Security Basics mailing list archives
Re: SAP information sniffing - need help
From: Mariano Nuñez Di Croce <mnunez () cybsec com>
Date: Fri, 02 May 2008 18:53:57 -0300
Hi Philippe, Please let me know if I'm wrong, but I understand that you are sniffing the traffic between your client (SAPGUI) and a remote SAP Application Server. In the paper you have read I have described the possibility of uncovering the credentials used in communications performed using the RFC (Remote Function Call) protocol. The communication between the SAPGUI and an SAP AS is done mostly through the DIAG protocol, which sends the information compressed in what seems to be a variation of the LZ algorithm, thus you won't get any cleartext or obfuscated credentials despite not using SNC. However, if you are sure SNC is not being used, try to sniff communication between different SAP systems (and with external systems) and you may be able to prove your point. Cheers, ----------------------------------------- Mariano Nuñez Di Croce CYBSEC S.A. Security Systems Email: mnunez () cybsec com Tel/Fax: (54-11) 4371-4444 Web: http://www.cybsec.com PGP: http://www.cybsec.com/pgp/mnunez.txt -----------------------------------------
----- Original Message ----- From: rivestp () metro ca To: security-basics () securityfocus com Sent: Tue Apr 29 14:09 Subject: Fwd: SAP information sniffing - need help Hello, This question is from a previous post i got that sent me to this interesting web page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf. <parse.pl?redirect=http%3A%2F%2Fwww.cybsec.com%2Fupload%2Fbh-eu-07-nunez-di-croce-WP_paper.pdf.> Basicly if you look at page 6 of the document, it shows a sniffing result and tells us about the username/password of SAP. I have tried to reproduce this with Wireshark, filtering the traffic from my SAP server (using the ip as filter). I cant find the username, client_id or anything related to authentification. I would then think we are using SNC, but in fact we are not (i check the proprieties of the client). Anyone who can give me links or a way to identify the username/client_id or password (that i will XOR) would greatly help me get SNC activated here (and also get rid of telnet & ftp :)) Appreciated Philippe Rivest, Certified Ethical Hacker
Current thread:
- Re: Fwd: SAP information sniffing - need help Mariano Nuñez Di Croce (May 05)
- <Possible follow-ups>
- Re: SAP information sniffing - need help Mariano Nuñez Di Croce (May 05)
- RE: SAP information sniffing - need help Rivest, Philippe (May 06)
- Re: SAP information sniffing - need help Mariano Nuñez Di Croce (May 07)
- RE: SAP information sniffing - need help Rivest, Philippe (May 06)