User guide¶
The following parts of the documentation contains some background information about pysap, as well as some step-by-step instructions for installing, configuring and using pysap.
Projects using pysap¶
The following projects, tools and repositories are known to be using pysap:
- HoneySAP: HoneySAP is a low-interaction research-focused honeypot specific for SAP services. HoneySAP uses pysap as a library in order to craft and parse different protocol network packets.
- SAP dissection plug-in for Wireshark:
This Wireshark plugin provides dissection of SAP’s
NI, Message Server,Router,Diag,Enqueue,IGS,SNCandHDBprotocols. The Wireshark plug-in makes use of pysap in order to craft packets used during unit tests. - SAP Message Server research: Exploit proof of
concept code for two attacks against the Message Server service:
- Logon Group (transparent) Hijacking
- BeTrusted
- SAP Gateway RCE exploit PoCs: Exploit proof of concept code for ACL misconfigurations in the SAP Gateway that leads to a Remote Command Execution (RCE).
- John the Ripper’s pse2john script: Script to export PSE’s encryption PIN into a format that can be cracked with John the Ripper.
Installation¶
This section of the documentation covers the installation process of pysap.
Installation with pip¶
Installing pysap is simple with pip, just run the following command on a terminal:
$ pip install pysap
Some example scripts has additional required libraries:
Some of those extra libraries can be installed with pip running the following command:
$ pip install pysap[examples]
Manual installation¶
The tool relays on the Scapy library for crafting packets. To install the required libraries use:
$ pip install -r requirements.txt
Once you have downloaded pysap’s sources, you can install it easily using
the Python’s setuptools script provided:
python setup.py testpython setup.py install
References¶
Additional information about the protocols and the research can be found at different publications:
- Uncovering SAP vulnerabilities: reversing and breaking the Diag protocol
- SAP’s Network Protocols Revisited
- HoneySAP: Who really wants your money
- Deep-dive into SAP archive file formats
- Intercepting SAP SNC-protected traffic
- SAPCAR Heap Buffer Overflow: From crash to exploit
- Hunting crypto secrets in SAP systems
- Revisiting the Old and Looking at New Potential SAP Vulnerabilities
- Exploring the SAP HANA SQL Command Network Protocol Blog post series:
And advisories:
- SAP Netweaver Dispatcher Multiple Vulnerabilities
- SAP Netweaver Message Server Multiple Vulnerabilities
- SAP Router Password Timing Attack
- SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
- SAP LZC LZH Compression Multiple Vulnerabilities
- SAP Download Manager Password Weak Encryption
- SAP CAR Multiple Vulnerabilities
- SAP SAPCAR Heap Based Buffer Overflow Vulnerability
- SAP Note Assistant Insecure Handling of SAP Notes Signature Vulnerability
- SAP HANA SAML Assertion Improper Validation Vulnerability
Initial research about the SAP CAR file format was performed by Martin Gallo and published in Deep-dive into SAP archive file formats at the Troopers 2016 Security Conference. Additional research was performed by Hans-Christian Esperer and published in the Hascar tool.
Documentation on the SAP SAR archive file format is available in SAP’s Virus Scan Interface (NW-VSI) specification document. An example implementation can be also found in the Virus Scan Adapter SDK, which is available upon request.
Initial research about the IGS protocol was performed by Yvan Genuer and published in SAP IGS : The ‘vulnerable’ forgotten component.
Additional research about the Message Server (MS) and Remote Function Call (RFC) protocols was performed by
Dmitry Chastuhin and Mathieu Geli and published in (SAP) Gateway to Heaven.
The specifications of the HDB protocol are published in the SAP HANA SQL Command Network Protocol Reference
guide.