
Additional Tools & Helper

randomstr1ng edited this page Aug 23, 2024 · 8 revisions

nmap2nuclei-targets.py

This script takes the XML results of an nmap scan and converts them into a list of ip/hostname:service port pairs that can be used by tools like nuclei. If a hostname is used instead of an IP address, the script will prefer the hostname over the IP address.

Location of the script: /tools/nmap2nuclei-targets.py

Setup

Install the requirements manually or use the requirements.txt, which can be found in the /tools folder next to the script.

python3 -m pip install -r requirements.txt 

Usage

  • Create an nmap XML result by using the option -oX <output file name>
nmap -sSVC -oX scanresult.xml scanme.nmap.org
  • Run the script, providing the input and output filenames
python3 nmap2nuclei-targets.py -i scanresult.xml -o target-list.txt

With the flag -v, the target list is also printed on the screen.
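
The conversion described above, as an added Python example (this is not the project's nmap2nuclei-targets.py). The function name, the constructed sample XML and the choice to emit only ports in state open are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout (not real scan output).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:00:5E:00:53:01" addrtype="mac"/>
    <hostnames><hostname name="sap-app.example.test" type="user"/></hostnames>
    <ports>
      <port protocol="tcp" portid="3200"><state state="open"/></port>
      <port protocol="tcp" portid="3300"><state state="closed"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/></port>
    </ports>
  </host>
  <host>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443"><state state="open"/></port>
    </ports>
  </host>
</nmaprun>"""


def nmap_xml_to_targets(xml_text):
    """Return host:port strings for every open port, hostname preferred over IP."""
    # For XML files you did not produce yourself, parse with defusedxml instead.
    targets = []
    for host in ET.fromstring(xml_text).iter("host"):
        hostname = host.find("hostnames/hostname")
        # Skip MAC entries; only IPv4/IPv6 addresses are usable as targets.
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        name = (hostname.get("name") if hostname is not None else None) or addr
        if name is None:
            continue
        # An IPv6 literal must be bracketed before a port is appended.
        if name == addr and ":" in name:
            name = f"[{name}]"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                targets.append(f"{name}:{port.get('portid')}")
    return targets


if __name__ == "__main__":
    print("\n".join(nmap_xml_to_targets(SAMPLE_XML)))
```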


SAP Remote Function Module (RFM) enumeration report

This ABAP report can be used to enumerate all Remote Function Modules (RFM) in an SAP system. The report lists all RFMs that do not respond with an authentication error. The source code can be found below. Credits: Joris van de Vis (@kloris)

Setup

  1. Set up a new RFC Destination of Type 3 in Transaction SM59 with the name Z_TEST. Provide only the port and IP address/hostname of the system to scan, but no username/password.
  2. Create a new ABAP Report using Transaction SE38.
  3. When it asks to create an Object Directory entry, you can choose Local Object.
  4. Copy the code below and overwrite the existing content in the window.
  5. Save and activate the report.

Usage

  1. Return to the initial screen of Transaction SA38 and execute the program.
  2. Make sure that the previously added RFC destination is selected. Then execute the program in the background.
  3. It can take about 1h after the report has finished. The results can be viewed in the spool output via Transaction SP01.

To scan another system, just change the connection information in the RFC destination added previously.

ABAP Code

This code is also available as a document in the tools folder of the Container/Repository.

*&---------------------------------------------------------------------*
*& Report ZZ_ENUMERATE_REMOTE_FUNCMODS
*&---------------------------------------------------------------------*
*& Author Joris van de Vis (@kloris)
*&---------------------------------------------------------------------*
REPORT ZZ_ENUMERATE_REMOTE_FUNCMODS.
 
PARAMETERS: P_RFCDES LIKE RFCDES-RFCDEST DEFAULT 'Z_TEST'.                   "This is a RFC dest in SM59 pointing to another SAP system with no user/pw in it
 
TYPES: BEGIN OF T_ITAB,
         FUNCNAME LIKE TFDIR-FUNCNAME,
       END OF T_ITAB.
 
DATA: LT_ITAB TYPE TABLE OF T_ITAB,
      LS_ITAB LIKE LINE OF LT_ITAB.
 
* Retrieve remote enabled function modules from table TFDIR
SELECT FUNCNAME FROM TFDIR
INTO LS_ITAB
WHERE FMODE = 'R'.
* and put in itab
  APPEND LS_ITAB TO LT_ITAB.
ENDSELECT.
 
* Loop over itab
LOOP AT LT_ITAB INTO LS_ITAB.
* Call remote function in other SAP system and check if it is authenticated or not
  CALL FUNCTION LS_ITAB-FUNCNAME DESTINATION P_RFCDES
    EXCEPTIONS
      OTHERS = 2.
 
  IF SY-SUBRC <> 2.
* Implement suitable error handling here
    WRITE: / 'Unauthenticated RFC Enabled Function Module found:', LS_ITAB-FUNCNAME.
 
  ENDIF.
ENDLOOP.