Goal
This page is a mix of reference material and brain dump for SAP security audit / pentest.
Special thanks to @nitbx for training me! I hope to be as good as he is some day.
OOP
CLI
Launching SAP GUI
&"C:\Program Files (x86)\SAP\FrontEnd\SapGui\SAPgui.exe" "/H/192.168.0.2/S/3201"Network Reconnaissance
Scan the hosts using https://github.com/gelim/nmap-sap
nmap -n --open --datadir . -sV -p $(./sap_ports.py) -iL ../hosts.list --open -oA ../nmap/sap_servicesUse the MSF module auxiliary/scanner/sap/sap_service_discovery
Take note of the SAP services identified.
Login screen information retrieval (32NN)
parallel --col-sep ':' diag_login_screen_info.py -d {1} -p {2} :::: hosts_v1.list | tee login_screen/output_1Client ID discovery (bruteforce)
diag_login_brute_force.py --discovery --discovery-range 000-999 -d 192.168.224.219Known SAP URL bruteforce
Combine the wordlists into a single file
parallel ffuf -w wordlists/sap.list -u {1}/FUZZ -r -v -of all -o ffuf/{#} :::: pdiscovery/sap_services.httpxSAP Router
If a host has port 3299 open -> Check if it's running the Router service.
Then use sap_router_info_request to get the connection table.
Use sap_router_portscanner after.
Default Credentials
Spray default credentials with
diag_login_brute_force.py -p 3200 -d RHOST -c default_sap_credentials --verbose | tee ./default_creds_spray_RHOST_3200.outputSpray the web interface of SAP GUI with metasploit scanner/sap/sap_web_gui_brute_login module.
Default credentials are stored in sap_default.txt.
Quick script to run the job with GNU parallel
#!/bin/bash
set -xe
host=$1
port=$2
if [[ -z "${1}" ]]
then
echo "missing host"
exit 1
fi
if [[ -z "${2}" ]]
then
echo "missing port"
exit 1
fi
mkdir -pv ./brute_output
diag_login_brute_force.py -d "${1}" -p "${2}" -c ./default_sap_credentials --discovery --discovery-range 000-999 --verbose | tee -a "./brute_output/${1}_${2}.output"Configuration Audit
Security policy settings
/nSA38withRSPARAM
Metasploit modules
auxiliary/scanner/sap/sap_service_discovery
scanner/sap/sap_icm_urlscan
scanner/sap/sap_router_info_request (3299)
auxiliary/scanner/http/sap_businessobjects_user_enum (/dswsbobje/services/BICatalog?wsdl)
References
Repositories
https://github.com/Jean-Francois-C/SAP-Security-Audit/
https://github.com/gelim/nmap-sap
https://github.com/OWASP/pysap
https://github.com/shipcod3/mySapAdventures
https://github.com/damianStrojek/SAPPV
Articles
https://www.anvilsecure.com/blog/introducing-hanalyzer.html
https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-sap.html
https://help.sap.com/docs/SUPPORT_CONTENT/security/3362974401.html
https://www.rapid7.com/blog/post/2014/01/09/piercing-saprouter-with-metasploit/
https://labs.withsecure.com/publications/run-sap-run
https://c22blog.wordpress.com/2011/12/11/seczone-2011-sap-insecurity-slides/
http://spl0it.org/files/talks/source_barcelona10/Hacking SAP BusinessObjects.pdf
Wordlists
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/URLs/urls-SAP.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/CMS/SAP.fuzz.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/sap.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/sap-analytics-cloud.txt
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/SAP-NetWeaver.txt
https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/sap_icm_paths.txt
https://github.com/rapid7/metasploit-framework/blob/master/data/wordlists/sap_default.txt
Documentation
All SAP ports: https://help.sap.com/docs/Security/575a9f0e56f34c6e8138439eefc32b16/616a3c0b1cc748238de9c0341b15c63c.html