Release and version history
v0.1.19 - 2021-04-29
- Using Scapy version 2.4.4.
pysap/SAPSSFS.py
: New module for SAP Secure Store in File System file format.
bin/pysaphdbuserstore
: New script for interacting with hdbuserstore
SSFS files.
requirements-examples.txt
: Renamed to match setup.py
’s extra.
pysap/SAPHDB.py
: Implementation of GSS-based auth method with Kerberos 5.
pysap/SAPHDB.py
: Handling of Session Cookie values when found in the CONNECT
response.
- pysap/SAPRouter.py: Add support to route string in SAPRouterNativeProxy ([#33](https://github.com/OWASP/pysap/pull/33)). Thanks @gloomicious!
- examples/router_fingerprints.json: New fingerprints for SAP Router version 7450.34.25.5091. Thanks [@jvis](https://twitter.com/jvis)!
- examples/router_portfw.py: Add support to route string. ([#33](https://github.com/OWASP/pysap/pull/33)) Thanks @gloomicious!
tests/sapssfs_test.py
: Basic unit tests for the SSFS file format.
v0.1.18 - 2020-07-15
- Using Sphinx 1.8.5 for documentation.
- Replaced AppVeyor and Travis builds with GitHub Actions.
- Added
cryptography
as required library instead of optional requirement.
- Replaced the use of deprecated
optparse
module for argparse
across all tools and examples.
- Fixed some PEP8 warnings across modules and example scripts.
pysap/SAPCAR.py
: Added signature manifest file type.
pysap/SAPHDB.py
: New module for SAP HANA SQL Command Network protocol packets, authentication methods and connection classes.
pysap/SAPNI.py
: Disconnect clients in SAPNIServer if socket errors are catched.
pysap/utils/crypto
: Added implementation of SCRAM algorithms for use in HDB authentication.
examples/hdb_auth.py
: New example script to illustrate the use of the different authentication methods in HDB.
examples/hdb_discovery.py
: New example script to perform discovery of HANA database tenants.
examples/diag_login_brute_force.py
: Handling valid users (e.g. no dialog users) vs valid passwords. Thanks fabhap!
examples/diag_login_brute_force.py
: Fixed discovery with right message match (“Client does not exist”).
examples/default_sap_credentials
: Added a couple of default credentials from trial versions.
tests/crypto_test.py
: Testing output of SCRAM algorithms.
tests/saphdb_test.py
: Basic unit tests for the HDB protocol.
tests/sapni_test.py
: Arranged and fixed a couple of tests that were failing on macOS and Windows.
v0.1.17 - 2019-11-05
- Using Scapy version 2.4.3.
- Added documentation of projects using
pysap
.
- Added documentation of all example scripts.
- bin/pysapcar: Add cli option to determine output directory when extracting archives with pysapcar ([#24](https://github.com/OWASP/pysap/pull/24)) Thanks @okuuva!
pysap/SAPDiag.py
: Added support bits for SAP GUI 7.50 and SAP NW 7.52 SP01.
- pysap/SAPCAR.py: Fixed crafting of archive files by defaulting length fields to zero ([#22](https://github.com/OWASP/pysap/issues/22)) Thanks @okuuva!
- pysap/SAPMS.py: Added the DPInfo[1-3] packets for handling specific Message Server ADM packets relaying Dispatcher/WP info:
[1-3]
because of tight SAP kernel version dependency. (#31) Thanks Mathieu (@gelim) and Dmitry (@_chipik)!
- pysap/SAPRFC.py: Enhanced with mainly SAPCPIC* and SAPRFXPG* new packets. ([#31](https://github.com/OWASP/pysap/pull/31)) Thanks Mathieu (@gelim) and Dmitry (@_chipik)!
pysap/SAPRouter.py
: Fixed padding on SAPRouter client info packets.
examples/rfc_monitor.py
: Renamed the script to gw_monitor.py
.
examples/router_scanner.py
: Add capability to provide a comma separated list of targets/ports to scan.
examples/list_sap_parameters
: Updated recommended values and added new parameters.
examples/ms_dump_info.py
: Added NOTEQUAL
check type.
examples/router_fingerprints.json
: Added fingerprints for SAP Router 7.49 and 7.45 kernels.
v0.1.16 - 2018-06-19
- Using Scapy version 2.4.0.
- Using Sphinx 1.7.4 for documentation.
- Added missing
pysap.utils
package in source/binary packages.
