The following parts of the documentation contain some background information about pysap, as well as step-by-step instructions for installing, configuring and using pysap.
The following projects, tools and repositories are known to be using pysap:
- HoneySAP: HoneySAP is a low-interaction research-focused honeypot specific for SAP services. HoneySAP uses pysap as a library in order to craft and parse different protocol network packets.
- SAP dissection plug-in for Wireshark: This Wireshark plugin provides dissection of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols. The Wireshark plug-in makes use of pysap in order to craft packets used during unit tests.
- SAP Message Server research: Exploit proof of concept code for two attacks against the Message Server service:
  - Logon Group (transparent) Hijacking
  - BeTrusted
- SAP Gateway RCE exploit PoCs: Exploit proof of concept code for ACL misconfigurations in the SAP Gateway that lead to a Remote Command Execution (RCE).
- John the Ripper's pse2john script: Script to export PSE's encryption PIN into a format that can be cracked with John the Ripper.
This section of the documentation covers the installation process of pysap.
Installing pysap is simple with pip. Just run the following command in a terminal:
$ python -m pip install pysap
Some example scripts have additional required libraries:
Some of those extra libraries can be installed with pip by running the following command:
$ python -m pip install pysap[examples]
The tool relies on the Scapy library for crafting packets. To install the required libraries use:
$ python -m pip install -r requirements.txt
Once you have downloaded pysap's sources, you can install it easily using the Python setuptools script provided:
python setup.py test
python setup.py install
- For installing Scapy, see the official installation documentation for each platform:
Additional information about the protocols and the research can be found at different publications:
- Uncovering SAP vulnerabilities: reversing and breaking the Diag protocol
- SAP’s Network Protocols Revisited
- HoneySAP: Who really wants your money
- Deep-dive into SAP archive file formats
- Intercepting SAP SNC-protected traffic
- SAPCAR Heap Buffer Overflow: From crash to exploit
- Hunting crypto secrets in SAP systems
- Revisiting the Old and Looking at New Potential SAP Vulnerabilities
- Exploring the SAP HANA SQL Command Network Protocol Blog post series:
- SecureAuth Innovation Labs Sheds Light on Protecting Credentials in SAP HANA: The Client Secure User Store
And advisories:
- SAP Netweaver Dispatcher Multiple Vulnerabilities
- SAP Netweaver Message Server Multiple Vulnerabilities
- SAP Router Password Timing Attack
- SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
- SAP LZC LZH Compression Multiple Vulnerabilities
- SAP Download Manager Password Weak Encryption
- SAP CAR Multiple Vulnerabilities
- SAP SAPCAR Heap Based Buffer Overflow Vulnerability
- SAP Note Assistant Insecure Handling of SAP Notes Signature Vulnerability
- SAP HANA SAML Assertion Improper Validation Vulnerability
Initial research about the SAP CAR file format was performed by Martin Gallo and published in Deep-dive into SAP archive file formats at the Troopers 2016 Security Conference. Additional research was performed by Hans-Christian Esperer and published in the Hascar tool.
Documentation on the SAP SAR archive file format is available in SAP's Virus Scan Interface (NW-VSI) specification document. An example implementation can also be found in the Virus Scan Adapter SDK, which is available upon request.
Initial research about the IGS protocol was performed by Yvan Genuer and published in SAP IGS : The 'vulnerable' forgotten component.
Additional research about the Message Server (MS) and Remote Function Call (RFC) protocols was performed by Dmitry Chastuhin and Mathieu Geli and published in (SAP) Gateway to Heaven.
The specifications of the HDB protocol are published in the SAP HANA SQL Command Network Protocol Reference guide.
Initial research about the SSFS file formats and encryption, and the Client Secure Store, was performed by Dmitry Chastuhin and Vladimir Egorov and published in a series of blog posts that is now unavailable, and shared by Dmitry at the Confidence Security Conference 2014 Edition session "All your SAP Passwords belong to us".
Additional research was also shared by Yvan Genuer and published in "The security of ‘SAP Secure Storage’".