RE: SAP information sniffing - need help

Many thanks !

Yes you are right, i was trying to sniff out DIAG and not RFC'S. My newbee
mistake :) I know that in your email/paper you said that theres not a lot of
information out there for SAP vuln/pen-test, but are you aware of any
"white-paper" that i could read that explains the details of DIAG, i really
would like to go deeper in this issue.

Many thanks for the great white-paper & support you offered thru these
emails, appreciated!

Have a good day!
 

-----Message d'origine-----
De : listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] De
la part de Mariano Nuñez Di Croce
Envoyé : vendredi 2 mai 2008 17:54
À : Rivest, Philippe
Cc : security-basics_at_securityfocus.com
Objet : Re: SAP information sniffing - need help

Hi Philippe,

        Please let me know if I'm wrong, but I understand that you are
sniffing the traffic between your client (SAPGUI) and a remote SAP
Application Server.
In the paper you have read I have described the possibility of uncovering
the credentials used in communications performed using the RFC (Remote
Function Call) protocol.
        
        The communication between the SAPGUI and an SAP AS is done mostly
through the DIAG protocol, which sends the information compressed in what
seems to be a variation of the LZ algorithm, thus you won't get any
cleartext or obfuscated credentials despite not using SNC.

        However, if you are sure SNC is not being used, try to sniff
communication between different SAP systems (and with external systems) and
you may be able to prove your point.

        Cheers,
        
-----------------------------------------
Mariano Nuñez Di Croce

CYBSEC S.A. Security Systems
Email: mnunez_at_cybsec.com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------

> ----- Original Message -----
> From: rivestp_at_metro.ca
> To: security-basics_at_securityfocus.com
> Sent: Tue Apr 29 14:09
> Subject: Fwd: SAP information sniffing - need help
>
>
> Hello,
>
>
> This question is from a previous post i got that sent me to this
> interesting web
> page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.
> <parse.pl?redirect=http%3A%2F%2Fwww.cybsec.com%2Fupload%2Fbh-eu-07-nun
> ez-di-croce-WP_paper.pdf.> Basicly if you look at page 6 of the
> document, it shows a sniffing result and tells us about the
> username/password of SAP.
>
>
> I have tried to reproduce this with Wireshark, filtering the traffic
> from my SAP server (using the ip as filter). I cant find the username,
> client_id or anything related to authentification. I would then think
> we are using SNC, but in fact we are not (i check the proprieties of the
client).
>
>
> Anyone who can give me links or a way to identify the
> username/client_id or password (that i will XOR) would greatly help me
> get SNC activated here (and also get rid of telnet & ftp :))
>
>
>
> Appreciated
>
>
> Philippe Rivest, Certified Ethical Hacker
>
>
>