Nmap Development mailing list archives
SAP services probes
From: Martin Gallo <mgallo () coresecurity com>
Date: Thu, 7 Aug 2014 10:05:59 -0300
Hello,

Find attached service probes for some SAP services:

- SAP Router: Improved the current SAP Router service probe to work with more versions. Uses the default NULL probe.
- SAP Dispatcher/GUI: Moved the current sap-gui probe to a soft-match and added a new probe to grab kernel version, hostname and database instance name.
- SAP Gateway: Added a new probe to confirm the service.
- SAP Message Server: Added a new probe to grab release version, patch level, database version and system number on the MS internal port, and to confirm the service on the external port.
- SAP Enqueue Server: Added a new probe to grab hostname and confirm the service.

The probes were built mostly from knowledge gained while reversing and playing with the protocols. Details on each packet and how to generate it are in the probes. General information about the protocols is in [1].

Here's a sample output on some hosts:

[..]
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Dispatcher release 7200, patch level 70, database release 702 (DB name NSP)
3299/tcp open   saprouter SAP Router release 720, version 40.4
3300/tcp open   sapgw     SAP Gateway Service
3600/tcp closed sapms
3900/tcp open   sapms     SAP Message Server release 7200, patch level 52 (instance NSP)
Service Info: Host: sapnw702
[..]

[..]
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Dispatcher release 7010, patch level 32, database release 701 (DB name ECC)
3299/tcp closed saprouter
3300/tcp open   sapgw     SAP Gateway Service
3600/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
3900/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
Service Info: Host: sapecc
[..]

[..]
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Enqueue Server
3299/tcp closed saprouter
3300/tcp closed sapgw
3600/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
3900/tcp open   sapms     SAP Message Server release 7010, patch level 11 (instance ECC)
Service Info: Host: sapeccen
[..]

I've been testing and sharing these probes with other SAP security folks for a few months; they are also already published at [2].

Any feedback would be appreciated.

Thanks in advance!

Regards,
Martin.

[1] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=saps_network_protocols_revisited
[2] http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=publication&page=saps_network_protocols_revisited&file=nmap-service-probes
Attachment: nmap-service-probes
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
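The version strings these probes produce are useful beyond fingerprinting: a defender can turn a scan into a patch-level inventory of the SAP landscape. The following is an added example (not code from the post or from the attached probes) that parses nmap -sV lines in the shape shown above and flags kernels below a per-release patch baseline; the sample output and the baseline values are constructed for illustration.

```python
import re

# Constructed sample in the shape of the nmap -sV output quoted in the post (not a real scan).
# The "Service Info" line carries the SAP hostname returned by the probes.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE  SERVICE   VERSION
3200/tcp open   sap-gui   SAP Dispatcher release 7200, patch level 70, database release 702 (DB name NSP)
3299/tcp open   saprouter SAP Router release 720, version 40.4
3300/tcp open   sapgw     SAP Gateway Service
3600/tcp closed sapms
3900/tcp open   sapms     SAP Message Server release 7200, patch level 52 (instance NSP)
Service Info: Host: sapnw702
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)
SERVICE_INFO = re.compile(r"^Service Info:.*Host: (?P<host>\S+)")
# Fields the SAP probes place in the VERSION column; any of them may be absent for a given service.
# "release" is searched first, so it picks the kernel release, not the later "database release".
FIELDS = {
    "release": re.compile(r"\brelease (\d+)"),
    "patch_level": re.compile(r"patch level (\d+)"),
    "db_release": re.compile(r"database release (\d+)"),
}
INSTANCE = re.compile(r"\((?:DB name|instance) (\w+)\)")


def parse_sap_inventory(text):
    """Turn nmap -sV text into one dict per open port, each tagged with the SAP host name."""
    records, host = [], None
    for line in text.splitlines():
        info = SERVICE_INFO.match(line)
        if info:
            host = info.group("host")
            continue
        m = PORT_LINE.match(line)
        if not m or m.group("state") != "open":
            continue  # column header, closed/filtered port, or unrelated output
        version = m.group("version") or ""
        rec = {"port": int(m.group("port")), "service": m.group("service"), "version": version}
        for name, rx in FIELDS.items():
            hit = rx.search(version)
            rec[name] = int(hit.group(1)) if hit else None
        inst = INSTANCE.search(version)
        rec["instance"] = inst.group(1) if inst else None
        records.append(rec)
    for rec in records:
        rec["host"] = host  # the Service Info line follows the port table in nmap output
    return records


def below_patch_baseline(records, baseline):
    """(host, port, service) for kernels whose patch level is below baseline[release] (constructed values)."""
    return [(r["host"], r["port"], r["service"]) for r in records
            if r["release"] in baseline and r["patch_level"] is not None
            and r["patch_level"] < baseline[r["release"]]]
```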