Philippe,
Right now I can recall just one presentation regarding the DIAG protocol, which was at CCC
(www.ccc.de/congress/2004/fahrplan/files/157-sap-slides.pdf). It's not a white-paper, but you can get some more information from it.
Cheers,
-----------------------------------------
Mariano Nuñez Di Croce
CYBSEC S.A. Security Systems
Email: mnunez_at_cybsec.com
Tel/Fax: (54-11) 4371-4444
Web: http://www.cybsec.com
PGP: http://www.cybsec.com/pgp/mnunez.txt
-----------------------------------------
Rivest, Philippe wrote:
> Many thanks !
>
> Yes you are right, I was trying to sniff out DIAG and not RFCs. My newbie
> mistake :) I know that in your email/paper you said that there's not a lot of
> information out there for SAP vuln/pen-test, but are you aware of any
> "white-paper" that I could read that explains the details of DIAG? I really
> would like to go deeper in this issue.
>
>
> Many thanks for the great white-paper & support you offered through these
> emails, appreciated!
>
> Have a good day!
>
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
> behalf of Mariano Nuñez Di Croce
> Sent: Friday 2 May 2008 17:54
> To: Rivest, Philippe
> Cc: security-basics_at_securityfocus.com
> Subject: Re: SAP information sniffing - need help
>
> Hi Philippe,
>
> Please let me know if I'm wrong, but I understand that you are
> sniffing the traffic between your client (SAPGUI) and a remote SAP
> Application Server.
> In the paper you have read I have described the possibility of uncovering
> the credentials used in communications performed using the RFC (Remote
> Function Call) protocol.
>
> The communication between the SAPGUI and an SAP AS is done mostly
> through the DIAG protocol, which sends the information compressed in what
> seems to be a variation of the LZ algorithm, thus you won't get any
> cleartext or obfuscated credentials despite not using SNC.
>
> However, if you are sure SNC is not being used, try to sniff
> communication between different SAP systems (and with external systems) and
> you may be able to prove your point.
>
> Cheers,
>
> -----------------------------------------
> Mariano Nuñez Di Croce
>
> CYBSEC S.A. Security Systems
> Email: mnunez_at_cybsec.com
> Tel/Fax: (54-11) 4371-4444
> Web: http://www.cybsec.com
> PGP: http://www.cybsec.com/pgp/mnunez.txt
> -----------------------------------------
>
>
>> ----- Original Message -----
>> From: rivestp_at_metro.ca
>> To: security-basics_at_securityfocus.com
>> Sent: Tue Apr 29 14:09
>> Subject: Fwd: SAP information sniffing - need help
>>
>>
>> Hello,
>>
>>
>> This question is from a previous post I got that sent me to this
>> interesting web
>> page: http://www.cybsec.com/upload/bh-eu-07-nunez-di-croce-WP_paper.pdf.
>> Basically, if you look at page 6 of the
>> document, it shows a sniffing result and tells us about the
>> username/password of SAP.
>>
>>
>> I have tried to reproduce this with Wireshark, filtering the traffic
>> from my SAP server (using the IP as filter). I can't find the username,
>> client_id or anything related to authentication. I would then think
>> we are using SNC, but in fact we are not (I checked the properties of the
>> client).
>>
>> Anyone who can give me links or a way to identify the
>> username/client_id or password (that I will XOR) would greatly help me
>> get SNC activated here (and also get rid of telnet & ftp :))
>>
>>
>>
>> Appreciated
>>
>>
>> Philippe Rivest, Certified Ethical Hacker
>>
>>
>>
Received on May 07 2008