase

In this phase, the tester need to discover a few thing such as SAP port scanning, Traffic sniffing and checking SAP configuration.

For those are familiar with SAP, they should be aware of the “fixed range of ports” that SAP is using. Most of the ports that SAP use will usually follow certain formatting such as “PREFIX + SYS. Number”

Common ports are such as 32XX, 33XX, 36XX,39XX,2399, 81XX and so on

Nmap –T3  <ip address>

Exploration Phase

In this phase, the tester can use metasploit script to get SAP Application Servers information.

Metasploit Script for SAP Penetration Testing Usage

How to countermeasure this issue is that “Restrict all the connection to SAP system at the network level.

The SAP administration is alos need to restrict connection only from SAP related systems and users to the shared resources. This is to avoid other user to compromise the SAP system.

Vulnerability Assessment phase

Nowadays, it’s very easy to an outsider to get information the Default Users.

My recommendation is that SAP Administration need to deactivate the SAP* and other default user must be protected like restrict the default user access

SAP Password need to have Max Length more than 40 Character and the Case should be Sensitive. Besides, the username should locked after failed login for three times.

Author: Wan Ariff

He brings with him working experience in Information Security filed which specializing in Penetration Testing and Digital Forensic. His passion is more to IT Security

Leave a Reply

Your email address will not be published. Required fields are marked *