I'm glad to let you know that a new version of sapyto, the SAP Penetration Testing Framework, is available.
This version is mainly a complete re-design of sapyto's core and architecture to support future releases.
Some of the new features now available are:
- Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the
- New plugins!: User account bruteforcing, client enumeration, SAProuter assessment, and more...
Enjoy!
Cheers,
Mariano
(https://people.sap.com/mariano.nuezdicroce)
11 replies
(https://people.sap.com/julius.vondembussche)
https://archive.sap.com/discussions/thread/1170521 2/9
1/3/2018 New version of sapyto - SAP Penetration Testing Framework
We now use the HOST and USER-HOST set to "local" and let
the application security deal with who-can-do-what and this
works quite well; though we have encountered some external
3rd party server programs in some cases. It seems to be
popular amongst the business folks and some of the products
use the gateway monitor to communicate with the SAP system
to find out when it has completed processing.
- 4.6C (46D)
- 6.40
- 7.00
- gw/sec_info
- gw/monitor
- auth/rfc_authority_check
Cheers,
Julius
(https://people.sap.com/mariano.nuezdicroce)
I'm glad you took care of secinfo a long time ago. It is a really
critical issue.
If you are using 7.00, you can also take a look at the
gw/reg_info profile, to provide a better protection for
Registered RFC Servers operation.
Cheers,
Mariano
(https://people.sap.com/julius.vondembussche)
It would be nice to see the same for the secinfo with a default
"local" setting.
107 in the new year when you try to change the param
Julius
(https://people.sap.com/mariano.nuezdicroce)
What I can also tell you, that many people don't know, is that
they do a great work dealing with newly reported security
vulnerabilities, managing them professionally and in short time
frames.
Cheers,
Mariano.
(https://people.sap.com/wolfgang.janzen)
>
> It would be nice to see the same for the secinfo with a default "local" setting.
According to the feedback of some consultants, more than 99% of all (intended) connections
are initiated from the ABAP server. So, (only) allowing "local" gateway connections (ABAP
-> Gateway -> RFC server programs) by default, sounds like a good idea. In order to grant
also external client calls, an ACL file (secinfo, reginfo) would (still) be required.
I'll discuss this proposal with the responsible development group (in 2009, after returning
from vacation).
Wolfgang
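The "local by default" idea discussed above can be checked against an existing gateway ACL. This is an added example, not code from the thread, from sapyto or from SAP: it audits secinfo permit rules and reports any that allow more than `local`. It assumes the `P|D TP=... USER=... USER-HOST=... HOST=...` line layout with a `#VERSION=2` header; the sample entries, the host name and the function names are constructed for illustration.

```python
# Added example: audit gateway secinfo ACL lines for entries broader than "local".
# SAMPLE_SECINFO is constructed for illustration, not taken from a real system.
SAMPLE_SECINFO = """\
#VERSION=2
# constructed sample entries
P TP=* USER=* USER-HOST=local HOST=local
P TP=* USER=* USER-HOST=* HOST=*
P TP=monitor_tool USER=batch USER-HOST=local HOST=partner01.example.com
D TP=* USER=* USER-HOST=* HOST=*
"""

TRUSTED = {"local"}                # the keyword the thread proposes as default
HOST_KEYS = ("HOST", "USER-HOST")  # where the program runs / where the caller sits


def parse_rule(line):
    """Split 'P TP=x USER=y HOST=z ...' into (action, {key: value})."""
    action, *pairs = line.split()
    fields = {}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed field {pair!r}")
        fields[key.upper()] = value
    return action.upper(), fields


def audit_secinfo(text):
    """Return (line_no, severity, message) for permit rules that are not local-only."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # header, comments and blank lines carry no rule
        action, fields = parse_rule(line)
        if action != "P":
            continue  # deny rules cannot widen access
        for key in HOST_KEYS:
            # Assumption: an omitted field is treated as unrestricted (conservative).
            value = fields.get(key, "*")
            if value == "*":
                findings.append((no, "HIGH", f"{key}=* permits any host"))
            elif value.lower() not in TRUSTED:
                findings.append((no, "REVIEW", f"{key}={value} permits an external host"))
    return findings


if __name__ == "__main__":
    for no, sev, msg in audit_secinfo(SAMPLE_SECINFO):
        print(f"line {no}: [{sev}] {msg}")
```
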
(https://people.sap.com/olivier.chretien)
Hi,
Is this free software? I don't want to give personal information in order to download the
software just to discover that I can't use it....
Regards,
Olivier
(https://people.sap.com/trond.stroemme)
You don't need to give your real name, do you? Any name should do... as long as the e-mail
address works. For these matters, it's sometimes convenient to set up a generic nonsense
gmail account...
Trond
(https://people.sap.com/mariano.nuezdicroce)
Cheers,
Mariano
(https://people.sap.com/olivier.chretien)
Hi Mariano,
Thank you very much for this answer and for providing OpenSource software.
I have no problem providing my real information as I know I will not be called by some
marketing guy.
Regards,
Olivier
(https://people.sap.com/cgbermudezp.genica)
Hi there.
I've been trying to download sapyto. I filled all fields including the captcha but the dialog
said "Sorry, the code you entered was invalid. Go back to try again". I've tried several times without any
result. How can I fill the captcha to get sapyto?
Regards,
Carlos Bermúdez
(https://people.sap.com/julius.vondembussche)
I will lock this thread now as it is old and not available anymore.
Cheers,
Julius