
1/3/2018 New version of sapyto - SAP Penetration Testing Framework


New version of sapyto - SAP Penetration Testing Framework
Hello list,

I'm glad to let you know that a new version of sapyto, the SAP Penetration Testing Framework, is available.

You can download it by accessing the following link: http://www.cybsec.com/EN/research/sapyto.php

News in this version:



This version is mainly a complete re-design of sapyto's core and architecture to support future releases.
Some of the new features now available are:

- Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.

- Plugins are now divided into three categories:

  - Discovery: Try to discover new targets from the configured/already-discovered ones.

  - Audit: Perform some kind of vulnerability check over configured targets.

  - Exploit: Are used as proofs of concept for discovered vulnerabilities.

- Exploit plugins now generate shells and/or sapytoAgent objects.

- New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more...

- Plugin-developer interface drastically simplified and improved.

- New command switches to allow the configuration of targets/scripts/output independently.

- Installation process and general documentation improved.

- Many (many) bugs fixed. :P

Enjoy!

Cheers,

Mariano


Mariano Nuñez Di Croce (https://people.sap.com/mariano.nuezdicroce)


April 24, 2015 at 23:11 PM
1 Likes


11 replies

Julius von dem Bussche (https://people.sap.com/julius.vondembussche) replied

December 17, 2008 at 23:14 PM


Hi Mariano,

Thanks for the update.

We implemented secinfo restrictions 5 years ago, but used a rather complicated approach. We did some tests today (the "local" setting works okay so far) and will continue tomorrow.

We now use the HOST and USER-HOST set to "local" and let the application security deal with who-can-do-what and this works quite well; though we have encountered some external 3rd party server programs in some cases. It seems to be popular amongst the business folks and some of the products use the gateway monitor to communicate with the SAP system to find out when it has completed processing.

I think this is a design error, but they of course think otherwise

What was interesting to note was that we locked ourselves out of an unprotected system. We changed the gw/monitor from 2 to 1 in a test. This worked. But then the gwmon cannot be used to change it back to 2! So we tried RZ11, and experienced the same. So we changed it to 0 in a test, and then 1 was blocked as well. This appears to be implemented in the kernel, as even hobbling the application coding does not help. The parameter is only dynamic when decreasing the value and increasing the security.

We had to restart the whole system for the instance profile to take effect again. Rather noisy and a few developers could take an additional 10 minute coffee break as a result

We are testing this on 3 different releases with different config:

- 4.6C (46D)

- 6.40

- 7.00

The different config relates to:

- gw/sec_info

- gw/monitor

- auth/rfc_authority_check

Our intention behind this is to improve baseline security and harden some special systems further.

Cheers,

Julius

0 likes

Mariano Nuñez Di Croce (https://people.sap.com/mariano.nuezdicroce) replied

December 18, 2008 at 14:55 PM


Hello Julius,

Thanks for your response.

I'm glad you took care of secinfo a long time ago. It is a really critical issue.

Regarding the gw monitor, I started laughing when I read "I think this is a design error, but they of course think otherwise". I couldn't agree more. The availability of the gateway monitor to external users (gw/monitor=2) implies a security risk for the platform and should not be possible.

I have also had the problem of the dynamic modification of the gw/monitor parameter in the past. Actually, this behaviour is documented in the SAP Library: http://help.sap.com/saphelp_nw04/helpdata/EN/e0/fa07c9918c4062974b95b6fbb0c179/content.htm.

I guess at least developers liked you more

If you are using 7.00, you can also take a look at the
gw/reg_info profile, to provide a better protection for
Registered RFC Servers operation.

Cheers,

Mariano

0 likes

Julius von dem Bussche (https://people.sap.com/julius.vondembussche) replied

December 19, 2008 at 17:54 PM


> Regarding the gw monitor, I started laughing when I read "I
> think this is a design error, but they of course think otherwise".
> I couldn't agree more.

One thing which I am very happy about is that the default parameter is now rolled out of the "factory" with the value = 1 (local only setting). This is a great improvement, as you need to be proactively insecure and not just ignorantly insecure. I have noticed that SAP has done this to a number of security related parameters, which are then improved for new installations and some at upgrades. Hats off to SAP for that!

It would be nice to see the same for the secinfo with a default "local" setting.

Cheers, merry Christmas and may all your return codes be 107 in the new year when you try to change the param

Julius

0 likes

Mariano Nuñez Di Croce (https://people.sap.com/mariano.nuezdicroce) replied

December 19, 2008 at 20:13 PM


I also agree completely. By analyzing default configurations from 6.20 (and before) to 7.00 one can quickly notice that security settings (eg: gwmon, password policy parameters) are delivered with more secure levels, which make default installations safer. I think this is the right move and SAP is doing good work by going in this direction.

What I can also tell you, which many people don't know, is that they do a great job dealing with newly reported security vulnerabilities, managing them professionally and in short time frames.

Merry Christmas to you too and have a great 2009!

Cheers,

Mariano.

0 likes

Wolfgang Janzen (https://people.sap.com/wolfgang.janzen) replied December 22, 2008 at 15:30 PM

> It would be nice to see the same for the secinfo with a default "local" setting.

I agree - that's a good default setting.

According to the feedback of some consultants, more than 99% of all (intended) connections are initiated from the ABAP server. So, (only) allowing "local" gateway connections (ABAP -> Gateway -> RFC server programs) by default sounds like a good idea. In order to also grant external client calls, an ACL file (secinfo, reginfo) would (still) be required.

I'll discuss this proposal with the responsible development group (in 2009, after returning
from vacation).

Merry Christmas and a Happy New Year 2009,

Wolfgang

0 likes

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied December 18, 2008 at 13:24 PM
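Julius's "HOST and USER-HOST set to local" approach and Wolfgang's proposed "local" default both come down to how the gateway evaluates its secinfo ACL. The following is an added example, not code from the thread or from sapyto, that parses a secinfo file in the VERSION=2 line syntax and evaluates a start request against it, plus a small audit check for permit rules that accept any host. Assumptions, labelled in the code: the `P|D TP=... USER=... USER-HOST=... HOST=...` line format, first-match-wins evaluation, deny when no rule matches, "local" meaning the gateway's own host name, and the host names and program names in the sample file are constructed.

```python
"""Evaluate and audit an SAP gateway secinfo ACL (VERSION=2 syntax).

Added example, not code from the thread or from sapyto. Assumptions, labelled:
rule lines look like "P TP=<prog> USER=<user> USER-HOST=<host> HOST=<host>"
(P = permit, D = deny) under a "#VERSION=2" header; rules are tried top-down
and the first match decides; a request matching no rule is treated as denied;
"local" matches the gateway's own host name; a value may be "*", a
comma-separated list, or a prefix ending in "*".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOST_FIELDS = ("USER-HOST", "HOST")  # fields where the keyword "local" applies


@dataclass
class Rule:
    action: str                # "P" (permit) or "D" (deny)
    fields: Dict[str, str]     # patterns for TP, USER, USER-HOST, HOST


@dataclass
class Request:
    tp: str          # program the client asks the gateway to start
    user: str        # user on the client side
    user_host: str   # host of the client issuing the request
    host: str        # host on which the program would be started


def parse_secinfo(text: str) -> List[Rule]:
    """Parse secinfo text into rules; comments and the #VERSION line are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, *pairs = line.split()
        action = action.upper()
        if action not in ("P", "D"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        # Unspecified fields default to "*" (assumption).
        fields = {"TP": "*", "USER": "*", "USER-HOST": "*", "HOST": "*"}
        for pair in pairs:
            key, sep, value = pair.partition("=")
            key = key.upper()
            if not sep or key not in fields or not value:
                raise ValueError(f"malformed field {pair!r} in rule: {raw!r}")
            fields[key] = value
        rules.append(Rule(action, fields))
    return rules


def _match(pattern: str, value: str, gateway_host: str, is_host: bool) -> bool:
    """Match one field value against a pattern (wildcard, list, prefix, local)."""
    for alt in pattern.split(","):
        if alt == "*":
            return True
        if is_host and alt == "local":
            if value == gateway_host:
                return True
            continue
        if alt.endswith("*") and value.startswith(alt[:-1]):
            return True
        if alt == value:
            return True
    return False


def evaluate(rules: List[Rule], req: Request, gateway_host: str) -> Tuple[bool, Optional[int]]:
    """Return (permitted, index of the deciding rule); (False, None) if nothing matched."""
    values = {"TP": req.tp, "USER": req.user, "USER-HOST": req.user_host, "HOST": req.host}
    for idx, rule in enumerate(rules):
        if all(_match(rule.fields[k], values[k], gateway_host, k in HOST_FIELDS) for k in values):
            return rule.action == "P", idx
    return False, None


def find_broad_permits(rules: List[Rule]) -> List[int]:
    """Indexes of permit rules that accept any client host or any start host (audit finding)."""
    return [i for i, r in enumerate(rules)
            if r.action == "P" and any(r.fields[k] == "*" for k in HOST_FIELDS)]


# Constructed sample: the "local only" policy discussed in the thread, with an explicit
# final deny, beside a permissive file that an audit should flag.
LOCAL_ONLY_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=local HOST=local
D TP=* USER=* USER-HOST=* HOST=*
"""
WIDE_OPEN_SECINFO = """#VERSION=2
P TP=* USER=* USER-HOST=* HOST=*
"""

if __name__ == "__main__":
    gw = "sapgw01"  # constructed gateway host name
    rules = parse_secinfo(LOCAL_ONLY_SECINFO)
    print(evaluate(rules, Request("rfcexec", "sapadm", gw, gw), gw))          # (True, 0)
    print(evaluate(rules, Request("rfcexec", "sapadm", "laptop42", gw), gw))  # (False, 1)
    print(find_broad_permits(parse_secinfo(WIDE_OPEN_SECINFO)))               # [0]
```

The explicit trailing deny line in the sample is there so that the decision never depends on what the kernel does when no rule matches; `find_broad_permits` is the check an auditor would run over a real file before relying on a "local" policy.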

Hi,

>You can download it by accessing the following link

Is this free software? I don't want to give personal information in order to download the software just to discover that I can't use it....

Regards,

Olivier
likes

Trond Stroemme (https://people.sap.com/trond.stroemme) replied December 18, 2008 at 13:49 PM

You don't need to give your real name, do you? Any name should do... as long as the e-mail address works. For these matters, it's sometimes convenient to set up a generic no-sense gmail account...

Trond

0 likes

Mariano Nuñez Di Croce (https://people.sap.com/mariano.nuezdicroce) replied

December 18, 2008 at 15:02 PM


Hi Olivier,

I should have made it clear in the previous post: sapyto is an opensource SAP Penetration Testing Framework, designed to help security professionals detect and fix security vulnerabilities in SAP implementations, increasing the security level of the platform.

You can download it for free at the following link: http://www.cybsec.com/EN/research/sapyto.php.

While of course it's not mandatory to complete it with your real information, you will need to provide a valid email address for the download link. Bear in mind that you can also specify if you want to be registered to stay updated with the outcome of new research on SAP security.

Cheers,

Mariano

0 likes

Olivier CHRETIEN (https://people.sap.com/olivier.chretien) replied December 19, 2008 at 14:09 PM

Hi Mariano,

Thank you very much for this answer and for providing OpenSource software.

I have no problem providing my real information as I know I will not be called by some marketing guy.

I will download and try your tool !

Regards,

Olivier

0 likes

Carlos Bermudez (https://people.sap.com/cgbermudezp.genica) replied April 24, 2015 at 00:06 AM

Hi there.

I've been trying to download sapyto. I filled all fields including the captcha but the dialog said "Sorry, the code you entered was invalid. Go back to try again". I've tried several times without any result. How can I fill the captcha to get sapyto?

Regards,

Carlos Bermúdez

0 likes

Julius von dem Bussche (https://people.sap.com/julius.vondembussche) replied

April 24, 2015 at 23:11 PM


As far as I know the age old instinct not to die was applied here -> the developers of the open source software realized that if you are good at something, then you should not do it for free.

You should also distinguish between free software and open source software projects / repositories.

As far as I know this is no longer open source software. But you might be able to download the free sources and maintain it for newer releases of SAP for yourself or create a real open source platform for the software.

I will lock this thread now as it is old and not available anymore.

Cheers,

Julius

0 likes