Onapsis - Attacking & Securing SAP Applications: 2023 Edition (On Site)

May 23 & 24, 2023

Course Abstract

This highly practical course will teach attendees not only the fundamentals of how to pentest and secure SAP systems, but also the latest techniques and procedures.

Students will be guided through a variety of scenarios designed to walk them through all the phases involved in an SAP penetration test:

  • Landscape discovery
  • System mapping
  • Vulnerability assessment
  • System exploitation
  • Privilege escalation
  • Lateral movement
  • Forensics

Attendees will start from a black-box perspective and end up digging into the heart of the system, learning how to spot and leverage every misconfiguration or vulnerability. Common attack patterns and high-impact vulnerabilities such as CVE-2020-6286 (RECON) or CVE-2022-22536 (ICMAD) will be analyzed, along with brand new techniques to escalate privileges, establish persistence and move laterally across the landscape.

Throughout these phases, attendees will also switch hats and step into the defender's shoes, learning how to secure SAP systems and how to analyze compromised ones.

No previous SAP experience required.

Outline

This training will follow the format of a typical pentest. Attendees will first learn how to perform recon against SAP systems, in order to later execute several exploitation and post-exploitation techniques. During this journey, students will also review which measures should be taken in order to be protected against the aforementioned attacks. Finally, by the end of the course, a summary of data sources that can be used to perform forensic analysis tasks in order to detect compromise of systems will be presented. To accomplish all this, we will work with a laboratory of VMs hosting SAP systems and platforms, where each attendee will have the necessary tools to successfully complete all the hands-on exercises.

Day 1

  1. General introduction: Before starting with the actual content, we will set up the accounts and explain the architecture of the laboratory to attendees, as they will use it several times throughout the training.

  2. Introduction to SAP systems: This chapter will introduce the audience to the basic yet most important concepts of SAP: architecture, components and proprietary concepts. For those who already know SAP, this will be an intense refresher. For those who have never worked with SAP, or know just a bit, this will set the basis to fully understand the rest of the training.

  3. Discovery & System mapping: Beginning with the pentesting format, in this chapter we introduce attendees to different techniques aimed at performing reconnaissance against SAP systems.
     a. Discovering whether an SAP system is running on a particular host.
     b. How to identify components running behind open ports.
     c. Recognizing particular SAP products (SAP SolMan, SAP Gateway, SAP Message Server, SAP Start Service).
     d. Listing what tools are available to perform these actions.
     e. Understanding the attack surface.

  4. Attacking & Securing SAP: As the main chapter, this is where most of the time will be spent. Once attendees have learned how to discover the running components, it is time to learn how to attack and secure them. In this section we will go through the most important components and layers running inside an SAP system, and for each of them we will:
     a. Describe it (Why is it there? How is it used? How can someone communicate with it?, etc.).
     b. Present known attacks (vulnerabilities, misconfigurations, ways to exploit them). To mention a few, attendees will learn how to leverage vulnerabilities such as:
        i. RECON (CVE-2020-6286)
        ii. Solution Manager EEM (CVE-2020-6207)
        iii. Misconfigured SAP Gateways
        iv. Misconfigured SAP Start Service
        v. Java invoker servlet
        vi. Message server vulnerabilities (10KBLAZE)
     c. Recommended configurations (what to do to avoid being attacked).

Day 2

  1. Privilege Escalation: Gaining Further Access. At this point, attendees will know how to get access to the SAP system. This chapter focuses on techniques to perform either vertical or lateral movement. What can an attacker do once they have gained access?
     a. Abusing secure store files.
     b. Cracking hashed passwords.
     c. Leveraging misconfigured relationships among SAP systems.
     Additionally, for each of them, attendees will learn how to set the correct configurations to avoid this kind of abuse.

  2. Maintaining Access: Putting ourselves in the shoes of the attacker, once we have gained access we would like to leave the door open for whenever we want to come back. That is the focus of this section. Is it possible to leave hard-to-detect backdoors in SAP systems? Yes, it is!

  3. Forensics and Audit Review: Switching to the defender's shoes, are we able to detect all these attacks? How? This last unit focuses on reviewing the most interesting and valuable log files from the system. The following are just a few of the questions we will answer in this section:
     a. How to configure them?
     b. How to read them?
     c. What can we detect?

  4. Wrapping up & Conclusions: After four days full of content, it is time to make a quick review of our journey. Here we integrate all the knowledge learnt and discuss the techniques and potential combinations of them. Finally, we end with some conclusions.

Who Should Attend

  • Basic usage of the command line and Linux/Windows is expected.
  • Basic knowledge of Python is desirable, but not required.
  • During the training we are going to use a few classical offensive tools (Metasploit, John the Ripper) and techniques (port forwarding, reverse shells). Even though we will explain these basics, having these skills is an advantage.
  • NO PREVIOUS SAP KNOWLEDGE REQUIRED.

What You Need

The only necessary requirements are:

  • SSH client.
  • Permissions to install software on the OS.
  • Optional: SAPGui client.

Bio

Yvan Genuer, Security Researcher at Onapsis

Yvan Genuer is a Security Researcher at Onapsis. He has over 20 years of SAP experience. He has been delivering consultancy services around SAP security as well as researching vulnerabilities in SAP products, which has resulted in official SAP AG acknowledgements for several vulnerabilities he originally reported. Furthermore, he has also delivered both training and talks about this topic at conferences.

Ignacio D. Favro, Security Researcher at Onapsis

Ignacio Favro is a Security Researcher at Onapsis. He loves researching and exploring new technologies, and thinking about potential new vulnerabilities and exploitation vectors. Always with a curious spirit, Ignacio enjoys jumping between projects involving different programming languages, network protocols or research methodologies. Before joining Onapsis, he worked as a security consultant on activities such as pentesting; when he joined the company he began to specialize in SAP, as well as teaching the SAP security course.
