Penetration Testing
mailing list archives
RE: Pen-Testing SAP
From: Renaud Bidou <rbidou () denyall com>
Date: Tue, 6 Jan 2009 08:51:50 +0100
Has anybody already tested SAPyto ?
http://www.cybsec.com/EN/research/sapyto.php
Renaud Bidou
R&D Manager
Deny All
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Mike Duncan
Sent: Monday, January 5, 2009 15:02
To: Andrew Johns
Cc: 'mahendra_yn () yahoo com'; 'pen-test () securityfocus com'
Subject: Re: Pen-Testing SAP
Additionally, for SAP, I have found in the past a lot of
authentication/authorization issues with RFCs. These can allow someone
to execute function calls or BAPIs within SAP without proper controls.
You should look to the SAP RFC library for more information.
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
Andrew Johns wrote:
From experience it pays to examine the db config well - it used to be the case that e.g. JD Edwards installed Oracle silently during the install with a known password - ChangeOnInstall - for the sysdba a/c. Thereby leaving the db wide open to abuse...
All too many sites do not have the qualified Oracle DBAs and so the password is never/rarely changed. YMMV
--------------------------
Sent using BlackBerry
----- Original Message -----
From: listbounce () securityfocus com <listbounce () securityfocus com>
To: pen-test () securityfocus com <pen-test () securityfocus com>
Sent: Wed Dec 31 18:09:17 2008
Subject: Pen-Testing SAP
Hi,
Lemme wish the members of this list a "Happy New Year" for 2009.
I was wondering about the security of packaged solutions like SAP, Siebel & PeopleSoft with regards to pentesting them.
Are there any specific tests for these packages, apart from the generic set of pentests which we do on the normal web applications?
Please let me know if there is any information in line to the above request.
Cheers
Mahendra.