Security Basics mailing list archives
RE: SAP information sniffing - need help
From: "Rivest, Philippe" <Rivestp () metro ca>
Date: Tue, 6 May 2008 08:24:17 -0400
Many thanks! Yes, you are right, I was trying to sniff out DIAG and not RFCs. My newbie mistake :)

I know that in your email/paper you said that there's not a lot of information out there for SAP vuln/pen-test, but are you aware of any "white-paper" that I could read that explains the details of DIAG? I really would like to go deeper in this issue.

Many thanks for the great white-paper & support you offered through these emails, appreciated!

Have a good day!

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Mariano Nuñez Di Croce
Sent: Friday, 2 May 2008 17:54
To: Rivest, Philippe
Cc: security-basics () securityfocus com
Subject: Re: SAP information sniffing - need help

Hi Philippe,

Please let me know if I'm wrong, but I understand that you are sniffing the traffic between your client (SAPGUI) and a remote SAP Application Server.

In the paper you have read I have described the possibility of uncovering the credentials used in communications performed using the RFC (Remote Function Call) protocol. The communication between the SAPGUI and an SAP AS is done mostly through the DIAG protocol, which sends the information compressed in what seems to be a variation of the LZ algorithm, thus you won't get any cleartext or obfuscated credentials despite not using SNC.

However, if you are sure SNC is not being used, try to sniff communication between different SAP systems (and with external systems) and you may be able to prove your point.

Cheers,

-----------------------------------------
Mariano Nuñez Di Croce
CYBSEC S.A. Security Systems
Email: mnunez () cybsec com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------
----- Original Message -----
From: rivestp () metro ca
To: security-basics () securityfocus com
Sent: Tue Apr 29 14:09
Subject: Fwd: SAP information sniffing - need help

Hello,

This question is from a previous post I got that sent me to this interesting web page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.

Basically, if you look at page 6 of the document, it shows a sniffing result and tells us about the username/password of SAP. I have tried to reproduce this with Wireshark, filtering the traffic from my SAP server (using the IP as filter). I can't find the username, client_id or anything related to authentication. I would then think we are using SNC, but in fact we are not (I checked the properties of the client).

Anyone who can give me links or a way to identify the username/client_id or password (that I will XOR) would greatly help me get SNC activated here (and also get rid of telnet & ftp :))

Appreciated,
Philippe Rivest, Certified Ethical Hacker
Attachment:
smime.p7s