RE: SAP information sniffing - need help
- From: "Rivest, Philippe" <Rivestp@xxxxxxxx>
- Date: Tue, 6 May 2008 08:24:17 -0400
Many thanks !
Yes you are right, i was trying to sniff out DIAG and not RFC'S. My newbee
mistake :) I know that in your email/paper you said that theres not a lot of
information out there for SAP vuln/pen-test, but are you aware of any
"white-paper" that i could read that explains the details of DIAG, i really
would like to go deeper in this issue.
Many thanks for the great white-paper & support you offered thru these
emails, appreciated!
Have a good day!
-----Message d'origine-----
De : listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] De
la part de Mariano Nuñez Di Croce
Envoyé : vendredi 2 mai 2008 17:54
À : Rivest, Philippe
Cc : security-basics@xxxxxxxxxxxxxxxxx
Objet : Re: SAP information sniffing - need help
Hi Philippe,
Please let me know if I'm wrong, but I understand that you are
sniffing the traffic between your client (SAPGUI) and a remote SAP
Application Server.
In the paper you have read I have described the possibility of uncovering
the credentials used in communications performed using the RFC (Remote
Function Call) protocol.
The communication between the SAPGUI and an SAP AS is done mostly
through the DIAG protocol, which sends the information compressed in what
seems to be a variation of the LZ algorithm, thus you won't get any
cleartext or obfuscated credentials despite not using SNC.
However, if you are sure SNC is not being used, try to sniff
communication between different SAP systems (and with external systems) and
you may be able to prove your point.
Cheers,
-----------------------------------------
Mariano Nuñez Di Croce
CYBSEC S.A. Security Systems
Email: mnunez@xxxxxxxxxx
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------
----- Original Message -----client).
From: rivestp@xxxxxxxx
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Tue Apr 29 14:09
Subject: Fwd: SAP information sniffing - need help
Hello,
This question is from a previous post i got that sent me to this
interesting web
page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.
<parse.pl?redirect=http%3A%2F%2Fwww.cybsec.com%2Fupload%2Fbh-eu-07-nun
ez-di-croce-WP_paper.pdf.> Basicly if you look at page 6 of the
document, it shows a sniffing result and tells us about the
username/password of SAP.
I have tried to reproduce this with Wireshark, filtering the traffic
from my SAP server (using the ip as filter). I cant find the username,
client_id or anything related to authentification. I would then think
we are using SNC, but in fact we are not (i check the proprieties of the
Anyone who can give me links or a way to identify the
username/client_id or password (that i will XOR) would greatly help me
get SNC activated here (and also get rid of telnet & ftp :))
Appreciated
Philippe Rivest, Certified Ethical Hacker
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- Follow-Ups:
- Re: SAP information sniffing - need help
- From: Mariano Nuñez Di Croce
- Re: SAP information sniffing - need help
- References:
- Re: SAP information sniffing - need help
- From: Mariano Nuñez Di Croce
- Re: SAP information sniffing - need help
- Prev by Date: WEP cracking
- Next by Date: Re: WEP cracking
- Previous by thread: Re: SAP information sniffing - need help
- Next by thread: Re: SAP information sniffing - need help
- Index(es):
Relevant Pages
|
