.. User guide frontend

User guide
==========

The following parts of the documentation contain some background information about
`pysap `_, as well as some
step-by-step instructions for installing, configuring and using pysap.

Projects using pysap
--------------------

The following projects, tools and repositories are known to be using pysap:

* `HoneySAP `_: HoneySAP is a
  low-interaction research-focused honeypot specific to SAP services. HoneySAP uses
  pysap as a library in order to craft and parse different protocol network packets.

* `SAP dissection plug-in for Wireshark `_:
  This Wireshark plugin provides dissection of SAP's ``NI``, Message Server,
  ``Router``, ``Diag``, ``Enqueue``, ``IGS``, ``SNC`` and ``HDB`` protocols. The Wireshark
  plug-in makes use of pysap in order to craft packets used during unit tests.

* `SAP Message Server research `_: Exploit proof of
  concept code for two attacks against the Message Server service:

  * Logon Group (transparent) Hijacking
  * BeTrusted

* `SAP Gateway RCE exploit PoCs `_:
  Exploit proof of concept code for ACL misconfigurations in the SAP Gateway that
  lead to a Remote Command Execution (RCE).

* `John the Ripper's pse2john script `_:
  Script to export PSE's encryption PIN into a format that can be cracked with
  John the Ripper.

.. _installation:

Installation
------------

This section of the documentation covers the installation process of pysap.

Installation with pip
~~~~~~~~~~~~~~~~~~~~~

Installing pysap is simple with `pip `_. Just run the
following command in a terminal::

    $ python -m pip install pysap

Some example scripts have additional required libraries:

- ``tabulate``
- ``netaddr``
- ``requests``
- `wxPython `_
- `fau_timer `_

Some of those extra libraries can be installed with `pip`_ by running the following
command::

    $ python -m pip install pysap[examples]

Manual installation
~~~~~~~~~~~~~~~~~~~

The tool relies on the `Scapy `_ library for crafting
packets. To install the required libraries use::

    $ python -m pip install -r requirements.txt

Once you have downloaded pysap's sources, you can install it easily using
the provided ``setuptools`` script:

1) ``python setup.py test``
2) ``python setup.py install``

Scapy installation
~~~~~~~~~~~~~~~~~~

- To install `Scapy`_, see the official `installation documentation `_ for each platform:

  - `Linux `_.
  - `macOS `_.
  - `Windows `_.

References
----------

Additional information about the protocols and the research can be found at different publications:

* `Uncovering SAP vulnerabilities: reversing and breaking the Diag protocol `_
* `SAP’s Network Protocols Revisited `_
* `HoneySAP: Who really wants your money `_
* `Deep-dive into SAP archive file formats `_
* `Intercepting SAP SNC-protected traffic `_
* `SAPCAR Heap Buffer Overflow: From crash to exploit `_
* `Hunting crypto secrets in SAP systems `_
* `Revisiting the Old and Looking at New Potential SAP Vulnerabilities `_
* Exploring the SAP HANA SQL Command Network Protocol Blog post series:

  * `Protocol Basics and Authentication `_
  * `Password-based Authentication and TLS `_
  * `Federated Authentication `_

* `SecureAuth Innovation Labs Sheds Light on Protecting Credentials in SAP HANA: The Client Secure User Store `_

And advisories:

* `SAP Netweaver Dispatcher Multiple Vulnerabilities `_
* `SAP Netweaver Message Server Multiple Vulnerabilities `_
* `SAP Router Password Timing Attack `_
* `SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability `_
* `SAP LZC LZH Compression Multiple Vulnerabilities `_
* `SAP Download Manager Password Weak Encryption `_
* `SAP CAR Multiple Vulnerabilities `_
* `SAP SAPCAR Heap Based Buffer Overflow Vulnerability `_
* `SAP Note Assistant Insecure Handling of SAP Notes Signature Vulnerability `_
* `SAP HANA SAML Assertion Improper Validation Vulnerability `_
* `Associated Blog Post SecureAuth uncovers SAML validation weakness in SAP HANA `_

Initial research about the SAP CAR file format was performed by Martin Gallo and published in `Deep-dive into SAP archive file formats `_
at the `Troopers 2016 Security Conference `_. Additional research was
performed by `Hans-Christian Esperer `_ and published in the
`Hascar `_ tool.

Documentation on the SAP `SAR `_ archive file format
is available in SAP's `Virus Scan Interface (NW-VSI) `_
specification document. An example implementation can also be found in the `Virus Scan Adapter SDK`, which is
available upon request.

Initial research about the ``IGS`` protocol was performed by Yvan Genuer and published in `SAP IGS : The 'vulnerable' forgotten component `_.

Additional research about the Message Server (``MS``) and Remote Function Call (``RFC``) protocols was performed by
Dmitry Chastuhin and Mathieu Geli and published in `(SAP) Gateway to Heaven `_.

The specifications of the ``HDB`` protocol are published in the `SAP HANA SQL Command Network Protocol Reference `_
guide.

Initial research about the ``SSFS`` file formats and encryption, and the Client Secure Store was performed by Dmitry
Chastuhin and Vladimir Egorov and published in a series of blog posts that are now unavailable, and shared by Dmitry at the
Confidence Security Conference 2014 Edition session
"`All your SAP Passwords belong to us `_".
Additional research was also shared by Yvan Genuer and published in "`The security of ‘SAP Secure Storage. `_".