SAP NetWeaver Services

This Section includes information and details about Services provided by SAP NetWeaver deployments. This includes Services like SAP RFC Gateway, SAP Message Server, SAP Internet Communication Manager, etc.

SAP RFC Gateway

SAP RFC Gateway is a gateway service which standalone, or as part of an SAP ABAP system provides service for the proprietary RFC protocol. Unpatched, or misconfigured installations can yield to full system compromise. Up to unauthenticated remote code execution vulnerabilities. By default, the RFC protocol is not encrypted. Communication encryption has to be set up by the use of SNC.

Port	Used Tools	Additional Notes
3300	NMAP, NMAP erpscan

If the initial scan has not identified any open ports for the SAP Gateway, you can try to scan with the below command specifying the SAP Gateway port if it is not the default one.

nmap -sV -R -p 3300 -Pn <target>

To automate the process for better detection you can use the files found in the 3300 zip file found here. Using the Python script found in the files, read the SAP info where possible (from a Windows machine and adjust in script sysnr=XX to correct system number):

py.exe SAPinfo_WIN_v2.py <filename_with_ip_addresses>

To check whether the gateway is vulnerable use the Gateway_Scanner_RESEARCH_V0.1.py file found here

py.exe Gateway_Scanner_RESEARCH_V0.1.py <filename_with_ip_addresses>

SAP Internet Graphic Server (IGS)

SAP Internet Graphic Server (IGS) provides services to generate web graphics. It can run standalone or intergrated in an SAP system. When certain patches are missing the IGS can be vulnerable to various attacks yielding for example to arbitrary remote file manipulation or denial of service.

Port	Used Tools	Additional Notes
40080	NMAP, NMAP erpscan

If the initial scan has not identified any open ports for the SAP Internet Graphic Server, you can try to scan with the below command specifying the SAP Internet Graphic Server port if it is not the default one.

nmap -sV -R -p 40080 -Pn <target>

SAP Message Server

SAP Message Server Internal Port provides cluster management services between the application servers of an SAP system cluster. When exposed to malicious actors it can be misused to bypass protection configurations of the SAP RFC Gateway to allow full system compromise even when the gateway is properly configured.

Used Network Ports

xx = Instance Number of the correlating SAP Instance Number

• 36xx (External communication)
• 39xx (Internal communication)
• 81xx (HTTP)
• 444xx (HTTPs)

Discovery

Shodan queries

• "SAP Message Server, release"

Nmap

Replace the <Target Address(es)/Domain Name> with the IP addresses e.g. discovered via Shodan

• Scan for Internal Message Server port

nmap -sV -R -p3900-3999 -Pn <Target Address(es)/Domain Name>

• Scan for External Message Server port

nmap -sV -R -p3600-3699 -Pn <Target Address(es)/Domain Name>

• Scan for HTTP/s Message Server ports

nmap -sV -R -p8100-8199,44400-44499 -Pn <Target Address(es)/Domain Name>

• Scan all potential ports using NMAP ERPscan probes service probes

nmap -sSVC -n -Pn -p3900-3999,3600-3699,8100-8199,44400-44499 --datadir . <Target Address(es)/Domain Name>

Nuclei

Background

Additional Information & Tools

SAP Internet Communication Manager (ICM)

--Work in progress--

SAP Start Service

The SAP start service is a key element of SAP systems as of SAP Systems. The process is called sapstartsrv.exe on Windows, and sapstartsrv on UNIX/Linux platforms. There is a separate sapstartsrv process for each instance, which is responsible for starting, stopping, and monitoring the instance. Other Products & Solutions like the SAP Host Agent or the SAP HANA Database Server has their own SAP Start Service. By default, critical functions are protected before they can be used (like Restart an Instance) but not all services are protected by default. This allows to retrieve critical information and details about the Instances. The SAP Start Service is used by SAP MC and SAP MMC.

Used Network Ports

xx = Instance Number of the correlating SAP Instance Number

• 5xx13/tcp (HTTP)
• 5xx14/tcp (HTTPs)

Discovery

Shodan queries

At the time of writing the section, Shodan does not scan ports which are used by this service. Therfore, no information/queries are availible.

Nmap

Replace the <Target Address(es)/Domain Name> with the IP addresses e.g. discovered via Shodan

nmap -sSVC -n -Pn -p50013-59914 <Target Address(es)/Domain Name>

Using the NMAP ERPscan probes allows to be more accurate for the Service identification

nmap -sSVC -n -Pn -p50013-59914 --datadir . <Target Address(es)/Domain Name>

Example:

Nuclei

• Only service discovery

Replace the <Target Address/Domain Name> with the IP addresses. Alternative, specify a list of Domains/IP Addresses using option -l

nuclei -t nuclei-sap-templates/sap_start_service/sap-start-service-detect.yaml -u <Target Address/Domain Name>

Background

SAP Start Service offers various web methods as SOAP web services to control the SAP instances. By default, some of the web methods are accessible without authentication. This allows anyone with access to the SAP Start Service ports to call these web methods. This can have a critical impact for the security of the systems. SAP note 1439348 describes, how web methods can be protected and the access can be adjusted to provide more security.

To enumerate the unprotected web methods the sapstartsrv-enumeration tool can be used. The tool can be found here: https://github.com/randomstr1ng/sapstartsrv-enumeration

Example to retrieve a list of unprotected methods:

$ python3 sapstartsrv-enum.py -t <Target Address> -p <Service Port> --methods

[*] Target URL: http://192.168.77.6:50013/?wsdl
[+] Unprotected WebMethods:
+------------+-----------------------------------------------------------------------------------------------------+
|  Instance  |                                               Methods                                               |
+------------+-----------------------------------------------------------------------------------------------------+
| vhcala4hci | GetSystemInstanceList,AccessCheck,GetInstanceProperties,GetProcessList,GetNetworkId,GetSecNetworkId |
| vhcala4hci | GetSystemInstanceList,AccessCheck,GetInstanceProperties,GetProcessList,GetNetworkId,GetSecNetworkId |
+------------+-----------------------------------------------------------------------------------------------------+

For more details on e.g. how to install and use the tool, take a look on the sapstartsrv-enumeration README.

Additional Information & Tools

• sapstartsrv-enumeration tool
• SAP Support Wiki - Protected web methods of sapstartsrv
• Securing the SAP Instance Agent / SAP Start Service
• SAP Notes:
  • 1439348 - Extended security settings for sapstartsrv
  • 927637 - Web service authentication in sapstartsrv as of Release 7.00

Metasploit Framework Modules

• auxiliary/scanner/sap/sap_mgmt_con_getaccesspoints
• auxiliary/scanner/sap/sap_mgmt_con_brute_login
• auxiliary/scanner/sap/sap_mgmt_con_extractusers
• auxiliary/scanner/sap/sap_mgmt_con_abaplog
• auxiliary/scanner/sap/sap_mgmt_con_getlogfiles
• auxiliary/scanner/sap/sap_mgmt_con_getprocessparameteress
• auxiliary/scanner/sap/sap_mgmt_con_getprocesslist
• auxiliary/scanner/sap/sap_mgmt_con_instanceproperties
• auxiliary/scanner/sap/sap_mgmt_con_listconfigfiles
• auxiliary/scanner/sap/sap_mgmt_con_listlogfiles
• auxiliary/admin/sap/sap_mgmt_con_osexec
• exploit/multi/sap/sap_mgmt_con_osexec_payload
• auxiliary/scanner/sap/sap_mgmt_con_version
• auxiliary/scanner/sap/sap_mgmt_con_getenv
• auxiliary/scanner/sap/sap_mgmt_con_startprofile