Perfect SAP Penetration Testing: Threat Modeling
A penetration test is the practice of attacking an IT infrastructure to evaluate its security and determine whether malicious actions are possible. Although it's a typical task, the nature and methodology of a penetration test is largely dependent on the scope, aims, specifics of a client company, and many other factors.
Once, ERPScan team was conducting a penetration test in a large manufacturing organization. The task was not so ordinary and easy because the number of systems in the scope was huge and little time was allotted. That's why it was necessary to perform Threat Modelling before diving into the process of hacking. Here we decided to describe this case study in detail. This series of articles is intended to explain what SAP Penetration testing is.
What should you learn next?
The first step of every successful penetration testing is Threat Modelling. At this stage, a cybersecurity professional gets an understanding of business processes of a typical manufacturing company, identifies the most critical assets and associated risks. The gathered information helps a penetration tester to decide what to focus on. Before reading this article, I also recommend learning what SAP Security is.
Analyzing Risks for manufacturing industry
Manufacturing companies are an attractive target for different kind of cyber attackers (state-sponsored hackers, hacktivists, terrorists, malicious insiders). Such companies are responsible for a great part of some countries' economy. Any interference in their work can stop processes and, as a result, deprive company and country of revenue. Just to give you an insight, in 2015, the United States exported approximately 2.6 million vehicles valued at $65 billion.
The manufacturing industry is on the radar of cyber criminals indeed. For example, the cyberattack against a steel mill in Germany [1] hit the headlines in 2015, as it has caused confirmed physical damage.
In case of cyberattack, a manufacturing company may face the following consequences:
- Plant Sabotage/Shutdown
- Equipment damage
- Production Disruption (Stop or pause production)
- Product Quality (Quality degradation)
- Compliance violation (Such as pollution)
- Safety violation (Death or injury)
When we know what are the most important risks for manufacturing industry, the next step is to get to know whether it is possible to cause these risks by accessing SAP systems and that exactly an attacker should exploit to cause them.
SAP systems are widely used in the Manufacturing industry, and there are even specific SAP modules for Manufacturing. Cyberattacks on SAP systems (regardless of the industry) can be critical itself, as they can lead to espionage, sabotage or fraud. However, they are even more lethal for the Manufacturing because of trust connections in SAP systems that are responsible for asset management and technology networks (e.g. plant floor).
Identifying the most important assets in SAP landscape
A typical manufacturing company's infrastructure consists of multiple business applications and industry-specific modules. Primarily, it's ERP, but there are also others. Here is an incomplete list of the applications which are most frequently can be found in typical manufacturing company:
- Enterprise Resource Planning (ERP)
- Manufacturing Execution system (MES)
- Asset Lifecycle Management (ALM)
- Manufacturing Integration (xMII)
- Other standard systems: HR, CRM, PLM, SRM, BI/BW, SCM
Some of those systems such as xMII or ALM can be connected with Industrial Control Systems or plant floor, so a single vulnerability there may pose the risk for the entire company.
Uncovering SAP Platforms for the most critical assets
SAP systems can be based on different platforms. Basically, it's ABAP, JAVA, and HANA.
The main SAP platform is SAP NetWeaver, the enabling foundation for SAP and non-SAP applications. The first version of SAP NetWeaver saw the release in 2004. After that, SAP has introduced several new versions of the platform and new modules to extend functionality. As of today, the latest version is SAP NetWeaver 7.5 (the first release in October 2015).
One of the main parts of SAP NetWeaver is SAP NetWeaver Application Server (AS). SAP NetWeaver AS includes the application server ABAP and JAVA. As its name implies, the main programming language for SAP NetWeaver AS ABAP platform is ABAP and for SAP NetWeaver AS JAVA is JAVA programming language.
Returning to our case, the most critical application which is linked to the production network is SAP xMII (SAP xApp Manufacturing Integration and Intelligence). It is based on the JAVA platform.
SAP xMII is often used in industrial enterprises to manage and automate the processes. This module extends the functionality of SAP NetWeaver AS JAVA to use it in production. SAP xMII provides a direct connection between shop-floor systems and business operations. It ensures that all data related to manufacturing is visible in real time. SAP customers can also link their enterprise processes and master data to manufacturing processes to run their business based on a single version.
Vulnerabilities in SAP xMII are particularly hazardous because this solution is a kind of a bridge between ERP (Enterprise Resource Planning), other enterprise applications and plant floor as well as OT (Operational Technology) devices. Any vulnerability affecting SAP xMII can be used as a starting point of a multi-stage attack aiming to get control over plant devices and manufacturing systems.
A brief look at public sources indicates that there are a couple of notable vulnerabilities in the SAP xMII component (e.g. Reflected XSS vulnerability [2] and directory traversal vulnerability [3].
Sounds great, now we know what the risks are, which systems are the most important and what platform we need to analyze regarding security first of all.
