SAP is one of the world\'s largest software companies. SAP offers approx. 40 products in the categories of "Business Solutions", "Industry Solutions" and "Solutions for Small and Midsize Enterprises" as well as approx. 8 interactive platforms and frameworks. The latest offering is "Business ByDesign" - a software as a service (SaaS) offering. SAP basically has an incomprehensibly massive attack surface, is a core component of many, many business operations and yet when talking with other \'pentesters\', I have found many shy away from assessing these systems for fear of the unknown. There are also very few open source assessment tool kits and/or methodologies available to pentesters. In reality SAP is no different than any other interconnected business system. Traditional network and application testing tool sets/methodologies are just as applicable and; network and application security best practices/principals are just as relevant. This talk will not provide a deep understanding of SAP, nor will it provide you with the abilities to perform in depth, effective and comprehensive security assessments of SAP landscapes (did I mention massive attack surface?). The audience will however leave with just enough information to go from zer0 to her0 in as short a time as is possible when encountering SAP systems during engagements. Several Metasploit modules will be demoed during the presentation that can be used to form the base of an open source SAP assessment toolkit. The modules can be used to achieve complete compromise of insecure and misconfigured SAP environments. Its all just pushing buttons really ;)