User guide

The following parts of the documentation contains some background information about pysap, as well as some step-by-step instructions for installing, configuring and using pysap.

Projects using pysap

The following projects, tools and repositories are known to be using pysap:

  • HoneySAP: HoneySAP is a low-interaction research-focused honeypot specific for SAP services. HoneySAP uses pysap as a library in order to craft and parse different protocol network packets.
  • SAP dissection plug-in for Wireshark: This Wireshark plugin provides dissection of SAP’s NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols. The Wireshark plug-in makes use of pysap in order to craft packets used during unit tests.
  • SAP Message Server research: Exploit proof of concept code for two attacks against the Message Server service:
    • Logon Group (transparent) Hijacking
    • BeTrusted
  • SAP Gateway RCE exploit PoCs: Exploit proof of concept code for ACL misconfigurations in the SAP Gateway that leads to a Remote Command Execution (RCE).
  • John the Ripper’s pse2john script: Script to export PSE’s encryption PIN into a format that can be cracked with John the Ripper.


This section of the documentation covers the installation process of pysap.

Installation with pip

Installing pysap is simple with pip, just run the following command on a terminal:

$ python -m pip install pysap

Some example scripts has additional required libraries:

Some of those extra libraries can be installed with pip running the following command:

$ python -m pip install pysap[examples]

Manual installation

The tool relays on the Scapy library for crafting packets. To install the required libraries use:

$ python -m pip install -r requirements.txt

Once you have downloaded pysap’s sources, you can install it easily using the Python’s setuptools script provided:

  1. python test
  2. python install

Scapy installation


Additional information about the protocols and the research can be found at different publications:

And advisories:

Initial research about the SAP CAR file format was performed by Martin Gallo and published in Deep-dive into SAP archive file formats at the Troopers 2016 Security Conference. Additional research was performed by Hans-Christian Esperer and published in the Hascar tool.

Documentation on the SAP SAR archive file format is available in SAP’s Virus Scan Interface (NW-VSI) specification document. An example implementation can be also found in the Virus Scan Adapter SDK, which is available upon request.

Initial research about the IGS protocol was performed by Yvan Genuer and published in SAP IGS : The ‘vulnerable’ forgotten component.

Additional research about the Message Server (MS) and Remote Function Call (RFC) protocols was performed by Dmitry Chastuhin and Mathieu Geli and published in (SAP) Gateway to Heaven.

The specifications of the HDB protocol are published in the SAP HANA SQL Command Network Protocol Reference guide.

Initial research about the SSFS file formats and encryption, and the Client Secure Store was performed by Dmitr Chastuhin and Vladimir Egorov and published in a series of blogpost now unavailable, and shared by Dmitry at the Confidence Security Conference 2014 Edition session “All your SAP Passwords belong to us”. Additional research was also shared by Yvan Genuer and published in “The security of ‘SAP Secure Storage.”.