Security Basics mailing list archives

Re: SAP information sniffing - need help


From: Mariano Nuñez Di Croce <mnunez () cybsec com>
Date: Fri, 02 May 2008 18:53:57 -0300

Hi Philippe,

        Please let me know if I'm wrong, but I understand that you are sniffing the traffic between your client (SAPGUI) and a remote SAP Application Server.
In the paper you have read I have described the possibility of uncovering the credentials used in communications performed using the RFC (Remote Function Call) protocol.
        
        The communication between the SAPGUI and an SAP AS is done mostly through the DIAG protocol, which sends the information compressed in what seems to be a variation of the LZ algorithm, thus you won't get any cleartext or obfuscated credentials despite not using SNC.

        However, if you are sure SNC is not being used, try to sniff communication between different SAP systems (and with external systems) and you may be able to prove your point.

        Cheers, 
        
-----------------------------------------
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez () cybsec com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------
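An added illustration of the point made above, written for this archive page and not taken from the thread or from CYBSEC: a byte search over a compressed payload does not find the cleartext fields, yet the data is trivially recoverable once decompressed, so compression hides credentials from a sniffer's "find string" but is no substitute for SNC. zlib (an LZ77-based codec) stands in for SAP's LZ variant, which this example does not implement; the logon payload and its field names are constructed for the example and are not SAP's wire format.

```python
"""Added example: compressed application-layer traffic vs. a naive sniffer search.

Assumptions (not from the thread): zlib stands in for the DIAG LZ variant, and the
logon payload below is constructed; neither is SAP's real codec or wire format.
"""
import zlib

# Constructed sample logon fields, as a cleartext exchange might carry them.
# Field names are illustrative only.
SAMPLE_LOGON = b"CLIENT=100\x00USER=JDOE\x00PASSWD=S3cret!\x00LANG=EN\x00"


def compress_like_diag(payload: bytes) -> bytes:
    """Stand-in for DIAG's LZ-style compression (assumption: zlib, not SAP's codec)."""
    return zlib.compress(payload)


def naive_credential_search(raw: bytes, needle: bytes) -> bool:
    """What a 'find bytes' search in a packet capture sees: only literal matches."""
    return needle in raw


def credential_search_after_decompress(raw: bytes, needle: bytes) -> bool:
    """Decompress first, then search. Works because compression is reversible
    by design; it only obscures, it does not protect. Non-zlib input -> False."""
    try:
        return needle in zlib.decompress(raw)
    except zlib.error:
        return False


def assess_capture(raw: bytes, needle: bytes) -> dict:
    """Summarise what an analyst would conclude from one captured payload.
    'needs_snc' is True whenever the field is recoverable by either method:
    absence from a naive search is not evidence of protection."""
    visible = naive_credential_search(raw, needle)
    recoverable = visible or credential_search_after_decompress(raw, needle)
    return {
        "visible_in_raw_bytes": visible,
        "recoverable_after_decompress": recoverable,
        "needs_snc": recoverable,
    }


if __name__ == "__main__":
    wire = compress_like_diag(SAMPLE_LOGON)
    for label, blob in (("cleartext", SAMPLE_LOGON), ("compressed", wire)):
        print(label, assess_capture(blob, b"USER=JDOE"))
```

The practical reading for the original question: not seeing the username in Wireshark's packet bytes says nothing about whether SNC is on; check the SNC settings on the server and client directly rather than inferring them from a capture.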


----- Original Message -----
From: rivestp () metro ca
To: security-basics () securityfocus com
Sent: Tue Apr 29 14:09
Subject: Fwd: SAP information sniffing - need help


Hello,


This question is from a previous post I got that sent me to this interesting web page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.
Basically if you look at page 6 of the document, it shows a sniffing result and tells us about the username/password of SAP.


I have tried to reproduce this with Wireshark, filtering the traffic from my SAP server (using the IP as filter). I can't find the username, client_id or anything related to authentication. I would then think we are using SNC, but in fact we are not (I check the properties of the client).


Anyone who can give me links or a way to identify the username/client_id or password (that I will XOR) would greatly help me get SNC activated here (and also get rid of telnet & ftp :))



Appreciated


Philippe Rivest, Certified Ethical Hacker
