Diag example scripts

diag_capturer
This example script can be used to grab SAP GUI login credentials from a pcap file or by directly sniffing on a network interface. The SAP Diag protocol packets are parsed and processed to obtain login credentials from the login form submissions. Identification of the password field is performed by looking at the "invisible" property used by SAP to denote password or other sensitive fields that should be masked by the SAP GUI.

diag_dos_exploit

This example script can be used to test against Denial of Service vulnerabilities affecting the Dispatcher service. Currently 5 different vulnerabilities can be triggered:

diag_interceptor

This example script is aimed at demonstrating the use of the SAPNIProxy and SAPNIProxyHandler interfaces. It can be used to establish a proxy between a SAP GUI client and a SAP Netweaver Application Server and inspect the traffic via the filter_client and filter_server functions. The given example implements a simple function that grabs input fields sent by the client and prints them.

diag_login_brute_force

This example script can be used to perform a brute force attack against a SAP Netweaver application server. The script performs a login through the Diag protocol by submitting usernames and passwords to the login screen. It can also be used to discover available clients.
Usernames, passwords and SAP clients to test can be provided as individual files (using the --usernames, --passwords and --clients command line options), in which case the script will calculate and test the combinations of those, or provided in a credentials file (via the --credentials parameter). The credentials file is expected to contain one username:password:client entry per line; blank lines and lines starting with # are ignored.
Client discovery can also be performed as a first step of the brute-force attack, by specifying the --discovery option and providing a list of clients to test using the --discovery-range parameter.
Testing of the credentials can be performed using multiple parallel threads via the --threads parameter as a way to increase performance.

A list of default credentials and their associated default clients is also provided in the examples/default_sap_credentials file. This credentials file can be used to perform basic checks.
Note that as error responses might vary across versions, it is possible that the script generates false positives. In addition, it should be noted that there is no mechanism implemented to prevent the lockout of user accounts if the server is configured with a lockout policy. Use with care and at your own risk.
Finally, the login/show_detailed_errors parameter can be configured to FALSE in the SAP Application Server to avoid disclosing information about whether a client exists or not, and to avoid returning information about existing users. For more information see SAP Security Note 1823687. If the parameter is configured to FALSE, the results of the discovery will be flawed, with probably a large set (if not all) of clients invalidly reported as existing. The same false positives will be reported for user name validity. The finding of valid credentials is not affected, though.
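The credentials file format described above (one username:password:client entry per line, blank lines and lines starting with # ignored) and the combination of separate username, password and client lists are simple enough to show as a stand-alone parser. The following is an added example and not pysap's own code; it performs no login. It assumes, beyond what the page states, that an SAP client is a three-digit string and that a password may itself contain a colon (so the line is split on the first and last separator only). It also reports how many attempts each (username, client) account would receive, which is the number to compare against a server's lockout policy before running the script, since the page notes the script itself does nothing to prevent lockouts.

```python
import itertools
from collections import Counter

# Constructed sample file content, not the project's default credentials list.
SAMPLE_CREDENTIALS_FILE = """\
# constructed sample; not the project's default credentials list
USER_A:secret:000

USER_B:pa:ss:001
   # indented comment
BROKEN_LINE_NO_CLIENT
USER_C:pw:12
"""


def parse_credentials(text):
    """Parse credentials-file content into (username, password, client) tuples.

    Blank lines and lines whose first non-blank character is '#' are skipped.
    Malformed lines are returned separately as (line number, raw line) so that a
    broken file never silently turns into bogus login attempts.
    """
    entries = []
    errors = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            errors.append((lineno, raw))
            continue
        # Username is everything before the first ':'; the client is everything
        # after the last ':'; the password is whatever lies in between (so a
        # password containing ':' still parses; assumption, not stated on the page).
        username, rest = line.split(":", 1)
        if ":" not in rest:
            errors.append((lineno, raw))
            continue
        password, client = rest.rsplit(":", 1)
        # Assumption: SAP clients are three-digit numeric strings ("000".."999").
        if not username or not password or not (client.isdigit() and len(client) == 3):
            errors.append((lineno, raw))
            continue
        entries.append((username, password, client))
    return entries, errors


def combine_lists(usernames, passwords, clients):
    """Build the full combination of separately supplied lists (the
    --usernames/--passwords/--clients mode), keeping order and dropping duplicates."""
    seen = set()
    combos = []
    for combo in itertools.product(usernames, passwords, clients):
        if combo not in seen:
            seen.add(combo)
            combos.append(combo)
    return combos


def attempts_per_account(entries):
    """Count how many password attempts each (username, client) pair would get.

    The maximum of these values is what to compare against the server's
    failed-logon lockout threshold before testing anything.
    """
    return Counter((username, client) for username, _, client in entries)


if __name__ == "__main__":
    parsed, bad = parse_credentials(SAMPLE_CREDENTIALS_FILE)
    for entry in parsed:
        print("entry:", entry)
    for lineno, raw in bad:
        print("skipped malformed line %d: %r" % (lineno, raw))
    for account, count in attempts_per_account(parsed).items():
        print("account %s would receive %d attempt(s)" % (account, count))
```

Running the block on the constructed sample yields two usable entries, reports the line without any separator and the line with a two-digit client as malformed, and shows one attempt per account; the combination helper shows how quickly the per-account attempt count grows when password lists are supplied separately.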
diag_login_screen_info

This example script can be used to gather information provided by a SAP Netweaver Application Server during the login process. This information generally includes the hostname, instance, database name, language and other technical information about the application server.
diag_render_login_screen

This example script is a proof of concept of how the library can be used to obtain and interpret the screen components and fields provided by an SAP Netweaver Application Server. It takes the login screen presented by the application server and renders it using wxPython widgets and user interface components. Take into account that not all field types and Diag protocol packets are completely implemented in the library, and that those change from version to version.
diag_rogue_server

This example script is a proof of concept that implements a rogue server using the SAP Diag protocol. It offers users a customizable login screen and gathers credentials provided by the clients connecting to it. A basic interaction is implemented that allows the user to introduce the credentials and then returns a generic error message.
Tested with SAP Gui for Java 7.20 Patch Level 5 running on Ubuntu.