The final preparation step is to find out the most important vulnerabilities in this platform, how common are them, and what versions are the most widespread. All these factors influence on chances of successfully performing a penetration test. Such analysis will show us if we need to add additional resources to the team such as researchers who will look for 0-day vulnerabilities in the platforms in case if information about those SAP systems is not available (this situation is rather common when we deal with SAP Pentesting).
How vulnerable are these platforms?
According to information from our latest SAP Cybersecurity in figures report, 3662 vulnerabilities in different SAP products were fixed in total (as for mid-2016). 548 of them affect JAVA stack and 2585 ABAP.
We have scanned the entire range of IP addresses on the Internet and revealed that an overwhelming number of SAP servers available on the Internet have version 7.3 (7.3 - 626, 7.3 EHP 1 - 851) and 7.4. So, it means that we will likely meet these versions while conducting penetration testing. These versions are more secure; there are not any old security issues of the 7.2 version. Thus, we will need to find 0-day vulnerabilities. Well, the task isn't simple anymore.
Since we are almost sure that we will need to find some new vulnerabilities, let's look at the most common types of issues patched in SAP Netweaver JAVA platform. This information, as well as other interesting details, are available in our latest SAP Cybersecurity Threat Report
From the graph above you can see that the most common vulnerability type is XSS, but we rarely exploit them during pentests as it is lame. Most probably, we will need to find information disclosure or configuration issue to break into the system.
Theoretically, such large number of the vulnerabilities in JAVA platform allows considering that conducting a penetration test is not a difficult task. In most cases, it is so; usually, it doesn't take a lot of time to break an SAP system as companies don't even implement patches for 3-years old vulnerabilities. But not this time, otherwise there would be no use to write this article. During our pentest, we faced some difficulties and uncommon tasks. So, if you want to learn more about SAP Penetration testing and its features, we strongly recommend that you read this series.
What should you learn next?
To see all new articles of the series, subscribe to our news or follow us on Twitter, Facebook, and LinkedIn.
Links
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Perfect SAP Penetration Testing: Threat Modeling
- Intelligence-led pentesting and the evolution of Red Team operations
- Red Teaming: Taking advantage of Certify to attack AD networks
- How ethical hacking and pentesting is changing in 2022
- Ransomware penetration testing: Verifying your ransomware readiness
- Red Teaming: Main tools for wireless penetration tests
- Fundamentals of IoT firmware reverse engineering
- Red Teaming: Top tools and gadgets for physical assessments
- Red teaming: Initial access and foothold
- Top tools for red teaming
- What is penetration testing, anyway?
- Red Teaming: Persistence Techniques
- Red Teaming: Credential dumping techniques
- Top 6 bug bounty programs for cybersecurity professionals
- Tunneling and port forwarding tools used during red teaming assessments
- SigintOS: Signal Intelligence via a single graphical interface
- Top tools for mobile android assessments
- Top tools for mobile iOS assessments
- Red Team: C2 frameworks for pentesting
- Inside 1,602 pentests: Common vulnerabilities, findings and fixes
- Red teaming tutorial: Active directory pentesting approach and tools
- Red Team tutorial: A walkthrough on memory injection techniques
- Python for active defense: Monitoring
- Python for active defense: Network
- Python for active defense: Decoys
- How to write a port scanner in Python in 5 minutes: Example and walkthrough
- Using Python for MITRE ATT&CK and data encrypted for impact
- Explore Python for MITRE ATT&CK exfiltration and non-application layer protocol
- Explore Python for MITRE ATT&CK command-and-control
- Explore Python for MITRE ATT&CK email collection and clipboard data
- Explore Python for MITRE ATT&CK lateral movement and remote services
- Explore Python for MITRE ATT&CK account and directory discovery
- Explore Python for MITRE ATT&CK credential access and network sniffing
- Top 10 security tools for bug bounty hunters
- Kali Linux: Top 5 tools for password attacks
- Kali Linux: Top 5 tools for post exploitation
- Kali Linux: Top 5 tools for database security assessments
- Kali Linux: Top 5 tools for information gathering
- Kali Linux: Top 5 tools for sniffing and spoofing
- Kali Linux: Top 8 tools for wireless attacks
- Kali Linux: Top 5 tools for penetration testing reporting
- Kali Linux overview: 14 uses for digital forensics and pentesting
- Top 19 Kali Linux tools for vulnerability assessments
- Explore Python for MITRE ATT&CK persistence
- Explore Python for MITRE ATT&CK defense evasion
- Explore Python for MITRE ATT&CK privilege escalation
- Explore Python for MITRE ATT&CK initial access
- Top 18 tools for vulnerability exploitation in Kali Linux
- Explore Python for MITRE PRE-ATT&CK, network scanning and Scapy
- Kali Linux: Top 5 tools for social engineering
- Basic snort rules syntax and usage [updated 2021]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Penetration testing
Intelligence-led pentesting and the evolution of Red Team operations
Penetration testing
Red Teaming: Taking advantage of Certify to attack AD networks
Penetration testing
Penetration testing
Ransomware penetration testing: Verifying your ransomware readiness