Skip to content
/ SAPKiln Public

OWASP SAPKiln is a graphical user interface (GUI) tool designed to facilitate securing and auditing SAP systems effectively.

License

MIT license
26 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

OWASP/SAPKiln

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
Config
Config
 
 
Images
Images
 
 
Modules
Modules
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
SAPKiln.py
SAPKiln.py
 
 
leaders.md
leaders.md
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

OWASP SAPKiln SAPKiln

SAPiln Version

The world 🌎 of SAP is very vast and unique. SAP has multiple products to tackle various problems as well as multiple technology platforms such as NetWeaver etc. SAPKiln is an open-source GUI tool 💻 designed to empower security researchers in conducting efficient auditing and penetration testing of SAP systems through SAP Logon/GUI (desktop application). It caters to both experienced SAP professionals and those unfamiliar with the SAP environment, as it streamlines the process of performing security checks with a user-friendly interface✨.

Powered 🔋 by saplogon.exe and SAP scripting in its backend, SAPKiln executes automated checks in the SAP system. The current version (v1.0) boasts a comprehensive array of over 70+ checks ❗ divided into 10 modules. Beyond its built-in checks, SAPKiln provides flexibility with dynamic checks, accommodating custom user inputs. By automating security assessments, SAPKiln effectively bridges the knowledge gap for security researchers 👮 compared to SAP domain experts👓.

Modules Included 🌀

  • Attempt Login with Default SAP Credentials
  • Enumerate for Accessible T-Codes
  • Enumerate for Accessible Tables
  • Enumerate for Usage of SAP_ALL Profile
  • Enumerate Password Policies
  • Enumerate Weak Password Hashes (Users)
  • Enumerate Weak Password Hashes (Hashes)
  • OS Commands Execution - RSBDCOS0
  • OS Commands Execution - SAPXPG
  • Enumerate Instances for Lateral Movement

Installation 🛠️

git clone https://github.com/alexdevassy/SAPkiln.git
cd SAPKiln
pip install -r requirements.txt

*SAPKiln v1.0 is only supported in windows due to its dependency with pywin32 library. Its tested in windows 10 with python 3.10.11.

Prerequisites 🚧

Before executing SAPKiln make sure below prerequisite is met.

  • SAP scripting is enabled in backend SAP system
    • To enable SAP scripting, execute T-Code "RZ11", search for "sapgui/user_scripting", change its value from "False" to "True".

Optional prerequisites

  • SAP scripting options are unchecked in SAP GUI
    • Navigate to "Options" within SAP GUI, inside options navigate to "Accessibility & Scripting" -> "Scripting". And uncheck below options
      • "Notify when a script attaches to SAP GUI"
      • "Notify when a script opens a connection"

Usage 👾

python .\SAPKiln.py
OWASP.SAPKiln.Demo.mp4

About

OWASP SAPKiln is a graphical user interface (GUI) tool designed to facilitate securing and auditing SAP systems effectively.

Topics

auditing sap penetration-testing sapgui saplogon sapsecurity

Resources

Readme

License

MIT license

Contributing

Contributing
Activity
Custom properties

Stars

26 stars

Watchers

4 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

Languages