Pentesting SAP Applications

This highly practical course will teach attendees not only the fundamentals of how to pentest SAP systems, but also the latest techniques and procedures.

Students will be guided through a variety of scenarios designed to walk them through all the phases involved in an SAP penetration test:

  • Landscape discovery
  • System mapping
  • Vulnerability assessment
  • System exploitation
  • Privilege escalation
  • Lateral movement

Attendees will start from a black-box perspective and end up digging into the heart of the system, learning how to spot and leverage the most common misconfigurations and vulnerabilities. Common attack patterns and high-impact vulnerabilities such as CVE-2020-6286 (RECON) or CVE-2022-22536 (ICMAD) will be analyzed, along with brand new techniques to escalate privileges, establish persistence and move laterally across the landscape.

No previous SAP experience required.

During this training, attendees will be guided through a complete offensive approach for SAP systems.

At the beginning, students will learn the basics of SAP systems: which components are running, how the SAP architecture is structured, how these components communicate with each other, etc. Once everyone has this basic knowledge, the fun begins.

During the second part of the first day and a big part of the second, students will go through all the different phases of a pentest targeting SAP systems, applying techniques, procedures and knowledge developed by the Onapsis Research Labs.

They will start by learning how to perform SAP systems discovery and mapping (reconnaissance) using common industry techniques as well as SAP-specific trickery. Later, they will learn how to find and leverage different vulnerabilities and security misconfigurations to gain access to the affected SAP systems. To do so, students will be injected with a dose of technical information about how each component works and details about the protocol it speaks. Once access is gained, they will perform post-exploitation activities to further extend their initial compromise.

Because we believe the best way to learn is by doing things hands-on, we prepared a big laboratory with several SAP systems and environments (with all the necessary tools) where users will log in to solve a series of exercises.

More than 15 challenges were specially designed to mimic a CTF game while keeping them as realistic as possible. Attendees will need to find flags and submit them to gain points. The complexity increases in small steps, giving students the chance to get used to the overall idea and to have fun while learning, progressing to highly technical and demanding challenges towards the core chapters.

To solve these challenges, students will make use of several open-source / free tools such as Metasploit, Pysap, custom Python scripts, John the Ripper, and more.

About the Speaker