Hi Philippe,
Please let me know if I'm wrong, but I understand that you are sniffing the traffic between your client (SAPGUI) and a remote SAP Application Server.
In the paper you have read I have described the possibility of uncovering the credentials used in communications performed using the RFC (Remote
Function Call) protocol.
The communication between the SAPGUI and an SAP AS is done mostly through the DIAG protocol, which sends the information compressed in what seems to
be a variation of the LZ algorithm, thus you won't get any cleartext or obfuscated credentials despite not using SNC.
However, if you are sure SNC is not being used, try to sniff communication between different SAP systems (and with external systems) and you may be
able to prove your point.
Cheers,
-----------------------------------------
Mariano Nuñez Di Croce
CYBSEC S.A. Security Systems
Email: mnunez_at_cybsec.com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------
> ----- Original Message -----
> From: rivestp_at_metro.ca
> To: security-basics_at_securityfocus.com
> Sent: Tue Apr 29 14:09
> Subject: Fwd: SAP information sniffing - need help
>
>
> Hello,
>
>
> This question is from a previous post I got that sent me to this interesting web
> page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.
> Basically, if you look at page 6 of the document, it shows a sniffing result and
> tells us about the username/password of SAP.
>
>
> I have tried to reproduce this with Wireshark, filtering the traffic from my SAP
> server (using the IP as filter). I can't find the username, client_id or anything
> related to authentication. I would then think we are using SNC, but in fact we
> are not (I checked the properties of the client).
>
>
> Anyone who can give me links or a way to identify the username/client_id or
> password (that I will XOR) would greatly help me get SNC activated here (and
> also get rid of telnet & ftp :))
>
>
>
> Appreciated
>
>
> Philippe Rivest, Certified Ethical Hacker
>
>
>
Received on May 05 2008