Wednesday, September 4, 2013

SAP ERP Penetration Testing framework / Tools List

SAP ERP Penetration Testing framework / Tools List :

  • Bizploit By Onapsis
  • Sapyto By Cyber System Security
  • ERPScan’s By SAP AG

Bizploit :
            is the first Opensource SAP ERP Penetration Testing framework. Developed by the Onapsis Research Labs, Bizploit assists security professionals in the discovery, exploration, vulnerability assessment and exploitation phases of specialized ERP Penetration Tests.

Currently, Bizploit is shipped with many plugins to assess the security of SAP business platforms. Plugins for other popular ERPs will be included in the short term.

  • Download Bizploit v1.50-rc1 for Windows  
  • Download Bizploit v1.50-rc1 for Linux

  • Sapyto:
               is the first SAP Penetration Testing Framework. Fully developed at CYBSEC-Labs, sapyto provides support to information security professionals in SAP platform discovery, investigation and exploitation activities.

              Sapyto is periodically updated with the outcome of the deep research constantly carried out by CYBSEC-Labs on the various security aspects in SAP systems.

              Although sapyto is a versatile and powerful tool, it is of major importance for it to be used by consultants who are highly skilled and specialized in its usage, preventing any interference with your organization’s usual SAP operation.

               To obtain further information about specific SAP security services, please visit our SAP Security section.

    The following versions of sapyto are available at this moment:

    Sapyto Public Edition (v0.99) for Windows [DOWNLOAD]
    Sapyto Public Edition (v0.99) for Linux [DOWNLOAD]

                     SAP Pentesting Tool is NOT a demo or part of professional product called ERPScan Security Scanner it is just a number of perl scripts for penetration testers.
    ERPScan's SAP Pentesting Tool is a freeware tool that is intended for penetration testers and security officers for vulnerability assessment of SAP systems using Black Box testing methodologies. It means that you do not need to know any information about the target system or have a legal account in it. All the information will be collected by SAP Pentesting tool.

    Updated release 0.6 from 01.10.2012

    - Total 31 modules
    - 18 Information gathering
    - 3 Command execution
    - 8 Aux
    - 4 DoS
    - Exploit for Verb Tampering (add user and add role)
    - P4 password decryptor plugin
    - ~40 default public ICM pages scan

    Using ERPScan's SAP Pentesting Tool you can:
    • Obtain information using information disclosure vulnerability;
    • Exploit potential vulnerabilities;
    • Collect business critical data or the data for conducting other attacks
    If you want to test professional product please fill this form.