.. User guide frontend

User guide
==========

The following parts of the documentation contain some background information about
`pysap `_, as well as step-by-step instructions for installing, configuring and using pysap.


Projects using pysap
--------------------

The following projects, tools and repositories are known to be using pysap:

* `HoneySAP `_: HoneySAP is a low-interaction research-focused honeypot specific for SAP
  services. HoneySAP uses pysap as a library in order to craft and parse different protocol
  network packets.

* `SAP dissection plug-in for Wireshark `_: This Wireshark plugin provides dissection of SAP's
  ``NI``, Message Server, ``Router``, ``Diag``, ``Enqueue``, ``IGS``, ``SNC`` and ``HDB``
  protocols. The Wireshark plug-in makes use of pysap in order to craft packets used during
  unit tests.

* `SAP Message Server research `_: Exploit proof of concept code for two attacks against the
  Message Server service:

  * Logon Group (transparent) Hijacking
  * BeTrusted

* `SAP Gateway RCE exploit PoCs `_: Exploit proof of concept code for ACL misconfigurations in
  the SAP Gateway that lead to a Remote Command Execution (RCE).

* `John the Ripper's pse2john script `_: Script to export a PSE's encryption PIN into a format
  that can be cracked with John the Ripper.


.. _installation:

Installation
------------

This section of the documentation covers the installation process of pysap.


Installation with pip
~~~~~~~~~~~~~~~~~~~~~

Installing pysap is simple with `pip `_, just run the following command on a terminal::

    $ python -m pip install pysap

Some example scripts require additional libraries:

- ``tabulate``
- ``netaddr``
- ``requests``
- `wxPython `_
- `fau_timer `_

Some of those extra libraries can be installed with `pip`_ by running the following command::

    $ python -m pip install pysap[examples]


Manual installation
~~~~~~~~~~~~~~~~~~~

The tool relies on the `Scapy `_ library for crafting packets.
To install the required libraries use::

    $ python -m pip install -r requirements.txt

Once you have downloaded pysap's sources, you can install it easily using the provided
Python ``setuptools`` script:

1) ``python setup.py test``

2) ``python setup.py install``


Scapy installation
~~~~~~~~~~~~~~~~~~

- For installing `Scapy`_, see the official `installation documentation `_ for each platform:

  - `Linux `_.
  - `macOS `_.
  - `Windows `_.


References
----------

Additional information about the protocols and the research can be found in different
publications:

* `Uncovering SAP vulnerabilities: reversing and breaking the Diag protocol `_

* `SAP’s Network Protocols Revisited `_

* `HoneySAP: Who really wants your money `_

* `Deep-dive into SAP archive file formats `_

* `Intercepting SAP SNC-protected traffic `_

* `SAPCAR Heap Buffer Overflow: From crash to exploit `_

* `Hunting crypto secrets in SAP systems `_

* `Revisiting the Old and Looking at New Potential SAP Vulnerabilities `_

* Exploring the SAP HANA SQL Command Network Protocol Blog post series:

  * `Protocol Basics and Authentication `_
  * `Password-based Authentication and TLS `_
  * `Federated Authentication `_

* `SecureAuth Innovation Labs Sheds Light on Protecting Credentials in SAP HANA: The Client Secure User Store `_

And advisories:

* `SAP Netweaver Dispatcher Multiple Vulnerabilities `_

* `SAP Netweaver Message Server Multiple Vulnerabilities `_

* `SAP Router Password Timing Attack `_

* `SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability `_

* `SAP LZC LZH Compression Multiple Vulnerabilities `_

* `SAP Download Manager Password Weak Encryption `_

* `SAP CAR Multiple Vulnerabilities `_

* `SAP SAPCAR Heap Based Buffer Overflow Vulnerability `_

* `SAP Note Assistant Insecure Handling of SAP Notes Signature Vulnerability `_

* `SAP HANA SAML Assertion Improper Validation Vulnerability `_

* `Associated Blog Post SecureAuth uncovers SAML validation weakness in SAP HANA `_

Initial research about the
SAP CAR file format was performed by Martin Gallo and published in
`Deep-dive into SAP archive file formats `_ at the `Troopers 2016 Security Conference `_.
Additional research was performed by `Hans-Christian Esperer `_ and published in the
`Hascar `_ tool.

Documentation on the SAP `SAR `_ archive file format is available in SAP's
`Virus Scan Interface (NW-VSI) `_ specification document. An example implementation can also
be found in the `Virus Scan Adapter SDK`, which is available upon request.

Initial research about the ``IGS`` protocol was performed by Yvan Genuer and published in
`SAP IGS : The 'vulnerable' forgotten component `_.

Additional research about the Message Server (``MS``) and Remote Function Call (``RFC``)
protocols was performed by Dmitry Chastuhin and Mathieu Geli and published in
`(SAP) Gateway to Heaven `_.

The specifications of the ``HDB`` protocol are published in the
`SAP HANA SQL Command Network Protocol Reference `_ guide.

Initial research about the ``SSFS`` file formats and encryption, and the Client Secure Store,
was performed by Dmitry Chastuhin and Vladimir Egorov and published in a series of blog posts
that are now unavailable, and shared by Dmitry at the Confidence Security Conference 2014
Edition session "`All your SAP Passwords belong to us `_". Additional research was also shared
by Yvan Genuer and published in "`The security of ‘SAP Secure Storage. `_".