12-17-2008 11:18 AM
Hello list,
I'm glad to let you know that a new version of sapyto, the SAP Penetration Testing Framework, is available.
You can download it by accessing the following link: http://www.cybsec.com/EN/research/sapyto.php
News in this version:
This version is mainly a complete re-design of sapyto's core and architecture to support future releases. Some of the new features now available are:
. Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.
. Plugins are now divided in three categories:
. Discovery: Try to discover new targets from the configured/already-discovered ones.
. Audit: Perform some kind of vulnerability check over configured targets.
. Exploit: Are used as proofs of concept for discovered vulnerabilities.
. Exploit plugins now generate shells and/or sapytoAgent objects.
. New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more...
. Plugin-developer interface drastically simplified and improved.
. New command switches to allow the configuration of targets/scripts/output independently.
. Installation process and general documentation improved.
. Many (many) bugs fixed. 😛
Enjoy!
Cheers,
Mariano
12-17-2008 10:14 PM
Hi Mariano,
Thanks for the update.
We implemented secinfo restrictions 5 years ago, but used a rather complicated approach. We did some tests today (the "local" setting works okay so far) and will continue tomorrow.
We now use the HOST and USER-HOST set to "local" and let the application security deal with who-can-do-what and this works quite well; though we have encountered some external 3rd party server programs in some cases. It seems to be popular amongst the business folks and some of the products use the gateway monitor to communicate with the SAP system to find out when it has completed processing.
I think this is a design error, but they of course think otherwise.
What was interesting to note, was that we locked ourselves out of an unprotected system. We changed the gw/monitor from 2 to 1 in a test. This worked. But then the gwmon cannot be used to change it back to 2! So we tried RZ11, and experienced the same. So we changed it to 0 in a test, and then 1 was blocked as well. This appears to be implemented in the kernel, as even hobbling the application coding does not help. The parameter is only dynamic when decreasing the value and increasing the security.
We had to restart the whole system for the instance profile to take effect again. Rather noisy and a few developers could take an additional 10 minute coffee break as a result.
We are testing this on 3 different releases with different config:
- 4.6C (46D)
- 6.40
- 7.00
The different config relates to:
- gw/sec_info
- gw/monitor
- auth/rfc_authority_check
Our intention behind this is to improve baseline security and harden some special systems further.
Cheers,
Julius
12-18-2008 1:55 PM
Hello Julius,
Thanks for your response.
I'm glad you took care of secinfo a long time ago. It is a real critical issue.
Regarding the gw monitor, I started laughing when I read "I think this is a design error, but they of course think otherwise". I couldn't agree more. The availability of the gateway monitor to external users (gw/monitor=2) implies a security risk for the platform and should not be possible.
I have also had the problem of the dynamic modification of the gw/monitor parameter in the past. Actually, this behaviour is documented in the SAP Library: http://help.sap.com/saphelp_nw04/helpdata/EN/e0/fa07c9918c4062974b95b6fbb0c179/content.htm.
I guess at least developers liked you more.
If you are using 7.00, you can also take a look at the gw/reg_info profile, to provide a better protection for Registered RFC Servers operation.
Cheers,
Mariano
12-19-2008 4:53 PM
> Regarding the gw monitor, I started laughing when I read "I think this is a design error, but they of course think otherwise". I couldn't agree more.
One thing which I am very happy about is that the default parameter is now rolled out of the "factory" with the value = 1 (local only setting). This is a great improvement, as you need to be proactively insecure and not just ignorantly insecure. I have noticed that SAP has done this to a number of security related parameters, which are then improved for new installations and some at upgrades. Hats off to SAP for that!
It would be nice to see the same for the secinfo with a default "local" setting.
Cheers, merry Christmas and may all your return codes be 107 in the new year when you try to change the param.
Julius
12-19-2008 5:28 PM
I also agree completely. By analyzing default configurations from 6.20 (and before) to 7.00 one can quickly notice that security settings (e.g. gwmon, password policy parameters) are delivered with more secure levels, which make default installations safer. I think this is the right move and SAP is doing good work by going down this road.
What I can also tell you, that many people don't know, is that they do great work dealing with newly reported security vulnerabilities, managing them professionally and in short time frames.
Merry Christmas to you too and have a great 2009!
Cheers,
Mariano.
12-22-2008 2:29 PM
> It would be nice to see the same for the secinfo with a default "local" setting.
I agree - that's a good default setting.
According to the feedback of some consultants, more than 99% of all (intended) connections are initiated from the ABAP server. So, (only) allowing "local" gateway connections (ABAP -> Gateway -> RFC server programs) by default, sounds like a good idea. In order to grant also external client calls, an ACL file (secinfo, reginfo) would (still) be required.
I'll discuss this proposal with the responsible development group (in 2009, after returning from vacation).
Merry Christmas and a Happy New Year 2009,
Wolfgang
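The "local"-only HOST/USER-HOST baseline Julius describes above and the secinfo/reginfo ACL Wolfgang mentions, as an added example that is not from this thread: a small Python evaluator run over constructed secinfo-style lines, showing why the local-only rule set admits the ABAP server's own host but rejects an external client. The matching model it uses (first matching line wins, no match means deny, "local" equals the gateway's own host name) is this example's simplifying assumption, not a statement of the kernel's exact behaviour.

```python
# Added example: minimal evaluator for a gateway secinfo-style ACL.
# Syntax follows the VERSION=2 layout (P/D lines with TP, USER, USER-HOST, HOST);
# the evaluation semantics below are assumptions made for illustration.
import fnmatch

# Constructed sample: the "local" baseline plus an explicit catch-all deny.
SECINFO_LOCAL_ONLY = """\
#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""

# Constructed sample of the weak setting: any user, any host, any program.
SECINFO_WIDE_OPEN = """\
#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""


def parse_secinfo(text):
    """Return a list of (permit, {key: pattern}) tuples; comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, *fields = line.split()
        patterns = dict(field.split("=", 1) for field in fields)
        rules.append((action.upper() == "P", patterns))
    return rules


def _host_matches(pattern, host, gateway_host):
    """Assumption: 'local' means the gateway's own host; '*' is a wildcard."""
    if pattern.lower() == "local":
        return host.lower() == gateway_host.lower()
    return fnmatch.fnmatchcase(host.lower(), pattern.lower())


def is_permitted(rules, tp, user, user_host, host, gateway_host):
    """First matching rule decides; no matching rule denies (assumed default)."""
    for permit, kv in rules:
        if (fnmatch.fnmatchcase(tp, kv.get("TP", "*"))
                and fnmatch.fnmatchcase(user, kv.get("USER", "*"))
                and _host_matches(kv.get("USER-HOST", "*"), user_host, gateway_host)
                and _host_matches(kv.get("HOST", "*"), host, gateway_host)):
            return permit
    return False
```

Running `is_permitted` for the same program request from the gateway host and from an outside workstation shows the local-only file permitting the first and denying the second, while the wide-open file permits both.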
12-18-2008 12:24 PM
Hi,
>You can download it by accessing the following link
Is this free software? I don't want to give personal information in order to download the software just to discover that I can't use it....
Regards,
Olivier
12-18-2008 12:49 PM
You don't need to give your real name, do you? Any name should do... as long as the e-mail address works. For these matters, it's sometimes convenient to set up a generic no-sense gmail account...
Trond
12-18-2008 2:02 PM
Hi Olivier,
I should have made it clear in the previous post: sapyto is an open-source SAP Penetration Testing Framework, designed to help security professionals detect and fix security vulnerabilities in SAP implementations, increasing the security level of the platform.
You can download it for free at the following link: http://www.cybsec.com/EN/research/sapyto.php.
While of course it's not mandatory to fill in your real information, you will need to provide a valid email address for the download link. Bear in mind that you can also specify if you want to be registered to stay updated with the outcome of new research on SAP security.
Cheers,
Mariano
12-19-2008 1:09 PM
Hi Mariano,
Thank you very much for this answer and for providing OpenSource software.
I have no problem providing my real information as I know I will not be called by some marketing guy.
I will download and try your tool!
Regards,
Olivier
04-23-2015 11:06 PM
Hi there.
I've been trying to download sapyto. I filled all fields including the captcha but the dialog said "Sorry, the code you entered was invalid. Go back to try again". I've tried several times without any result. How can I fill the captcha to get sapyto?
Regards,
Carlos Bermúdez
04-24-2015 10:11 PM
As far as I know the age-old instinct not to die was applied here -> the developers of the open source software realized that if you are good at something, then you should not do it for free.
You should also distinguish between free software and open source software projects / repositories.
As far as I know this is no longer open source software. But you might be able to download the free sources and maintain it for newer releases of SAP for yourself or create a real open source platform for the software.
I will lock this thread now as it is old and not available anymore.
Cheers,
Julius