Sapyto SAP pentest updated to v0.98

SAPYTO is a SAP Penetration Testing Framework. It enables security professionals to perform security assessments of different components of SAP R/3 deployments. Presented at Blackhat Europe 2007, it was shipped with many plugins to analyze the security of the RFC interface implementation of SAP systems. The plugin-based architecture enables users to develop their own plugins, extending functionality and allowing the framework to detect new vulnerabilities.

This version is mainly a complete re-design of sapyto's core and architecture to support future releases. Some of the new features now available are:

  • Target configuration is now based on "connectors", which represent different ways to communicate with SAP services and components. This makes the framework extensible to handle new types of connections to SAP platforms.
  • Plugins are now divided into three categories:
      • Discovery: try to discover new targets from the configured or already-discovered ones.
      • Audit: perform some kind of vulnerability check over configured targets.
      • Exploit: used as proofs of concept for discovered vulnerabilities.
  • Exploit plugins now generate shells and/or sapytoAgent objects.
  • New plugins: user account bruteforcing, client enumeration, SAProuter assessment, and more...
  • Plugin-developer interface drastically simplified and improved.
  • New command switches allow targets, scripts, and output to be configured independently.
  • Installation process and general documentation improved.
  • Many (*many*) bugs fixed. :P
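To make the connector/plugin split concrete, here is a hypothetical Python sketch, added for this page and not sapyto's own code or API, of how the three plugin categories might chain together: discovery plugins feed newly found targets back into the target pool until nothing new appears, audit plugins run over every target, and exploit-category plugins run only where an audit produced a finding (here they merely record which finding they would demonstrate). The connector, the host name, the client list and the patch-level threshold are all constructed sample values.

```python
# Hypothetical plugin/connector pipeline illustrating the three plugin categories
# described in the release notes. Added example; not sapyto's own code or API.
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Target:
    """A target as a connector sees it: host plus optional SAP client."""
    host: str
    client: str = ""


class FakeRfcConnector:
    """Stand-in for a 'connector': answers from an inline table instead of a
    live RFC link, so the pipeline can run offline. The table is constructed."""
    name = "rfc"

    def __init__(self, table: dict):
        self.table = table

    def query(self, target: Target, item: str):
        return self.table.get((target.host, item))


# Plugin registry keyed by the three categories from the release notes.
REGISTRY: dict[str, list[Callable]] = {"discovery": [], "audit": [], "exploit": []}


def plugin(category: str):
    """Decorator: register a plugin function under a category."""
    def register(fn):
        REGISTRY[category].append(fn)
        return fn
    return register


@plugin("discovery")
def enumerate_clients(target: Target, conn) -> list[Target]:
    """Discovery: derive per-client targets from a host-level target."""
    if target.client:          # already client-specific, nothing more to derive
        return []
    clients = conn.query(target, "clients") or []
    return [Target(target.host, c) for c in clients]


@plugin("audit")
def kernel_patch_check(target: Target, conn) -> list[str]:
    """Audit: flag a host whose kernel is below a hypothetical minimum patch level."""
    if target.client:          # kernel level is a host property, check it once
        return []
    info = conn.query(target, "kernel")
    if not info:
        return []
    minimum = 200              # hypothetical threshold, constructed for the example
    if info["patch"] < minimum:
        return [f"kernel patch {info['patch']} < {minimum}"]
    return []


@plugin("exploit")
def proof_of_concept(target: Target, conn, findings: list[str]) -> str:
    """Exploit category: here it only records which finding it would demonstrate."""
    return f"PoC queued for {target.host}/{target.client or '*'}: {findings[0]}"


def run_pipeline(seeds: list[Target], conn, max_rounds: int = 5) -> dict:
    """Discovery runs to a (bounded) fixed point, audit covers every target,
    exploit plugins run only for targets that have audit findings."""
    targets = list(seeds)
    seen = set(targets)
    for _ in range(max_rounds):
        new = []
        for t in targets:
            for discover in REGISTRY["discovery"]:
                for found in discover(t, conn):
                    if found not in seen:
                        seen.add(found)
                        new.append(found)
        if not new:
            break
        targets.extend(new)

    findings = {}
    for t in targets:
        hits = [h for audit in REGISTRY["audit"] for h in audit(t, conn)]
        if hits:
            findings[t] = hits

    pocs = [e(t, conn, hits) for t, hits in findings.items() for e in REGISTRY["exploit"]]
    return {"targets": targets, "findings": findings, "pocs": pocs}


# Constructed sample responses for one fictitious host.
SAMPLE_TABLE = {
    ("sap-dev.example", "clients"): ["000", "001", "100"],
    ("sap-dev.example", "kernel"): {"release": "700", "patch": 133},
}


def demo() -> dict:
    conn = FakeRfcConnector(SAMPLE_TABLE)
    return run_pipeline([Target("sap-dev.example")], conn)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the structure is the data flow between categories: a connector is the only thing that talks to the target, discovery only adds targets, audit only produces findings, and the exploit stage cannot run without a finding to attach to.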

Post scriptum

Compliance Mandates

  • Application Scanner: PCI/DSS 6.3, SOX A12.4, GLBA 16 CFR 314.4(b) and (2), HIPAA 164.308(a)(1)(i), FISMA RA-5, SA-11, SI-2, ISO 27001/27002 12.6, 15.2.2

