Re: SAP information sniffing - need help

[Mariano Nuñez Di Croce <mnunez () cybsec com>]

Philippe,

        Right now I can recall of just one presentation regarding the DIAG protocol, which was on CCC
(www.ccc.de/congress/2004/fahrplan/files/157-sap-slides.pdf). It's not a white-paper but you can get some more 
information.
        Cheers,

-----------------------------------------
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez () cybsec com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------


Rivest, Philippe wrote:
> Many thanks !
>
> Yes you are right, i was trying to sniff out DIAG and not RFC'S. My newbee
> mistake :) I know that in your email/paper you said that theres not a lot of
> information out there for SAP vuln/pen-test, but are you aware of any
> "white-paper" that i could read that explains the details of DIAG, i really
> would like to go deeper in this issue.
>
>
> Many thanks for the great white-paper & support you offered thru these
> emails, appreciated!
>
> Have a good day!
>  
>
>
> -----Message d'origine-----
> De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De
> la part de Mariano Nuñez Di Croce
> Envoyé : vendredi 2 mai 2008 17:54
> À : Rivest, Philippe
> Cc : security-basics () securityfocus com
> Objet : Re: SAP information sniffing - need help
>
> Hi Philippe,
>
>       Please let me know if I'm wrong, but I understand that you are
> sniffing the traffic between your client (SAPGUI) and a remote SAP
> Application Server.
> In the paper you have read I have described the possibility of uncovering
> the credentials used in communications performed using the RFC (Remote
> Function Call) protocol.
>       
>       The communication between the SAPGUI and an SAP AS is done mostly
> through the DIAG protocol, which sends the information compressed in what
> seems to be a variation of the LZ algorithm, thus you won't get any
> cleartext or obfuscated credentials despite not using SNC.
>
>       However, if you are sure SNC is not being used, try to sniff
> communication between different SAP systems (and with external systems) and
> you may be able to prove your point.
>
>       Cheers, 
>       
> -----------------------------------------
> Mariano Nuñez Di Croce
>
> CYBSEC S.A. Security Systems
> Email: mnunez () cybsec com
> Tel/Fax: (54-11) 4371-4444
> Web: http://www.cybsec.com
> PGP: http://www.cybsec.com/pgp/mnunez.txt
> -----------------------------------------
>
>
> > ----- Original Message -----
> > From: rivestp () metro ca
> > To: security-basics () securityfocus com
> > Sent: Tue Apr 29 14:09
> > Subject: Fwd: SAP information sniffing - need help
> >
> >
> > Hello,
> >
> >
> > This question is from a previous post i got that sent me to this 
> > interesting web
> > page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf. 
> > <parse.pl?redirect=http%3A%2F%2Fwww.cybsec.com%2Fupload%2Fbh-eu-07-nun
> > ez-di-croce-WP_paper.pdf.> Basicly if you look at page 6 of the 
> > document, it shows a sniffing result and tells us about the 
> > username/password of SAP.
> >
> >
> > I have tried to reproduce this with Wireshark, filtering the traffic 
> > from my SAP server (using the ip as filter). I cant find the username, 
> > client_id or anything related to authentification. I would then think 
> > we are using SNC, but in fact we are not (i check the proprieties of the
> client).
> > Anyone who can give me links or a way to identify the 
> > username/client_id or password (that i will XOR) would greatly help me 
> > get SNC activated here (and also get rid of telnet & ftp :))
> >
> >
> >
> > Appreciated
> >
> >
> > Philippe Rivest, Certified Ethical Hacker