Nmap Development mailing list archives

SAP services probes


From: Martin Gallo <mgallo () coresecurity com>
Date: Thu, 7 Aug 2014 10:05:59 -0300

Hello,

Find attached service probes for some SAP services:

- SAP Router:
  Improved the current SAP Router service probe to work with more
  versions. Uses the default NULL probe.

- SAP Dispatcher/GUI:
  Moved the current sap-gui probe to a soft-match and added a new
  probe to grab kernel version, hostname and database instance name.

- SAP Gateway:
  Added a new probe to confirm the service.

- SAP Message Server:
  Added a new probe to grab release version, patch level, database
  version and system number on the MS internal port, and to confirm
  the service on the external port.

- SAP Enqueue Server:
  Added a new probe to grab hostname and confirm the service.


The probes were built mostly from knowledge gained while reversing and
playing with the protocols. Details on each packet and how to generate
it are in the probes. General information about the protocols is in [1].
Here's a sample output on some hosts:

[..]
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Dispatcher release 7200, patch level 70, database release 702 (DB name NSP)
3299/tcp open   saprouter SAP Router release 720, version 40.4
3300/tcp open   sapgw     SAP Gateway Service
3600/tcp closed sapms
3900/tcp open   sapms     SAP Message Server release 7200, patch level 52 (instance NSP)
Service Info: Host: sapnw702
[..]
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Dispatcher release 7010, patch level 32, database release 701 (DB name ECC)
3299/tcp closed saprouter
3300/tcp open   sapgw     SAP Gateway Service
3600/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
3900/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
Service Info: Host: sapecc
[..]
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Enqueue Server
3299/tcp closed saprouter
3300/tcp closed sapgw
3600/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
3900/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
Service Info: Host: sapeccen
[..]


I've been testing and sharing these probes with other SAP security
folks for a few months; they are also already published at [2]. Any
feedback would be appreciated.


Thanks in advance!

Regards,
Martin.

[1] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=saps_network_protocols_revisited
[2] http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=saps_network_protocols_revisited&file=nmap-service-probes



Attachment: nmap-service-probes

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
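Added example, not Martin's attachment and not Nmap's own code: a small Python evaluator for the match/softmatch lines of an nmap-service-probes file, showing how a soft match (as used for sap-gui above) fixes the service name while leaving the version to a later hard match, and how p/v/i fields with $N backreferences build version strings of the shape seen in the sample output. The probe fragment and the response banners are constructed stand-ins, not the real SAP wire formats.

```python
import re

# Constructed fragment in nmap-service-probes syntax (not the attached file):
# the regexes and the "SAPMS-..." / "GWSVC" banners are hypothetical stand-ins.
PROBES = r"""
Probe TCP NULL q||
softmatch sapms m|^SAPMS-|
match sapms m|^SAPMS-(\d{4})-(\d+)-([A-Z0-9]{3})$| p/SAP Message Server/ v/release $1, patch level $2/ i/instance $3/
match sapgw m|^GWSVC$| p/SAP Gateway Service/
""".strip().splitlines()

# match|softmatch <service> m<delim>regex<delim>[is] [p/.../ v/.../ i/.../ ...]
LINE_RE = re.compile(r"^(match|softmatch)\s+(\S+)\s+m(?P<d>[^\w\s])(?P<rx>.*?)(?P=d)(?P<flags>[is]*)(?P<rest>.*)$")
FIELD_RE = re.compile(r"\b([pvihod])/([^/]*)/")

def parse_line(line):
    """Split one match line into (kind, service, compiled regex, version fields)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a match line: " + line)
    flags = (re.I if "i" in m["flags"] else 0) | (re.S if "s" in m["flags"] else 0)
    return m[1], m[2], re.compile(m["rx"], flags), dict(FIELD_RE.findall(m["rest"]))

def expand(template, m):
    """Replace $1..$9 with the corresponding capture group of the response match."""
    return re.sub(r"\$(\d)", lambda g: m.group(int(g[1])) or "", template)

def classify(response, lines=PROBES):
    """Return (service, version string) the way Nmap would print them; None if unknown."""
    service = None
    for line in lines:
        if not line.startswith(("match ", "softmatch ")):
            continue  # Probe/ports/rarity lines are not evaluated here
        kind, svc, rx, fields = parse_line(line)
        if service and svc != service:
            continue  # after a soft match only lines for that service are tried
        m = rx.search(response)
        if not m:
            continue
        if kind == "softmatch":
            service = svc  # service name is now known, version still open
            continue
        version = " ".join(expand(fields[k], m) for k in ("p", "v") if k in fields)
        if "i" in fields:
            version += " (" + expand(fields["i"], m) + ")"
        return svc, version
    return service, None

if __name__ == "__main__":
    for banner in ("SAPMS-7200-52-NSP", "GWSVC", "SAPMS-garbled"):
        print(banner, "->", classify(banner))
```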
