Presentation Title Attacking SAP Users Using sapsploit Extended
Presentation Abstract
SAP security is becoming a popular topic and clientside security of ERP systems is not well described in Internet So methodology and tools for assessing SAP frontend security must be known for security community
In this talk we will show how to attack SAP clients and get access to internal resources of company and then to SAP environment with examples of real pentests. Then we will focus on client-side vulnerabilities and will show all current methods and new attacks on different client applications and protocols that use in SAP environment showing some new applications not mentiond in first talk. Then we will show sapsploit and saptrojan that can make many of the described things automatically and will show the way how can break the corporate network and steal corporate data using these tools. At the end of talk we will present new web service (with interesting details of his work) which will help users to assess level of their SAP frontend security level without exploiting them and publish some statistics.
About Alexander Polyakov
Alexander Polyakov is the CTO of The Digital Security Company. His expertise covers enterprise applications and database security. He found a lot of vulnerabilities in the products of such vendors as SAP and Oracle, and has made a lot of projects focused on special applications security in oil and gas, retail and banking sphere. He is the author of a book titled “Oracle Security from the Eye of the Auditor. Attack and Defense (in Russian). He is also the head of Digital Security Research Group (dsecrg.com), Expert Council member of PCIDSS.RU association, QSA and PA-QSA auditor. Speaker: HITB, Troopers10,T2.fi,Infosecurity Russia, Ruscrypto and PCIDSSRUSSIA2010