- Use flake8 to find syntax errors and undefined names in Travis (#20) Thanks @cclauss!
pysap/SAPCAR.py
: Improved SAPCAR files parsing, adding proper structure names based on VSI documentation.
v0.1.15 - 2018-03-27
- Version released at Troopers’18
- Added initial support for handling IGS (Internet Graphic Server) packets along with example scripts to play with them (#19) Thanks @iggy38!
- Added initial support for handling PSE and SSO Credential format files.
bin/pysapgenpse
: New binary tool for working with PSE and SSO credential files.
bin/pysapcar
: Added options for creating a new archive and appending files to an existing one.
pysap/SAPCredv2.py
: New module for SSO Credential files definitions and decryption logic.
pysap/SAPDiagItems.py
, extra/parsesupportbits.py: Corrected order of support data bit fields ([#18](https://github.com/OWASP/pysap/pull/18)). Thanks @hnzlmnn!
- pysap/SAPIGS.py: New module for IGS packets layer ([#19](https://github.com/OWASP/pysap/pull/19)).
pysap/SAPLPS.py
: New module for LPS definitions and INT/DP API decryption logic.
pysap/SAPMS.py
: Added Message Server Domain field, MS J2EE Cluster/Header/Service packets. Thanks Albert Zedlitz!
pysap/SAPPSE.py
: New module for PSE files definitions and decryption logic.
pysap/utils.py
: Moved utils classes into a package.
- examples/diag_login_brute_force.py: Detect invalid clients while logins ([#17](https://github.com/OWASP/pysap/pull/17)). Thanks @hnzlmnn!
examples/dlmanager_decrypt.py
: Replaced use of PyCrypto with Cryptography library.
- examples/igs_*.py: New example scripts to interact with IGS services ([#19](https://github.com/OWASP/pysap/pull/19)).
examples/rfc_monitor.py
: Added noop
command in the monitor and version command line option.
examples/ms_*.py
: Added command line option to specify Message Server Domain.
extra/pse2john.py
: New extra script to extract crypto material in John the Ripper format.
v0.1.14 - 2017-10-04
- Added initial support for handling SNC frames and some of their fields.
pysap/SAPNC.py
: Added fields for SNCFrames and helper wrapper/unwrapper functions.
pysap/SAPRouter.py
: Fixed route request for more than one SAP Router when using the native proxy.
pysap/SAPRouter.py
: Allow route strings to use lowercase separator chars (e.g. “/h/host/s/port”).
pysap/SAPRouter.py
: Allow a SAPRoutedStreamSocket
to bypass the NI layer if no route was specified but talk mode
was set to raw (#10).
pysap/SAPRouter.py
: Enhanced the version retrieve routine by not failing when an error is returned by the server
(#11). Thanks @gelim!
- pysap/SAPRouter.py: Fixed missing eyecatcher in control messages ([#10](https://github.com/OWASP/pysap/pull/10)).
Thanks @gelim!.
examples/diag_login_screen_info.py
: Script was improved by better printing technical information and
outputting login screen text items (language, input fields, login text) (#14).
Thanks @gelim!.
examples/diag_login_brute_force.py
: Script was improved to handle currently logged in users
(#16). Thanks @hnzlmnn!
- example/router/admin.py: Improved client list table display and fixed timestamps ([#12](https://github.com/OWASP/pysap/issues/12)).
Thanks @gelim!.
examples/ms_dump_param.py
: New example script to list Message Server parameters and check them against a list of
expected values (#15). Thanks @iggy38!
- examples/ms_dos_exploit.py: New example script to check for [CVE-2017-5997](https://erpscan.com/advisories/erpscan-16-038-sap-message-server-http-remote-dos/)
DoS vulnerability on Message Server and fixed at SAP Note 2358972
(#10). Thanks @vah13 and @gelim!
v0.1.13 - 2017-02-16
- Documentation now includes graphical representation of the main packets of each protocol.
- Example scripts now accept route strings without requiring remote host option.
pysap/SAPRouter.py
: Fixed route request for more than one SAP Router.
pysap/SAPEnqueue.py
: SAPEnqueueStreamSocket
now can connect to an Enqueue server through a SAPRouter.
examples/router_niping.py
: New example script that implements a very basic
version of the niping
tool. It works on client or server mode.
examples/enqueue_monitor.py
: The script now accepts route strings for connecting through a SAPRouter.
v0.1.12.1 - 2016-12-19
- Minor release.
