
OWASP SAPKiln is a graphical user interface (GUI) tool designed to facilitate securing and auditing SAP systems effectively.


OWASP SAPKiln


The world 🌎 of SAP is vast and unique: SAP offers many products for different business problems, built on several technology platforms such as NetWeaver. SAPKiln is an open-source GUI tool 💻 designed to help security researchers audit and penetration-test SAP systems efficiently through SAP Logon/GUI (the desktop application). It serves both experienced SAP professionals and those unfamiliar with the SAP environment, because it streamlines security checks behind a user-friendly interface ✨.

Powered 🔋 by saplogon.exe and SAP GUI scripting in its backend, SAPKiln executes automated checks against the SAP system. The current version (v1.0) ships more than 70 checks ❗ divided into 10 modules. Beyond its built-in checks, SAPKiln also supports dynamic checks that accept custom user input. By automating security assessments, SAPKiln helps bridge the knowledge gap between security researchers 👮 and SAP domain experts 👓.

Modules Included 🌀

  • Attempt Login with Default SAP Credentials
  • Enumerate for Accessible T-Codes
  • Enumerate for Accessible Tables
  • Enumerate for Usage of SAP_ALL Profile
  • Enumerate Password Policies
  • Enumerate Weak Password Hashes (Users)
  • Enumerate Weak Password Hashes (Hashes)
  • OS Commands Execution - RSBDCOS0
  • OS Commands Execution - SAPXPG
  • Enumerate Instances for Lateral Movement

Installation 🛠️

git clone https://github.com/alexdevassy/SAPkiln.git
cd SAPKiln
pip install -r requirements.txt

*SAPKiln v1.0 is only supported on Windows because it depends on the pywin32 library. It has been tested on Windows 10 with Python 3.10.11.

Prerequisites 🚧

Before running SAPKiln, make sure the following prerequisite is met.

  • SAP scripting is enabled in backend SAP system
    • To enable SAP scripting, execute T-Code "RZ11", search for the profile parameter "sapgui/user_scripting" and change its value from "False" to "True".

Optional prerequisites

  • SAP scripting options are unchecked in SAP GUI
    • Navigate to "Options" within SAP GUI, then to "Accessibility & Scripting" -> "Scripting", and uncheck the following options:
      • "Notify when a script attaches to SAP GUI"
      • "Notify when a script opens a connection"
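As a worked example added here (it is not part of the SAPKiln project), the following PowerShell script reports the state of the client-side SAP GUI scripting options that the optional prerequisites refer to, so an administrator or incident responder can see on which workstations the attach/connection warnings have been turned off. The registry key path and the value names UserScripting, WarnOnAttach and WarnOnConnection are assumptions taken from SAP GUI's own scripting configuration, not from this README.

```powershell
# Added example, not SAPKiln code: audit the client-side SAP GUI scripting settings.
# Assumption: SAP GUI stores these settings as DWORDs under the "Security" key below
# (per-user in HKCU, machine-wide in HKLM). Value 0 = scripting disabled / warning off.
$SapGuiSecurityKeys = @(
    'HKCU:\Software\SAP\SAPGUI Front\SAP Frontend Server\Security',
    'HKLM:\Software\SAP\SAPGUI Front\SAP Frontend Server\Security'
)

function Get-SapGuiScriptingSetting {
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [Parameter(Mandatory)] [string] $ValueName
    )
    # Returns $null when the key or value is absent; SAP GUI then applies its own default.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Get-SapGuiScriptingState {
    foreach ($key in $SapGuiSecurityKeys) {
        foreach ($name in 'UserScripting', 'WarnOnAttach', 'WarnOnConnection') {
            $value = Get-SapGuiScriptingSetting -KeyPath $key -ValueName $name
            # Only an explicit 0 is a finding; $null means "not configured here".
            $note = switch ($name) {
                'UserScripting' {
                    if ($value -eq 0) { 'scripting disabled on this client' }
                    else              { 'scripting not disabled on this client' }
                }
                default {
                    if ($value -eq 0) { 'warning OFF: scripts can attach/connect silently' }
                    else              { 'warning not disabled' }
                }
            }
            [pscustomobject]@{
                Hive    = $key.Split(':')[0]
                Setting = $name
                Value   = if ($null -eq $value) { 'not set' } else { $value }
                Note    = $note
            }
        }
    }
}

# Print one row per hive and setting; pipe to Export-Csv to collect across hosts.
Get-SapGuiScriptingState | Format-Table -AutoSize
```

Machine-wide (HKLM) values take effect for every user, so a row showing WarnOnAttach = 0 there is the one most worth following up.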

Usage 👾

python .\SAPKiln.py