
SAP NetWeaver Services

randomstr1ng edited this page Aug 25, 2024 · 41 revisions

This section includes information and details about the services provided by SAP NetWeaver deployments, such as the SAP RFC Gateway, SAP Message Server, SAP Internet Communication Manager, etc.

SAP Dispatcher (Disp+Work)

An SAP instance consists of one dispatcher, which handles the communication with the frontends (e.g. SAP GUI), and many work processes, which receive the "work" dispatched to them, are connected to the database and execute all ABAP code. The protocol SAP GUI uses to connect to the SAP Dispatcher is called SAP DIAG. Unpatched or misconfigured installations can lead to full system compromise, up to and including unauthenticated remote code execution. Besides vulnerabilities in the process binary, exposing the port enables brute-force or man-in-the-middle attacks. By default, DIAG access to the dispatcher does not require encrypted communication; encryption has to be set up with SNC (Secure Network Communication). Without SNC, DIAG traffic is compressed but not encrypted, so it can easily be sniffed and decompressed on the wire.

Used Network Ports

xx = instance number of the corresponding SAP instance. Note: the SAP Enqueue Server also uses a port in the range 3200-3298!

  • 32xx

Discovery

Shodan queries

At the time of writing, Shodan does not scan the ports used by this service, so no queries are available.

Hunter.how queries

  • protocol=="sapdisp" or protocol=="sapgui" or protocol=="sapdisp/sapgui"

Nmap

  • Scan for SAP Dispatcher port
nmap -sV -R -p3200-3298 -Pn <Target Address(es)/Domain Name>
nmap -sSVC -n -Pn -p3200-3298 --datadir . <Target Address(es)/Domain Name>

Nuclei

  • SAP Dispatcher service discovery & identification

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t /tools/nuclei-sap-templates/sap_dispatcher/sap-dispatcher-detect.yaml -u <Target Address/Domain Name>
  • SAP Dispatcher service instance information extraction

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t /tools/nuclei-sap-templates/sap_dispatcher/sap-dispatcher-login-info.yaml -u <Target Address/Domain Name>

Additional Information & Tools

Metasploit Framework Modules

  • exploit/windows/misc/sap_netweaver_dispatcher

SAP RFC Gateway

SAP RFC Gateway is a gateway service which, standalone or as part of an SAP ABAP system, provides the proprietary RFC protocol. Unpatched or misconfigured installations can lead to full system compromise, up to and including unauthenticated remote code execution. By default, the RFC protocol is not encrypted; encryption has to be set up with SNC (Secure Network Communication).

Used Network Ports

xx = instance number of the corresponding SAP instance

  • 33xx (unencrypted communication)
  • 48xx (encrypted communication (SNC enabled))

Discovery

Shodan queries

At the time of writing, Shodan does not scan the ports used by this service, so no queries are available.

Hunter.how queries

  • protocol=="sapgateway"

Nmap

  • Scan for RFC Gateway port
nmap -sV -R -p3300-3399 -Pn <Target Address(es)/Domain Name>
  • Scan for SNC enabled RFC Gateway port
nmap -sV -R -p4800-4899 -Pn <Target Address(es)/Domain Name>
nmap -sSVC -n -Pn -p3300-3399,4800-4899 --datadir . <Target Address(es)/Domain Name>

SAP Internet Graphic Server (IGS)

To quote SAP: "The Internet Graphics Service (IGS) constitutes the infrastructure to enable the application developers to display graphics in an Internet browser with a minimum of effort. The IGS has been integrated in the different SAP UI technologies from HTML GUI to Web Dynpro ABAP/Java and provides a server architecture where data from an SAP system or another source can be used to generate graphical or non-graphical output." When certain patches are missing, the IGS can be vulnerable to various attacks leading, for example, to arbitrary remote file manipulation or denial of service.

Used Network Ports

xx = instance number of the corresponding SAP instance

  • 4xx00 (Internet Graphics Server Multiplexer)
  • 4xx01 - 4xx79 (Internet Graphics Server Portwatcher)
  • 4xx80 - 4xx99 (Internet Graphics Server HTTP service)

Discovery

Shodan queries

  • "Server: SAP Internet Graphics Server"

Hunter.how queries

  • web.body="SAP IGS"&&header.server="SAP Internet Graphics Server"

Nmap

  • Scan for Internet Graphics Server HTTP port

Replace xx with the corresponding instance number

nmap -sV -R -p4xx80-4xx99 -Pn <Target Address(es)/Domain Name>

Replace <port/portrange> with the identified port(s)

nmap -sSVC -n -Pn -p<port/portrange> --datadir . <Target Address(es)/Domain Name>

Nuclei

  • HTTP service discovery & identification

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_internet_graphics_server/sap-igs-detection.yaml -u <Target Address/Domain Name>

Background

The SAP Internet Graphics Server (IGS) provides services to generate web graphics. It can run standalone or integrated into an SAP system. When certain patches are missing, the IGS can be vulnerable to various attacks leading, for example, to arbitrary remote file manipulation or denial of service. In recent years, various vulnerabilities have been identified which can cause critical damage to the SAP system or lead to a full system compromise. Besides generating web graphics, the IGS can also be used for generating compressed archives and much more. At Troopers 18, a talk presented more in-depth research on the service and the impact of the vulnerabilities. The talk can be found here.

With IGS 6.40 >= Patch 16 or IGS 7.00 >= Patch 4, SAP has disabled the HTTP-based administration commands by default. With the profile parameter igs/listener/http = 4$(SAPSYSTEM)80,administration the HTTP-based administration commands can be enabled again. They are not protected by any authentication mechanism, so due to a misconfiguration or manipulation of the system the administrative commands could still be enabled.

Additional Information & Tools

Metasploit Framework Modules

  • auxiliary/admin/sap/sap_igs_xmlchart_xxe

SAP Message Server

The SAP Message Server internal port provides cluster management services between the application servers of an SAP system cluster. When exposed to malicious actors, it can be misused to bypass the protection configuration of the SAP RFC Gateway and achieve full system compromise even when the gateway itself is properly configured.

Used Network Ports

xx = instance number of the corresponding SAP instance

  • 36xx (External communication)
  • 39xx (Internal communication)
  • 81xx (HTTP)
  • 444xx (HTTPs)

Discovery

Shodan queries

  • "SAP Message Server, release" (HTTP/s service)

Hunter.how queries

  • header="SAP Message Server, release"&&protocol=="http" (HTTP/s service)
  • protocol=="sapms" (Internal & External service)

Nmap

Replace <Target Address(es)/Domain Name> with the IP addresses, e.g. those discovered via Shodan

  • Scan for Internal Message Server port
nmap -sV -R -p3900-3999 -Pn <Target Address(es)/Domain Name>
  • Scan for External Message Server port
nmap -sV -R -p3600-3699 -Pn <Target Address(es)/Domain Name>
  • Scan for HTTP/s Message Server ports
nmap -sV -R -p8100-8199,44400-44499 -Pn <Target Address(es)/Domain Name>
nmap -sSVC -n -Pn -p3900-3999,3600-3699,8100-8199,44400-44499 --datadir . <Target Address(es)/Domain Name>

Nuclei

  • HTTP service discovery & identification

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-http-detection.yaml -u <Target Address/Domain Name>
  • HTTP service instance information extraction

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-instance-information-leak.yaml -u <Target Address/Domain Name>
  • TCP service discovery & identification (internal and external port)

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-tcp-service-detection.yaml -u <Target Address/Domain Name>
  • TCP service get message server acl info

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-internal-service-aclinfo-dump.yaml -u <Target Address/Domain Name>
  • TCP service get message server monitoring mode status

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-check-monitor-status.yaml -u <Target Address/Domain Name>
  • TCP service get message server admin port config

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-check-admin-port.yaml -u <Target Address/Domain Name>

Background

The SAP Message Server runs as a separate process as part of the SCS (SAP Central Services)/ASCS (ABAP SCS) and is used to distribute traffic according to the load of the SAP application servers. There is only one Message Server per SAP system. In addition to load balancing, the Message Server is also used for internal communication (i.e. between instances) and the distribution of logons/logon groups for SAP GUI, SAP RFC and HTTP traffic.

For security reasons, internal and external communication are split between two separate ports (internal and external port).

  • The internal port is used for the communication within the SAP system and allows reading and writing data.
  • The external port is used for the distribution of logins and allows read-only access only!

If an attacker is able to access the internal Message Server port because security controls are missing (e.g. no ACL, no host/network firewall), the following attack scenarios (and many more) become possible:

  • The attacker can register a new application server to man-in-the-middle user sessions and capture credentials
  • The attacker can register a new application server, which then bypasses e.g. the RFC Gateway ACL (10KBlaze/Betrusted attack)
  • The attacker can change Message Server parameters, e.g. enable the administrative port (ms/admin_port), which then grants full permission to adjust the SAP system configuration through the administrative port.

A public demonstration of the ability to attack an SAP system through the SAP Message Server can be found in the OPCDE talk from 2019 by Mathieu Geli and Dmitry Chastuhin.
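A profile check for the two settings called out on this page (the IGS HTTP listener carrying the administration keyword from the IGS Background section, and ms/admin_port from the list above), added here as a Python example that is not part of this wiki or its tools. The profile texts it parses are constructed, and the ms/admin_port value in them is a made-up placeholder.

```python
"""Audit an SAP instance profile for the two settings this page calls out:
igs/listener/http with the 'administration' keyword and an explicitly set
ms/admin_port. Constructed defender-side example, not an SAP or wiki tool;
the profile texts and the ms/admin_port value are made up."""
from __future__ import annotations

import re

# Constructed instance profile with both weak settings present.
WEAK_PROFILE = """\
# constructed profile, not from a real system
SAPSYSTEMNAME = A4H
SAPSYSTEM = 01
igs/listener/http = 4$(SAPSYSTEM)80,administration
# placeholder value, chosen for the example only
ms/admin_port = 3999
"""

# Same profile with the administration keyword dropped and no admin port.
HARDENED_PROFILE = """\
SAPSYSTEMNAME = A4H
SAPSYSTEM = 01
igs/listener/http = 4$(SAPSYSTEM)80
"""


def parse_profile(text: str) -> dict[str, str]:
    """Parse 'key = value' lines; lines starting with '#' are comments."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value
    return params


def resolve(value: str, params: dict[str, str], depth: int = 0) -> str:
    """Expand $(NAME) references to other parameters, so 4$(SAPSYSTEM)80 with
    SAPSYSTEM = 01 becomes 40180. Unknown names are left untouched and the
    depth guard stops self-referential definitions."""
    expanded = re.sub(r"\$\(([^)]+)\)",
                      lambda m: params.get(m.group(1), m.group(0)), value)
    if expanded == value or depth >= 5:
        return expanded
    return resolve(expanded, params, depth + 1)


def audit(params: dict[str, str]) -> list[tuple[str, str]]:
    """Return (parameter, finding) pairs; an empty list means nothing flagged."""
    findings: list[tuple[str, str]] = []
    listener = params.get("igs/listener/http")
    if listener is not None:
        port, _, options = resolve(listener, params).partition(",")
        if "administration" in [o.strip().lower() for o in options.split(",")]:
            findings.append(("igs/listener/http",
                             f"unauthenticated IGS admin commands on port {port}; "
                             "drop ',administration' (SAP default since IGS 6.40 "
                             "patch 16 / 7.00 patch 4)"))
    admin_port = params.get("ms/admin_port")
    if admin_port:
        findings.append(("ms/admin_port",
                         f"admin port explicitly set to {resolve(admin_port, params)}; "
                         "confirm it is intended and reachable only internally"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(parse_profile(text)) or "no findings")
```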

Additional Information & Tools

SAP Internet Communication Manager (ICM)

The SAP Internet Communication Manager (aka SAP ICM) ensures that communication between the SAP System (NetWeaver Application Server) and the outside world via HTTP, HTTPS, and SMTP protocols works properly. To accomplish this task, the SAP ICM provides a web server that serves as the foundation for web-based SAP technologies like Fiori, WebDynpro, or Business Server Pages (BSP). The SAP ICM comes with many security-relevant configurations for SSL encryption, cookie handling, authentication requests (HTTP) and even provides a dedicated security log.

SAP ICM increases the attack surface for common web application vulnerabilities like the OWASP Top 10, including Cross-Site Scripting (XSS), SQL Injection and Broken Authentication. There are some well-known attacks like the request smuggling attack (aka ICMAD) or a broken-authentication issue identified in the RFC protocol that also affected WebSocket RFC connections.

Used Network Ports

Any common HTTP Port can be configured to be used by SAP ICM

  • Example of common used SAP HTTP(s) ports:
    • 8000
    • 8001
    • 8443
    • 44300

Discovery

Shodan queries

  • "sap-server: true"
  • "sap-server: true" "SAP NetWeaver Application Server / ABAP"

Hunter.how queries

  • header="sap-server: true" or header="SAP NetWeaver Application Server / ABAP" or header="sap-perf-fesrec"

Nmap

Replace <Target Address(es)/Domain Name> with the IP addresses, e.g. those discovered via Shodan

As the SAP ICM can be configured to use any common HTTP port, it is recommended to scan for common HTTP ports like 80, 443, 8080, 8443, etc. to identify the SAP ICM service.

  • Simple scan for HTTP(s) ports
nmap -sV -R -p<Port(s)> -Pn <Target Address(es)/Domain Name>
nmap -sV -R -p<Port(s)> --datadir . -Pn <Target Address(es)/Domain Name>

Nuclei

  • Only service discovery

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_internet_communication_manager/sap-netweaver-icm-detect.yaml -u <Target Address/Domain Name>
  • SAP Fiori Launchpad discovery

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_internet_communication_manager/sap-netweaver-fiori-launchpad.yaml -u <Target Address/Domain Name>
  • SAP WebGUI discovery

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_internet_communication_manager/sap-netweaver-webgui.yaml -u <Target Address/Domain Name>
  • SAP Public information disclosure (Url path: /sap/public/info)

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_internet_communication_manager/sap-netweaver-info-leak.yaml -u <Target Address/Domain Name>

Background

SAP ICM provides a huge number of different web services and applications, including customer-developed services and web applications. Therefore it is not easy to specify a single template to scan for all the different flavours and applications. Within the Nuclei section we have provided templates for the most common services.

Service / Endpoint enumeration

The SAP ICM provides a lot of different webservices and api endpoints. Some are well protected and some are not. The following tools can be used to enumerate the different services and endpoints to get an overview of the exposed services.

Using gobuster tool:

Replace <Target Address/Domain Name and Port> with the IP address or domain name and the port of the ICM service.

gobuster dir -u <Target Address/Domain Name and Port> -w /tools/wordlists/sap_icm_paths.txt

Example:

You can specify a list of negative status codes to exclude from the output with the -b option. This can be useful to exclude common status codes like 400, 401, 403, 404, etc.

gobuster dir -u http://192.168.77.2:8000 -w /tools/wordlists/sap_icm_paths.txt -b 400,401,403,404

Using ffuf tool:

Replace <Target Address/Domain Name and Port> with the IP address or domain name and the port of the ICM service.

ffuf -u <Target Address/Domain Name and Port>/FUZZ -w /tools/wordlists/sap_icm_paths.txt -mc 200,302

ffuf is a tool which can be used to fuzz endpoints and directories. The -mc option specifies the status codes to match; matching only e.g. 200 and 302 effectively filters out common status codes like 400, 401, 403, 404, etc.

Example: ffuf run against an SAP ICM instance (screenshot)

Login Bruteforce (SAP WebGUI & Fiori Launchpad)

SAP provides two major ways for users to interact with SAP applications: SAP Web GUI (legacy) and SAP Fiori Launchpad (modern). Both are web-based, accessed via HTTP(s) and therefore often exposed to the internet. The SAP Web GUI is a web-based interface for accessing SAP applications and is based on the SAP GUI for Windows. The SAP Fiori Launchpad is the entry point to SAP Fiori apps on mobile and desktop devices; its role is to host SAP Fiori apps and provide access to them in a consistent and well-organized manner. In the last couple of years, SAP has added a CSRF protection mechanism by default to their web applications, which prevents older tools from working.

Important: SAP allows a maximum of 99 failed logins before a user gets locked out. By default this value is set to 5. Keep this in mind when running a brute-force attack.

There is a brute-force tool available for the SAP Web GUI and SAP Fiori Launchpad which can be found here. This tool supports the SAP CSRF mechanism. The repository also includes a Metasploit Framework module which needs to be installed manually.

  • Example of SAP Web GUI Bruteforce
./multi_brute_sap_webgui.py --sid FES --target 192.168.230.30 --user-file user.txt --pass-file passwords.txt

[*] Loading user wordlist...
[*] Loading password wordlist...
[+] Username/Password found: security:Security123
  • Example of SAP Fiori Launchpad Bruteforce
Module options (auxiliary/sap/sap_web_bruteforce):

   Name        Current Setting                          Required  Description
   ----        ---------------                          --------  -----------
   BRUTE_MODE  fiori                                    no        Which endpoint you want to attack (webgui/fiori)
   PASS_FILE   /opt/wordlists_custom/sap_passwords.txt  yes       Wordlist with passwords
   RHOSTS      192.168.77.4                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file
                                                                  :<path>'
   RPORT       50001                                    yes       Target port
   SAP_CLIENT  001                                      no        Target SAP client
   SAP_SID     A4H                                      yes       Target SAP SID
   SSL         True                                     yes       use SSL (true/false)
   TARGETURI   /sap/bc/ui2/flp                          yes       The base path
   THREADS     1                                        yes       The number of concurrent threads (max one per host)
   USER_FILE   /opt/wordlists_custom/sap_users.txt      yes       Wordlist with usernames 
msf6 auxiliary(sap/sap_web_bruteforce) > run

[*] Running for 192.168.230.30...
[*] Valid credential ddic:Security123
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Additional Information & Tools

Metasploit Framework Modules

  • auxiliary/scanner/sap/sap_soap_rfc_ping
  • auxiliary/scanner/sap/sap_soap_rfc_read_table
  • auxiliary/scanner/sap/sap_soap_rfc_system_info
  • auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface
  • auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec
  • auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec
  • auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec
  • auxiliary/dos/sap/sap_soap_rfc_eps_delete_file
  • auxiliary/scanner/sap/sap_soap_rfc_eps_get_directory_listing
  • auxiliary/scanner/sap/sap_soap_rfc_pfl_check_os_file_existence
  • auxiliary/scanner/sap/sap_soap_rfc_rzl_read_dir
  • exploit/multi/sap/sap_soap_rfc_sxpg_call_system_exec
  • auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec
  • exploit/multi/sap/sap_soap_rfc_sxpg_command_exec
  • auxiliary/scanner/sap/sap_soap_rfc_brute_login
  • auxiliary/scanner/sap/sap_web_gui_brute_login
  • auxiliary/scanner/sap/sap_icm_urlscan
  • auxiliary/scanner/sap/sap_icf_public_info

SAP Start Service

The SAP Start Service is a key element of SAP systems. The process is called sapstartsrv.exe on Windows and sapstartsrv on UNIX/Linux platforms. There is a separate sapstartsrv process for each instance, which is responsible for starting, stopping and monitoring the instance. Other products and solutions like the SAP Host Agent or the SAP HANA database server have their own SAP Start Service. By default, critical functions (like restarting an instance) are protected before they can be used, but not all web methods are protected by default, which allows retrieving critical information and details about the instances. The SAP Start Service is used by SAP MC and SAP MMC.

Used Network Ports

xx = instance number of the corresponding SAP instance

  • 5xx13/tcp (HTTP)
  • 5xx14/tcp (HTTPs)
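The instance-number port layout used throughout this page (32xx dispatcher, 33xx/48xx gateway, 4xx00-4xx99 IGS, 36xx/39xx/81xx/444xx message server, 5xx13/5xx14 start service) as an added Python example, not part of this wiki or its tools: it expands the layout for one instance, maps a port seen in a scan back to its candidate services, and lists listeners that fit no known instance on a host. The scan result it triages is constructed.

```python
"""Expand the instance-number port layout this page lists into concrete ports.

Constructed example for inventory and firewall review; not an SAP tool and not
part of this wiki. "xx" in the page's notation is the two-digit instance
number (00-99).
"""
from __future__ import annotations


def expected_ports(instance: int) -> dict[str, set[int]]:
    """Return {role: ports} for one instance number, following the layouts
    from the Dispatcher, RFC Gateway, IGS, Message Server and Start Service
    sections of this page."""
    if not 0 <= instance <= 99:
        raise ValueError("instance number must be between 00 and 99")
    xx = f"{instance:02d}"
    igs_base = int(f"4{xx}00")  # IGS multiplexer; portwatchers/HTTP follow it
    return {
        "Dispatcher DIAG, 32xx (range shared with Enqueue Server)": {int(f"32{xx}")},
        "RFC Gateway unencrypted, 33xx": {int(f"33{xx}")},
        "RFC Gateway SNC, 48xx": {int(f"48{xx}")},
        "Message Server external, 36xx": {int(f"36{xx}")},
        "Message Server internal, 39xx": {int(f"39{xx}")},
        "Message Server HTTP, 81xx": {int(f"81{xx}")},
        "Message Server HTTPS, 444xx": {int(f"444{xx}")},
        "IGS multiplexer, 4xx00": {igs_base},
        "IGS portwatcher, 4xx01-4xx79": set(range(igs_base + 1, igs_base + 80)),
        "IGS HTTP, 4xx80-4xx99": set(range(igs_base + 80, igs_base + 100)),
        "Start Service HTTP, 5xx13": {int(f"5{xx}13")},
        "Start Service HTTPS, 5xx14": {int(f"5{xx}14")},
    }


def identify_port(port: int) -> list[tuple[int, str]]:
    """Every (instance, role) pair whose expected ports contain `port`.

    More than one hit means the layout itself is ambiguous: 44400-44499 is
    both the Message Server HTTPS range (444xx, all instances) and the IGS
    range of instance 44, so only a banner grab can tell them apart.
    """
    return [
        (inst, role)
        for inst in range(100)
        for role, ports in expected_ports(inst).items()
        if port in ports
    ]


def unexpected_ports(open_ports: set[int], instances: set[int]) -> list[int]:
    """Open ports that belong to none of the instances known to run on a
    host: candidates for a firewall rule or signs of an unknown instance."""
    allowed: set[int] = set()
    for inst in instances:
        for ports in expected_ports(inst).values():
            allowed |= ports
    return sorted(p for p in open_ports if p not in allowed)


if __name__ == "__main__":
    # Constructed scan result for a host that should only run instance 01.
    seen = {3201, 3301, 8101, 44401, 40180, 50113, 3200, 2222}
    for port in sorted(seen):
        print(port, identify_port(port) or "no SAP NetWeaver role")
    print("unexpected for instance 01:", unexpected_ports(seen, {1}))
```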

Discovery

Shodan queries

At the time of writing, Shodan does not scan the ports used by this service, so no queries are available.

Hunter.how queries

  • web.title="SAP Management Console" and (protocol=="http" or protocol=="https")

Nmap

Replace <Target Address(es)/Domain Name> with the IP addresses, e.g. those discovered via Shodan

nmap -sSVC -n -Pn -p50013-59914 <Target Address(es)/Domain Name>

Using the Nmap ERPScan probes (--datadir .) makes the service identification more accurate.

nmap -sSVC -n -Pn -p50013-59914 --datadir . <Target Address(es)/Domain Name>

Example: NMAP ERPscan service identification

Nuclei

  • Only service discovery

Replace <Target Address/Domain Name> with the IP address or domain name. Alternatively, pass a list of domains/IP addresses with the -l option.

nuclei -t nuclei-sap-templates/sap_start_service/sap-start-service-detect.yaml -u <Target Address/Domain Name>

Nuclei example of SAP Start Service discovery

Background

SAP Start Service offers various web methods as SOAP web services to control SAP instances. By default, some of the web methods are accessible without authentication, so anyone with access to the SAP Start Service ports can call them. This can have a critical impact on the security of the systems. SAP Note 1439348 describes how the web methods can be protected and access can be restricted.

To enumerate the unprotected web methods the sapstartsrv-enumeration tool can be used. The tool can be found here: https://github.com/randomstr1ng/sapstartsrv-enumeration or within the provided container image: /tools/sapstartsrv-enumeration/sapstartsrv-enum.py

Example to retrieve a list of unprotected methods:

$ python3 sapstartsrv-enum.py -t <Target Address> -p <Service Port> --methods
[*] Target URL: http://192.168.77.6:50013/?wsdl
[+] Unprotected WebMethods:
+------------+-----------------------------------------------------------------------------------------------------+
|  Instance  |                                               Methods                                               |
+------------+-----------------------------------------------------------------------------------------------------+
| vhcala4hci | GetSystemInstanceList,AccessCheck,GetInstanceProperties,GetProcessList,GetNetworkId,GetSecNetworkId |
| vhcala4hci | GetSystemInstanceList,AccessCheck,GetInstanceProperties,GetProcessList,GetNetworkId,GetSecNetworkId |
+------------+-----------------------------------------------------------------------------------------------------+

For more details, e.g. how to install and use the tool, take a look at the sapstartsrv-enumeration README.

Additional Information & Tools

Metasploit Framework Modules

  • auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
  • auxiliary/scanner/sap/sap_mgmt_con_brute_login
  • auxiliary/scanner/sap/sap_mgmt_con_extractusers
  • auxiliary/scanner/sap/sap_mgmt_con_abaplog
  • auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
  • auxiliary/scanner/sap/sap_mgmt_con_getprocessparameteress
  • auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
  • auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
  • auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
  • auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
  • auxiliary/admin/sap/sap_mgmt_con_osexec
  • exploit/multi/sap/sap_mgmt_con_osexec_payload
  • auxiliary/scanner/sap/sap_mgmt_con_version
  • auxiliary/scanner/sap/sap_mgmt_con_getenv
  • auxiliary/scanner/sap/sap_mgmt_con_startprofile