- Source build didn’t included header files and thus builds from pip source were failing.
v0.1.12 - 2016-12-16
- Using Scapy version 2.3.3.
- Minor fixes and code arrangements.
- Building and testing in OSX with Travis and Windows with Appveyor.
pysap/SAPDiagItems.py
: Added default support bits from SAP GUI 7.40 version.
examples/diag_capturer.py
: Added option to display available capture interfaces.
- examples/enqueue_dos_exploit.py: New example script to check for [CVE-2016-4015](https://erpscan.com/advisories/erpscan-16-019-sap-netweaver-enqueue-server-dos-vulnerability/)
DoS vulnerability on Standalone Enqueue Server and fixed at SAP Note 2258784
(#6). Thanks @vah13!
examples/router_fingerprints.json
: Added fingerprints from SAP Router releases 745.
v0.1.10 - 2016-03-25
- Version released at Troopers’16
- Added support for handling SAP SAR file formats.
pysap/SAPCAR.py
: New module for handling SAP SAR file formats.
- extra/dlmanager_decrypt.py: Example PoC for [decrypting](https://www.coresecurity.com/advisories/sap-download-manager-password-weak-encryption)
SAP Download Manager stored passwords.
examples/dlmanager_infector.py
: Example script to open a SAP SAR archive file and infect it by adding files with
arbitrary filenames (e.g. including absolute or relative paths). It can be also used as a
mitmproxy script for on-the-fly infecting SAR files being downloaded.
v0.1.9 - 2016-02-08
- Using Scapy version 2.3.2.
- Replaced epydoc with Sphinx for documentation.
- Minor enhancement and code arrangements.
pysap/SAPDiagItems.py
: Added new support bits from SAP GUI 7.30p9 and 7.40 versions.
pysap/utils.py
: Removed custom fields now available on Scapy.
examples/router_fingerprints.json
: Added some fingerprints from SAP Router releases 720.32 and 742.
v0.1.8 - 2015-10-29
- Enabled travis containers for more quick builds.
- Minor documentation and README improvements.
- pysap/SAPRouter.py: Documented some version numbers from old releases ([#3](https://github.com/OWASP/pysap/pull/3)). Thanks invisiblethreat!
- pysapcompress/vpa108csulzh.cpp: Improved the fix for CVE-2015-2278 by properly initializing arrays ([#4](https://github.com/OWASP/pysap/pull/4)). Thanks ret5ret!
examples/diag_render_login_screen.py
: Fail gracefully if wx
is not found.
examples/router_password_check.py
: Updating the fau_timer
library in use and failing gracefully if it’s not found.
examples/router_fingerprint.py
: New example script for performing fingerprint over SAP Router versions.
This is experimental and the database included only contains a few SAP Router versions, but it might work.
v0.1.7 - 2015-05-13
- Fixed vulnerabilities in
LZC
and LZH
compression libraries (CVE-2015-2282 and CVE-2015-2278).
Added test cases for checking proper fixes.
pysap/SAPRouter.py
: Moved SAP Router native proxy implementation to the SAP Router module so it can be reused.
examples/router_portfw.py
: Using the native proxy implementation in SAP Router module.
v0.1.6 - 2015-03-25
- Requirements now handled by setuptools.
- Test building with clang on travis.
- Cleared installation docs.
pysap/SAPNI.py
: Made clients an instance variable in SAPNIServer
.
pysap/SAPRouter.py
: Added unknown field.
examples/diag_dos_exploit.py
: Small fix.
examples/router_admin.py
: Small fix on response handling.
examples/router_portfw.py
: Added support for specify talk mode when requesting routes.
examples/router_scanner.py
: Added support for specify talk mode when requesting routes.
v0.1.5 - 2015-01-16
- Updated to use scapy v2.3.1.
- Code is more Python3-friendly.
- Added travis script for running tests.
- General minor fixes and code improvements.
- Added test suites for SAPNI, SAPDiag and SAPRouter modules.
