pysap.SAPCredv2 module

pysap.SAPCredv2.CIPHER_ALGORITHM_3DES = 0

Constant for 3DES encryption algorithm

pysap.SAPCredv2.CIPHER_ALGORITHM_AES256 = 1

Constant for AES256 encryption algorithm

class pysap.SAPCredv2.SAPCredv2(_pkt='', post_transform=None, _internal=0, _underlayer=None, **fields)[source]

Bases: scapy.asn1packet.ASN1_Packet

SAP Credv2 Credential set definition

ASN1_codec = <ASN1Codec BER[1]>
ASN1_root = <ASN1F_SEQUENCE_OF creds>
aliastypes = [<class 'pysap.SAPCredv2.SAPCredv2'>, <class 'scapy.asn1packet.ASN1_Packet'>, <class 'scapy.packet.Packet'>]
fields_desc = [<ASN1F_SEQUENCE_OF creds>]
class pysap.SAPCredv2.SAPCredv2Cred(_pkt='', post_transform=None, _internal=0, _underlayer=None, **fields)[source]

Bases: scapy.asn1packet.ASN1_Packet

SAP Credv2 Credential definition

ASN1_codec = <ASN1Codec BER[1]>
ASN1_root = <pysap.utils.fields.ASN1F_CHOICE_SAFE object>
aliastypes = [<class 'pysap.SAPCredv2.SAPCredv2Cred'>, <class 'scapy.asn1packet.ASN1_Packet'>, <class 'scapy.packet.Packet'>]
fields_desc = [<pysap.utils.fields.ASN1F_CHOICE_SAFE object>]
class pysap.SAPCredv2.SAPCredv2_Cred(_pkt='', post_transform=None, _internal=0, _underlayer=None, **fields)[source]

Bases: scapy.asn1packet.ASN1_Packet

SAP Credv2 Credential without LPS definition

ASN1_codec = <ASN1Codec BER[1]>
ASN1_root = <ASN1F_SEQUENCE(<scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_BIT_STRING object>)>
aliastypes = [<class 'pysap.SAPCredv2.SAPCredv2_Cred'>, <class 'scapy.asn1packet.ASN1_Packet'>, <class 'scapy.packet.Packet'>]
cipher_algorithm
cipher_format_version
common_name
decrypt(username)[source]

Decrypt a credential given a particular username. Tries to identify the credential format and choose the decryption method to use.

Parameters:username (string) – Username to use when decrypting
Returns:decrypted object
Return type:SAPCredv2_Cred_Plain
decrypt_simple(username)[source]

Decrypt a credential using the simple approach. It only handles 3DES. Tries to parse the decrypted object into a plain credential object type. If parsing fails, probably because an invalid username was used to decrypt it, an exception is raised.

Parameters:username (string) – Username to use when decrypting
Returns:decrypted object
Return type:SAPCredv2_Cred_Plain
decrypt_with_header(username)[source]

Decrypt a credential file using the header. It handles the 3DES and AES256 algorithms. Tries to parse the decrypted object into a plain credential object type. If parsing fails, probably because an invalid username was used to decrypt it, an exception is raised.

Parameters:username (string) – Username to use when decrypting
Returns:decrypted object
Return type:SAPCredv2_Cred_Plain
Raises:SAPCredv2_Decryption_Error – if there’s an error decrypting the object
derive_key(key, blob, header, username)[source]

Derive a key using SAP’s algorithm. The key is derived using SHA256 and XOR from an initial key, a header, a salt and a username.

fields_desc = [<scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_BIT_STRING object>]
lps_type
lps_type_str
pse_file_path
xor(string, start)[source]

XOR a given string using a fixed key and a starting number.

class pysap.SAPCredv2.SAPCredv2_Cred_Cipher(_pkt='', post_transform=None, _internal=0, _underlayer=None, **fields)[source]

Bases: scapy.packet.Packet

SAP Cred cipher packet. This is the header of an encrypted credential format 1. It contains all the required data to decrypt the stored credential.

aliastypes = [<class 'pysap.SAPCredv2.SAPCredv2_Cred_Cipher'>, <class 'scapy.packet.Packet'>]
fields_desc = [<Field (SAPCredv2_Cred_Cipher).version>, <Field (SAPCredv2_Cred_Cipher).algorithm>, <Field (SAPCredv2_Cred_Cipher).unknown>, <Field (SAPCredv2_Cred_Cipher).salt>, <Field (SAPCredv2_Cred_Cipher).iv>, <Field (SAPCredv2_Cred_Cipher).cipher_text>]
class pysap.SAPCredv2.SAPCredv2_Cred_LPS(_pkt='', post_transform=None, _internal=0, _underlayer=None, **fields)[source]

Bases: scapy.asn1packet.ASN1_Packet

SAP Credv2 Credential with LPS definition

ASN1_codec = <ASN1Codec BER[1]>
ASN1_root = <ASN1F_SEQUENCE(<scapy.asn1fields.ASN1F_INTEGER object>, <ASN1F_SEQUENCE_OF subject>, <scapy.asn1fields.ASN1F_UTF8_STRING object>, <scapy.asn1fields.ASN1F_BIT_STRING object>)>
aliastypes = [<class 'pysap.SAPCredv2.SAPCredv2_Cred_LPS'>, <class 'scapy.asn1packet.ASN1_Packet'>, <class 'scapy.packet.Packet'>]
cipher_algorithm
cipher_format_version
common_name

This reassembles the issuer construction from Scapy’s X.509 Certificate class.

decrypt(username=None)[source]

Decrypt a credential file using LPS.

Parameters:username (string) – Username to use when decrypting. Not used but kept to match signature
Returns:decrypted object
Return type:SAPCredv2_Cred_Plain
fields_desc = [<scapy.asn1fields.ASN1F_INTEGER object>, <ASN1F_SEQUENCE_OF subject>, <scapy.asn1fields.ASN1F_UTF8_STRING object>, <scapy.asn1fields.ASN1F_BIT_STRING object>]
get_subject()[source]
lps_type
lps_type_str
pse_file_path
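
Added example (not part of pysap): the ASN1_root listings above give the non-LPS credential a SEQUENCE that starts with an IA5String and the LPS credential one that starts with an INTEGER, so the entries of a credential set can be classified by format without decrypting anything. The minimal BER reader, the function names and the sample bytes are constructed here, and the field order is assumed to match the ASN1_root listings.

```python
# Added example: classify credential-set entries by ASN.1 shape (no decryption).
TAG_SEQUENCE, TAG_INTEGER, TAG_IA5STRING = 0x30, 0x02, 0x16

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length == 0x80:
        raise ValueError("indefinite length not handled")
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        if pos + n > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def classify(cred_file_bytes):
    """Label each entry of the outer SEQUENCE OF as 'LPS', 'non-LPS' or 'unknown'."""
    tag, body, _ = read_tlv(cred_file_bytes)
    if tag != TAG_SEQUENCE:
        raise ValueError("outer element is not a SEQUENCE")
    labels = []
    for entry_tag, entry in children(body):
        first = next(children(entry), (None, b""))[0] if entry_tag == TAG_SEQUENCE else None
        labels.append({TAG_INTEGER: "LPS", TAG_IA5STRING: "non-LPS"}.get(first, "unknown"))
    return labels

def tlv(tag, value):
    """Encode a short-form TLV; used only to build the constructed sample below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample: one non-LPS-shaped entry and one LPS-shaped entry, dummy values.
NON_LPS = tlv(0x30, b"".join(tlv(0x16, s) for s in (b"a", b"b", b"c", b"d")) + tlv(0x03, b"\x00\xAA"))
LPS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x0C, b"p") + tlv(0x03, b"\x00\xBB"))
SAMPLE = tlv(0x30, NON_LPS + LPS)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Entries reported as non-LPS are the ones whose decrypt() methods above take only a username, which makes them the ones to review first when auditing stored credentials.
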
class pysap.SAPCredv2.SAPCredv2_Cred_Plain(_pkt='', post_transform=None, _internal=0, _underlayer=None, **fields)[source]

Bases: scapy.asn1packet.ASN1_Packet

ASN1_codec = <ASN1Codec BER[1]>
ASN1_root = <ASN1F_SEQUENCE(<scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_optional object>, <scapy.asn1fields.ASN1F_optional object>, <scapy.asn1fields.ASN1F_optional object>)>
PROVIDER_MSCryptProtect = 'MSCryptProtect'

Provider for Windows hosts using DPAPI

aliastypes = [<class 'pysap.SAPCredv2.SAPCredv2_Cred_Plain'>, <class 'scapy.asn1packet.ASN1_Packet'>, <class 'scapy.packet.Packet'>]
static decrypt_MSCryptProtect(plain, cred)[source]

Decrypts a credential using the Windows DPAPI. Requires the currently logged-in user to have permissions to decrypt the blob stored in the credentials file.

Parameters:
Returns:the content in the blob decrypted using the provider
Return type:string

decrypt_provider(cred)[source]

Decrypts a credential file already decrypted using the specified provider. This is platform dependent.

Parameters:cred (SAPCredv2_Cred) – credential from where the blob was extracted
Returns:the content in the blob decrypted using the provider
Return type:string
Raises:Exception – if the provider is invalid or unsupported
fields_desc = [<scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>, <scapy.asn1fields.ASN1F_IA5_STRING object>]
providers = {'MSCryptProtect': <staticmethod object>}

Definition of implemented providers

exception pysap.SAPCredv2.SAPCredv2_Decryption_Error[source]

Bases: exceptions.Exception

pysap.SAPCredv2.cipher_algorithms = {0: '3DES', 1: 'AES256'}

Dict with encryption algorithms supported

pysap.SAPCredv2.cred_key_fmt = '240657rsga&/%srwthgrtawe45hhtrtrsr35467b2dx3456j67mv67f89656f75'

Fixed key embedded in CommonCryptoLib for encrypted credentials