This post is the first in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.

This year, 2013, saw the disclosure of a banking Trojan modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime. Once the domain of a few isolated APT attacks, SAP appears to be in the crosshairs of hackers who know just how much sensitive data ERP systems house. With more than 248,500 customers in 188 countries, SAP may see an increase in attacks, and its customers face the threat of data theft, fraud and sabotage.

This trend is not really surprising, given that financial, customer, employee and production data reside in a company's enterprise resource planning (ERP) systems—and they are juicy targets for all sorts of malicious hackers. What's worse, these systems have often grown organically over decades and are so complex that few people understand their organization's entire ecosystem, let alone some of SAP's protocols and components that are not publicly documented. This year, we've made a significant effort to make Metasploit a better SAP pentesting platform, due in large part to an awesome community we should thank again! (and again, and again...). Because of their awesome work, there are now more than 50 SAP-related modules in the framework. So, if you meet some of these guys, stop them and say thank you!

| Name | Twitter handle | Web page |
| --- | --- | --- |
| Chris John Riley | @ChrisJohnRiley | Cатсн²² (in)sесuяitу / ChrisJohnRiley \| Because we're damned if we do, and we're damned if we don't! |
| Dave Hartley | @nmonkee | |
| Bruno Morisson | @morisson | http://genhex.org/~mori/ |
| Andras Kabai | | |

Thanks to all of them, the most important SAP infrastructure components are now covered by Metasploit, including:
  • DIAG/RFC communications, with support for the nwrfc wrapper on the Q Metasploit Repository.
  • The SAP Router.
  • The SAP Management Console.
  • The SAP Internet Communication Manager and the SAP Internet Communication Framework.
  • The J2EE Engine.

Code is not the only thing that has been added to Metasploit. All of these capabilities, and how to use them, are covered in a free research paper which you can download here: “SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data”. We have also published several webcasts where you can learn more about SAP exploitation with Metasploit from the authors:

So, there is no excuse not to take SAP infrastructures into account when planning 2014's pentest engagements. The tools are out there!