- Added support for routing via SAP Router in almost all example scripts.
pysap/SAPDiag.py
: Added support for message info and Diag error packets.
pysap/SAPDiag.py
: Diag item lookup now support looking up multiple items, and string lookups.
pysap/SAPDiagClient.py
: Added support for specifying support bits when connecting, support for routing via SAP Router.
pysap/SAPDiagClient.py
: If no terminal is supplied, use a random looking IP by default to avoid identification
(SAP Note 1497445).
pysap/SAPDiagItems.py
: Fixes on some atom items for old versions.
pysap/SAPEnqueue.py
: Added trace max file size field.
pysap/SAPNI.py
: Added helpers for creating new connections.
pysap/SAPNI.py
: SAPNIProxy
implemented using a Worker thread.
pysap/SAPNI.py
: SAPNIServer
implemented using SAPNIStreamSocket
.
pysap/SAPRouter.py
: Added route hop conversion helpers.
pysap/SAPRouter.py
: Added info client and info server packets.
pysap/SAPRouter.py
: Added SAPRoutedStreamSocket
.
pysap/utils.py
: Reimplemented MutablePacketField
with evaluators.
pysapcompress/pysapcompress.cpp
: Improved routines and added handling of some error conditions.
examples/diag_capturer.py
: New example script for dumping Diag login credentials by sniffing or reading a pcap file.
examples/enqueue_monitor.py
: Added command for get replication info and command for checking trace pattern endless
loop vulnerability (CVE-2014-0995).
examples/router_admin.py
: Parsing of info request responses.
examples/router_password_check
: New example script for testing if a SAP Router is vulnerable to a timing attack on
the password check (CVE-2014-0984).
requirements-optional.txt
: Added optional requirements.
v0.1.4 - 2014-03-25
- Version released at Troopers’14.
- Changelog now in GNU format.
- Changed setup from distutils to setuptools.
- Added some unit tests.
- Arranged most of the code according to PEP8.
pysap/SAPDiagItems.py
: Fixed some support bits and added new ones found in SAP GUI version 7.30.
- pysap/SAPDiagItems.py: Added new Diag Items:
WindowsSize
.
- pysap/SAPEnqueue.py: New packet classes. Crafting of Enqueue Server packets: Connection Admin and Server Admin.
pysap/SAPNI.py
: Fixed handling of NI_PING
keep-alive requests.
pysap/SAPNI.py
: Added logging namespace sapni
for all NI layer activity.
pysap/SAPMS.py
: New packet classes. Crafting of Message Server packets.
- pysap/SAPRouter.py: New packet classes. Crafting of SAP Router packets: Route, Admin, Control and Error Information.
pysap/SAPSNC.py
: New packet class. Container for SNC Frame packets.
- pysapcompress/pysapcompress.cpp: Splitted exception class in two:
CompressError
and DecompressError
.
examples/ms_change_param.py
: Added example for retrieving or changing a parameter value using MS Admin set_param
commands.
examples/ms_dump_info.py
: New example script for retrieving information using MS Admin dump commands.
examples/ms_impersonator.py
: New example script for impersonating an application server connected to a Message
Server service instance.
examples/ms_listener.py
: New example script for connecting to a Message Server and listening for messages coming
from the server.
examples/ms_messager.py
: New example script for sending a message to a connected client through the Message Server.
examples/ms_monitor.py
: New example script for monitoring the Message Server service (msmon
tool on steroids).
examples/ms_observer.py
: New example script for connecting to a Message Server service and observe clients
connecting to it (msprot
tool).
examples/router_admin.py
: New example script for performing administrative tasks on a SAP Route. Includes
undocumented commands.
examples/router_portfw.py
: New example script for routing native connections through SAP Router.
examples/router_scanner.py
: New example script for scanning internal hosts using SAP Router.
v0.1.3 - 2013-08-28
- Added general documentation and setup.py command to build it using epydoc.
pysap/SAPNI.py
: Refactored the SAP Diag Proxy and Server modules to a base NI implementation.
pysapcompress/pysapcompress.cpp
: Added handling of error return codes.
examples/diag_interceptor.py
: Refactored to use the new NIProxy
implementation. Fixed some hanging issues.
Thanks Florian Grunow for the feedback!
examples/diag_login_brute_force.py
: Handling of license errors.
v0.1.2 - 2012-09-27
- Version released at Brucon’12.
pysap/SAPNI.py
, pysap/SAPDiag.py
: Network Interface packet class moved to a new module. Binding of the
SAPNI/protocol layer is performed now by each script to allow the use of different protocols with SAPNI.
pysap/SAPNI.py
: Added a NI Stream Socket class for using it instead of the base Stream Socket.
pysap/SAPDiagItems.py
: Added new Diag Atom types, as used in NW 7.01 and early versions.
examples/diag_rogue_server.py
: Minor fixes.
examples/diag_render_login_screen.py
: Minor fixes.
examples/diag_login_brute_force.py
: Added multi-thread support.
v0.1.1 - 2012-07-29
- Initial version released at Defcon 20.