Independent SAP Services
This section includes information and details about independent SAP services such as SAPRouter, SAP Cloud Connector, etc.
SAPRouter is a reverse proxy for the SAP proprietary RFC protocol. An insecurely configured SAPRouter can allow an attacker to discover SAP installations behind the reverse proxy and force unencrypted communication. Unpatched versions are known to be vulnerable to denial-of-service attacks and compromise of the configuration (see the CVE overview).
3299/tcp
port:3299 !HTTP Network packet too big
port:3299 product:"SAProuter"
ip.port=="3299"&&protocol=="saprouter"
Replace the <Target Address(es)/Domain Name> with the IP addresses, e.g. discovered via Shodan.
nmap -sSVC -n -Pn -p3299 <Target Address(es)/Domain Name>
- Only service discovery
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l.
nuclei -t nuclei-sap-templates/saprouter/sap-router.yaml -u <Target Address/Domain Name>
- Check for SAPROUTTAB Connection Table leak
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l.
nuclei -t nuclei-sap-templates/saprouter/sap-router-info-leak.yaml -u <Target Address/Domain Name>
- Use Nuclei workflow to combine above scans for bulk scanning
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l.
nuclei -w nuclei-sap-templates/workflow-saprouter.yaml -u <Target Address/Domain Name>
To manually test whether the service on the given port is a SAPRouter, the following command can help:
Replace the <Target Address/Domain Name> with the IP addresses.
ncat <Target Address/Domain Name> 3299
This returns some encoded data, including strings like "NI (network interface)" or "SAProuter 38.9 on 'sandbox'". From this information alone, you can conclude the following:
- Confirmation that the service is SAPRouter
- SAPRouter version
- Hostname of the system running SAPRouter
To test the SAPRouter further and determine whether access is allowed or denied, you need to download the SAPRouter utilities from the SAP download manager using your S-USER. (The S-USER is given to organizations that have deployed or are currently implementing any SAP applications.)
In order to determine whether access is allowed or not, use the below command.
Replace the <Target Address/Domain Name> with the IP addresses.
saprouter -L -H <Target Address/Domain Name>
Example if Access is denied:
Example if Access is allowed:
The above reply shows the SAProuter connection list. This information can be very critical, as it may allow routing from the internet to the internal local network. It is usually available in, and can be retrieved from, the SAPROUTTAB file.
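For the defending side, the same risk can be checked at its source by reviewing the SAPROUTTAB file itself. The following Python sketch is an added example, not part of the original page or of SAP's tooling, and goes beyond what the page describes. It assumes the documented route permission table layout (entry type, source, destination, service, optional password), that the first matching entry wins, and a constructed sample table.

```python
import shlex

PERMIT = {"P", "S", "KP", "KS"}  # D/KD deny; KT defines SNC router-to-router links

def audit_saprouttab(text):
    """Return {line_no: [findings]} for entries that deserve a review."""
    report, catch_all = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        try:
            # shlex drops '#' comments and keeps quoted SNC names as one field
            f = shlex.split(raw, comments=True)
        except ValueError:
            report[no] = ["unparseable line (unbalanced quote)"]
            continue
        if not f:
            continue
        kind, notes = f[0].upper(), []
        if kind == "D" and catch_all:
            # Assumption: first matching entry wins, so this deny is dead
            notes.append(f"never reached: line {catch_all} already permits everything")
        elif kind in PERMIT:
            if len(f) < 4:
                notes.append("fewer than four fields, review by hand")
            else:
                src, dst, svc = f[1:4]
                if kind in ("P", "KP"):
                    notes.append("P-type entry: not limited to SAP protocols (S/KS is)")
                if not kind.startswith("K"):
                    notes.append("SNC not required on this route")
                for name, val in (("source", src), ("destination", dst), ("service", svc)):
                    if val == "*":
                        notes.append(f"wildcard {name}")
                if kind == "P" and (src, dst, svc) == ("*", "*", "*") and not catch_all:
                    catch_all = no
        if notes:
            report[no] = notes
    return report

SAMPLE = """\
# constructed SAPROUTTAB, not taken from any real system
P  *          *         *
S  10.1.0.*   sapapp01  3200
KS "p:CN=partner, O=Example" sapapp02 3300
D  *          sapapp01  3389
"""

if __name__ == "__main__":
    for no, notes in audit_saprouttab(SAMPLE).items():
        print(f"line {no}: " + "; ".join(notes))
```

Only a literal `*` is reported as a wildcard; partial patterns such as `10.1.0.*` still need a manual look.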
auxiliary/scanner/sap/sap_router_info_request
auxiliary/scanner/sap/sap_router_portscanner
The SAP Cloud Connector is a component of the SAP Business Technology Platform (BTP) that enables secure connectivity between on-premises systems and various cloud services and applications within the SAP BTP ecosystem. It plays a crucial role in integrating and extending on-premises business processes with cloud-based solutions and services while ensuring data security and compliance. This includes allowing SAP BTP to access sensitive information that is stored in, for example, the on-prem SAP system. Due to the sensitivity and criticality of this information, it is particularly important to protect the SAP Cloud Connector from unauthorized access.
- 8443/tcp (HTTPS)
title:"Login" port:8443 product:"Apache Tomcat/Coyote JSP engine" http.component:"OpenUI5"
title:"Login" port:8443 product:"Apache Tomcat/Coyote JSP engine" http.favicon.hash:-425273705
web.title="Login" and protocol=="https" and web.body="sccLogin" and ip.port=="8443"
Replace the <Target Address(es)/Domain Name> with the IP addresses, e.g. discovered via Shodan.
nmap -sSVC -n -Pn -p8443 <Target Address(es)/Domain Name>
- Only service discovery
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. There is no need to specify the port, but a URL is required as input, e.g. https://<IP/Hostname>
nuclei -t nuclei-sap-templates/sap_cloud_connector/sap-cloud-connector-detection.yaml -u <Target URL>
- Check for use of the default credentials (Administrator/manage)
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. A URL including the port is required as input, e.g. https://<IP/Hostname>:8443
nuclei -t nuclei-sap-templates/sap_cloud_connector/sap-cc-default-credentials.yaml -u <Target URL with Port>
- Use Nuclei workflow to combine above scans for bulk scanning
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. A URL including the port is required as input, e.g. https://<IP/Hostname>:8443
nuclei -w nuclei-sap-templates/workflow-sap-cc.yaml -u <Target URL>
The SAP Web Dispatcher is a reverse proxy solution from SAP. It is commonly located between the Internet and the SAP systems. SAP Web Dispatcher can load-balance incoming HTTP traffic between multiple SAP application servers, filter for specific URL paths, and allow or reject sessions in general. Its HTTP access logging contains more details than that of the SAP Internet Communication Manager (ICM) itself.
SAP Web Dispatcher provides its own administrative HTTP portal, which can be a huge security risk when exposed to the broad internet.
SAP Web Dispatcher has no static predefined ports; the ports are configurable. Below are examples of common and often used HTTP/HTTPS ports used with SAP.
80/tcp
443/tcp
8000/tcp
any other potential port which hosts a webservice
If SAP Web Dispatcher is used together with SAP HANA, the following ports are used by the service.
xx = instance number of the corresponding SAP instance
- 80xx/tcp (as part of SAP HANA)
- 43xx/tcp (as part of SAP HANA)
"server: Web Dispatcher"
web.body="SAP Web Dispatcher"&&header="sap"
- header="Server: Web Dispatcher" (newer releases > 7.77)
Replace the <Target Address(es)/Domain Name> with the IP addresses, e.g. discovered via Shodan/Hunter.how, and <Port> with the identified port, or just run a generic scan without the -p option.
nmap -sSVC -n -Pn -p<Port> <Target Address(es)/Domain Name>
- Only service discovery
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. There is no need to specify the port, but a URL is required as input, e.g. https://<IP/Hostname>
nuclei -t nuclei-sap-templates/sap_web_dispatcher/sap-web-dispatcher-detection.yaml -u <Target URL>
- Discovery of Admin Web interface
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. There is no need to specify the port, but a URL is required as input, e.g. https://<IP/Hostname>
nuclei -t nuclei-sap-templates/sap_web_dispatcher/sap-web-dispatcher-admin-portal.yaml -u <Target URL>
- Use Nuclei workflow to combine above scans for bulk scanning
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. A URL including the port is required as input, e.g. https://<IP/Hostname>:8443
nuclei -w nuclei-sap-templates/workflow-sap-web-dispatcher.yaml -u <Target URL>
- Scan for the CVE-2022-22536 vulnerability
Replace the <Target Address/Domain Name> with the IP addresses. Alternatively, specify a list of domains/IP addresses using the option -l. A URL including the port is required as input, e.g. https://<IP/Hostname>:8443
nuclei -t https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/main/http/cves/2022/CVE-2022-22536.yaml -u <Target URL>