RE: SAP information sniffing - need help



Many thanks !

Yes, you are right, I was trying to sniff out DIAG and not RFCs. My newbie
mistake :) I know that in your email/paper you said that there's not a lot of
information out there for SAP vuln/pen-test, but are you aware of any
"white-paper" that I could read that explains the details of DIAG? I really
would like to go deeper in this issue.


Many thanks for the great white-paper & support you offered thru these
emails, appreciated!

Have a good day!



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
behalf of Mariano Nuñez Di Croce
Sent: Friday, May 2, 2008 17:54
To: Rivest, Philippe
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: SAP information sniffing - need help

Hi Philippe,

Please let me know if I'm wrong, but I understand that you are
sniffing the traffic between your client (SAPGUI) and a remote SAP
Application Server.
In the paper you have read I have described the possibility of uncovering
the credentials used in communications performed using the RFC (Remote
Function Call) protocol.

The communication between the SAPGUI and an SAP AS is done mostly
through the DIAG protocol, which sends the information compressed in what
seems to be a variation of the LZ algorithm, thus you won't get any
cleartext or obfuscated credentials despite not using SNC.

However, if you are sure SNC is not being used, try to sniff
communication between different SAP systems (and with external systems) and
you may be able to prove your point.

Cheers,

-----------------------------------------
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez@xxxxxxxxxx
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------


----- Original Message -----
From: rivestp@xxxxxxxx
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Tue Apr 29 14:09
Subject: Fwd: SAP information sniffing - need help


Hello,


This question is from a previous post I got that sent me to this
interesting web
page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.
Basically, if you look at page 6 of the
document, it shows a sniffing result and tells us about the
username/password of SAP.


I have tried to reproduce this with Wireshark, filtering the traffic
from my SAP server (using the IP as filter). I can't find the username,
client_id or anything related to authentication. I would then think
we are using SNC, but in fact we are not (I checked the properties of the
client).


Anyone who can give me links or a way to identify the
username/client_id or password (that I will XOR) would greatly help me
get SNC activated here (and also get rid of telnet & ftp :))



Appreciated


Philippe Rivest, Certified Ethical Hacker


