SAPKiln icon indicating copy to clipboard operation
SAPKiln copied to clipboard

verified publisher icon OWASP

Metadata

OWASP SAPKiln is a graphical user interface (GUI) tool designed to facilitate securing and auditing SAP systems effectively.

OWASP SAPKiln SAPKiln

SAPiln Version

The world :earth_americas: of SAP is very vast and unique. SAP has multiple products to tackle various problems as well as multiple technology platforms such as NetWeaver etc. SAPKiln is an open-source GUI tool :computer: designed to empower security researchers in conducting efficient auditing and penetration testing of SAP systems through SAP Logon/GUI (desktop application). It caters to both experienced SAP professionals and those unfamiliar with the SAP environment, as it streamlines the process of performing security checks with a user-friendly interface:sparkles:.

Powered :battery: by saplogon.exe and SAP scripting in its backend, SAPKiln executes automated checks in the SAP system. The current version (v1.0) boasts a comprehensive array of over 70+ checks :exclamation: divided into 10 modules. Beyond its built-in checks, SAPKiln provides flexibility with dynamic checks, accommodating custom user inputs. By automating security assessments, SAPKiln effectively bridges the knowledge gap for security researchers :cop: compared to SAP domain experts:eyeglasses:.

Modules Included :cyclone:

  • Attempt Login with Default SAP Credentials
  • Enumerate for Accessible T-Codes
  • Enumerate for Accessible Tables
  • Enumerate for Usage of SAP_ALL Profile
  • Enumerate Password Policies
  • Enumerate Weak Password Hashes (Users)
  • Enumerate Weak Password Hashes (Hashes)
  • OS Commands Execution - RSBDCOS0
  • OS Commands Execution - SAPXPG
  • Enumerate Instances for Lateral Movement

Installation :hammer_and_wrench:

git clone https://github.com/alexdevassy/SAPkiln.git
cd SAPKiln
pip install -r requirements.txt

*SAPKiln v1.0 is only supported in windows due to its dependency with pywin32 library. Its tested in windows 10 with python 3.10.11.

Prerequisites :construction:

Before executing SAPKiln make sure below prerequisite is met.

  • SAP scripting is enabled in backend SAP system
    • To enable SAP scripting, execute T-Code "RZ11", search for "sapgui/user_scripting", change its value from "False" to "True".

Optional prerequisites

  • SAP scripting options are unchecked in SAP GUI
    • Navigate to "Options" within SAP GUI, inside options navigate to "Accessibility & Scripting" -> "Scripting". And uncheck below options
      • "Notify when a script attaches to SAP GUI"
      • "Notify when a script opens a connection"

Usage :space_invader:

python .\SAPKiln.py

https://github.com/OWASP/OWASP-SAPKiln/assets/31893005/7a28e87c-3b40-4ea0-88cd-510088d5f392

Metadata

21
Stars
4
Forks
Watchers

Owner

verified publisher icon OWASP

Metadata

OWASP SAPKiln is a graphical user interface (GUI) tool designed to facilitate securing and auditing SAP systems effectively.

Back