SAP Penetration Test

Service Overview ⫘

The objective of SAP Penetration Test is to demonstrate if and/or how SAP systems, or the data residing on them, can be compromised. Testing includes the discovery of services on the target SAP systems, as well as exploitation of vulnerable services and configuration weaknesses. In the event of compromise, privilege escalation and lateral movement attempts throughout the SAP landscape will also be made. The goal is to identify any attack vectors that may lead to the compromise of these systems and uncover security flaws or weaknesses not demonstrated by vulnerability assessments and audits.

Testing will be performed using a Remote Testing Appliance (RTA) that is placed on the internal network where target SAP systems are reachable. A Windows host with SAP GUI installed and pre-configured with relevant connections should also be provided that consultants can remotely connect into.

Service Methodology ⫘

Information Gathering and Discovery

Secureworks will examine the available internal network to discover SAP related systems and services through banner grabbing and other information disclosure vulnerabilities. This includes, but is not limited to:

Gathering information about SAP Application Servers.
Identifying the available SAP clients, including default clients (000,001, and 066).
Identifying any shared resources that may be accessible.
Attempting to identify users of the SAP systems and their workstations.

Vulnerability Assessment and Exploitation

Secureworks will perform unauthenticated vulnerability assessment and exploitation of in-scope SAP systems. Assessments will include the use of tools that leverage the RFC protocol for information gathering and exploitation of configuration weaknesses. Other testing may be conducted, but is not limited to:

Testing for weak and default credentials.
Analyzing network traffic to discover sensitive information that may be transmitted in plaintext.
Testing for access control and authorization issues that may lead to unintended access to data or backend systems.
Exploitation of unpatched vulnerabilities that are known to the public.

Post Exploitation and Escalation of Privileges

After gaining a foothold on the target SAP system(s), Secureworks will attempt to identify issues that would enable privilege escalation and/or lateral movement within the SAP landscape. The following techniques may be attempted to escalate privileges and demonstrate impact:

Access sensitive transactions within SAP such as SE16 and SE38.
Exfiltrate the USR02 table followed by the recovery of plaintext passwords via brute-force.
Test for reuse of compromised credentials across SAP systems and clients.
Decrypt ABAP, AS JAVA, and SMDAgent secure stores.
Evaluate RFC destinations for weaknesses that may allow for lateral movement.

Alternatively, clients can provide an SAP testing account that can be used in the event that no compromise has been made during testing, otherwise known as "assumed breach".

Outcome ⫘

Presentation of findings and deliverables compiled by Secureworks will be provided to you in the form of a report. The report will include the following:

Executive summary
Methods, detailed findings, narratives, and recommendations if any
Attachments as needed for relevant details and supporting data

Customer shall have one (1) week from delivery of the report to provide comments to be included in the final report. If there are no comments received from Customer before the expiration of the review period, the report will be deemed final.

Upon completion of the Services, the Customer-designated contact will receive a secure/encrypted email confirmation from Secureworks. Unless otherwise notified in writing to the contrary by the Customer designated contact, within five (5) business days of such email confirmation, the Services and this SOW shall be deemed complete.

Scoping Information ⫘