Attack & Secure SAP: 2022 Edition (On-site Training)

This highly practical course will teach attendees not only the fundamentals of how to pentest and secure SAP systems, but also the latest techniques and procedures.

Students will be guided through a variety of scenarios designed to walk them through all the phases involved in an SAP penetration testing or forensic project:

Landscape discovery, system mapping, vulnerability assessment, system exploitation, privilege escalation, lateral movement, and forensics.

Attendees will start from a black-box perspective and end up digging into the heart of the system, learning how to spot and leverage every misconfiguration or vulnerability. Common attack patterns and high-impact vulnerabilities, such as CVE-2020-6286 (RECON), will be analyzed, along with brand new techniques to escalate privileges, establish persistence and move laterally across the landscape.

Throughout these phases, attendees will also switch hats and put on their defenders’ shoes, learning how to secure and how to analyze compromised SAP systems.

No previous SAP experience required.

During this training, attendees will be guided through a complete approach to both the offensive and defensive sides of SAP systems.

Students will learn technical concepts that work as building blocks: the components of an SAP landscape, architecture, protocols, communications and others. These core concepts will provide students with the necessary tools to properly understand the complex attack scenarios that will be presented during the rest of the course.

During the second part of the first day and a big part of the second one, students will go through all the different phases of a pentest targeting SAP systems, applying techniques, procedures and knowledge developed by the Onapsis Research Labs.

Attendees will start by learning how to perform SAP systems discovery and mapping (reconnaissance) using common industry techniques as well as SAP-specific trickery. Later, they will learn how to find and leverage different vulnerabilities and security misconfigurations to gain access to the affected SAP systems. To do this, students will be given a dose of technical information about how each component works and details about the protocols they speak. Once access is gained, they will perform post-exploitation activities to further extend the initial compromise.

For each step of the aforementioned journey, students will also play the defender’s role, learning how to protect against these attacks. In this part we will focus especially on the necessary configurations and tweaks that should be performed.

The end of the last day is dedicated to SAP forensics. Students will receive different sources of information that can be queried in order to detect attacks, along with the tools they have available in the systems to aid the forensics process.

Because we believe the best way to learn is by doing things hands-on, we prepared a big laboratory with several SAP systems and environments (with all the necessary tools) where users will log in to solve a series of exercises.

More than 15 challenges were specially designed to mimic a CTF game while keeping them as realistic as possible. Attendees will need to find flags and submit them to gain points. The complexity increases in small steps, giving students the chance to get used to the overall idea and to have fun while learning, progressing to highly technical and demanding challenges towards the core chapters.

In order to solve these challenges, students will make use of several open-source / free tools, including Metasploit, Pysap, custom Python scripts, John the Ripper and Hydra, among others.

About the Speakers