Detecting SAP MDM systems

16 August 2021 (updated August 30th, 2021)

With NMAP service detection

Posted by Joris van de Vis, SAP Security researcher and co-founder at Protect4S 

Introduction

An early step in an SAP penetration test is reconnaissance. This step is needed to better understand the environment you are dealing with, and it can be executed in different ways.

One often-used technique is port scanning with service detection, to find open ports and identify the software and versions running behind them. For this purpose, the guys from ERPScan have developed a lot of SAP probes for NMAP. Using these extended service probes, you can find the most common SAP services like the RFC gateway, message server, GUI services, HANA database services, etc.

However, when researching SAP MDM servers (see link earlier blog) we were struggling to detect them over the network, as SAP MDM was not yet supported by these probes. Therefore we set out to add support for SAP MDM to the NMAP service probes so that SAP MDM systems can be detected.

In this post, we explain how this was achieved.

Detecting SAP MDM systems

After setting up a test landscape with two different versions of SAP MDM, we used Wireshark to sniff traffic while using the SAP MDM Clix client to request the version from the server. This was not that easy, as SAP MDM uses a proprietary protocol and client-server communication that changes with each version. Both the client AND the server of SAP MDM need to be on the same version level to communicate properly with each other. If not, a “failed CRC check” error is shown, as can be seen in this example:

SAP MDM “failed CRC check” error

Yet when sending some specially crafted packets, the reply contained a string that robustly indicates the use of the so-called i2A protocol. This is the protocol used for communication with the SAP MDM server, so its presence proves we are dealing with an SAP MDM server. The example below shows a part of the TCP stream and highlights the “i2A” string.

SAP MDM part of TCP stream

While in the above example the version is also clearly mentioned, this is only the case when the command we sent matches that specific version of the server. But even when the server replies with an error, the reply still contains the “i2A” string, indicating that we are dealing with an SAP MDM server.

Based on the above we were able to come up with the following matching pattern in the NMAP-service-probes file to detect an SAP MDM system:

##############################NEXT PROBE##############################
Probe TCP SAPMDM q|\x69\x12\x94\xa2\x00\x69\x32\x41\x09\x00\x00\x00\x01\x00\x01\x00\x43\x2e\x07\x82\x00|
ports 59750,59950
rarity 9
# "Version " followed by the version string; only returned when the probe matches the server version
match sapmdm m|\x56\x65\x72\x73\x69\x6f\x6e (\d.{0,30})| p/sap mdm/ v/$1/
# fallback: the i2A protocol marker is also present in error replies
match sapmdm m|i2A| p/sap mdm/
##############################NEXT PROBE##############################
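To show how Nmap evaluates such an entry, here is an added example (not from the original post and not Nmap's own code) that parses the probe entry above and applies its two match lines, in order, to constructed sample replies: a version reply, a “failed CRC check” style error reply, and an unrelated banner. The sample bytes and the version string in them are made up for illustration.

```python
import re

# The probe entry from this post, parsed by the hypothetical helper below.
PROBE_ENTRY = r"""
Probe TCP SAPMDM q|\x69\x12\x94\xa2\x00\x69\x32\x41\x09\x00\x00\x00\x01\x00\x01\x00\x43\x2e\x07\x82\x00|
ports 59750,59950
rarity 9
match sapmdm m|\x56\x65\x72\x73\x69\x6f\x6e (\d.{0,30})| p/sap mdm/ v/$1/
match sapmdm m|i2A| p/sap mdm/
"""

# Constructed sample replies (not real captures from an SAP MDM server).
SAMPLE_VERSION_REPLY = b"\x69\x32\x41\x00\x00Version 7.1.06.252"
SAMPLE_CRC_ERROR = b"i2A\x05failed CRC check"
SAMPLE_OTHER = b"HTTP/1.1 400 Bad Request\r\n"

MATCH_RE = re.compile(r"^match (\S+) m\|(.*?)\|(\w*)\s*(.*)$")


def parse_probe(text):
    """Parse one Probe/ports/rarity/match entry in nmap-service-probes syntax."""
    probe = {"matches": []}
    for line in text.strip().splitlines():
        if line.startswith("Probe "):
            _, proto, name, payload = line.split(" ", 3)
            probe.update(name=name, proto=proto)
            # q|...| payloads use \xhh escapes, which unicode_escape understands
            raw = payload[2:-1].encode("latin-1").decode("unicode_escape")
            probe["payload"] = raw.encode("latin-1")
        elif line.startswith("ports "):
            probe["ports"] = [int(p) for p in line[6:].split(",")]
        elif line.startswith("rarity "):
            probe["rarity"] = int(line[7:])
        elif line.startswith("match "):
            service, pattern, flags, rest = MATCH_RE.match(line).groups()
            fields = dict(re.findall(r"([pv])/([^/]*)/", rest))
            regex = re.compile(pattern.encode("latin-1"), re.I if "i" in flags else 0)
            probe["matches"].append((service, regex, fields))
    return probe


def identify(probe, response):
    """First match line that hits wins; returns (service, product, version) or None."""
    for service, regex, fields in probe["matches"]:
        m = regex.search(response)
        if m:
            version = fields.get("v", "")
            for i, group in enumerate(m.groups(), 1):  # expand $1.. like Nmap
                version = version.replace(f"${i}", (group or b"").decode("latin-1"))
            return service, fields.get("p", ""), version
    return None
```

Note that the error reply yields the product but no version, which is exactly the fallback behaviour the second match line is there for.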

After adding the above pattern to the NMAP service probes file, SAP MDM servers are detected:

Without SAP MDM support (NMAP standard probes):

[Screenshot: scan result without SAP MDM support]

With SAP MDM support:

[Screenshot: scan result with SAP MDM support]

Or:

[Screenshot: second scan result with SAP MDM support]

To use the pattern, please see GitHub, or add it manually to the nmap-service-probes file based on the pattern shown above.

Happy hunting!

Want to know more about SAP Security? Please get in touch for more information or request an SAP security assessment here and find out how vulnerable your SAP systems are within a few days.