
SAP NetWeaver Services

randomstr1ng edited this page Dec 17, 2023 · 41 revisions

This section covers the services provided by SAP NetWeaver deployments, such as the SAP RFC Gateway, the SAP Message Server and the SAP Internet Communication Manager.

SAP RFC Gateway

SAP RFC Gateway is a gateway service that, standalone or as part of an SAP ABAP system, serves the proprietary RFC protocol. Unpatched or misconfigured installations can lead to full system compromise, up to unauthenticated remote code execution. By default, the RFC protocol is not encrypted; communication encryption has to be set up using SNC (Secure Network Communications).

Port  | Used Tools          | Additional Notes
------+---------------------+-----------------
3300  | NMAP, NMAP erpscan  |

If the initial scan has not identified an open port for the SAP Gateway, you can try the command below, specifying the SAP Gateway port if it is not the default one.

nmap -sV -R -p 3300 -Pn <target>

To automate the process for better detection, you can use the files in the 3300 zip file found here. Using the Python script contained in it, read the SAP info where possible (run from a Windows machine and adjust sysnr=XX in the script to the correct system number):

py.exe SAPinfo_WIN_v2.py <filename_with_ip_addresses>

To check whether the gateway is vulnerable, use the Gateway_Scanner_RESEARCH_V0.1.py file found here:

py.exe Gateway_Scanner_RESEARCH_V0.1.py <filename_with_ip_addresses>

SAP Internet Graphics Server (IGS)

SAP Internet Graphics Server (IGS) provides services to generate web graphics. It can run standalone or integrated in an SAP system. When certain patches are missing, the IGS can be vulnerable to various attacks leading, for example, to arbitrary remote file manipulation or denial of service.

Port   | Used Tools          | Additional Notes
-------+---------------------+-----------------
40080  | NMAP, NMAP erpscan  |

If the initial scan has not identified an open port for the SAP Internet Graphics Server, you can try the command below, specifying the IGS port if it is not the default one.

nmap -sV -R -p 40080 -Pn <target>

SAP Message Server

The SAP Message Server internal port provides cluster management services between the application servers of an SAP system. When exposed to malicious actors, it can be misused to bypass the protection configuration of the SAP RFC Gateway and allow full system compromise even when the gateway itself is properly configured.

Used Network Ports

xx = instance number of the corresponding SAP instance

  • 36xx (External communication)
  • 39xx (Internal communication)
  • 81xx (HTTP)
  • 444xx (HTTPS)

Discovery

Shodan queries

  • "SAP Message Server, release" (HTTP/s service)

Nmap

Replace <Target Address(es)/Domain Name> with the IP addresses, e.g. those discovered via Shodan.

  • Scan for Internal Message Server port
nmap -sV -R -p3900-3999 -Pn <Target Address(es)/Domain Name>
  • Scan for External Message Server port
nmap -sV -R -p3600-3699 -Pn <Target Address(es)/Domain Name>
  • Scan for HTTP/s Message Server ports
nmap -sV -R -p8100-8199,44400-44499 -Pn <Target Address(es)/Domain Name>
  • Combined scan of all Message Server port ranges using the NMAP ERPScan probes (--datadir . points nmap at the probe files in the current directory)
nmap -sSVC -n -Pn -p3900-3999,3600-3699,8100-8199,44400-44499 --datadir . <Target Address(es)/Domain Name>

Nuclei

  • HTTP service discovery & identification

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-http-detection.yaml -u <Target Address/Domain Name>
  • HTTP service instance information extraction

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-instance-information-leak.yaml -u <Target Address/Domain Name>
  • TCP service discovery & identification (internal and external port)

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-tcp-service-detection.yaml -u <Target Address/Domain Name>
  • TCP service: get Message Server ACL info

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-internal-service-aclinfo-dump.yaml -u <Target Address/Domain Name>
  • TCP service: get Message Server monitoring mode status

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-check-monitor-status.yaml -u <Target Address/Domain Name>
  • TCP service: get Message Server admin port configuration

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_message_server/sap-message-server-check-admin-port.yaml -u <Target Address/Domain Name>

Background

The SAP Message Server runs as a separate process as part of the SCS (SAP Central Services)/ASCS (ABAP SCS) instance and is used to distribute traffic according to the load of the SAP application servers. There is only one Message Server per SAP system. In addition to load balancing, the Message Server is also used for internal communication (i.e. between instances) and for the distribution of logon groups for SAP GUI, SAP RFC and HTTP traffic.

For security reasons, internal and external communication is split between two separate ports (internal port and external port).

  • The internal port is used for communication within the SAP system and allows data to be read and written.
  • The external port is used for the distribution of logons and allows read-only access.

If an attacker is able to access the internal Message Server port due to missing security controls (e.g. missing ACL, missing host/network firewall), the following attack scenarios become possible (among many others):

  • Register a new application server to man-in-the-middle user sessions and capture credentials
  • Register a new application server, which then bypasses e.g. the RFC Gateway ACL (10KBlaze/Betrusted attack)
  • Change Message Server parameters, e.g. enable the administrative port (ms/admin_port), which then grants full permission to adjust the SAP system configuration through the administrative port

A public demonstration of how an SAP system can be attacked through the SAP Message Server can be found in the OPCDE 2019 talk by Mathieu Geli and Dmitry Chastuhin.

Additional Information & Tools

SAP Internet Communication Manager (ICM)

--Work in progress--

SAP Start Service

The SAP Start Service is a key element of SAP systems. The process is called sapstartsrv.exe on Windows and sapstartsrv on UNIX/Linux platforms. There is a separate sapstartsrv process for each instance, which is responsible for starting, stopping and monitoring the instance. Other products and solutions, like the SAP Host Agent or the SAP HANA database server, have their own SAP Start Service. By default, critical functions (like restarting an instance) are protected, but not all functions are protected by default. This allows critical information and details about the instances to be retrieved. The SAP Start Service is used by SAP MC and SAP MMC.

Used Network Ports

xx = instance number of the corresponding SAP instance

  • 5xx13/tcp (HTTP)
  • 5xx14/tcp (HTTPS)
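
The port conventions listed above for the SAP Start Service, and the Message Server, RFC Gateway and IGS ports in the earlier sections, follow one pattern: two digits of the port number encode the instance number. The Python helper below is an added example (not the wiki's or any tool's code) that turns an instance number into the expected ports, maps a port found in a scan back to the service and instance it can belong to, and builds an nmap -p specification covering all instances of the selected services. The service labels and helper names are my own; the IGS pattern 4xx80 is an assumption generalised from the page's default of 40080, and the sample port list at the bottom is constructed.

```python
"""Map SAP NetWeaver port conventions to services and back (added example)."""
import re

# Port conventions per service; "xx" stands for the two-digit instance number.
# RFC Gateway, Message Server and Start Service patterns are taken from the wiki
# text above. The IGS pattern 4xx80 is my assumption, generalised from the
# page's default IGS port 40080 (instance 00).
PORT_PATTERNS = {
    "RFC Gateway": "33xx",
    "Message Server (external)": "36xx",
    "Message Server (internal)": "39xx",
    "Message Server (HTTP)": "81xx",
    "Message Server (HTTPS)": "444xx",
    "SAP Start Service (HTTP)": "5xx13",
    "SAP Start Service (HTTPS)": "5xx14",
    "IGS (HTTP)": "4xx80",
}


def port_for(pattern: str, instance: int) -> int:
    """Fill the 'xx' placeholder with a zero-padded instance number (00-99)."""
    if not 0 <= instance <= 99:
        raise ValueError("SAP instance numbers are 00..99")
    return int(pattern.replace("xx", f"{instance:02d}"))


def ports_for_instance(instance: int) -> dict:
    """All convention ports of one instance, keyed by service label."""
    return {svc: port_for(pat, instance) for svc, pat in PORT_PATTERNS.items()}


def classify_port(port: int) -> list:
    """Return every (service, instance) pair a port number can correspond to.

    Patterns overlap in places (44480 is Message Server HTTPS of instance 80
    and also IGS of instance 44), so a list is returned, sorted by service.
    """
    hits = []
    for svc, pat in PORT_PATTERNS.items():
        match = re.fullmatch(pat.replace("xx", r"(\d\d)"), str(port))
        if match:
            hits.append((svc, int(match.group(1))))
    return sorted(hits)


def _compress(ports: list) -> str:
    """Turn a sorted list of ints into nmap's 'a-b,c,d-e' port notation."""
    spans = []
    for p in ports:
        if spans and p == spans[-1][1] + 1:
            spans[-1][1] = p
        else:
            spans.append([p, p])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in spans)


def nmap_port_spec(services: list = None) -> str:
    """Ports of all instances (00-99) of the chosen services as an nmap -p value."""
    chosen = services or list(PORT_PATTERNS)
    ports = sorted({port_for(PORT_PATTERNS[s], i) for s in chosen for i in range(100)})
    return _compress(ports)


def triage(open_ports) -> list:
    """Label open ports (e.g. from an nmap result) with their SAP meaning."""
    rows = []
    for p in sorted(set(open_ports)):
        hits = classify_port(p)
        if not hits:
            rows.append((p, "not an SAP NetWeaver convention port", None))
        for svc, inst in hits:
            rows.append((p, svc, inst))
    return rows


if __name__ == "__main__":
    # Constructed sample: open ports as a scanner might report them for one host.
    sample = [22, 3300, 3600, 3900, 8100, 44400, 50013, 50014, 40080, 44480]
    for port, svc, inst in triage(sample):
        print(f"{port:>6}  {svc:<36} instance {'-' if inst is None else inst:02}")
    print("nmap -sV -Pn -p", nmap_port_spec(["Message Server (internal)", "SAP Start Service (HTTP)"]), "<target>")
```

The ambiguity handling matters when reading scan results: a single port such as 44480 cannot be attributed to one service without looking at the banner, which is exactly where the NMAP ERPScan probes used on this page help.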

Discovery

Shodan queries

At the time of writing, Shodan does not scan the ports used by this service. Therefore, no information/queries are available.

Nmap

Replace <Target Address(es)/Domain Name> with the IP addresses to scan.

nmap -sSVC -n -Pn -p50013-59914 <Target Address(es)/Domain Name>

Using the NMAP ERPScan probes gives a more accurate service identification:

nmap -sSVC -n -Pn -p50013-59914 --datadir . <Target Address(es)/Domain Name>

Example: NMAP ERPscan service identification

Nuclei

  • Only service discovery

Replace <Target Address/Domain Name> with the IP address. Alternatively, specify a list of domains/IP addresses using the -l option.

nuclei -t nuclei-sap-templates/sap_start_service/sap-start-service-detect.yaml -u <Target Address/Domain Name>

Nuclei example of SAP Start Service discovery

Background

SAP Start Service offers various web methods as SOAP web services to control SAP instances. By default, some of these web methods are accessible without authentication, so anyone with access to the SAP Start Service ports can call them. This can have a critical impact on the security of the systems. SAP Note 1439348 describes how web methods can be protected and how access can be adjusted to provide more security.

To enumerate the unprotected web methods, the sapstartsrv-enumeration tool can be used. It can be found at https://github.com/randomstr1ng/sapstartsrv-enumeration or within the provided container image at /tools/sapstartsrv-enumeration/sapstartsrv-enum.py.

Example of retrieving a list of unprotected methods:

$ python3 sapstartsrv-enum.py -t <Target Address> -p <Service Port> --methods
[*] Target URL: http://192.168.77.6:50013/?wsdl
[+] Unprotected WebMethods:
+------------+-----------------------------------------------------------------------------------------------------+
|  Instance  |                                               Methods                                               |
+------------+-----------------------------------------------------------------------------------------------------+
| vhcala4hci | GetSystemInstanceList,AccessCheck,GetInstanceProperties,GetProcessList,GetNetworkId,GetSecNetworkId |
| vhcala4hci | GetSystemInstanceList,AccessCheck,GetInstanceProperties,GetProcessList,GetNetworkId,GetSecNetworkId |
+------------+-----------------------------------------------------------------------------------------------------+

For more details, e.g. on how to install and use the tool, take a look at the sapstartsrv-enumeration README.
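
As an added example that is not part of the wiki or of the sapstartsrv-enumeration tool, the Python script below shows the mechanics behind such a check so that an administrator can verify, after hardening per SAP Note 1439348, that a method really requires credentials: it posts a bare SOAP call for one web method to the Start Service HTTP port and classifies the answer. It assumes that sapstartsrv answers a protected method called without credentials with HTTP 401 and an allowed call with 200 and a <Method>Response element, and that the SOAPAction header may be sent empty as sapcontrol clients do. The method names come from the output above; ListLogFiles is my placeholder for a read-only method one expects to be protected, and the script only ever calls methods from a read-only allowlist so that a probe can never trigger a state change. Only probe() talks to a host; build_request(), classify() and findings() run offline.

```python
"""Check which sapstartsrv web methods answer without credentials (added example)."""
import urllib.error
import urllib.request

# Web methods listed as unprotected in the wiki output above.
DEFAULT_UNPROTECTED = [
    "GetSystemInstanceList", "AccessCheck", "GetInstanceProperties",
    "GetProcessList", "GetNetworkId", "GetSecNetworkId",
]
# Placeholder (my assumption): a read-only method that a hardened system is
# expected to protect. Adjust to your service/protectedwebmethods setting.
EXPECT_PROTECTED = {"ListLogFiles"}
# Only read-only methods are ever called, so a probe cannot restart or stop anything.
READ_ONLY_METHODS = set(DEFAULT_UNPROTECTED) | {"ListLogFiles", "GetEnvironment"}

# Minimal SOAP 1.1 envelope for a parameterless sapstartsrv web method.
SOAP_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
    ' xmlns:urn="urn:SAPControl">'
    "<SOAP-ENV:Body><urn:{method}/></SOAP-ENV:Body>"
    "</SOAP-ENV:Envelope>"
)


def build_request(method: str) -> bytes:
    """Return the SOAP body that calls `method` without any parameters."""
    if not method.isalnum():
        raise ValueError("unexpected characters in web method name")
    return SOAP_TEMPLATE.format(method=method).encode("utf-8")


def classify(method: str, status: int, body: str) -> str:
    """Turn an HTTP status and response body into a verdict.

    Assumed behaviour: 401 means the method is protected; 200 with a
    <method>Response element means it answered without credentials.
    Anything else (SOAP fault, unknown method, HTTP 500) is 'error'.
    """
    if status == 401:
        return "protected"
    if status == 200 and f"{method}Response" in body:
        return "unprotected"
    return "error"


def probe(host: str, port: int, method: str, timeout: float = 5.0) -> str:
    """Call `method` once without credentials and classify the answer."""
    if method not in READ_ONLY_METHODS:
        raise ValueError(f"{method} is not in the read-only allowlist; refusing to call it")
    req = urllib.request.Request(
        f"http://{host}:{port}/",
        data=build_request(method),
        method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(method, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(method, err.code, err.read().decode("utf-8", "replace"))


def findings(results: dict, expect_protected: set = EXPECT_PROTECTED) -> list:
    """Methods that should require credentials but answered without them."""
    return sorted(m for m, verdict in results.items()
                  if m in expect_protected and verdict == "unprotected")


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. <host> 50013 for instance 00
    results = {m: probe(host, port, m) for m in sorted(READ_ONLY_METHODS)}
    for method, verdict in results.items():
        print(f"{method:<24} {verdict}")
    print("expected protected but answered anyway:", findings(results) or "none")
```

Run it from a host that should not have administrative access to the instance; every "unprotected" verdict on a method you consider sensitive is a configuration finding, while the six methods from the output above answering is the documented default.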

Additional Information & Tools

Metasploit Framework Modules

  • auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
  • auxiliary/scanner/sap/sap_mgmt_con_brute_login
  • auxiliary/scanner/sap/sap_mgmt_con_extractusers
  • auxiliary/scanner/sap/sap_mgmt_con_abaplog
  • auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
  • auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter
  • auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
  • auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
  • auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
  • auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
  • auxiliary/admin/sap/sap_mgmt_con_osexec
  • exploit/multi/sap/sap_mgmt_con_osexec_payload
  • auxiliary/scanner/sap/sap_mgmt_con_version
  • auxiliary/scanner/sap/sap_mgmt_con_getenv
  • auxiliary/scanner/sap/sap_mgmt_con_startprofile