Attacking SAP Users Using Sapsploit Extended, presented at HITBSecConf Malaysia 2010

by Alexander Mikhailovich Polyakov (Digital Security)

Tags: Security Business

URL : http://conference.hackinthebox.org/hitbsecconf2010kul/?page_id=992

Summary: SAP security is becoming a popular topic, and client-side security of ERP systems is not well described on the Internet, so methodology and tools for assessing SAP frontend security must be known to the security community.

In this talk we will show how to attack SAP clients and get access to the internal resources of a company and then to the SAP environment, with examples from real pentests. Then we will focus on client-side vulnerabilities and show all current methods and new attacks on the different client applications and protocols that are used in SAP environments, showing some new applications not mentioned in the first talk. Then we will show sapsploit and saptrojan, which can do many of the described things automatically, and show how one can break into the corporate network and steal corporate data using these tools. At the end of the talk we will present a new web service (with interesting details of how it works) which will help users assess the level of their SAP frontend security without exploiting them, and publish some statistics.