Assessing the security of SAP ecosystems with bizploit: Discovery
Onapsis Bizploit is well known as the first open source ERP Penetration Testing framework, based on the Sapyto project. It allows us to discover, explore and perform the vulnerability and exploitation phases of specialized ERP Penetration Tests. Currently, Bizploit is shipped with many plug-ins to assess the security of ERP Platforms.
Bizploit ships three kinds of plug-ins.
Discovery plug-ins gather information about the SAP infrastructure and can reveal additional components; for example, there are modules that find the Application Servers connected to the Central Instance of an SAP System.
Vulnassess plug-ins gather in-depth information about the whole SAP Platform and detect different kinds of vulnerabilities in the Application Servers.
Exploit plug-ins are proof-of-concept exploits for the vulnerabilities found by the Vulnassess modules; they exist to illustrate the risk and the impact those vulnerabilities imply.
Bizploit is mainly used by pen-testers and security administrators, but it is very intuitive and does not require specific knowledge of SAP Systems. This introduction is enough to understand the attacks we will perform in the next posts and their impact.
An important note: some Bizploit plug-ins issue RFC calls, so the RFCSDK must be installed on the host running Bizploit. This library is not free, but every SAP customer can download it from the SAP Service Marketplace. On Windows, installing SAP GUI (the SAP front-end client) also installs the RFC library Bizploit needs (librfc32.dll).
To begin the assessment we need only one thing: a target IP address. With our approach, that is the only information required to perform an SAP System Security Assessment. An SAP System can consist of a single Central Instance or also include dialog instances to improve scalability, each potentially on a different IP address. In our sample assessment we will be testing an SAP system running on Linux with an Oracle database. Let's get started!
We will first execute Bizploit (for this post we use it on Linux, but the same activities can be performed on Windows).
Typing "help" lists the commands available in the current context. Pressing 'tab' inside the Bizploit environment shows the commands we can run next and auto-completes them.
Now let's start with the port scan. Our sample SAP target address is 192.168.0.151:
The scan comes back with several open ports, so Bizploit has found something. These are SAP-specific ports, i.e. we have just found open and reachable services of the SAP System. The meaning of some of these services will be explained in upcoming posts.
The port mapping shows an open port labelled "Message Server", which means the target we are scanning is an SAP Central Instance. We can also see the Oracle Database port (the default for SAP on Oracle), so we are now almost certain that this SAP System runs on an Oracle Database. Keep in mind that an open port is a strong hint rather than proof: the service behind it is only confirmed once a connector actually talks to it.
For each discovered port/service whose protocol Bizploit supports, a matching Connector is instantiated. For example, on port 3300/tcp (33NN, where NN is the SAP instance number, so instance 00 here) we found the SAP Gateway service, which among other things executes RFC calls over the SAP RFC protocol. Bizploit automatically instantiated an SAPRFC connector for us.
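To make the port-map reasoning above concrete, here is a small SAP service discovery script. It is an added example written for this post, not Bizploit code: it builds the well-known SAP port table for a given instance number (32NN dispatcher, 33NN gateway, 36NN message server, and so on, as in the scan output above), probes each port with a TCP connect, names the service behind every open port, and derives the same two conclusions we drew by hand (an open message server means a Central Instance; an open Oracle listener means an Oracle database). The protocol labels in the third column (SAPDIAG, SAPMS, ORACLE, ...) are this example's own names for the kind of connector one would instantiate; only SAPRFC is a name the post itself uses. The `probe` parameter is injectable so the classification logic can be exercised offline against a constructed set of open ports.

```python
"""Minimal SAP service discovery by TCP port mapping (added example, not Bizploit code)."""
import socket
from typing import Callable, Dict, Iterable, List, Tuple

# Port templates relative to the two-digit SAP instance number NN (00-99).
# Instance 00 therefore listens on 3200, 3300, 3600, ... as seen in the post.
# Third column: this example's own connector/protocol label (assumption, not a Bizploit name,
# except SAPRFC which the post uses).
INSTANCE_PORT_TEMPLATES: Dict[str, Tuple[str, str]] = {
    "32NN": ("Dispatcher (DIAG)", "SAPDIAG"),
    "33NN": ("Gateway (RFC)", "SAPRFC"),
    "36NN": ("Message Server", "SAPMS"),
    "48NN": ("Gateway (SNC)", "SAPRFC"),
    "80NN": ("ICM HTTP", "HTTP"),
    "5NN13": ("sapstartsrv HTTP", "HTTP"),
    "5NN14": ("sapstartsrv HTTPS", "HTTPS"),
}

# Ports that do not depend on the instance number.
FIXED_PORTS: Dict[int, Tuple[str, str]] = {
    3299: ("SAProuter", "SAPROUTER"),
    1521: ("Oracle listener (Oracle default)", "ORACLE"),
    1527: ("Oracle listener (common SAP installation default)", "ORACLE"),
}


def expand_template(template: str, instance: int) -> int:
    """'33NN' with instance 0 -> 3300; '5NN13' with instance 1 -> 50113."""
    if not 0 <= instance <= 99:
        raise ValueError("SAP instance numbers are 00-99")
    return int(template.replace("NN", f"{instance:02d}"))


def sap_port_table(instance: int) -> Dict[int, Tuple[str, str]]:
    """All well-known ports for one instance number, plus the instance-independent ports."""
    table = {expand_template(t, instance): svc for t, svc in INSTANCE_PORT_TEMPLATES.items()}
    table.update(FIXED_PORTS)
    return table


def connect_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Plain TCP connect() check: True when the port accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover(host: str,
             instances: Iterable[int] = (0,),
             probe: Callable[[str, int], bool] = connect_probe) -> dict:
    """Probe the SAP port table for each instance number and interpret what is open."""
    services: List[Tuple[int, str, str]] = []
    seen = set()
    for inst in instances:
        for port, (name, proto) in sorted(sap_port_table(inst).items()):
            if port in seen:          # fixed ports repeat for every instance
                continue
            seen.add(port)
            if probe(host, port):
                services.append((port, name, proto))
    names = {name for _, name, _ in services}
    protos = {proto for _, _, proto in services}
    return {
        "host": host,
        "services": services,
        # The message server lives on the central instance, so an open 36NN port
        # tells us this host is not merely a dialog instance.
        "central_instance": "Message Server" in names,
        # An open Oracle listener port makes an Oracle database very likely
        # (a hint, not proof: confirm by actually talking to the service).
        "database": "Oracle" if "ORACLE" in protos else None,
        # In Bizploit's terms: one connector per protocol family found.
        "connectors": sorted(protos),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.151"  # the post's sample target
    result = discover(target, instances=range(0, 100))                # all instance numbers; slow but thorough
    for port, name, proto in result["services"]:
        print(f"{port:>5}/tcp  {name:<45} -> {proto} connector")
    print("central instance:", result["central_instance"], "| database:", result["database"])
```

Run it as `python sapdiscover.py 192.168.0.151`. Scanning all 100 instance numbers means roughly 700 connect attempts with a one-second timeout each, so against a quiet host it is worth narrowing `instances` to the numbers you expect (00 is by far the most common). As with Bizploit, an entry in the output says only that something accepts connections on an SAP-conventional port; the service is confirmed when the corresponding connector speaks its protocol to it.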
That is how simple it is to discover an SAP ecosystem with Bizploit. We are now ready to begin the Vulnerability Assessment; stay tuned for the upcoming posts!