Attacking an ERP with Open Source Software
DOI:
https://doi.org/10.29019/enfoqueute.v9n1.253Keywords:
Pentesting, IT Security, Hacking, ERP, APEXAbstract
Information security is a growing concern in companies and organizations, being even higher when linked to financial platforms where sensitive information exists. This article explains the techniques used in the pentesting performed on the ERP software developed in APEX 5 by the University of Azuay. To achieve this goal, six stages has been considered for perform a penetration test: I) Conceptualization, where is defined the scope of the tests to be performed. II) Preparation of the laboratory, which identifies some of the tools used to initiate the safety tests. III) Obtaining of information, where the possible objects are recognized and scanned in greater depth to identify intrinsic characteristics for subsequently exploit them. IV) Analysis of the vulnerabilities found in the previous stage. V) Exploitation of vulnerabilities; and VI) post-exploitation, a stage that contemplates the destruction of evidence of the attack and the conservation of the connection and the accesses obtained to extract information. All these stages were carried out within the facilities of the “Universidad del Azuay”, considering the development environment in which this software is currently located.
Downloads
References
Caballero, A. (2015). Hacking con Kali Linux. Lima.
Chakrabarti, S., Chakraborty, M., & Mukhopadhyay, I. (2010). Study of snort-based IDS. ACM, 43-47.
Crespo, E. (15 de 01 de 2017). ECU@Risk. Metodología de Seguridad de la información para la gestión del riesgo informático aplicable a MPYMES. Cuenca, Azuay, Ecuador.
Gallo, F. (2011). Inseguridad Informática. España.
Hernández, A. (2007). Fuzzing para pruebas de seguridad en software. brainoverflow.org.
Mansoor, A., Muthuprasanna, M., & Vijay, K. (2006). High Speed Pattern Matching for Network IDS/IPS. IEEE Xplore.
Microsoft. (2017). SDL Threat Modeling Tool. Obtenido de https://www.microsoft.com/en-us/sdl/adopt/threatmodeling.aspx
NMAP. (19 de 04 de 2017). Resumen de Opciones. Obtenido de https://nmap.org/man/es/man-briefoptions.html
Rocha, L. (29 de Mayo de 2014). Count Upon Security. Obtenido de Incident Handling and Hacker Techniques: https://countuponsecurity.com/2014/05/29/simple-and-practical-attack-part-2/
Security, O. (2017). Kali Tools. Recuperado el 31 de 07 de 2017, de https://tools.kali.org/tools-listing
Spendolini, S. (2016). Expert Oracle Application Express Security. Apress.
Stallman, R. (2004). Software libre para una sociedad libre. Madrid: Traficantes de sueños.
The OWASP Project. (2017). OWASP Testing Guide 4.0. N/E: The OWASP Project.
UNAM-CERT. (25 de Mayo de 2016). Aspectos Básicos de la Seguridad en Aplicaciones Web. Recuperado el 14 de 07 de 2017, de https://www.seguridad.unam.mx/historico/documento/index.html-id=17
University of Adelaide. (2015). The Risk Management Handbook. Sydney: Legal and risk.
Weidman, G. (2014). Penetration Testing, A Hands-On Introduction to Hacking (1). EEUU: No Starch Press.
Published
How to Cite
Issue
Section
License
The authors retain all copyrights ©.
- The authors retain their trademark and patent rights, as well as rights to any process or procedure described in the article.
- The authors retain the right to share, copy, distribute, perform, and publicly communicate the article published in Enfoque UTE (for example, post it in an institutional repository or publish it in a book), provided that acknowledgment of its initial publication in Enfoque UTE is given.
- The authors retain the right to publish their work at a later date, to use the article or any part of it (for example, a compilation of their work, lecture notes, a thesis, or for a book), provided that they indicate the source of publication (authors of the work, journal, volume, issue, and date).