Application Development Discussions

New version of sapyto - SAP Penetration Testing Framework


Hello list,

I'm glad to let you know that a new version of sapyto, the SAP Penetration Testing Framework, is available.

You can download it by accessing the following link: http://www.cybsec.com/EN/research/sapyto.php

News in this version:

This version is mainly a complete re-design of sapyto's core and architecture to support future releases. Some of the new features now available are:

. Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.

. Plugins are now divided into three categories:

. Discovery: Try to discover new targets from the configured/already-discovered ones.

. Audit: Perform some kind of vulnerability check over configured targets.

. Exploit: Used as proofs of concept for discovered vulnerabilities.

. Exploit plugins now generate shells and/or sapytoAgent objects.

. New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more...

. Plugin-developer interface drastically simplified and improved.

. New command switches to allow the configuration of targets/scripts/output independently.

. Installation process and general documentation improved.

. Many (many) bugs fixed. 😛

Enjoy!

Cheers,

Mariano



Hi Mariano,

Thanks for the update.

We implemented secinfo restrictions 5 years ago, but used a rather complicated approach. We did some tests today (the "local" setting works okay so far) and will continue tomorrow.

We now use the HOST and USER-HOST set to "local" and let the application security deal with who-can-do-what, and this works quite well; though we have encountered some external 3rd party server programs in some cases. It seems to be popular amongst the business folks, and some of the products use the gateway monitor to communicate with the SAP system to find out when it has completed processing.

I think this is a design error, but they of course think otherwise.

What was interesting to note was that we locked ourselves out of an unprotected system. We changed the gw/monitor from 2 to 1 in a test. This worked. But then the gwmon cannot be used to change it back to 2! So we tried RZ11, and experienced the same. So we changed it to 0 in a test, and then 1 was blocked as well. This appears to be implemented in the kernel, as even hobbling the application coding does not help. The parameter is only dynamic when decreasing the value and increasing the security.

We had to restart the whole system for the instance profile to take effect again. Rather noisy, and a few developers could take an additional 10 minute coffee break as a result.

We are testing this on 3 different releases with different config:

- 4.6C (46D)

- 6.40

- 7.00

The different config relates to:

- gw/sec_info

- gw/monitor

- auth/rfc_authority_check

Our intention behind this is to improve baseline security and harden some special systems further.

Cheers,

Julius
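The "local"-only secinfo setting Julius describes, as an added example that is not part of this thread and not sapyto or SAP code: a small Python evaluator for a gateway secinfo ACL in the VERSION=2 line syntax (P/D action followed by TP, USER, HOST and USER-HOST keywords), with a constructed wildcard file beside a constructed hardened one. Assumptions: rules are read top to bottom and the first match wins, a request matching no rule is denied, "local" matches only the host the gateway itself runs on, "*" matches anything, and other values match case-insensitively with shell-style wildcards. The older comma-separated secinfo format used on 4.6C kernels is not parsed here, and the host names, user names and program names are constructed.

```python
"""Evaluate a gateway secinfo ACL (VERSION=2 syntax) against start requests.

Added example; not sapyto code and not SAP's gateway implementation.
Assumptions: first matching rule wins, no match means deny, 'local' matches
only the gateway's own host, '*' matches anything, other values are matched
case-insensitively with shell-style wildcards. All sample data is constructed.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

GATEWAY_HOST = "sapapp01"  # constructed: host the gateway instance runs on

# Constructed: any host may start any program for any user (the exposure the
# thread warns about; equivalent to running with no secinfo restrictions).
WEAK_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=* USER-HOST=*
"""

# Constructed: only starts initiated on the gateway host itself, plus one
# named program from one named monitoring host; the last rule denies the rest.
HARDENED_SECINFO = """\
#VERSION=2
P TP=* USER=* HOST=local USER-HOST=local
P TP=rfcexec USER=* HOST=sapapp01 USER-HOST=sapmon01
D TP=* USER=* HOST=* USER-HOST=*
"""

KEYS = ("TP", "USER", "HOST", "USER-HOST")


@dataclass
class Rule:
    permit: bool
    fields: dict      # keyword -> pattern; a keyword absent from the line is '*'
    line_no: int


def parse_secinfo(text):
    """Parse VERSION=2 lines into Rule objects; lines starting with '#' are comments."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {line_no}: unknown action {action!r}")
        fields = {key: "*" for key in KEYS}
        for pair in pairs:
            key, _, value = pair.partition("=")
            if key not in KEYS or not value:
                raise ValueError(f"line {line_no}: bad token {pair!r}")
            fields[key] = value
        rules.append(Rule(action == "P", fields, line_no))
    return rules


def _matches(pattern, value, gateway_host):
    if pattern == "*":
        return True
    if pattern == "local":  # assumption: 'local' is the gateway's own host only
        return value.lower() == gateway_host.lower()
    return fnmatchcase(value.lower(), pattern.lower())


def check(secinfo_text, tp, user, host, user_host, gateway_host=GATEWAY_HOST):
    """Return (permitted, line_no) for a start request; line_no is None if no rule matched."""
    request = {"TP": tp, "USER": user, "HOST": host, "USER-HOST": user_host}
    for rule in parse_secinfo(secinfo_text):
        if all(_matches(rule.fields[k], request[k], gateway_host) for k in KEYS):
            return rule.permit, rule.line_no
    return False, None  # assumption: a request matching no rule is denied


def audit(secinfo_text):
    """Flag permit rules that let any host start, or request the start of, a program."""
    findings = []
    for rule in parse_secinfo(secinfo_text):
        if not rule.permit:
            continue
        for key in ("HOST", "USER-HOST"):
            if rule.fields[key] == "*":
                findings.append(f"line {rule.line_no}: permit rule with {key}=*")
    return findings


if __name__ == "__main__":
    # A remote host asks the gateway to start rfcexec on an arbitrary host.
    print(check(WEAK_SECINFO, "rfcexec", "ANY", "evil.example", "evil.example"))
    print(check(HARDENED_SECINFO, "rfcexec", "ANY", "evil.example", "evil.example"))
    for finding in audit(WEAK_SECINFO):
        print(finding)
```

The audit function is the piece a practitioner would run over a live secinfo file: a permit rule with HOST=* or USER-HOST=* is what turns the gateway into a remote program launcher, and the trailing explicit D rule makes the intended default visible rather than relying on implicit behaviour that differs between kernel releases.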


Hello Julius,

Thanks for your response.

I'm glad you took care of secinfo a long time ago. It is a really critical issue.

Regarding the gw monitor, I started laughing when I read "I think this is a design error, but they of course think otherwise". I couldn't agree more. The availability of the gateway monitor to external users (gw/monitor=2) implies a security risk for the platform and should not be possible.

I have also had the problem of the dynamic modification of the gw/monitor parameter in the past. Actually, this behaviour is documented in the SAP Library: http://help.sap.com/saphelp_nw04/helpdata/EN/e0/fa07c9918c4062974b95b6fbb0c179/content.htm.

I guess at least developers liked you more.

If you are using 7.00, you can also take a look at the gw/reg_info profile, to provide better protection for Registered RFC Servers operation.

Cheers,

Mariano


> Regarding the gw monitor, I started laughing when I read "I think this is a design error, but they of course think otherwise". I couldn't agree more.

One thing which I am very happy about is that the default parameter is now rolled out of the "factory" with the value = 1 (local only setting). This is a great improvement, as you need to be proactively insecure and not just ignorantly insecure. I have noticed that SAP has done this to a number of security related parameters, which are then improved for new installations and some at upgrades. Hats off to SAP for that!

It would be nice to see the same for the secinfo with a default "local" setting.

Cheers, Merry Christmas, and may all your return codes be 107 in the new year when you try to change the param.

Julius


I also agree completely. By analyzing default configurations from 6.20 (and before) to 7.00 one can quickly notice that security settings (eg: gwmon, password policy parameters) are delivered with more secure levels, which make default installations safer. I think this is the right move and SAP is doing good work by going down this road.

What I can also tell you, which many people don't know, is that they do a great job dealing with newly reported security vulnerabilities, managing them professionally and in short time frames.

Merry Christmas to you too and have a great 2009!

Cheers,

Mariano.

WolfgangJanzen
Product and Topic Expert

> It would be nice to see the same for the secinfo with a default "local" setting.

I agree - that's a good default setting.

According to the feedback of some consultants, more than 99% of all (intended) connections are initiated from the ABAP server. So, (only) allowing "local" gateway connections (ABAP -> Gateway -> RFC server programs) by default sounds like a good idea. In order to also grant external client calls, an ACL file (secinfo, reginfo) would (still) be required.

I'll discuss this proposal with the responsible development group (in 2009, after returning from vacation).

Merry Christmas and a Happy New Year 2009,

Wolfgang


Hi,

> You can download it by accessing the following link

Is this free software? I don't want to give personal information in order to download the software just to discover that I can't use it....

Regards,

Olivier

You don't need to give your real name, do you? Any name should do... as long as the e-mail address works. For these matters, it's sometimes convenient to set up a generic nonsense Gmail account...

Trond


Hi Olivier,

I should have made it clear in the previous post: sapyto is an open-source SAP Penetration Testing Framework, designed to help security professionals detect and fix security vulnerabilities in SAP implementations, increasing the security level of the platform.

You can download it for free at the following link: http://www.cybsec.com/EN/research/sapyto.php.

While it's of course not mandatory to complete it with your real information, you will need to provide a valid email address for the download link. Bear in mind that you can also specify if you want to be registered to stay updated with the outcome of new research on SAP security.

Cheers,

Mariano


Hi Mariano,

Thank you very much for this answer and for providing OpenSource software.

I have no problem providing my real information, as I know I will not be called by some marketing guy.

I will download and try your tool !

Regards,

Olivier


Hi there.

I've been trying to download sapyto. I filled all fields including the captcha, but the dialog said "Sorry, the code you entered was invalid. Go back to try again". I've tried several times without any result. How can I fill the captcha to get sapyto?

Regards,

Carlos Bermúdez

As far as I know the age-old instinct not to die was applied here -> the developers of the open source software realized that if you are good at something, then you should not do it for free.

You should also distinguish between free software and open source software projects / repositories.

As far as I know this is no longer open source software. But you might be able to download the free sources and maintain it for newer releases of SAP for yourself or create a real open source platform for the software.

I will lock this thread now as it is old and not available anymore.

Cheers,

Julius